BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.
Read the documentation at binaryalert.io.
This repository fork utilizes THOR Thunderstorm (THOR as a web service, see https://www.nextron-systems.com/thor-thunderstorm/) to replace yextend and yara-python to check for YARA matches.
This integration has the following advantages:
- Includes THOR's 15,000+ hand-crafted YARA rule set with focus on
  - APT related malware
  - Hack tools
  - Forensic artefacts
  - Obfuscation techniques
  - Web shells
- Special file type support
  - Registry hives (full walk and IOC application)
  - Memory dumps (full YARA scan)
  - EVTX Eventlogs (log parsing and IOC application)
  - WER files (error report analysis)
You can still use your custom YARA rules along with the THOR encrypted rule set by placing them in the ./custom-signatures/yara subfolder in THOR's program folder.
We've replaced the original YARA scanning method and reduced the scanning to a single YARA pass: applying two rule sets one after another takes much longer than combining them first and applying them in a single step.
This BinaryAlert fork requires
- a THOR "service" license and
- a THOR package for Linux (minimum version 10.6.0)

Setup steps:
- Get a THOR 10 for Linux package
- Get a THOR service license from the Nextron customer portal
- Extract the THOR 10 for Linux package and place the license in the extracted program directory
- Clone this binaryalert fork: `git clone https://github.com/NextronSystems/binaryalert.git`
- `cd` into the `thor10-linux` directory
- Add the THOR 10 program folder with the `*.lic` license file to `dependencies.zip` in the binaryalert folder: `zip -ur ../binaryalert/lambda_functions/analyzer/dependencies.zip ./`

In other words, place the contents of the THOR package and your THOR license into lambda_functions/analyzer/dependencies.zip.
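The setup steps above, wrapped in a small POSIX shell script as an added example (this is not part of the BinaryAlert fork or of THOR): it refuses to package a THOR directory that holds no `*.lic` file, then runs the same `zip -ur` call into the analyzer's `dependencies.zip`. The argument names and the `count_lic_in_zip` helper are assumptions for this example; `zip` and `unzip` are assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not the project's own code. Bundles an extracted THOR 10
# for Linux directory plus its service license into the analyzer's
# dependencies.zip, failing early when the license file is missing.
# Assumed arguments: the extracted THOR directory and the binaryalert checkout.

# check_thor_dir DIR -> 0 if DIR exists and contains at least one *.lic file
check_thor_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for f in "$dir"/*.lic; do
        [ -f "$f" ] && return 0
    done
    echo "no *.lic license file found in $dir (get one from the Nextron customer portal)" >&2
    return 1
}

# bundle_thor THOR_DIR BINARYALERT_DIR -> adds THOR_DIR's contents to
# BINARYALERT_DIR/lambda_functions/analyzer/dependencies.zip, using the same
# zip -ur invocation as the setup steps
bundle_thor() {
    thor_dir="$1"
    ba_dir="$2"
    target="$ba_dir/lambda_functions/analyzer/dependencies.zip"
    check_thor_dir "$thor_dir" || return 1
    [ -d "$(dirname "$target")" ] || { echo "missing analyzer directory under $ba_dir" >&2; return 1; }
    # run from inside the THOR directory so entries land at the archive root
    ( cd "$thor_dir" && zip -qur "$target" ./ )
}

# count_lic_in_zip ZIP -> prints how many *.lic entries the archive contains
# (a quick post-check that the license actually made it into the bundle)
count_lic_in_zip() {
    unzip -l "$1" | grep -c '\.lic$'
}

# usage: ./bundle_thor.sh ./thor10-linux ../binaryalert
if [ "$#" -eq 2 ]; then
    bundle_thor "$1" "$2"
fi
```

Keep the license check: a bundle without the `*.lic` file deploys fine but THOR will not run inside the Lambda, which is an error you only discover after the first upload.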
Place your rules in the folder - or better: a dedicated subfolder - within ./rules. Your rules will automatically get initialized with THOR.
To activate the advanced analyzers for the file types mentioned above (registry hives, memory dumps, EVTX files, WER files), remove the `--pure-yara` flag in the file yara_analyzer.py.