ahmedkhlief / APT-Hunter

APT-Hunter is a threat hunting tool for Windows event logs, built with a purple-team mindset to detect APT movements hidden in the sea of Windows event logs and to decrease the time needed to uncover suspicious activity.
https://shells.systems/introducing-apt-hunter-threat-hunting-tool-via-windows-event-log/
GNU General Public License v3.0

2.0 - evtxdetect_auto error and no CSV output #13

Closed AndrewRathbun closed 2 years ago

AndrewRathbun commented 3 years ago

Hello,

Thank you for providing a compiled Windows EXE. I'll be making a Module in KAPE for this tool, but first I think some bugs need to be fixed :)

I ran the tool against the EVTX-ATTACK-SAMPLES repo and received the following errors:

```
Error Analyzing Sysmon logs
ERROR:root:Traceback (most recent call last):
  File "APT-Hunter.py", line 130, in evtxdetect_auto
  File "lib\EvtxDetection.py", line 3082, in detect_events_Sysmon_log
NameError: name 'user' is not defined
```

https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/APT-Hunter.py#L130 https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/lib/EvtxDetection.py#L3082

Also, despite the below message indicating otherwise, there was no CSV output to be found.

```
Time Sketch Report saved as V:\EVTX\APTHunterTest_TimeSketch.csv
Logon Events Report saved as V:\EVTX\APTHunterTest_Logon_Events.csv
Report saved as V:\EVTX\APTHunterTest_Report.xlsx
```

So I think something might be wrong 🤷
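The two symptoms in this report (a `NameError` on a field that some events do not carry, and a "Report saved" message printed without the file actually existing) are both common pitfalls when writing detection tooling over Windows event logs. The following is an added illustration, not APT-Hunter's own code, of how a report writer can avoid both: every output column is initialised from the event with a default, so a Sysmon event missing a field produces an empty cell rather than an undefined name, and the "saved" message is only emitted after the CSV has been re-opened and its line count checked. The Sysmon-style records, the `build_rows` and `save_csv_report` names and the column set are all assumptions made for this example.

```python
import csv
import tempfile
from pathlib import Path

# Constructed sample of parsed Sysmon records (EventID 1 = process creation,
# EventID 3 = network connection). Field names follow Sysmon EventData naming;
# the second record deliberately lacks a "User" field.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami", "User": r"LAB\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 3, "Image": r"C:\tools\x.exe", "DestinationIp": "10.0.0.5"},
]

REPORT_COLUMNS = ["Image", "CommandLine", "User"]


def build_rows(events):
    """Flatten process-creation events into report rows.

    Every column is read with .get() and a default, so a field that is absent
    from a particular event (as "User" is above) yields "" instead of raising
    at report time.
    """
    rows = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        rows.append({col: ev.get(col, "") for col in REPORT_COLUMNS})
    return rows


def save_csv_report(rows, path):
    """Write rows to a CSV file and verify the result before reporting success.

    Returns the number of lines actually present in the written file
    (header + rows). Raises instead of printing a misleading "saved" message
    if the file is missing or incomplete.
    """
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=REPORT_COLUMNS)
        writer.writeheader()
        writer.writerows(rows)

    # Re-open and check: the file must exist and contain header + one line per row.
    if not path.is_file():
        raise RuntimeError(f"report not written: {path}")
    with path.open(encoding="utf-8") as fh:
        line_count = sum(1 for _ in fh)
    expected = len(rows) + 1
    if line_count != expected:
        raise RuntimeError(
            f"report {path} has {line_count} lines, expected {expected}")
    print(f"Report saved as {path} ({len(rows)} rows)")
    return line_count


def run_demo():
    """Build rows from the constructed sample and write them to a temp file."""
    rows = build_rows(SAMPLE_EVENTS)
    with tempfile.TemporaryDirectory() as tmp:
        line_count = save_csv_report(rows, Path(tmp) / "demo_Report.csv")
    return rows, line_count


if __name__ == "__main__":
    run_demo()
```

The same verify-then-announce pattern applies to every artefact a tool claims to have produced; if the writer of the Excel report had checked for the file before printing the message above, the second symptom would have surfaced as an error in the tool's own output rather than as a missing file for the user.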

ahmedkhlief commented 2 years ago

Thanks for your feedback, I fixed the issue. Kindly check and let me know.