Introducing ArTHIR – ATT&CK Remote Threat Hunting Incident Response Windows tool, presented at BSidesAustin 2019

by Michael Gough,

Summary: ArTHIR (ATT&CK Remote Threat Hunting Incident Response) is a modular framework that runs remotely against one or many Windows target systems to perform threat hunting, incident response, compromise assessments, configuration, containment, and any other activity you can conjure up, using only built-in PowerShell (any version) and Windows Remote Management (WinRM).

It builds on the well-known Kansa framework but goes beyond running PowerShell scripts: ArTHIR makes it easy to push any binary to the targets, execute it remotely, and retrieve the output.

One goal of ArTHIR is to map your threat hunting and incident response modules to the MITRE ATT&CK framework. Map each module to one or more Tactic and Technique IDs, then fill in your MITRE ATT&CK matrix to see which capabilities you have and which gaps need improvement.

Have an idea for a module? Have a utility you want to run remotely but no easy way to do it at volume? ArTHIR gives you that capability. It is an open-source project hosted on GitHub, and everyone is encouraged to contribute and build modules, share ideas, and request updates. There is even a Slack for asking questions, sharing ideas, and collaborating.
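The core mechanism the summary describes (push a binary over WinRM, run it on many hosts, bring the output back, and record which ATT&CK Tactics and Techniques the module covers) can be shown with nothing but built-in PowerShell cmdlets. The block below is an added illustration written for this page; it is not ArTHIR's own code and does not use its module format. The host names, tool path, arguments and module name are hypothetical placeholders, and it assumes WinRM is enabled on the targets and that the caller is a local administrator there.

```powershell
# Added example, not ArTHIR's own code: push a console binary to remote Windows
# hosts over WinRM, run it, pull the output back, and tag the result with the
# MITRE ATT&CK IDs the module covers. Only built-in cmdlets are used.
# Assumptions (hypothetical): WinRM is enabled on the targets, the caller is a
# local administrator there, and the host names, tool path and arguments below
# are placeholders you replace with your own.

function Invoke-RemoteBinary {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][hashtable]$Module,   # Name, Binary, Args, Tactics, Techniques
        [string]$OutDir = (Join-Path $env:TEMP 'hunt-output'),
        [PSCredential]$Credential
    )

    # Read the tool once locally. Its bytes travel inside the WinRM message, so this
    # works even where the target's PowerShell predates Copy-Item -ToSession (5.0).
    $bytes   = [System.IO.File]::ReadAllBytes($Module.Binary)
    $exeName = [System.IO.Path]::GetFileName($Module.Binary)

    # This block executes on each target: write the binary to a temp path, run it,
    # capture stdout+stderr and the exit code, then remove the file again.
    $remote = {
        param([byte[]]$Bytes, [string]$ExeName, [string[]]$ToolArgs)
        $path = Join-Path (Join-Path $env:SystemRoot 'Temp') $ExeName
        [System.IO.File]::WriteAllBytes($path, $Bytes)
        try {
            $text = & $path @ToolArgs 2>&1 | Out-String
            $code = $LASTEXITCODE
        } finally {
            Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
        }
        # New-Object PSObject keeps the remote side compatible with old PowerShell.
        New-Object PSObject -Property @{
            ComputerName = $env:COMPUTERNAME
            ExitCode     = $code
            Output       = $text
        }
    }

    $params = @{
        ComputerName = $ComputerName
        ScriptBlock  = $remote
        ArgumentList = @($bytes, $exeName, $Module.Args)
        ErrorAction  = 'Continue'   # one unreachable host must not stop the sweep
    }
    if ($Credential) { $params.Credential = $Credential }

    # Invoke-Command fans out to the targets in parallel (ThrottleLimit 32 by default).
    $results = Invoke-Command @params

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($r in $results) {
        $file = Join-Path $OutDir ("{0}_{1}.txt" -f $r.ComputerName, $Module.Name)
        Set-Content -Path $file -Value $r.Output
        # Attach the ATT&CK mapping so coverage can be rolled up into a matrix later.
        $r | Add-Member -NotePropertyName Tactics    -NotePropertyValue $Module.Tactics
        $r | Add-Member -NotePropertyName Techniques -NotePropertyValue $Module.Techniques
        $r | Add-Member -NotePropertyName OutputFile -NotePropertyValue $file -PassThru
    }
}

# Hypothetical module definition: any console tool works here. The ATT&CK IDs are
# the ones this module's output lets you hunt for (TA0003 Persistence,
# T1547.001 Registry Run Keys / Startup Folder).
$module = @{
    Name       = 'Get-AutostartEntries'
    Binary     = 'C:\Tools\tool.exe'
    Args       = @('/list')
    Tactics    = @('TA0003')
    Techniques = @('T1547.001')
}

Invoke-RemoteBinary -ComputerName 'WKS01', 'WKS02' -Module $module |
    Select-Object ComputerName, ExitCode, Techniques, OutputFile
```

Two practical caveats: the binary is serialised inside the WinRM request, so it is bounded by the service's MaxEnvelopeSizekb setting (500 KB by default); for larger tools either raise that setting or, on PowerShell 5.0 and later targets, copy the file with Copy-Item -ToSession over an explicit PSSession first. The remote block also deletes the binary in a finally clause so a failed run does not leave your tooling behind on the host.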