v1.0.0 "First Light" — Open Source

WRAITH

Agentless threat hunting for Windows networks

Find one artifact. Hunt the entire network. Map the kill chain. No EDR agents. No complex deployments. Just SMB, WMI, YAML rules, and YARA — phasing through your infrastructure like a ghost.


Ghost Powers

WRAITH phases through your network unseen — no agents installed, no footprint left behind. Just intelligence.


SMB Artifact Sweep

Phase through file shares across entire subnets. Hunt for known-bad paths, filenames, and hashes using declarative YAML rules. Wildcard user profile expansion built in.

AGENTLESS

WMI Remote Collection

Query running processes, services, scheduled tasks, autoruns, and registry keys remotely via WMI/DCOM. Catch LOLBins, persistence, and suspicious services without touching the endpoint.

PROCESSES · SERVICES · TASKS

YARA Scanning

Download suspicious artifacts and scan them locally with compiled YARA rulesets. Ships with rules for Mimikatz, Cobalt Strike, SharpHound, encoded PowerShell, and more.

7 RULES INCLUDED

MITRE ATT&CK Mapping

Every hunt rule tags tactic, technique, and subtechnique. Findings carry ATT&CK context through to every export format — from JSON to HTML reports to Sentinel.

TACTIC · TECHNIQUE · SUB

Sentinel TI Export

Generate IOC CSVs formatted for the Microsoft Sentinel Threat Intelligence upload connector. Full metadata (TLP, confidence, expiry, MITRE tags) or simple two-column format.

CSV · SENTINEL · IOC

Client-Ready Reports

Standalone HTML reports with severity breakdown, host summary, ATT&CK coverage heatmap, and full findings table. Dark-themed. No dependencies. Just open in a browser.

HTML · JSON · JSONL

Watch the Hunt

See WRAITH sweep a network in real time (interactive terminal demo on the project page).

Before & After WRAITH

Without WRAITH

  • Find one artifact on one host, manually
  • RDP into each machine to check for spread
  • No structured output — notes in a text file
  • Hours spent on a single sweep
  • EDR coverage gaps = blind spots
  • No MITRE mapping, no threat context

With WRAITH

  • One artifact → YAML rule → sweep the entire /24
  • Agentless via SMB + WMI, no RDP needed
  • JSON, Sentinel CSV, and HTML reports auto-generated
  • Full subnet scanned in minutes, multi-threaded
  • Works where EDR doesn't — legacy, misconfigured, gaps
  • MITRE ATT&CK mapped, YARA enriched, timeline correlated

Architecture

  ┌─────────────────────────────────────────────────────────────────┐
  │  WRAITH ENGINE                                                  │
  │                                                                 │
  │   YAML Rules ──→ Parser ──→ Matcher ──→ Findings                │
  │       │                         ↑           │                   │
  │       ▼                         │           ▼                   │
  │   Collectors                    │        Exporters              │
  │   ├── SMB  (port 445) ──────────┤        ├── JSON               │
  │   ├── WMI  (port 135) ──────────┤        ├── Sentinel CSV       │
  │   └── YARA (local scan) ────────┘        └── HTML Report        │
  │                                                                 │
  │   Target Expansion ──→ Port Discovery ──→ Thread Pool           │
  │   CIDR / IP / @file       445 + 135          40 concurrent      │
  └─────────────────────────────────────────────────────────────────┘
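The rule → matcher → findings path in the diagram, together with the wildcard user-profile expansion the SMB sweep card mentions, sketched as an added Python example (not WRAITH's own code; the rule field names, the profile list and the share listing are assumed and constructed):

```python
import fnmatch
from collections import namedtuple

# Constructed hunt rule in the shape a YAML loader would return; the field names are
# assumed, not WRAITH's real schema, and the hash is a placeholder, not a real IOC.
RULE = {
    "name": "temp_dropper_and_credential_tools",
    "attack": {"tactic": "TA0002", "technique": "T1059", "sub": "T1059.001"},
    "paths": [r"Users\*\AppData\Local\Temp\*.ps1"],  # '*' after Users = any profile
    "filenames": ["mimikatz.exe"],
    "sha256": ["aa" * 32],
}

# reason = which rule field matched; technique = ATT&CK id carried into every export
Finding = namedtuple("Finding", "host path reason technique")

def expand_profiles(pattern, profiles):
    """Replace the wildcard profile segment with each user profile found on the host."""
    if r"Users\*" not in pattern:
        return [pattern]
    return [pattern.replace(r"Users\*", "Users\\" + p, 1) for p in profiles]

def match_rule(rule, host, profiles, listing):
    """listing maps share-relative path -> SHA-256; returns one Finding per hit."""
    patterns = [p for pat in rule.get("paths", []) for p in expand_profiles(pat, profiles)]
    names = {n.lower() for n in rule.get("filenames", [])}
    hashes = {h.lower() for h in rule.get("sha256", [])}
    findings = []
    for path, digest in listing.items():
        if any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns):
            reason = "path"
        elif path.rsplit("\\", 1)[-1].lower() in names:
            reason = "filename"
        elif digest.lower() in hashes:
            reason = "sha256"
        else:
            continue
        findings.append(Finding(host, path, reason, rule["attack"]["sub"]))
    return findings

def demo():
    """Constructed C$ listing from one host: three hits and one benign file."""
    listing = {
        r"Users\alice\AppData\Local\Temp\update.ps1": "11" * 32,
        r"Users\bob\Downloads\mimikatz.exe": "22" * 32,
        r"Windows\Temp\svc.dll": "aa" * 32,
        r"Users\alice\Documents\notes.txt": "33" * 32,
    }
    return match_rule(RULE, "10.1.0.7", ["alice", "bob"], listing)
```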

Summon the Ghost

Three commands. No signup. No license key. MIT open source.

01  Clone

$ git clone https://github.com/yourorg/wraith.git
$ cd wraith

02  Install

$ pip install -r requirements.txt
# Optional: pip install yara-python

03  Hunt

$ python -m wraith hunt \
  -t 10.1.0.0/24 \
  -u Administrator -d CORP \
  -H <NT_HASH> \
  -r examples/hunt_rules/ \
  --yara examples/yara_rules/ \
  --download --sentinel-export --html

Go Ghost.

You found one artifact. WRAITH finds the rest. Open source, agentless, and ready to haunt your adversaries.