explaingit

barnacules/threathunter

Analysis updated 2026-05-18

1PythonAudience · ops devopsComplexity · 3/5Setup · moderate

TLDR

A read-only Windows security scanner that checks for persistence, hidden processes, and network beaconing, without modifying the system.

Mindmap

mindmap
  root((ThreatHunter))
    What it does
      Read only scanning
      No system changes
      Structured findings
    Detectors
      Persistence sweep
      Hidden process detection
      Beaconing detection
      ETW monitoring
    Tech stack
      Python
      Windows APIs
      YARA
    Output
      Console
      JSONL
      Syslog
      Webhook

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Sweep a Windows machine for common persistence mechanisms attackers use to survive reboots.

USE CASE 2

Detect hidden processes that a rootkit may be trying to conceal from normal process listings.

USE CASE 3

Flag network connections with the steady timing pattern typical of malware command-and-control traffic.

USE CASE 4

Feed structured findings into a SIEM or log pipeline through syslog, webhook, or JSONL output.

What is it built with?

PythonWindowsYARAETW

How does it compare?

barnacules/threathuntera-bissell/unleash-liteabhiinnovates/whatsapp-hr-assistant
Stars111
LanguagePythonPythonPython
Setup difficultymoderatehardhard
Complexity3/54/53/5
Audienceops devopsresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Windows only, some detectors need a C toolchain for yara-python or an elevated Administrator terminal for full coverage.

The README does not state a license for the project.

In plain English

ThreatHunter is a passive, read-only security scanning tool for Windows machines. It is built for blue teams, incident responders, and security-minded users who want to check a system for signs of attacker activity. It does not modify the system in any way: it does not quarantine anything, kill processes, or open network ports. It only reports what it finds and leaves decisions to the person reading the output. The tool runs several detectors at once. A persistence sweep checks the places attackers commonly use to survive a reboot, such as registry run keys, Startup folders, Winlogon entries, scheduled tasks, services, and WMI subscriptions. A hidden process detector cross-checks the kernel's process list against several Windows enumeration methods to catch processes that rootkits try to hide. A driver inspector checks digital signatures on loaded drivers. A file scanner measures file entropy to flag packed or obfuscated binaries, and can optionally run YARA rule matching plus VirusTotal reputation lookups if you provide your own free VirusTotal API key. A network beaconing detector flags connections with the steady, low-jitter timing pattern typical of malware calling home. An ETW monitor watches Windows event channels, including Sysmon and Defender, for real-time process and file activity. Findings can be sent to the console, a rotating log file, a JSONL file, syslog, or a webhook. By default the console stays quiet, showing only medium-severity or higher findings plus a heartbeat line once a minute summarizing how many files, processes, and connections have been checked so far. ThreatHunter needs Windows 10, 11, or Server 2019 or newer, along with Python 3.10 or later. It works best run from an elevated Administrator terminal, since that gives it full visibility into kernel structures and system processes, though it will still run with reduced coverage without elevated privileges.

Copy-paste prompts

Prompt 1
Explain what ThreatHunter's persistence sweep checks for on a Windows machine and why each location matters.
Prompt 2
Help me install ThreatHunter's dependencies on Windows, including handling yara-python if it fails to build.
Prompt 3
Walk me through configuring ThreatHunter's config.toml for custom output sinks like syslog or a webhook.
Prompt 4
How does ThreatHunter's network beaconing detector use coefficient of variation to flag suspicious connections?

Frequently asked questions

What is threathunter?

A read-only Windows security scanner that checks for persistence, hidden processes, and network beaconing, without modifying the system.

What language is threathunter written in?

Mainly Python. The stack also includes Python, Windows, YARA.

What license does threathunter use?

The README does not state a license for the project.

How hard is threathunter to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is threathunter for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.