Good Hunting

The personal blog of Chris Gerritz. I muse on malware, threat hunting, and security incidents. Occasionally more.

PSHunt Framework

PSHunt Structure

PSHunt is divided into several modules, functions, and folders. The below gives an outline of the grouping of these functions and upcoming posts will describe how how to use them with examples and screenshots.

Discovery

Discovery functions and cmdlets are used to identify hosts on the network and build a target list that can be ingested by the scanners and survey deployment cmdlets.
Get-HuntTargets Invoke-HuntPortScan

Scanners

Scans are modular queries that take in a remote ComputerName argument and output a Powershell object. The utility Invoke-HuntScan is used to initiate the selected scan against your target list.
Scan_OSInfo.ps1

Surveys

Surveys are scripts that are deployed to remote hosts to collect comprehensive information from the host. Running locally allows the scripts to dig deeper into the operating system than what remote WMI or registry queries normally allow.
Survey.ps1 SurveyLogs.ps1

Utilities

Utility functions provide the base functionality for deployment and execution of surveys and scans.
Invoke-HuntSurvey Get-HuntSurveyResults Invoke-HuntScanner

Analysis

There are two types of analysis functions:

  • Survey Analysis

    Survey Analysis functions provide the framework for analysing and displaying survey and scan results.

    Initialize-HuntReputation Update-HuntObject Group-HuntObject

  • File Analysis File Analysis functions are a set of utilities to analyze files and malware.

    Get-Entropy Get-VTReport Get-Hashes

Libraries (Lib)

Libraries are 3rd party tools that have been incorporated to enable additional analysis or are other projects (i.e. Posh-VirusTotal) that are utilized by the framework.
7zip Posh-VirusTotal

Reputation Lists

Reputation lists include hashes from the NIST NSRL Database, baselined virtual machines provided by Infocyte, and also is updated with any VirusTotal submission made using PSHunt's Get-VTReport. These lists are loaded into a global memory variable by Initialize-HuntReputation and is compared against by Update-HuntObject.

Author image
San Antonio, TX Website
Chris Gerritz is a retired Air Force cyber warfare officer and pilot. He now hunts malware for a living as co-founder of Infocyte.