ThreatHunter is a comprehensive PowerShell toolkit designed for threat hunting, digital forensics, and incident response (DFIR).
It provides a suite of hunt functions to detect persistence mechanisms, analyze system artifacts, search event logs, and generate detailed forensic reports - all through PowerShell on the command line.
| Function | Purpose |
|---|---|
| Hunt-ForensicDump | Forensic collection with interactive HTML reporting |
| Hunt-Persistence | Detect 60+ persistence techniques (registry, services, WMI, tasks) |
| Hunt-Logs | Event log analysis with caching and IOC detection |
| Hunt-Browser | Browser history/extension analysis with tool integration |
| Hunt-Files | File hunting by time, content, hashes, and ADS |
| Hunt-Registry | Registry search, autoruns, and Run MRU (ClickFix detection) |
| Hunt-Services | Service enumeration with svchost DLL resolution |
| Hunt-Tasks | Scheduled task analysis with privilege detection |
| Hunt-VirusTotal | VirusTotal API integration with auto-upload |
Install from the PowerShell Gallery, either for all users or for the current user only:

```powershell
Install-Module ThreatHunter -Force -AllowClobber
Import-Module ThreatHunter
```

```powershell
Install-Module ThreatHunter -Scope CurrentUser
Import-Module ThreatHunter
```

```powershell
# When Done
Uninstall-Module ThreatHunter
```

Or clone the repository and import the module manifest:

```powershell
git clone https://github.com/blwhit/ThreatHunter.git
cd .\ThreatHunter\
Import-Module .\ThreatHunter.psd1
```

Or download the module file directly:

```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/blwhit/ThreatHunter/refs/heads/main/ThreatHunter.psm1" -OutFile "ThreatHunter.psm1"
Import-Module ".\ThreatHunter.psm1"
```

If the import fails with the following error, script execution is blocked by the execution policy:

```
Import-Module : File 'ThreatHunter.psm1' cannot be loaded because running scripts is disabled on this system.
```

Relax the policy for the current process only (it reverts when the session closes):

```powershell
Set-ExecutionPolicy Unrestricted -Scope Process
```

Quick start:

```powershell
# Quick forensic dump and export EVTX logs to ZIP
Hunt-ForensicDump -StartDate "3D" -LoadBrowserTool -SkipConfirmation -ExportLogs

# Hunt for persistence
Hunt-Persistence -Aggressive

# Search all event logs for IOCs
Hunt-Logs -StartDate "7D" -Search "mimikatz"

# Pull all browser history
Hunt-Browser -LoadTool -SkipConfirmation
```

Requirements:

- PowerShell 5.0+
- Windows 7/Server 2008 R2 or later
- Administrator privileges (recommended)
Key features:

- Pure PowerShell - No compiled binaries or external dependencies
- Interactive HTML Reports - Single-file forensic reports with dark/light themes
- Smart Caching - Browser and log caching for fast repeated searches
- Multiple Outputs - Console, CSV, PowerShell objects
- Date Filtering - Flexible relative and absolute date formats
- MITRE ATT&CK - Persistence techniques mapped to the framework
- ClickFix Detection - Analyze Win+R commands for social engineering attacks
- Offline Analysis - Process exported EVTX logs and CSV files
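To make two of the features above concrete (ClickFix detection over the Win+R history and offline EVTX analysis with relative date filters), here is an added plain-PowerShell example. It is not code from the ThreatHunter module; it shows the kind of logic such a hunt runs, using only built-in cmdlets. The relative-date grammar ("3D", "12H", "30M"), the indicator patterns, the sample RunMRU entries and the `.\Security.evtx` path in the usage lines are all constructed for illustration.

```powershell
# Added example (not part of the ThreatHunter module). Assumed/constructed: the
# relative-date grammar, the ClickFix indicator regexes, and the sample entries below.

function ConvertFrom-RelativeDate {
    # "3D", "12H" or "30M" mean that many days/hours/minutes before now;
    # anything else is parsed as an absolute date string.
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -match '^(\d+)([DdHhMm])$') {
        $n = [int]$Matches[1]
        switch ($Matches[2].ToUpper()) {
            'D' { return (Get-Date).AddDays(-$n) }
            'H' { return (Get-Date).AddHours(-$n) }
            'M' { return (Get-Date).AddMinutes(-$n) }
        }
    }
    return [datetime]::Parse($Value)
}

function Test-ClickFixCommand {
    # A pasted ClickFix lure typically pairs a script host or download utility with
    # hidden-window, encoded-command, in-memory-execution or remote-URL flags.
    # Both halves must match to reduce noise from ordinary Win+R usage.
    param([Parameter(Mandatory)][string]$Command)
    $hosts = 'powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|bitsadmin|rundll32|regsvr32'
    $flags = '-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s|iex|invoke-expression|downloadstring|https?://|frombase64string'
    return ($Command -match $hosts) -and ($Command -match $flags)
}

function Get-RunMruEntries {
    # Win+R history lives in HKCU RunMRU: each value is "<command>\1" and the
    # MRUList value gives the most-recent-first order of the value names.
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU')
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path
    foreach ($c in ([string]$key.MRUList).ToCharArray()) {
        $name = [string]$c
        $raw = $key.$name
        if ($raw) { [pscustomobject]@{ Slot = $name; Command = ($raw -replace '\\1$', '') } }
    }
}

function Find-ClickFixInRunMru {
    # Takes RunMRU entries (live or constructed) and returns only the suspicious ones.
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        if (Test-ClickFixCommand -Command $Entry.Command) {
            [pscustomobject]@{ Slot = $Entry.Slot; Command = $Entry.Command; Reason = 'script host + hidden/encoded/remote flag' }
        }
    }
}

function Search-ExportedEvtx {
    # Offline search of an exported .evtx: keep events newer than the start date whose
    # message matches the pattern. Get-WinEvent errors when nothing matches, so that is silenced.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Pattern,
        [string]$StartDate = '7D'
    )
    $since = ConvertFrom-RelativeDate -Value $StartDate
    Get-WinEvent -FilterHashtable @{ Path = $Path; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[0] } }
}

# Constructed sample entries (not from a real machine) so the classifier can be tried offline.
$sample = @(
    [pscustomobject]@{ Slot = 'a'; Command = 'notepad' },
    [pscustomobject]@{ Slot = 'b'; Command = 'mshta https://example.invalid/verify' },
    [pscustomobject]@{ Slot = 'c'; Command = 'powershell -w hidden -ec QQBBAEEA' }
)
$sample | Find-ClickFixInRunMru | Format-Table -AutoSize   # slots b and c are flagged, a is not

# On a live host:   Get-RunMruEntries | Find-ClickFixInRunMru
# Offline EVTX:     Search-ExportedEvtx -Path .\Security.evtx -Pattern 'mimikatz' -StartDate '7D'
```

The indicator lists are a starting point, not a complete signature set; tune `$hosts` and `$flags` to what is normal on the hosts being triaged, and treat a hit as something to look at alongside process-creation and PowerShell logs rather than as a verdict on its own.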
Wiki pages:

- Home - Module overview and quick start
- Hunt-ForensicDump - Master forensic collection
- Hunt-Persistence - 60+ persistence techniques
- Hunt-Logs - Event log hunting
- Hunt-Browser - Browser analysis
- Hunt-Files - File system hunting
- Hunt-Registry - Registry analysis
- Hunt-Services - Service enumeration
- Hunt-Tasks - Scheduled task analysis
- Hunt-VirusTotal - VirusTotal integration
Use cases:

- Incident Response - Quick triage and comprehensive data collection
- Threat Hunting - Proactive search for persistence and IOCs
- Forensic Analysis - Detailed system artifact examination
Links:

- PowerShell Gallery: https://www.powershellgallery.com/packages/ThreatHunter/1.0
- Wiki Documentation: View the Wiki
- MITRE ATT&CK: https://attack.mitre.org
- Issue Tracker: Submit an Issue

Author: Blake White
Version: 1.0
Last Updated: Jan 2026