How to install PSHunt on Windows?

Clone the GitHub repository and import the PowerShell module, but ensure prerequisites like execution policies are configured and dependencies such as Posh-VirusTotal are installed for full functionality, as it's a modular framework.

PSHunt vs PowerSploit for threat hunting?

PSHunt is focused on defensive threat hunting and forensic analysis with modular scanning, while PowerSploit is more offensive for exploitation. PSHunt is better for DFIR teams, whereas PowerSploit suits red teaming.

Can PSHunt scan Linux servers?

No, PSHunt is currently designed only for Windows endpoints, as stated in the README. For Linux systems, you would need alternative tools or consider extending the framework with custom scripts.

How to create custom scans in PSHunt?

Write PowerShell scripts following PSHunt's modular structure, using functions like Invoke-HuntScan. The README outlines the scanner format, allowing integration of new queries for specific indicators of compromise.

Does PSHunt integrate with SIEM tools?

PSHunt outputs PowerShell objects that can be converted to formats like CSV or JSON for integration, but direct SIEM integration isn't built-in; you'll need custom scripts to export and ingest results.

Is PSHunt still actively maintained?

The maintainer indicates updates are done 'as time allows,' so while open-source, active maintenance may be irregular. Check the GitHub repo for recent commits and community contributions.

PSHunt

Apache-2.0PowerShell

A PowerShell module for remote endpoint threat hunting, scanning for indicators of compromise and collecting system state information.

GitHub

What is PSHunt?

PSHunt is a PowerShell Threat Hunting Module that scans remote Windows endpoints for indicators of compromise and collects comprehensive system state information like active processes, autostarts, configurations, and logs. It provides a framework for security professionals to conduct threat hunting and forensic analysis across networked systems. The project originated as the open-source precursor to Infocyte's commercial HUNT product.

Target Audience

DFIR (Digital Forensics and Incident Response) professionals, security analysts, and threat hunters who need to perform remote endpoint investigations on Windows networks using PowerShell.

Value Proposition

Developers choose PSHunt because it offers a modular, extensible PowerShell-based framework specifically designed for threat hunting, integrating discovery, scanning, surveying, and analysis capabilities into a single toolkit. It leverages community-driven security tools and reputation lists, making it a practical open-source alternative to commercial solutions.

Overview

Powershell Threat Hunting Module

Use Cases

Best For

Scanning remote Windows endpoints for indicators of compromise (IOCs)

Related Projects

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub

291 stars63 forks0 contributors

Collecting comprehensive system state information for forensic analysis

Automating threat hunting workflows across networked systems

Integrating with VirusTotal and NIST NSRL for hash reputation checks

Deploying local survey scripts to gather deep system data beyond remote queries

Building target lists and conducting network discovery for security assessments

Not Ideal For

Organizations with mixed or non-Windows operating systems
Teams requiring real-time, automated threat detection without manual intervention
Users who prefer graphical interfaces over command-line tools
Small-scale incidents where lightweight, single-purpose tools are sufficient

Pros & Cons

Pros

Modular and Extensible Framework

PSHunt is structured into distinct modules like Discovery, Scanners, and Surveys, allowing security professionals to customize and extend functionality for specific threat hunting workflows, as outlined in the README's project structure.

Deep System Information Collection

Through surveys deployed locally on remote hosts, PSHunt gathers comprehensive data beyond typical remote queries, such as active processes and autostarts, enabling thorough forensic analysis, as described in the Surveys section.

Integration with Reputation Services

It integrates with NIST NSRL Database, VirusTotal, and Infocyte baselines for hash comparison, providing valuable context for identifying known good and bad files, as mentioned in the Reputation Lists part of the README.

Community-Driven and Open Source

Built on and attributing code from security experts like Jared Atkinson and Matt Graeber, PSHunt leverages community tools and is under liberal licenses, fostering collaboration and adaptation, as noted in the Attributions section.

Cons

Windows-Only Limitation

The README explicitly states 'Currently just Windows,' which restricts its use to Windows environments and makes it unsuitable for cross-platform threat hunting scenarios, limiting broader adoption.

Complex Setup and PowerShell Dependency

Requires significant PowerShell expertise and setup, including managing modules and dependencies like Posh-VirusTotal, which can be a barrier for teams without strong scripting skills or in automated environments.

Potential Maintenance Concerns

The project maintainer notes that updates will be done 'as time allows,' indicating irregular maintenance, which could lead to outdated tools or lack of support for emerging threats, as mentioned in Project Logistics.

Open Source Alternative To

PSHunt is an open-source alternative to the following products:

I

Infocyte HUNT

Infocyte HUNT is a cybersecurity platform for threat detection and response that helps organizations identify and remediate threats across endpoints and servers.

Frequently Asked Questions

Home

Cybersecurity Blue Team

grr

GRR Rapid Response: remote live forensics for incident response

Stars5,068

Forks796

Last commit18 days ago

Hunting ELK (HELK)

The Hunting ELK

Stars3,926

Forks691

Last commit2 years ago

DeepBlueCLI

DeepBlueCLI is a PowerShell module designed for security professionals to perform threat hunting and forensic analysis using Windows Event Logs. It processes logs from Security, System, Application, PowerShell, and Sysmon sources to detect a wide range of suspicious activities and attack patterns. ## Key Features - **Suspicious Account Detection** — Identifies user creation, group additions, password guessing, password spraying, and Bloodhound-style privilege anomalies. - **Command-Line Analysis** — Detects long command lines, obfuscated commands, PowerShell launched via WMIC/PsExec, and compressed/Base64-encoded commands with automatic decoding. - **Service Auditing** — Flags suspicious service creation, service errors, and attempts to stop/start the Windows Event Log service. - **Attack Tool Detection** — Recognizes Mimikatz `lsadump::sam` commands and EMET/AppLocker blocks. - **Flexible Output** — Exports results in multiple formats including JSON, CSV, HTML, XML, and PowerShell objects for further analysis. ## Philosophy DeepBlueCLI prioritizes practical, actionable detection of real-world attack techniques, leveraging built-in Windows logging capabilities to provide defenders with a powerful, scriptable hunting tool.

Stars2,408

Forks372

Last commit2 years ago