Wednesday, July 8, 2026

Windows Threat Analyzer – A Python-Based Host Detection Platform for Windows Event Logs

 

Windows systems generate thousands of security events every day. Most of those events go unnoticed unless an analyst manually reviews Event Viewer or a SIEM platform collects and correlates them.

That challenge inspired the development of Windows Threat Analyzer (WTA)—an open-source Python application that transforms raw Windows Event Logs into actionable security alerts, risk scores, and MITRE ATT&CK-mapped detections.

Rather than replacing enterprise SIEM platforms, Windows Threat Analyzer focuses on demonstrating how host-based detection engineering can be implemented using native Windows telemetry and Sysmon. The detections are constantly getting enriched and new detection rules are being added each day.


Why Build Windows Threat Analyzer?

Windows already records a wealth of security information, but manually reviewing those logs is difficult and time-consuming.

Windows Threat Analyzer aims to:

  • Continuously monitor Windows Event Logs

  • Detect suspicious activity using rule-based analytics

  • Correlate related events

  • Assign risk scores

  • Map detections to MITRE ATT&CK techniques

  • Present results through an easy-to-understand graphical interface

The project demonstrates practical cybersecurity concepts while remaining lightweight and fully written in Python.


Current Detection Coverage

The latest version currently supports more than twenty detection rules covering common attack techniques observed during Windows intrusions.

Authentication Monitoring

The analyzer detects authentication-related events such as:

  • Multiple failed logon attempts

  • Possible brute-force attacks

  • Administrator logons

  • Assignment of special privileges

These detections help identify suspicious authentication activity and privileged account usage.


Account Management Detection

Windows Threat Analyzer monitors changes to user accounts, including:

  • New local user creation

  • User deletion

  • Addition of users to the Administrators group

These activities are frequently associated with persistence or privilege escalation.


Persistence Techniques

Attackers often attempt to survive system reboots by creating persistence mechanisms.

Current detections include:

  • Windows service installation

  • Scheduled task creation

  • WMI Event Filters

  • WMI Event Consumers

  • WMI Filter Bindings

These events provide valuable indicators that unauthorized persistence may have been established.


PowerShell Monitoring

PowerShell remains one of the most abused administration tools in modern attacks.

The analyzer currently detects:

  • Encoded PowerShell execution

  • Suspicious PowerShell module logging

These detections help identify potentially malicious script execution.


Windows Defender Integration

Instead of ignoring Microsoft Defender, Windows Threat Analyzer incorporates Defender detections into its analysis.

Current support includes:

  • Defender malware detection events

This allows security analysts to view antivirus detections alongside other Windows security events.


Sysmon-Powered Detection

When Sysmon is installed, Windows Threat Analyzer gains access to much richer telemetry.

Current Sysmon detections include:

  • Process Injection

  • CreateRemoteThread activity

  • Suspicious process memory access

  • Credential dumping attempts

  • Process Hollowing

  • Alternate Data Stream creation

  • Unsigned driver loading

  • Suspicious DLL loading

  • Named Pipe activity associated with known offensive tooling

These detections significantly improve visibility into post-exploitation techniques that standard Windows logs often miss.


Credential Theft Detection

One notable capability is monitoring access to LSASS, the Windows process responsible for storing authentication credentials.

Unauthorized access to LSASS is commonly associated with credential dumping tools.

The analyzer watches for suspicious memory access patterns that may indicate attempts to extract credentials.


Event Correlation

Individual Windows events rarely tell the whole story.

Windows Threat Analyzer correlates related events occurring within a configurable time window.

For example:

  • Administrator privileges assigned

  • User added to Administrators group

Instead of generating isolated alerts, the application links related activity together, providing additional context for analysts.


MITRE ATT&CK Mapping

Each supported detection is mapped to relevant MITRE ATT&CK techniques where applicable.

Examples include:

  • Credential Dumping

  • Process Injection

  • Process Hollowing

  • WMI Event Subscription

  • Alternate Data Streams

This mapping helps analysts understand how detected behavior aligns with established attacker techniques.


Risk Scoring

Rather than displaying hundreds of disconnected alerts, Windows Threat Analyzer calculates a cumulative host risk score.

The score reflects the overall severity of observed activity and helps prioritize investigation.

Risk levels currently include:

  • Informational

  • Low

  • Medium

  • High

  • Critical


Reporting

Collected data can be exported for documentation or further analysis.

Supported export formats include:

  • CSV

  • JSON

  • PDF

These reports are useful for incident documentation and offline analysis.


User Interface

The desktop application provides a security operations–style dashboard featuring:

  • Live event monitoring

  • Alert management

  • Timeline visualization

  • Search and filtering

  • Risk overview

  • Event deduplication

  • Alert acknowledgment

The interface is designed to make Windows security events easier to interpret without requiring direct interaction with Event Viewer.


Current Detection Summary

At the time of writing, Windows Threat Analyzer includes:

  • 24 numbered detection rules

  • Dynamic Named Pipe detections

  • Windows Security Event monitoring

  • Sysmon behavioral detections

  • Event correlation

  • MITRE ATT&CK mapping

  • Risk scoring

  • Timeline visualization

  • PDF, CSV, and JSON reporting

The project continues to expand as additional detection rules and analysis capabilities are implemented.


Looking Ahead

Windows Threat Analyzer is an ongoing project focused on improving host-based threat detection using Windows-native telemetry.

Future development areas may include:

  • Additional Sysmon detections

  • Registry persistence monitoring

  • Ransomware behavior detection

  • Threat intelligence enrichment

  • Sigma rule compatibility

  • YARA integration

  • Machine learning–assisted anomaly detection

  • Expanded ATT&CK coverage

  • Multi-host monitoring


Final Thoughts

Building detection tools provides valuable insight into how Windows records security events and how attackers interact with operating systems.

Windows Threat Analyzer demonstrates that meaningful security analytics can be built using Python, SQLite, Windows Event Logs, and Sysmon without requiring enterprise infrastructure.

As development continues, the project aims to expand its detection coverage while remaining a practical platform for learning detection engineering, Windows internals, and defensive cybersecurity.

Thank you for following the project's progress. Feedback, suggestions, and contributions are always welcome as Windows Threat Analyzer continues to evolve.