ThreatHunter

1.0

A comprehensive PowerShell toolkit for threat hunting, digital forensics, and incident response (DFIR). Provides "Hunt" functions to detect persistence mechanisms, analyze system artifacts, search event logs, and generate detailed forensic reports.

Minimum PowerShell version

5.1

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name ThreatHunter

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name ThreatHunter

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Package Details

Author(s)

  • Blake White

Tags

DFIR ThreatHunting IncidentResponse Forensics Security Persistence EventLogs Browser Registry MITRE VirusTotal Windows PowerShell ClickFix Malware CyberSecurity SecOps EVTX

Functions

Hunt-Persistence Hunt-Files Hunt-Browser Hunt-Logs Hunt-Registry Hunt-Services Hunt-Tasks Hunt-VirusTotal Hunt-ForensicDump

Dependencies

This module has no dependencies.

Release Notes

ThreatHunter v1.0

A comprehensive PowerShell toolkit for threat hunting, digital forensics, and incident response (DFIR). Provides hunt functions to detect persistence mechanisms, analyze system artifacts, search event logs, and generate detailed forensic reports.

CORE CAPABILITIES:

Hunt-ForensicDump    - Forensic collection with interactive HTML reporting
Hunt-Persistence     - Detect 60+ persistence techniques (registry, services, WMI, tasks)
Hunt-Logs            - Event log analysis with caching and IOC detection
Hunt-Browser         - Browser history/extension analysis with tool integration
Hunt-Files           - File hunting by time, content, hashes, and ADS
Hunt-Registry        - Registry search, autoruns, and Run MRU (ClickFix detection)
Hunt-Services        - Service enumeration with svchost DLL resolution
Hunt-Tasks           - Scheduled task analysis with privilege detection
Hunt-VirusTotal      - VirusTotal API integration with auto-upload

KEY FEATURES:

- Pure PowerShell with no compiled binaries or external dependencies
- Interactive HTML reports with dark/light themes
- Smart caching for browser and log data
- Flexible date filtering (relative and absolute formats)
- MITRE ATT&CK mapping for persistence techniques
- ClickFix detection via Win+R command analysis
- Offline analysis support for exported EVTX logs and CSV files

REQUIREMENTS:

- PowerShell 5.0+
- Windows 7/Server 2008 R2 or later
- Administrator privileges recommended

QUICK EXAMPLES:

   # Quick forensic dump and export event logs to ZIP
   Hunt-ForensicDump -StartDate "3D" -LoadBrowserTool -SkipConfirmation -ExportLogs

   # Hunt for persistence
   Hunt-Persistence -Aggressive

   # Search all event logs for IOCs
   Hunt-Logs -StartDate "7D" -Search "mimikatz"

   # Pull all browser history
   Hunt-Browser -LoadTool -SkipConfirmation

DOCUMENTATION:

- Wiki: https://github.com/blwhit/ThreatHunter/wiki
- GitHub: https://github.com/blwhit/ThreatHunter
- Issues: https://github.com/blwhit/ThreatHunter/issues

FileList

Version History

Version Downloads Last updated
1.0 (current version) 9 1/9/2026