What started as a curiosity about Windows forensics has evolved into a full toolkit of DFIR superpowers! Season 1 of PowerShell-Hunter has brought together a collection of powerful tools for defenders to hunt smarter and harder. Here’s a roundup of the tools and their capabilities:
- PowerShell 4104 Event Analyzer: Cuts through malicious script noise.
- AD Threat Hunter: Catches password sprays and brute force attempts.
- MRU Analysis: Reveals user activity through Most Recently Used lists.
- BAM Analyzer: Tracks application execution with Background Activity Moderator.
- PCA Analysis: Uncovers program compatibility logs.
- UserAssist Hunt: Decodes ROT13-encoded registry keys.
- Prefetch Hunter: Follows program execution breadcrumbs with LOLBAS integration.
- ShellBag Hunter: Explores shellbag artifacts for forensic insights.
All tools are available at GitHub – MHaggis/PowerShell-Hunter.
You Should Know:
Here are some practical commands to get started with the artifacts the PowerShell-Hunter tools cover:
1. PowerShell 4104 Event Analyzer:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property TimeCreated, Message
2. AD Threat Hunter:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Select-Object -Property TimeCreated, Message   # 4625 = failed logon; bursts across many accounts suggest a spray
3. MRU Analysis:
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' | Select-Object -Property *
4. BAM Analyzer:
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings' | Get-ItemProperty   # values live in the per-SID subkeys, not in UserSettings itself
5. PCA Analysis:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted' | Select-Object -Property *
6. UserAssist Hunt:
Get-ChildItem -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist' | ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\Count" }   # entries are ROT13 value names under each {GUID}\Count subkey
7. Prefetch Hunter:
Get-ChildItem -Path 'C:\Windows\Prefetch' | Select-Object -Property Name, LastWriteTime
8. ShellBag Hunter:
Get-ChildItem -Path 'HKCU:\Software\Microsoft\Windows\Shell\Bags' -Recurse | Get-ItemProperty   # shellbag data sits in numbered subkeys, so recurse rather than read the parent key
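Listing the UserAssist values raw only shows ROT13 names and byte blobs; the following is an added PowerShell example (not code from the PowerShell-Hunter repository) that decodes the names and pulls the run count and last-run time out of each value. It assumes the Windows 7-and-later 72-byte value layout (run count at offset 4, last-run FILETIME at offset 60); the function names are my own.

```powershell
# Added example, not part of PowerShell-Hunter: decode UserAssist entries.
# Assumes the Windows 7+ value layout: run count at offset 4, last-run FILETIME at offset 60.
function ConvertFrom-Rot13 {
    param([string]$Text)
    $out = foreach ($c in $Text.ToCharArray()) {
        if ($c -cmatch '[A-Ma-m]')     { [char]([int]$c + 13) }
        elseif ($c -cmatch '[N-Zn-z]') { [char]([int]$c - 13) }
        else                           { $c }   # digits, braces, backslashes pass through
    }
    -join $out
}

function Get-UserAssistEntries {
    param([string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist')
    # Properties Get-ItemProperty adds to every object; they are not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    Get-ChildItem -Path $Root | ForEach-Object {
        $countKey = Join-Path -Path $_.PSPath -ChildPath 'Count'
        if (-not (Test-Path -Path $countKey)) { return }
        $props = Get-ItemProperty -Path $countKey
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($meta -contains $name) { continue }
            $data = $props.$name
            # Skip session counters and anything too short to hold the FILETIME at offset 60.
            if ($data -isnot [byte[]] -or $data.Length -lt 68) { continue }
            $fileTime = [BitConverter]::ToInt64($data, 60)
            $lastRun  = if ($fileTime -gt 0) { [DateTime]::FromFileTimeUtc($fileTime) } else { $null }
            [PSCustomObject]@{
                Program    = ConvertFrom-Rot13 -Text $name   # GUID prefix stays readable after decoding
                RunCount   = [BitConverter]::ToUInt32($data, 4)
                LastRunUtc = $lastRun
                Source     = $_.PSChildName                  # the {GUID} subkey the entry came from
            }
        }
    } | Sort-Object -Property LastRunUtc -Descending
}

# Usage: the 20 most recently executed programs recorded for the current user.
Get-UserAssistEntries | Select-Object -First 20 | Format-Table -AutoSize
```

Run it under the account whose activity you are reviewing, since HKCU is per user; for an offline hive, load it with reg load and point -Root at the mounted path.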
What Undercode Says:
The PowerShell-Hunter toolkit is a game-changer for Windows forensics and DFIR professionals. By leveraging these tools, defenders can gain deeper insights into malicious activities and user behaviors. The integration of LOLBAS and the focus on Windows artifacts make this toolkit indispensable for modern threat hunting. Whether you’re analyzing PowerShell logs, tracking application execution, or decoding registry keys, these tools provide a robust foundation for forensic investigations. Don’t forget to explore the GitHub repository for more details and updates as Season 2 approaches. Happy hunting!
Reported By: Michaelahaag Github – Hackers Feeds