Open Source Threat Hunting Tool

WRAITH

Windows Threat Hunting and Triage

An open-source tool that helps you quickly understand what is happening on a Windows endpoint. Surface persistence, dig into process activity, review event logs, and spot suspicious artifacts without chasing data across a dozen different places.

v1.0.0 · Windows 10 / 11 · Build 20241128
Why WRAITH

Built for the work, not the pitch.

Three areas where WRAITH cuts time during a live investigation.

Process Visibility

See every running and recently executed process. Spot anomalous parent-child relationships and execution paths without digging through a dozen tools.

Persistence Discovery

Enumerate registry run keys, scheduled tasks, startup entries, and services to quickly find what is set to survive a reboot.

Event Log Triage

Parse and filter Windows event logs to surface logon anomalies, privilege escalation, and security-relevant system changes.

Investigation

What it helps you answer.

What is running right now?
What is set to persist?
What changed on this endpoint?
What deserves investigation first?
Workflow

Investigation in four steps.

01 Run WRAITH

Launch the portable executable on any Windows 10/11 machine. No install required.

02 Collect Artifacts

WRAITH enumerates processes, persistence, event logs, and browser artifacts in seconds.

03 Review Findings

Browse the structured output — flagged items are surfaced. Everything is in one view.

04 Prioritize Suspicious Activity

Use YARA hits, KEV matches, and process anomalies to decide where to dig next.

Processes. Persistence. Logs. Browser artifacts. In one place.

What It Does

Each module targets a specific area of Windows host investigation so you can move through triage systematically.

YARA Scanning

Run YARA rules against host artifacts to detect known threat patterns and suspicious indicators during triage.

Persistence Inspection

Enumerate and review common Windows persistence mechanisms including registry keys, scheduled tasks, and startup entries.
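As an added example (not WRAITH's own code), the persistence categories named above and under Persistence Discovery can be swept on a Windows 10/11 host with built-in PowerShell cmdlets; the user-writable path regex is an assumed triage heuristic and the CSV file name is arbitrary.

```powershell
# Added example (not WRAITH's own code): a persistence sweep over the four
# categories named on the page. The path heuristic below flags, it does not convict.
$UserWritable = '(?i)\\(Temp|AppData|ProgramData|Users\\Public|Downloads)\\'
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Name, [string]$Command) {
    $Findings.Add([pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Command    = $Command
        Suspicious = [bool]($Command -match $UserWritable)
    })
}

# 1. Registry Run / RunOnce keys, machine and current user, 64- and 32-bit views
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in ($RunKeys | Where-Object { Test-Path $_ })) {
    foreach ($P in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($P.Name -notmatch '^PS') { Add-Finding 'Registry' "$Key\$($P.Name)" "$($P.Value)" }
    }
}

# 2. Scheduled tasks: one finding per executable action
foreach ($Task in Get-ScheduledTask) {
    foreach ($A in $Task.Actions) {
        if ($A.Execute) { Add-Finding 'ScheduledTask' "$($Task.TaskPath)$($Task.TaskName)" "$($A.Execute) $($A.Arguments)" }
    }
}

# 3. Startup folders for all users and for the current user
$StartupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem -Path $StartupDirs -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }

# 4. Services: the image path exactly as registered with the Service Control Manager
foreach ($Svc in Get-CimInstance Win32_Service) { Add-Finding 'Service' $Svc.Name "$($Svc.PathName)" }

# Flagged entries first; the CSV feeds the report/handoff step
$Findings | Sort-Object Suspicious -Descending | Export-Csv -Path '.\persistence-sweep.csv' -NoTypeInformation
$Findings | Where-Object Suspicious | Format-Table Source, Name, Command -AutoSize
```

Run it from an elevated prompt so HKLM keys, all tasks, and service image paths are readable; review the unflagged rows too, since a signed binary in a normal location can still be the wrong one.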

Process Review

Examine running and historical process data to identify anomalous execution, suspicious parent-child relationships, and outliers.

Event Log Analysis

Parse and filter Windows event logs to surface security-relevant events, logon anomalies, and system changes.

Browser Artifact Review

Collect and review browser history, downloads, and cached data across major browsers for investigation context.

KEV Correlation

Cross-reference discovered software and patch levels against the CISA Known Exploited Vulnerabilities catalog.

Report Export

Generate structured triage reports summarizing findings, artifacts, and analyst observations for documentation and handoff.

Threat Hunting Workflows

Guided investigation workflows that help analysts systematically examine host data and surface what matters.

Why We Built This

WRAITH started from a real frustration: doing Windows triage meant jumping between a dozen different tools, manually pulling registry keys, grepping through event logs, and hoping you caught everything that mattered. It takes too long, and it's easy to miss things when you are working fast under pressure.

This tool pulls the most important Windows artifacts together in one place. Running processes, persistence mechanisms, browser history, event log entries, YARA hits — it surfaces them all in a structured format so you can spend your time thinking about what the data means, not hunting for where the data lives.

WRAITH is not trying to replace your judgment as an analyst. It is trying to get you to useful information faster. The goal is simple: you open it, you see what is on the machine, and you decide where to dig next. No noise, no fluff.

It's built for the people who actually do this work, by people who have done this work. Open source, and focused on the job.

What's Coming

Areas we are actively working on and plan to ship in upcoming releases.

Extended Artifact Coverage

Additional forensic artifact parsers for WMI, services, prefetch, and network indicators.

Enhanced YARA Integration

Deeper YARA rule management, custom rule import, and match context enrichment.

Timeline Visualization

Unified timeline view correlating event log entries, persistence changes, and process activity.

Remote Collection Support

Secure remote data collection from Windows endpoints for centralized triage workflows.

Portable Windows triage
No heavy setup
Fast artifact review
Built for real investigations