Windows systems generate thousands of security events every day. Most of those events go unnoticed unless an analyst manually reviews Event Viewer or a SIEM platform collects and correlates them.
That challenge inspired the development of Windows Threat Analyzer (WTA)—an open-source Python application that transforms raw Windows Event Logs into actionable security alerts, risk scores, and MITRE ATT&CK-mapped detections.
Rather than replacing enterprise SIEM platforms, Windows Threat Analyzer focuses on demonstrating how host-based detection engineering can be implemented using native Windows telemetry and Sysmon. The detections are constantly getting enriched and new detection rules are being added each day.
Why Build Windows Threat Analyzer?
Windows already records a wealth of security information, but manually reviewing those logs is difficult and time-consuming.
Windows Threat Analyzer aims to:
Continuously monitor Windows Event Logs
Detect suspicious activity using rule-based analytics
Correlate related events
Assign risk scores
Map detections to MITRE ATT&CK techniques
Present results through an easy-to-understand graphical interface
The project demonstrates practical cybersecurity concepts while remaining lightweight and fully written in Python.
Current Detection Coverage
The latest version currently supports more than twenty detection rules covering common attack techniques observed during Windows intrusions.
Authentication Monitoring
The analyzer detects authentication-related events such as:
Multiple failed logon attempts
Possible brute-force attacks
Administrator logons
Assignment of special privileges
These detections help identify suspicious authentication activity and privileged account usage.
Account Management Detection
Windows Threat Analyzer monitors changes to user accounts, including:
New local user creation
User deletion
Addition of users to the Administrators group
These activities are frequently associated with persistence or privilege escalation.
Persistence Techniques
Attackers often attempt to survive system reboots by creating persistence mechanisms.
Current detections include:
Windows service installation
Scheduled task creation
WMI Event Filters
WMI Event Consumers
WMI Filter Bindings
These events provide valuable indicators that unauthorized persistence may have been established.
PowerShell Monitoring
PowerShell remains one of the most abused administration tools in modern attacks.
The analyzer currently detects:
Encoded PowerShell execution
Suspicious PowerShell module logging
These detections help identify potentially malicious script execution.
Windows Defender Integration
Instead of ignoring Microsoft Defender, Windows Threat Analyzer incorporates Defender detections into its analysis.
Current support includes:
Defender malware detection events
This allows security analysts to view antivirus detections alongside other Windows security events.
Sysmon-Powered Detection
When Sysmon is installed, Windows Threat Analyzer gains access to much richer telemetry.
Current Sysmon detections include:
Process Injection
CreateRemoteThread activity
Suspicious process memory access
Credential dumping attempts
Process Hollowing
Alternate Data Stream creation
Unsigned driver loading
Suspicious DLL loading
Named Pipe activity associated with known offensive tooling
These detections significantly improve visibility into post-exploitation techniques that standard Windows logs often miss.
Credential Theft Detection
One notable capability is monitoring access to LSASS, the Windows process responsible for storing authentication credentials.
Unauthorized access to LSASS is commonly associated with credential dumping tools.
The analyzer watches for suspicious memory access patterns that may indicate attempts to extract credentials.
Event Correlation
Individual Windows events rarely tell the whole story.
Windows Threat Analyzer correlates related events occurring within a configurable time window.
For example:
Administrator privileges assigned
User added to Administrators group
Instead of generating isolated alerts, the application links related activity together, providing additional context for analysts.
MITRE ATT&CK Mapping
Each supported detection is mapped to relevant MITRE ATT&CK techniques where applicable.
Examples include:
Credential Dumping
Process Injection
Process Hollowing
WMI Event Subscription
Alternate Data Streams
This mapping helps analysts understand how detected behavior aligns with established attacker techniques.
Risk Scoring
Rather than displaying hundreds of disconnected alerts, Windows Threat Analyzer calculates a cumulative host risk score.
The score reflects the overall severity of observed activity and helps prioritize investigation.
Risk levels currently include:
Informational
Low
Medium
High
Critical
Reporting
Collected data can be exported for documentation or further analysis.
Supported export formats include:
CSV
JSON
PDF
These reports are useful for incident documentation and offline analysis.
User Interface
The desktop application provides a security operations–style dashboard featuring:
Live event monitoring
Alert management
Timeline visualization
Search and filtering
Risk overview
Event deduplication
Alert acknowledgment
The interface is designed to make Windows security events easier to interpret without requiring direct interaction with Event Viewer.
Current Detection Summary
At the time of writing, Windows Threat Analyzer includes:
24 numbered detection rules
Dynamic Named Pipe detections
Windows Security Event monitoring
Sysmon behavioral detections
Event correlation
MITRE ATT&CK mapping
Risk scoring
Timeline visualization
PDF, CSV, and JSON reporting
The project continues to expand as additional detection rules and analysis capabilities are implemented.
Looking Ahead
Windows Threat Analyzer is an ongoing project focused on improving host-based threat detection using Windows-native telemetry.
Future development areas may include:
Additional Sysmon detections
Registry persistence monitoring
Ransomware behavior detection
Threat intelligence enrichment
Sigma rule compatibility
YARA integration
Machine learning–assisted anomaly detection
Expanded ATT&CK coverage
Multi-host monitoring
Final Thoughts
Building detection tools provides valuable insight into how Windows records security events and how attackers interact with operating systems.
Windows Threat Analyzer demonstrates that meaningful security analytics can be built using Python, SQLite, Windows Event Logs, and Sysmon without requiring enterprise infrastructure.
As development continues, the project aims to expand its detection coverage while remaining a practical platform for learning detection engineering, Windows internals, and defensive cybersecurity.
Thank you for following the project's progress. Feedback, suggestions, and contributions are always welcome as Windows Threat Analyzer continues to evolve.