barnacules/threathunter — explained in plain English
Analysis updated 2026-05-18
Sweep a Windows machine for common persistence mechanisms attackers use to survive reboots.
Detect hidden processes that a rootkit may be trying to conceal from normal process listings.
Flag network connections with the steady timing pattern typical of malware command-and-control traffic.
Feed structured findings into a SIEM or log pipeline through syslog, webhook, or JSONL output.
| barnacules/threathunter | a-bissell/unleash-lite | abhiinnovates/whatsapp-hr-assistant | |
|---|---|---|---|
| Stars | 1 | 1 | 1 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | hard | hard |
| Complexity | 3/5 | 4/5 | 3/5 |
| Audience | ops devops | researcher | developer |
Figures from each repo's GitHub metadata at analysis time.
Windows only, some detectors need a C toolchain for yara-python or an elevated Administrator terminal for full coverage.
ThreatHunter is a passive, read-only security scanning tool for Windows machines. It is built for blue teams, incident responders, and security-minded users who want to check a system for signs of attacker activity. It does not modify the system in any way: it does not quarantine anything, kill processes, or open network ports. It only reports what it finds and leaves decisions to the person reading the output. The tool runs several detectors at once. A persistence sweep checks the places attackers commonly use to survive a reboot, such as registry run keys, Startup folders, Winlogon entries, scheduled tasks, services, and WMI subscriptions. A hidden process detector cross-checks the kernel's process list against several Windows enumeration methods to catch processes that rootkits try to hide. A driver inspector checks digital signatures on loaded drivers. A file scanner measures file entropy to flag packed or obfuscated binaries, and can optionally run YARA rule matching plus VirusTotal reputation lookups if you provide your own free VirusTotal API key. A network beaconing detector flags connections with the steady, low-jitter timing pattern typical of malware calling home. An ETW monitor watches Windows event channels, including Sysmon and Defender, for real-time process and file activity. Findings can be sent to the console, a rotating log file, a JSONL file, syslog, or a webhook. By default the console stays quiet, showing only medium-severity or higher findings plus a heartbeat line once a minute summarizing how many files, processes, and connections have been checked so far. ThreatHunter needs Windows 10, 11, or Server 2019 or newer, along with Python 3.10 or later. It works best run from an elevated Administrator terminal, since that gives it full visibility into kernel structures and system processes, though it will still run with reduced coverage without elevated privileges.
A read-only Windows security scanner that checks for persistence, hidden processes, and network beaconing, without modifying the system.
Mainly Python. The stack also includes Python, Windows, YARA.
The README does not state a license for the project.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.