Skip to content

ethack/tht

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

402 Commits

.github

.github

 
 

bin

bin

 
 

cron

cron

 
 

docs

docs

 
 

scripts

scripts

 
 

test

test

 
 

zsh

zsh

 
 

.cache-buster

.cache-buster

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

cheatsheets

cheatsheets

 
 

tht

tht

 
 

Repository files navigation

Threat Hunting Toolkit

GitHub | DockerHub | Docs

Docker Image Size Docker Pull Count MIT license

The Threat Hunting Toolkit (THT) is a Swiss Army knife for threat hunting, log processing, and security-focused data science. It incorporates many CLI tools into one place for ease of deployment and includes wrappers and convenience features for ease of use. It comes packaged as a Docker image that can be deployed with a single command. Spend less time struggling with installation, configuration, or environment differences, and more on filtering, slicing, and data stacking.

Features

🧰 Easy to Install

  • Small - Keep download size under 300 MB.
  • Portable - Works across a variety of systems thanks to Docker.

📖 Fast to Learn

  • Consistent - Get the same configuration on every system, which means a familiar environment everywhere.
  • Format Agnostic - Avoid swapping between similar tools with annoying syntax variations for different formats including Zeek, CSV, TSV, and JSON.
  • Remove Boilerplate - Remove the boilerplate for common use cases with the included scripts, functions, and aliases.
  • Documented - There are cheatsheets and documentation available to get started right away.

🚀 Fast to Run

  • Optimized - Everything is benchmarked to find the fastest methods when there are several options.
  • Parallel - Many of the components take advantage of multiple CPU cores to process data in parallel.

Usage

The recommended method is to use the tht wrapper script included in the repo.

Install

sudo curl -o /usr/local/bin/tht https://raw.githubusercontent.com/ethack/tht/main/tht && sudo chmod +x /usr/local/bin/tht

Run

tht

Update

tht update
You can also start THT with a docker command.

From DockerHub

docker run \
    --rm -it \
    -h $(hostname) \
    --init \
    --pid host \
    -v /etc/localtime:/etc/localtime \
    -v /:/host \
    -w "/host/$(pwd)" \
    ethack/tht

From GitHub Container Registry

docker run \
    --rm -it \
    -h $(hostname) \
    --init \
    --pid host \
    -v /etc/localtime:/etc/localtime \
    -v /:/host \
    -w "/host/$(pwd)" \
    ghcr.io/ethack/tht

However, you will lose all the convenience features the tht wrapper script provides.

If you'd like to build the image or documentation manually, see here.

Documentation

For the current documentation, see here.

These pages are good place to get the lay of the land:

License

The source code in this project is licensed under the MIT license.

The documentation is licensed under the CC BY-NC-SA 4.0 license.

About

Threat Hunting Toolkit is a Swiss Army knife for threat hunting, log processing, and security-focused data science

ethack.github.io/tht/

Topics

docker threat-hunting zeek

Resources

Readme

License

MIT license
Activity

Stars

117 stars

Watchers

10 watching

Forks

19 forks
Report repository

Contributors 2

Languages