Estimated Reading Time: 5 minutes
APT-Hunter first released at the beginning of 2021 and since the release, many use cases and features were added along with bug fixes . APT-Hunter V2.0 now includes more than 200 use cases , log hunting , new frequency analysis , very easy to use and analyze multiple devices logs at same time .
Github Repo : https://github.com/ahmedkhlief/APT-Hunter
APT-Hunter Release : includes new pre-compiled executable for windows
APT-Hunter New Features
- Apt-Hunter now support more than 200 use cases.
- Introducing Log hunting feature which can take string or regex and search all the logs and provide you a parsed report for all findings.
- New Process Execution frequency analysis : this will help you identify suspicious and rare processes run in the environment .
- New Login Events report : the new CSV Login events report include parsed (Date, User , Source IP , Logon Process , Workstation Name , Logon Type , Device Name , Original Log ) column fields so you can easily filter , investigate suspicious logins and if you analyze multiple machines you can have time line analysis for the logins .
- Specify the timezone you want : before APT-Hunter was using UTC timezone for all reports but now you can specify the timezone or use ( local ) to auto detect your timezone.
- No need to specify the type of logs : APT-Hunter will analyze folders for logs and detect the type of logs then analyze it .
- Analyze Multiple devices logs and get unified timeline : You can provide a directory with all machine logs you want to analyze and APT-Hunter will provide a single report for all machines which will easy the timeline analysis .
- Terminal Service Events now include columns for ( user , source IP ) to make it easier to filter and check for suspicious activity .
- Many bug fixes since last release .
APT-Hunter new use cases
- Suspicious Command or process found in the log
- User Added using Net Command
- Process running in suspicious location
- Process running in Unusual location
- Suspicious Process Found
- Suspicious Powershell commands Process Found
- Suspected privielge Escalation attempt using NAMED PIPE
- non-interactive powershell being executed by another application in the background
- User Created through management interface
- User Created through management interface
- Dcsync Attack detected
- dcshadow Attack detected
- network share object was added
- network share object was added
- Windows is shutting down
- User added to local group
- User added to local group
- User added to global group
- User added to global group
- User added to Universal group
- User added to Universal group
- User Removed from Global Group
- User Removed from Global Group
- User Removed from Universal Group
- User Removed from Universal Group
- User Removed from Local Group
- User Removed from Local Group
- User Removed Group
- User Removed Group
- User Account Removed
- User Account Removed
- High number of Pass the hash attempt Detected . detection will be paused for this user to not flood the detection list
- Pass the hash attempt Detected
- Pass the hash attempt Detected
- Audit log cleared
- Suspicious Attempt to enumerate groups
- Suspicious Attempt to enumerate groups
- System audit policy was changed
- schedule task created
- schedule task deleted
- schedule task updated
- schedule task enabled
- schedule task disabled
- System Logs Cleared
- Service Installed with executable in TEMP Folder
- Service installed in the system
- psexec service detected installed in the system
- Service start type changed
- Service State Changed
- Zerologon Exploitation Using Well-known Tools
- non-system accounts getting a handle to and accessing lsass
- non-system accounts getting a handle to and accessing lsass
- Password Spray Detected
- Suspicious Command or process found in the log
- Windows Defender took action against Malware
- Windows Defender failed to take action against Malware
- Windows Defender Found Malware
- Windows Defender deleted history of malwares
- Windows Defender detected suspicious behavior Malware
- Windows Defender real-time protection disabled
- Windows Defender real-time protection configuration changed
- Windows Defender antimalware platform configuration changed
- Windows Defender scanning for malware is disabled
- Windows Defender scanning for viruses is disabled
- Suspicious Command or process found in the log
- schedule task registered
- schedule task updated
- schedule task deleted
- Service installed in the system
- psexec service detected installed in the system
- Service start type changed
- Service State Changed
- Zerologon Exploitation Using Well-known Tools
- Suspicious Command or process found in the log
- Powershell Module logging – Malicious Commands Detected
- powershell script block – Found Suspicious PowerShell commands
- PowerShell ISE Operation – Found Suspicious PowerShell commands
- Powershell Executing Pipeline – Suspicious Powershell Commands detected
- Powershell Executing Pipeline – User Powershell Commands
- Suspicious Command or process found in the log
- Powershell Executing Pipeline – Suspicious Powershell Commands detected
- Suspicious PowerShell commands Detected
- Suspicious PowerShell commands Detected
- User connected RDP from Local host – Possible Socks Proxy being used
- User Connecting RDP from Public IP
- User Loggedon to machine
- connection is initiated using WinRM from this machine – Powershell remoting
- connection is initiated using WinRM to this machine – Powershell remoting
- [ T1086 ] Powershell with Suspicious Argument
- [ T1543 ] Sc.exe manipulating windows services
- [ T1059 ] wscript or cscript runing script
- [ T1218.005 ] Mshta found running in the system
- Psexec Detected in the system
- [T1053] Scheduled Task manipulation
- Prohibited Process connecting to internet
- Command run remotely Using WMI
- Detect IIS/Exchange Exploitation
- [T1082] System Information Discovery
- [T1117] Bypassing Application Whitelisting with Regsvr32
- [T1055] Process Injection
- [T0000] Console History
- [ T0000 ] Remotely Query Login Sessions – Network
- [ T0000 ] Remotely Query Login Sessions – Process
- T0000 Suspicious process name detected
- T1002 Data Compressed
- T1003 Credential Dumping ImageLoad
- [T1003] Credential Dumping – Process
- [T1003] Credential Dumping – Process Access
- [T1003] Credential Dumping – Registry
- [T1003] Credential Dumping – Registry Save
- [T1004] Winlogon Helper DLL
- [T1004] Winlogon Helper DLL
- [ T1007 ] System Service Discovery
- [T1223] Compiled HTML File
- [T1218] Signed Binary Proxy Execution – Process
- [T1218] Signed Binary Proxy Execution – Process
- [T1218] Signed Binary Proxy Execution – Network
- [T1216] Signed Script Proxy Execution
- [T1214] Credentials in Registry
- [T1209] Boot or Logon Autostart Execution: Time Providers
- [T1202] Indirect Command Execution
- [T1201] Password Policy Discovery
- [T1197] BITS Jobs – Process
- [T1197] BITS Jobs – Network
- [T1196] Control Panel Items – Registry
- [T1196] Control Panel Items – Process
- [T1191] Signed Binary Proxy Execution: CMSTP
- [T1183] Image File Execution Options Injection
- [T1182] AppCert DLLs Registry Modification
- [T1180] Screensaver Hijack
- [T1179] Hooking detected
- [T1170] Detecting Mshta
- [T1170] Detecting Mshta
- [T1158] Hidden Files and Directories – VSS
- [T1158] Hidden Files and Directories
- [T1146] Clear Command History
- [T1140] Deobfuscate/Decode Files or Information
- [T1138] Application Shimming – Registry
- [T1138] Application Shimming – process
- [T1136] Create Account
- [T1135] Network Share Discovery – Process
- [T1131] Authentication Package
- [T1130] Install Root Certificate
- [T1128] Netsh Helper DLL – Process
- [T1128] Netsh Helper DLL – Registry
- [T1127] Trusted Developer Utilities
- [T1126] Network Share Connection Removal
- [T1124] System Time Discovery
- [T1115] Audio Capture
- [T1122] Component Object Model Hijacking
- [T1121] Regsvcs/Regasm
- [T1118] InstallUtil
- [T1117] Regsvr32
- [T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj
- [T1115] Clipboard Data Collection
- [T1107] Indicator Removal on Host
- [T1103] AppInit DLLs Usage
- [T1096] Hide Artifacts: NTFS File Attributes
- [T1088] Bypass User Account Control – Registry
- [T1088] Bypass User Account Control – Process
- [T1087] Account Discovery
- [T1086] PowerShell Downloads – Process
- [T1086] PowerShell Process found
- [T1085] Rundll32 Execution detected
- [T1082] System Information Discovery
- [T1081] Credentials in Files
- [T1077] Windows Admin Shares – Process – Created
- [T1077] Windows Admin Shares – Process
- [T1077] Windows Admin Shares – Network
- [T1076] Remote Desktop Protocol – Process
- [T1076] Remote Desktop Protocol – Registry
- [T1074] Data Staged – Process
- [T1070] Indicator removal on host
- [T1069] Permission Groups Discovery – Process
- [T1063] Security Software Discovery
- [T1060] Registry Run Keys or Start Folder
- [T1059] Command-Line Interface
- [1057] Running Process Discovery
- [T1054] Indicator Blocking – Sysmon registry edited from other source
- [T1054] Indicator Blocking – Driver unloaded
- [T1053] Scheduled Task – Process
- [T1050] New Service – Process
- [T1049] System Network Connections Discovery
- [T1047] Windows Management Instrumentation – Process
- [T1047] Windows Management Instrumentation – Network
- [T1047] Windows Management Instrumentation – Instances of an Active Script Event Consumer – Process
- [T1047] Windows Management Instrumentation – Instances of an Active Script Event Consumer – FileAccess
- [T1040] Network Sniffing Detected
- [T1037] Boot or Logon Initialization Scripts
- [T1036] Masquerading – Extension
- [T1031] Modify Existing Service
- [T1028] Windows Remote Management
- [T1027] Obfuscated Files or Information
- [T1018] Remote System Discovery – Process
- [T1018] Remote System Discovery – Network
- [T1015] Accessibility Features – Registry
- [T1015] Accessibility features
- [T1013] Local Port Monitor
- [T1012] Query Registry – Process
- [T1012] Query Registry – Network
- [T1012] Processes opening handles and accessing Lsass with potential dlls in memory
- [T1003] Processes opening handles and accessing Lsass with potential dlls in memory
- [T1112] process updating fDenyTSConnections or UserAuthentication registry key values
- [T1059] processes loading PowerShell DLL system.management.automation
- [T1059] PSHost* pipes found in PowerShell execution
- [T1112] process updating UseLogonCredential registry key value
- [T1055] Process Injection – Process
I would like to thank zAbuQasem for his contribution in Ninja New UI
Purple Teamer , coder who obsessed in information security and will never stop learning . certified : OSCP , CRTP , DFIRP , DFIRA , CEHV9 , CCNA R&S , CCNA Cyber Ops , Splunk Power , SPlunk Core