ARTHIR: ATT&CK Remote Threat Hunting Incident Response Windows Tool


ArTHIR is a modular framework that can be used remotely against one or many target systems to perform threat hunting, incident response, compromise assessments, configuration, containment, and any other activities you can conjure up, using built-in PowerShell (any version) and Windows Remote Management (WinRM).

ArTHIR is an improvement on the well-known tool Kansa, with more capabilities than just running PowerShell scripts. ArTHIR makes it easier to push and execute any binary remotely and retrieve the output!

One goal of ArTHIR is for you to map your threat hunting and incident response modules to the MITRE ATT&CK Framework. Map your modules to one or more tactic and technique IDs, then fill in your MITRE ATT&CK Matrix to show your capabilities and the gaps needing improvement.

Have an idea for a module? Have a utility you want to run remotely but no easy way to do it at volume? ArTHIR provides you this capability. ArTHIR is an open source project hosted on GitHub, and everyone is encouraged to contribute and build modules, share ideas, and request updates. There is even a Slack page to ask questions, share ideas, and collaborate.

Included in ArTHIR are all the original Kansa modules, and several LOG-MD free edition modules. Also included is a template of some key items you will need to build your own PowerShell or utility modules.

Michael Gough
NCC Group

Michael Gough is a malware archaeologist, Blue Team defender, incident responder and logoholic for NCC Group. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael presents at many security and technology conferences, helping to educate attendees on security practices they can go back to work and actually do. Michael is a primary contributor to the open source project ARTHIR. Michael is also co-developer of LOG-MD, a free and premium tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael is co-host of “THE Incident Response Podcast”. In addition, Michael ran the BSides Texas entity (Austin, San Antonio, Dallas and Houston) for six years and was lead for the Austin conference.