andranglin/Custodian-HT

Comprehensive Threat Hunting & DFIR Toolkit for Windows/Linux. Automates artifact collection, triage, and analysis with KAPE, Hayabusa, and Volatility.

Custodian-HT

Threat Hunting and Digital Forensics Toolkit for Windows and Linux

Features • Quick Start • Documentation • Requirements • License



Overview

Custodian-HT is a comprehensive, modular threat hunting and digital forensics toolkit designed for SOC analysts, DFIR investigators, and security professionals. It provides an interactive menu-driven interface for rapid triage, artifact collection, and threat hunting across Windows and Linux systems, both locally and remotely.

Built for real-world incident response scenarios, Custodian-HT integrates with industry-standard tools like KAPE, Hayabusa, Chainsaw, Eric Zimmerman's tools, Volatility3, and YARA to provide a complete forensic analysis workflow.

Features

πŸ” Local Operations

Feature Description
Quick Triage Comprehensive system triage with automated HTML report generation
Collection Modules Network, Event Logs, System Artifacts, Persistence, Browser Extensions
Hunt Playbooks Guided threat hunting for Ransomware, Lateral Movement, Credential Access, and more
Analysis Tools Integration with Hayabusa, Chainsaw, YARA, Sigma, EZTools, Volatility3
OSINT Integration VirusTotal, AbuseIPDB, URLhaus, AlienVault OTX lookups

🖥️ Windows Remote Hunting

| Feature | Description |
| --- | --- |
| WinRM Connection | PowerShell Remoting with Kerberos/NTLM authentication |
| PSExec Connection | SMB-based alternative when WinRM is unavailable |
| Remote Triage | Execute collection modules on remote Windows systems |
| Remote KAPE | Deploy and run KAPE on remote systems, retrieve results |
| Script Deployment | Deploy custom PowerShell scripts for collection |
| Hash Search | Search for IOCs by hash across remote systems |
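The WinRM connection and hash search rows above, shown as an added example (not Custodian-HT's own code): a PowerShell Remoting session is opened with Kerberos first and falls back to NTLM with explicit credentials, then a script block hashes files on the target and returns only those matching an IOC list, so nothing but the hits crosses the wire. The host names, search roots and size cap are constructed values; the single hash is the well-known SHA-256 of the EICAR test file.

```powershell
# Added example, not Custodian-HT's own code: hunt for known-bad SHA-256 hashes
# on remote Windows hosts over WinRM, trying Kerberos first and falling back to
# NTLM with explicit credentials. Host names, search roots and the size cap are
# constructed values; the one hash is the well-known EICAR test file.

$targets     = @('ws01.corp.example', 'ws02.corp.example')      # hypothetical hosts
$iocHashes   = @('275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F')  # EICAR
$searchRoots = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp')
$maxSizeMB   = 50                                               # skip hashing very large files
$outFile     = ".\Output\Collection\hash-hunt-$(Get-Date -Format yyyyMMdd-HHmmss).csv"

function New-HuntSession {
    param([string]$ComputerName, [pscredential]$Credential)
    try {
        # Kerberos needs a domain-joined target addressed by host name (not IP address).
        return New-PSSession -ComputerName $ComputerName -Authentication Kerberos -ErrorAction Stop
    } catch {
        Write-Warning "Kerberos to $ComputerName failed ($($_.Exception.Message)); retrying with NTLM"
        # NTLM to a workgroup host also requires it in the client's WSMan TrustedHosts list.
        return New-PSSession -ComputerName $ComputerName -Authentication Negotiate `
                             -Credential $Credential -ErrorAction Stop
    }
}

# Runs on the target: walk the roots, hash candidate files, return only matches.
$huntBlock = {
    param([string[]]$Hashes, [string[]]$Roots, [int]$MaxSizeMB)
    $wanted = [System.Collections.Generic.HashSet[string]]::new(
        $Hashes, [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le ($MaxSizeMB * 1MB) } |
            ForEach-Object {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($h -and $wanted.Contains($h)) {
                    [pscustomobject]@{
                        Computer    = $env:COMPUTERNAME
                        Path        = $_.FullName
                        SHA256      = $h
                        SizeBytes   = $_.Length
                        ModifiedUtc = $_.LastWriteTimeUtc
                    }
                }
            }
    }
}

$cred = Get-Credential -Message 'Account for NTLM fallback (only used if Kerberos fails)'
$results = foreach ($t in $targets) {
    $s = $null
    try {
        $s = New-HuntSession -ComputerName $t -Credential $cred
        # Each array is passed as one argument because the list is comma-separated.
        Invoke-Command -Session $s -ScriptBlock $huntBlock -ArgumentList $iocHashes, $searchRoots, $maxSizeMB
    } catch {
        Write-Warning "Skipping $t : $($_.Exception.Message)"
    } finally {
        if ($s) { Remove-PSSession $s }
    }
}

if ($results) {
    $results | Export-Csv -Path $outFile -NoTypeInformation
    $results | Format-Table Computer, Path, SHA256 -AutoSize
} else {
    Write-Host 'No IOC hash matches on any target.'
}
```

Hashing is done on the target rather than copying files back, and the size cap keeps a runaway hunt over `C:\Users` from hashing every ISO and VM image it finds; widen the roots or raise the cap only once the quick pass is clean.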

🐧 Linux Remote Hunting

| Feature | Description |
| --- | --- |
| SSH Connection | Key-based and password authentication with smart fallback |
| Full System Triage | Deploy collection script, execute, retrieve artifacts |
| AVML Memory Capture | Remote Linux memory acquisition |
| Quick Triage | Live forensic commands executed via SSH |
| Hash Search | Search for IOCs across remote Linux filesystems |
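The SSH connection fallback and the quick triage rows, shown as an added example (not Custodian-HT's own code or its `Custodian-linux.sh`): key authentication is tried non-interactively first, a password prompt is used only if the key is rejected, and one bash script is piped over a single SSH session so no command needs quoting on the PowerShell side. The host, account and key path are placeholders; the checks are a representative set, not the toolkit's list.

```powershell
# Added example, not Custodian-HT's own code: run a set of live triage commands
# on a Linux host over SSH in one session, preferring key authentication and
# falling back to an interactive password prompt, then split the output into
# per-check files under Output\Triage. Target, user and key path are placeholders.

$target  = 'lnx01.corp.example'                 # hypothetical host
$user    = 'ir'                                 # hypothetical account
$keyPath = Join-Path $HOME '.ssh\id_ed25519'
$outDir  = ".\Output\Triage\$target-$(Get-Date -Format yyyyMMdd-HHmmss)"

function Get-SshArgs {
    param([string]$User, [string]$Target, [string]$KeyPath)
    # BatchMode=yes makes ssh fail instead of prompting, so a rejected key is detected at once.
    $keyArgs = @('-o', 'BatchMode=yes', '-o', 'ConnectTimeout=10', '-i', $KeyPath, "$User@$Target")
    & ssh @keyArgs 'true' 2>$null
    if ($LASTEXITCODE -eq 0) { return $keyArgs }
    Write-Warning "Key authentication to $Target failed; ssh will prompt for the password of $User"
    return @('-o', 'ConnectTimeout=10', '-o', 'PreferredAuthentications=password,keyboard-interactive', "$User@$Target")
}

# Checks to run; $SUDO is set on the remote side to "sudo -n" only when passwordless sudo works,
# so a check that needs root degrades to unprivileged output instead of hanging on a prompt.
$checks = [ordered]@{
    'system'    = 'uname -a; cat /etc/os-release; uptime; date -u'
    'logons'    = 'who -a; $SUDO last -n 30 -F'
    'processes' = 'ps -eo pid,ppid,user,lstart,etime,args --sort=start_time'
    'network'   = '$SUDO ss -tulpan'
    'cron'      = 'for u in $(cut -d: -f1 /etc/passwd); do $SUDO crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"; done; ls -la /etc/cron*'
    'ssh-keys'  = '$SUDO find / -xdev -name authorized_keys -exec sh -c ''echo "== $1"; cat "$1"'' _ {} \;'
    'tmp-dirs'  = 'ls -la /tmp /var/tmp /dev/shm'
    'auth-log'  = '$SUDO tail -n 300 /var/log/auth.log /var/log/secure 2>/dev/null'
}

function Invoke-LinuxQuickTriage {
    param([string[]]$SshArgs, [System.Collections.Specialized.OrderedDictionary]$Checks, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # One script piped over stdin: a single SSH session, and no quoting of commands
    # on the PowerShell side. Section markers let the output be split locally.
    $lines = @(
        'if sudo -n true 2>/dev/null; then SUDO="sudo -n"; else SUDO=""; echo "### WARN no passwordless sudo; running unprivileged"; fi'
    )
    foreach ($name in $Checks.Keys) {
        $lines += "echo '### BEGIN $name'"
        $lines += "{ $($Checks[$name]) ; } 2>&1"
        $lines += "echo '### END $name'"
    }
    $raw = (($lines -join "`n") + "`n") | & ssh @SshArgs 'bash -s'
    if ($LASTEXITCODE -ne 0) { Write-Warning "ssh exited with code $LASTEXITCODE" }
    Set-Content -Path (Join-Path $OutDir 'quick-triage.raw.txt') -Value ($raw -join "`n")
    $section = $null; $buffer = @()
    foreach ($line in $raw) {
        if     ($line -match '^### BEGIN (\S+)$') { $section = $Matches[1]; $buffer = @() }
        elseif ($line -match '^### END (\S+)$')   { Set-Content -Path (Join-Path $OutDir "$section.txt") -Value ($buffer -join "`n"); $section = $null }
        elseif ($section)                          { $buffer += $line }
        elseif ($line -like '### WARN*')           { Write-Warning $line }
    }
    Get-ChildItem -Path $OutDir
}

$sshArgs = Get-SshArgs -User $user -Target $target -KeyPath $keyPath
Invoke-LinuxQuickTriage -SshArgs $sshArgs -Checks $checks -OutDir $outDir
```

Because the script arrives on stdin, a password or host-key prompt still works (ssh reads those from the terminal, not stdin), and the raw transcript is kept alongside the split files so the exact remote output is preserved if the marker parsing ever misses a section.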

📦 KAPE & Memory

| Feature | Description |
| --- | --- |
| Local KAPE Collection | Triage, Full, or Custom collection modes |
| Remote KAPE Deployment | Deploy, execute, and retrieve KAPE from remote systems |
| Memory Capture | DumpIt and Magnet RAM Capture support with Secure Boot detection |
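A local KAPE triage collection followed by the readiness checks a memory capture needs, as an added example (not Custodian-HT's own code). It assumes KAPE sits under `Tools\kape\` as the README describes and that you run it from the Custodian-HT directory; the KAPE target (`!SANS_Triage`) and zip base name are choices made here, not the toolkit's. The Secure Boot check is the one the Memory Capture row refers to: from Windows 10 1607 on, a kernel driver loads under Secure Boot only if it carries a Microsoft signature, so the state is worth recording before a capture tool tries to load its driver.

```powershell
# Added example, not Custodian-HT's own code: a local KAPE triage collection
# followed by the checks a memory capture needs. Tools\ and Output\ paths follow
# the README layout; run from the Custodian-HT directory. The KAPE target and
# zip base name are assumptions.

$root   = Get-Location
$kape   = Join-Path $root 'Tools\kape\kape.exe'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $root "Output\Collection\$env:COMPUTERNAME-$stamp"

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-LocalKapeTriage {
    param([string]$KapePath, [string]$Destination, [string]$Target = '!SANS_Triage', [string]$ZipName = 'triage')
    if (-not (Test-Path -LiteralPath $KapePath)) { throw "KAPE not found at $KapePath; place it under Tools\kape\" }
    if (-not (Test-IsElevated)) { throw 'Run elevated: KAPE reads locked files such as $MFT and the registry hives' }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # --vss also collects from volume shadow copies; --zip packages the result in tdest.
    & $KapePath --tsource C: --tdest $Destination --target $Target --vss --zip $ZipName
    if ($LASTEXITCODE -ne 0) { throw "KAPE exited with code $LASTEXITCODE" }
    $zip = Get-ChildItem -Path $Destination -Filter '*.zip' | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $zip) { throw 'KAPE finished but produced no zip archive' }
    # Record the archive hash immediately so later copies can be verified against it.
    $hash = (Get-FileHash -LiteralPath $zip.FullName -Algorithm SHA256).Hash
    "$hash  $($zip.Name)" | Set-Content -Path (Join-Path $Destination 'SHA256SUMS.txt')
    [pscustomobject]@{ Archive = $zip.FullName; SHA256 = $hash; SizeMB = [math]::Round($zip.Length / 1MB, 1) }
}

function Get-MemoryCaptureReadiness {
    param([string]$OutputDrive = 'C')
    # DumpIt and Magnet RAM Capture load a kernel driver; with Secure Boot on (Windows 10 1607+)
    # only a Microsoft-signed driver loads, so record the state before attempting a capture.
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $null }  # $null: legacy BIOS or unsupported
    $ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $freeBytes = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${OutputDrive}:'").FreeSpace
    [pscustomobject]@{
        SecureBoot  = $secureBoot
        RamGB       = [math]::Round($ramBytes / 1GB, 1)
        FreeGB      = [math]::Round($freeBytes / 1GB, 1)
        # A raw dump is at least the size of physical RAM; keep headroom for the tool's own files.
        EnoughSpace = $freeBytes -gt ($ramBytes * 1.2)
    }
}

Invoke-LocalKapeTriage -KapePath $kape -Destination $outDir | Format-List
$ready = Get-MemoryCaptureReadiness -OutputDrive 'C'
$ready | Format-List
if ($ready.SecureBoot) { Write-Warning 'Secure Boot is on: an unsigned or revoked capture driver will be refused' }
if (-not $ready.EnoughSpace) { Write-Warning "Free space ($($ready.FreeGB) GB) is below RAM size ($($ready.RamGB) GB); capture to another volume" }
```

Order matters on a live host: memory first if you intend to capture it at all, since the KAPE run itself churns page cache and process memory; the example runs KAPE first only to keep the two functions independent.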

🔬 Scanning & Detection

| Feature | Description |
| --- | --- |
| Loki-RS Scanner | IOC scanning with YARA rules (local and remote) |
| yarGen | YARA rule generation from samples |
| Sigma Rules | Detection rule conversion and deployment |

📊 Vulnerability Intelligence

| Feature | Description |
| --- | --- |
| Patch Tuesday Analysis | Microsoft monthly vulnerability analysis and reporting |

Quick Start

Installation

# Clone the repository
git clone https://github.com/andranglin/Custodian-HT.git
cd Custodian-HT

# Run the initialization script
.\Initialize-CustodianHT.ps1

# Launch the toolkit
.\Custodian-HTLauncher.ps1

First Run

  1. Configure API Keys (optional): Edit Config\Custodian-HT.json to add your VirusTotal, AbuseIPDB, and other API keys for OSINT lookups.

  2. Install External Tools (optional): Place tools in the Tools\ directory:

    • Tools\kape\ - KAPE
    • Tools\hayabusa\ - Hayabusa
    • Tools\chainsaw\ - Chainsaw
    • Tools\yara\ - YARA
    • Tools\PSTools\ - Sysinternals PSExec
    • Tools\DumpIt\ - Memory capture tools
  3. Launch: Run .\Custodian-HTLauncher.ps1 and select your operation from the interactive menu.

Screenshots


Main Menu

  [ASCII art banner: CUSTODIAN-HT]

  Threat Hunting and DFIR Toolkit v2.2.18
  RootGuard Cyber Defence

  Target: localhost

  LOCAL OPERATIONS
  [1] Quick Triage            - Comprehensive system triage + HTML report
  [2] Collection Modules      - Network, Logs, System, Persistence
  [3] Hunt Playbooks          - Guided threat hunting scenarios
  [4] Analysis Tools          - Hayabusa, Chainsaw, YARA, Sigma
  [5] EZTools                 - Eric Zimmerman's forensic tools
  [6] OSINT                   - Threat intelligence lookups

  REMOTE OPERATIONS
  [7] Windows Remote          - WinRM hunting (hybrid: modules + deployment)
  [8] Linux Remote            - SSH hunting (deployment-based)

  KAPE & MEMORY
  [K] KAPE Collection         - Local and remote KAPE acquisition
  [M] Memory Capture          - Local memory dump (DumpIt/MagnetRAM)

  SCANNING & DETECTION
  [S] Scanning Tools          - Loki-RS IOC scanner, yarGen rule generator

  VULNERABILITY INTELLIGENCE
  [P] Patch Tuesday           - Microsoft monthly vulnerability analysis

  [0] Exit

Requirements

System Requirements

  • Operating System: Windows 10/11 or Windows Server 2016+
  • PowerShell: 5.1 or 7.x (both supported)
  • Privileges: Administrator recommended for full functionality

For Remote Operations

| Target | Requirements |
| --- | --- |
| Windows (WinRM) | WinRM enabled (`Enable-PSRemoting -Force`), TCP 5985/5986 |
| Windows (PSExec) | Admin shares accessible (C$), TCP 445, PSExec.exe |
| Linux (SSH) | SSH service running, TCP 22, sudo privileges recommended |
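A pre-flight check for the table above, as an added example (not Custodian-HT's own code): it probes the WinRM, SMB and SSH ports, sends an unauthenticated WS-Man Identify request, and tests whether the `C$` share is reachable with the current token, then says which connection method the target supports. The host names are constructed placeholders.

```powershell
# Added example, not Custodian-HT's own code: check which remote-hunting paths
# (WinRM, PSExec/SMB, SSH) a target exposes before choosing a connection method.
# Host names are constructed placeholders.

function Test-PortOpen {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; Test-NetConnection is slower and also pings.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-HuntTarget {
    param([Parameter(Mandatory)][string]$ComputerName)
    $r = [ordered]@{ Computer = $ComputerName }
    # WinRM: HTTP 5985 / HTTPS 5986, plus a WS-Man Identify request (no authentication needed).
    $r.WinRM_5985 = Test-PortOpen $ComputerName 5985
    $r.WinRM_5986 = Test-PortOpen $ComputerName 5986
    try   { $r.WSManOK = [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction Stop) }
    catch { $r.WSManOK = $false }
    # PSExec path: SMB on 445 and the C$ admin share reachable with the current token.
    $r.SMB_445    = Test-PortOpen $ComputerName 445
    $r.AdminShare = Test-Path -LiteralPath "\\$ComputerName\C`$" -ErrorAction SilentlyContinue
    # Linux path: SSH on 22.
    $r.SSH_22     = Test-PortOpen $ComputerName 22
    $r.Method     = if ($r.WSManOK) { 'WinRM' } elseif ($r.AdminShare) { 'PSExec' } elseif ($r.SSH_22) { 'SSH' } else { 'none' }
    [pscustomobject]$r
}

# Kerberos fails against workgroup hosts; NTLM over WinRM then needs the host listed in the
# analyst box's TrustedHosts, e.g.:
#   Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'ws02.corp.example' -Concatenate
@('dc01.corp.example', 'ws02.corp.example', 'web01.corp.example') |
    ForEach-Object { Test-HuntTarget $_ } |
    Format-Table -AutoSize
```

`WSManOK` with the ports closed usually means a host firewall rather than a disabled service; an open 5985 with a failed Identify points the other way. Treat `AdminShare` as a test of your token as much as of the host: it is false for a non-admin account even when the share exists.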

Optional Tools

These tools enhance Custodian-HT's capabilities when placed in the Tools\ directory:

| Tool | Purpose | Download |
| --- | --- | --- |
| KAPE | Artifact collection | Kroll |
| Hayabusa | Event log analysis | GitHub |
| Chainsaw | Sigma-based hunting | GitHub |
| YARA | Pattern scanning | GitHub |
| EZTools | Forensic parsers | Eric Zimmerman |
| Volatility3 | Memory analysis | GitHub |
| PSExec | Remote execution | Sysinternals |
| DumpIt | Memory capture | Magnet Forensics |
| AVML | Linux memory capture | GitHub |
| Loki | IOC scanner | GitHub |

Directory Structure

Custodian-HT/
├── Custodian-HTLauncher.ps1    # Main launcher script
├── Custodian-HT.psm1           # Root module
├── Initialize-CustodianHT.ps1  # Setup script
├── Config/
│   └── Custodian-HT.json       # Configuration (API keys, paths)
├── Modules/
│   ├── CustodianCore.psm1      # Core functions
│   ├── CustodianNetwork.psm1   # Network collection
│   ├── CustodianSystem.psm1    # System artifacts
│   ├── CustodianEventLogs.psm1 # Event log collection
│   ├── CustodianPlaybooks.psm1 # Hunt playbooks
│   ├── CustodianOSINT.psm1     # Threat intelligence
│   ├── CustodianAnalysis.psm1  # Analysis tool wrappers
│   ├── CustodianScanning.psm1  # IOC scanning
│   ├── CustodianPatchTuesday.psm1 # Vulnerability intel
│   └── ...
├── Tools/                      # External tools directory
├── Output/                     # Collection output
│   ├── Triage/
│   ├── Collection/
│   ├── Memory/
│   └── Analysis/
├── Scripts/
│   ├── Custodian-linux.sh      # Linux triage script
│   └── Invoke-ThreatHunt.ps1   # Windows deployment script
└── docs/
    └── USER_GUIDE.md           # Detailed documentation

Documentation

Hunt Playbooks

Custodian-HT includes pre-built threat hunting playbooks:

| Playbook | Description |
| --- | --- |
| Ransomware Hunt | Encryption activity, shadow copy deletion, suspicious extensions |
| Lateral Movement | RDP, SMB, WMI, PsExec indicators |
| Persistence Hunt | Autoruns, scheduled tasks, services, WMI subscriptions |
| Credential Access | LSASS access, SAM dumps, Kerberos attacks |
| Data Exfiltration | Large files, archives, cloud storage activity |
| LOLBins Hunt | PowerShell, WMIC, CertUtil, BitsAdmin abuse |
| Webshell Hunt | Web directory anomalies, IIS log analysis |
| BEC Investigation | Email client artifacts, Outlook data |
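The shadow copy deletion check from the Ransomware Hunt row, as an added example (not the toolkit's playbook code): a regex matcher for the common recovery-tampering command lines, first exercised against a few constructed command lines as a self-test, then run over Security event 4688 (process creation). The `CommandLine` field is only populated when "Include command line in process creation events" auditing is enabled, which is assumed here.

```powershell
# Added example, not Custodian-HT's own code: detect shadow-copy and recovery
# tampering from process command lines, self-tested on constructed samples and
# then run over Security 4688 events. Requires process creation auditing with
# command line logging enabled for CommandLine to be present.

$shadowTamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*\.Delete\(',                       # PowerShell/WMI deletion
    'bcdedit(\.exe)?.*recoveryenabled\s+no',
    'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)'
)
$shadowTamperRegex = [regex]::new(($shadowTamperPatterns -join '|'), 'IgnoreCase')

function Test-ShadowCopyTampering {
    param([string]$CommandLine)
    return [bool]$CommandLine -and $shadowTamperRegex.IsMatch($CommandLine)
}

# Constructed sample command lines (not from any real incident) used as a self-test.
$samples = @(
    @{ Cmd = 'vssadmin.exe Delete Shadows /All /Quiet';                              Expect = $true  }
    @{ Cmd = 'C:\Windows\System32\wbem\WMIC.exe shadowcopy delete';                 Expect = $true  }
    @{ Cmd = 'bcdedit /set {default} recoveryenabled No';                           Expect = $true  }
    @{ Cmd = 'powershell -c "Get-WmiObject Win32_Shadowcopy | % { $_.Delete() }"';  Expect = $true  }
    @{ Cmd = 'vssadmin list shadows';                                               Expect = $false }
    @{ Cmd = 'wbadmin start backup -backupTarget:E:';                               Expect = $false }
)
foreach ($s in $samples) {
    if ((Test-ShadowCopyTampering $s.Cmd) -ne $s.Expect) { throw "self-test failed for: $($s.Cmd)" }
}

function Find-ShadowCopyTampering {
    param([datetime]$Since = (Get-Date).AddDays(-7), [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull named EventData fields out of the event XML rather than parsing the message text.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if (Test-ShadowCopyTampering $d.CommandLine) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process     = $d.NewProcessName
                Parent      = $d.ParentProcessName
                CommandLine = $d.CommandLine
            }
        }
    }
}

Find-ShadowCopyTampering -Since (Get-Date).AddDays(-30) | Format-Table Time, User, Parent, CommandLine -Wrap
```

The parent process is included because it is the fastest way to separate backup software running `vssadmin` from an Office or browser child doing it; the same matcher can be pointed at Sysmon event 1 `CommandLine` data where Sysmon is deployed.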

Contributing

Contributions are welcome! Please read our Contributing Guide for details on:

  • Code style and standards
  • Submitting pull requests
  • Reporting bugs
  • Requesting features

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

Disclaimer

This tool is provided for legitimate security testing and incident response purposes only. Users are responsible for ensuring they have proper authorization before using this tool on any system. The authors are not responsible for any misuse or damage caused by this tool.


RootGuard Cyber Defence
Threat Hunting • Detection Engineering • Incident Response
