PowerShell threat-hunting

Open-source PowerShell projects categorized as threat-hunting

Top 6 PowerShell threat-hunting Projects

  • sysmon-modular

    A repository of sysmon configuration modules

  • Project mention: Sysmon 15.0 is out now with advanced features | /r/sysadmin | 2023-06-29

    I was specifically using the https://github.com/olafhartong/sysmon-modular config, but once we started seeing systems crash I tried building extremely minimal configs and still found them causing hangs.

  • AzureHunter

    A cloud forensics PowerShell module to run threat-hunting playbooks on data from Azure and O365

  • sysmon-config

    Advanced Sysmon ATT&CK configuration focused on detecting the most techniques per data source in MITRE ATT&CK, providing visibility into forensic artifact events for UEBA, detecting exploitation events with wide CVE coverage, and risk scoring of CVE, UEBA, forensic, and MITRE ATT&CK events. (by ion-storm)

  • DetectionLabELK

    DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.

  • EventLogging

    Automation scripts to deploy Windows Event Forwarding, Sysmon, and custom audit policies in an Active Directory environment.

  • Purpleteam

    Purpleteam scripts simulation & Detection - trigger events for SOC detections

NOTE: The open-source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

Index

What are some of the best open-source threat-hunting projects in PowerShell? This list will help you:

  #  Project          Stars
  1  sysmon-modular   2,485
  2  AzureHunter        755
  3  sysmon-config      749
  4  DetectionLabELK    525
  5  EventLogging       446
  6  Purpleteam         120
