Displaying 1 to 20 from 26 results

Loki - Loki - Simple IOC and Incident Response Scanner

  •    Python

The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems. Download the latest version of LOKI from the releases section.

binaryalert - BinaryAlert: Serverless, Real-time & Retroactive Malware Detection

  •    Python

BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.

signature-base - Signature base for my scanner tools

  •    Python

The signature-base repository is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This signature-base is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICLAR PURPOSE. See the GNU General Public License for more details.

php-malware-finder - Detect potentially malicious PHP files

  •    PHP

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells. Of course it's trivial to bypass PMF, but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or both) category, and should re-read the previous statement.




yarGen - yarGen is a generator for YARA rules

  •    Python

The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use. Since version 0.12.0 yarGen does not completely remove the goodware strings from the analysis process but includes them with a very low score depending on the number of occurences in goodware samples. The rules will be included if no better strings can be found and marked with a comment /* Goodware rule */. Force yarGen to remove all goodware strings with --excludegood. Also since version 0.12.0 yarGen allows to place the "strings.xml" from PEstudio in the program directory in order to apply the blacklist definition during the string analysis process. You'll get better results.

multiscanner - Modular file scanning/analysis framework

  •    Javascript

MultiScanner is a file analysis framework that assists the user in evaluating a set of files by automatically running a suite of tools for the user and aggregating the output. Tools can be custom built Python scripts, web APIs, software running on another machine, etc. Tools are incorporated by creating modules that run in the MultiScanner framework. Modules are designed to be quickly written and easily incorporated into the framework. Currently written and maintained modules are related to malware analytics, but the framework is not limited to that scope. For a list of modules you can look in modules/. Descriptions and config options can be found on the Analysis Modules page.

awesome-yara - A curated list of awesome YARA rules, tools, and people.

  •    

A curated list of awesome YARA rules, tools, and resources. Inspired by awesome-python and awesome-php. YARA is an ancronym for: YARA: Another Recursive Ancronym, or Yet Another Ridiculous Acronym. Pick your choice.

yara-python - The Python interface for YARA

  •    C

With this library you can use YARA from your Python programs. It covers all YARA's features, from compiling, saving and loading rules to scanning files, strings and processes.For this option to work you must build and install YARA separately before installing yara-python.


go-yara - Go bindings for YARA

  •    Go

Go bindings for YARA, staying as close as sensible to the library's C-API while taking inspiration from the yara-python implementation.indicate that the linker is probably looking at an old version of libyara.

yara-validator - Validates yara rules and tries to repair the broken ones.

  •    Python

Validates yara rules and tries to repair the broken ones.

yaratool - Python libary to normalize Yara signatures

  •    Python

YaraTool was created to normalize yara signatures to format the signatures nicely, detect duplicates, and express a specific signature by hash (similar to how we express malware). The hashing method in this tool is the same as the Ruby Yara-Normalize module. The following snippet takes a signature, normalizes it, prints out the pieces of the rule, and provides the "Yara Normalized" hash. The YNHash is designed to identify yara signatures.

yara-forensics - Set of Yara rules for finding files using magics headers

  •    Shell

Yara is the pattern matching swiss knife for malware researchers (and everyone else). Basically Yara allow us to scan files based on textual or binary patterns, thus we can take advantage of Yara's potential and focus it in forensic investigations. For now I have created a set of rules that search for magic headers on files and dump files like raw image of dd as well. So I invite anyone to add or improve rules regarding forensics stuff.

docker-yara - Yara Dockerfile

  •    Dockerfile

This repository contains a Dockerfile of Yara. Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.

yaml2yara - Generate bulk YARA rules from YAML input

  •    HTML

This project is released under the AGPL license. Please see LICENSE for more information. This repository contains a script that will create custom detection rules from YAML input.

ThreatKB - Knowledge base workflow management for Yara rules and C2 artifacts (IP, DNS, SSL) (ALPHA STATE AT THE MOMENT)

  •    Javascript

It's best to run the application and it's Python virtualenv within a screen session to ensure ThreatKB continues to run. Note: Within screen, Ctrl+a+d will dettach your session and return you to your normal shell. To return to the screen session, run screen -list and look for the "Inquest_ThreatKB" entry followed by its PID then use screen -r InQuest_ThreatKB.<PID> to reattach.

yara-rules - A collection of Yara rules we wish to share with the world, most probably referenced from http://blog

  •    

A collection of Yara rules we wish to share with the world, most probably referenced from http://blog.inquest.net.

yara - Malice Yara Plugin

  •    YARA

This repository contains a Dockerfile of the Yara malice plugin malice/yara. This will output to stdout and POST to malice results API webhook endpoint.

spyre - simple YARA-based IOC scanner

  •    Go

Spyre is a simple YARA scanner, the main goal is easy operationalization of YARA rules. Comprehensive rule sets are not included. Spyre is intended to be used as an investigation tool by incident responders with an appropriate skill level. It is not meant to be used as any kind of endpoint protection service.

volatility-misp - Volatility plugin to interface with MISP

  •    Python

volatility-misp is a volatility plugin that allows to pull yara rules from a MISP instance's yara attributes and use them in yarascan.