Author: Michal Soltysik
Cybersecurity Analyst & Consultant | Forensics Examiner | SOC Trainer | Cyber Warfare Organizer
Official website: https://michalsoltysik.com/
LinkedIn: https://www.linkedin.com/in/michal-soltysik-ssh-soc/
Cybersecurity content: https://www.youtube.com/playlist?list=PL0RdRWQWldOAAKBqOVEutxKMP-a6CNoLY
Accredible: https://www.credential.net/profile/michalsoltysik/wallet
Credly: https://www.credly.com/users/michal-soltysik
Email: [email protected]
Written in C# and compiled against the .NET Framework 4.x.
All tools are compiled into standalone .exe executable files with a standard MZ file header and run natively on Windows systems.
License: Free for personal and commercial use.
Repository overview:
This repository contains a Windows endpoint inspection suite designed for endpoints running Windows operating systems.
The suite combines live endpoint visibility, persistence discovery, and network context with optional reputation enrichment.
Tools included:
(0) Active Endpoint Hash & IP Inspector - 5-Module Suite
(1) Active SHA-256 Hash Checker
(2) Active Public IP Checker
(3) Service Hash Checker
(4) Scheduled Task Hash Checker
(5) Autostart Hash Checker
Important Notice - External Reputation APIs:
This repository optionally integrates with third-party reputation services to enrich collected artifacts with contextual intelligence.
VirusTotal API:
(1) Supports both VirusTotal Public API and VirusTotal Premium API.
(2) Public API limitations include:
4 requests per minute.
500 requests per day.
Personal, non-commercial use only.
(3) Public API keys must not be used in commercial products or business workflows.
(4) Abuse of rate limits, account sharing, or automated bulk lookups may violate VirusTotal Terms of Service.
(5) Reputation lookups are optional; the tool remains fully functional without an API key, and only the final reputation column on the right is left empty when no API data is available.
AbuseIPDB API:
(1) Used to retrieve reputation information for public IP addresses observed in active outbound connections.
(2) API limits depend on the selected plan (Free, Basic, or Premium).
(3) Free and lower-tier plans enforce daily request caps and reduced feature sets.
(4) Excessive querying may result in rate limiting or temporary API blocking.
(5) IP reputation lookups are optional; without an API key, network inspection remains available and only the final reputation column is left empty.
Usage Responsibility:
(1) Before using the application, users must explicitly acknowledge and accept responsibility via mandatory notice dialogs displayed on first launch.
(2) By accepting these notices, users confirm that they understand applicable API limits and licensing terms, are authorized to use the provided API keys, and accept full responsibility for how the tool and integrated services are used.
(3) Users are responsible for ensuring their API key usage complies with the current Terms of Service of VirusTotal and AbuseIPDB.
(4) API terms, limits, and licensing conditions may change over time.
(5) Users are strongly advised to review official documentation before use:
https://docs.virustotal.com/reference/public-vs-premium-api
https://docs.abuseipdb.com/#api-daily-rate-limits
Summary:
This is the main application and unified entry point for the entire toolkit.
It provides a single tabbed interface that hosts all five inspection modules, allowing analysts to switch between endpoint perspectives without launching multiple executables.
Core characteristics:
(1) Unified Windows GUI hosting all modules as tabs.
(2) Centralized startup notices and API usage disclosures.
(3) Optional session-only API key handling for:
VirusTotal (file hash reputation).
AbuseIPDB (public IP reputation).
(4) Consistent scan controls and workflow across all modules.
(5) Designed for baseline creation followed by delta-based threat hunting.
(6) Uses a persistent color legend and consistent row coloring across all modules to clearly distinguish baseline state from post-baseline changes.
(7) Supports exporting module results to CSV files for reporting, investigation, and offline analysis.
Note: The application itself does not perform scanning logic; it orchestrates and embeds the individual modules described below.
Module summary:
Enumerates currently running processes and:
(1) Extracts full command line arguments and executable paths of active processes.
(2) Computes SHA-256 hashes of in-memory binaries.
(3) Optionally queries VirusTotal for file reputation.
(4) Appends only newly observed processes between scans to support baseline comparison.
(5) Uses a persistent color legend and consistent row coloring to visually distinguish baseline processes (light green) from newly observed processes (light red) across scans.
Enumerates active TCP connections and:
(1) Filters connections to public remote IP addresses only.
(2) Correlates each connection with the owning process.
(3) Optionally queries AbuseIPDB for IP reputation.
(4) Supports detection of newly established outbound connections.
(5) Uses a persistent color legend and consistent row coloring to visually distinguish baseline processes (light green) from newly observed processes (light red) across scans.
Enumerates Windows services and:
(1) Extracts service executables and command lines.
(2) Computes SHA-256 hashes of service binaries.
(3) Identifies service startup type and current state.
(4) Optionally enriches hashes with VirusTotal reputation.
(5) Appends only newly created services to support baseline comparison and persistence detection.
(6) Uses a persistent color legend and consistent row coloring to visually distinguish baseline processes (light green) from newly observed processes (light red) across scans.
Enumerates Windows Scheduled Tasks and:
(1) Expands tasks into individual executable actions.
(2) Collects trigger information (boot, logon, scheduled, event-based).
(3) Computes SHA-256 hashes of task action binaries.
(4) Optionally queries VirusTotal for reputation data.
(5) Appends only newly detected scheduled tasks to enable reliable baseline comparison and detection of newly introduced persistence mechanisms.
(6) Uses a persistent color legend and consistent row coloring to visually distinguish baseline processes (light green) from newly observed processes (light red) across scans.
Aggregates common Windows persistence mechanisms, including:
(1) Windows Services:
Services configured with Automatic and Automatic (Delayed Start) startup types.
Service ImagePath and associated command-line parameters.
(2) Registry-based autostart entries (Run and RunOnce keys under):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
(3) Startup folders:
Per-user Startup folder (shell:startup).
System-wide Startup folder (shell:common startup).
(4) Scheduled Tasks:
Tasks triggered at system startup.
Tasks triggered at user logon.
Tasks configured for persistence through time-based or event-based triggers.
(5) WMI event subscription persistence:
Permanent event subscriptions (Event Filters, Consumers, and Bindings).
Execution of commands or scripts in response to system or user events.
For each entry, the module:
(1) Resolves the executed binary or script.
(2) Computes a SHA-256 hash where applicable.
(3) Optionally enriches results with VirusTotal reputation.
(4) Appends and evaluates only newly introduced autostart entries to enable accurate baseline comparison and detection of persistence added after initial execution.
(5) Uses a persistent color legend and consistent row coloring to visually distinguish baseline processes (light green) from newly observed processes (light red) across scans.
Operational model:
All modules follow a consistent workflow:
(1) Start New Scan:
Performs initial enumeration and establishes a baseline on first execution.
On subsequent executions, extends the existing baseline by appending only newly observed artifacts.
(2) Cancel:
Safely pauses long-running enumeration, hashing, or reputation lookups.
Preserves all collected data and scan progress without data loss.
(3) Continue Scanning:
Resumes the scan from the exact point where it was paused.
Continues hashing and reputation enrichment without restarting completed steps.
(4) Skip Mode - Skip Running Processes / Skip Active IP Checks / Skip Services / Skip Scheduled Tasks / Skip Current Items (depending on the selected tab):
Stops processing already observed artifacts.
Switches scanning logic to newly introduced artifacts only.
Ensures reliable baseline comparison and clean detection of changes between executions.
(5) Save Results:
Exports the current view to a CSV file.
Preserves all collected metadata, hashes, and reputation results for reporting and analysis.
Note: No destructive actions are performed by any module.
Intended use:
This repository is intended for:
(1) SOC laboratories and training environments.
(2) Blue Team operations in both test and production environments.
(3) Threat hunting and detection engineering activities.
(4) Malware analysis and post-execution inspection in controlled scenarios.
(5) DFIR investigations and incident response triage (post-compromise endpoint inspection).
(6) Production endpoints for baseline creation and continuous inspection, provided no malicious code is intentionally executed.