6 More Threat Hunting Tools Everyone in the Industry Should Be Using

Microsoft Sysinternals Suite — https://docs.microsoft.com/en-us/sysinternals/

The first tool might surprise some of you because it isn’t some obscure Github project with unique (and sometimes hard to pronounce!) project names. Instead, the first on our list is the good old Sysinternals Suite by Microsoft. This suite of tools is hugely helpful to threat hunters in three main ways:

Kansa — https://github.com/davehull/Kansa

Another tool that can be hugely useful for both threat hunting and incident response is Kansa, a self-described “modular incident response framework in Powershell.” The tool has one major function, and it does it very well. Kansa uses PowerShell Remoting “user contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline.”

Kroll Artifact Parser and Extractor (KAPE) — https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape

A tool that is used widely by IR professions and the digital forensics crew is KAPE (or the Kroll Artifact Parser and Extractor). KAPE allows analysts to set up specific “targets” (basically specific locations in in the filesystem) and automatically parse through the results and collect all the evidence. But it isn’t just a glorified copy-and-paste tool. It also parses through associated and related data (like EvidenceOfExecution, BrowserHistory, and more) to speed up triage and analysis.

GHIDRA — https://ghidra-sre.org

If you’ve been hanging around the malware reverse engineering scene for a while you are probably familiar with tools such as IDA Pro and GHIDRA, the latter of which was designed by the secretive Research Directorate of the National Security Agency (or No Such Agency, if they had their way!). GHIDRA offers security researchers tools such as a debugger, hex editor, and disassembler all in one, and completely free.

Regshot — https://github.com/Seabreg/Regshot

While some of our tools, like GHIDRA and Sysinternals, are monolithic in size and scope, Regshot is quite the opposite. Regshot is like a screenshot tool and the “diff” Linux command line tool but for your registry. It allows hunters to grab a complete “screenshot” of their registry quickly and effortlessly, and then take a second “screenshot” and find the differences.

UACME — https://github.com/hfiref0x/UACME

Our last tool is a bit of a black sheep to our list, but it is no less useful. UACME (or UAC-ME) is a tool that can allow anyone to easily defeat Windows User Account Control using a variety of methods. We are definitely not condoning the use of this tool for malicious purposes, but when you are looking for tell-tale methods of maliciousness, and you want to build detection content, this tool can simplify this process considerably.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Cyborg Security

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.