diff --git a/.gitignore b/.gitignore
index c656c0c..c5461ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 .vscode/
-quarantine/
-yara-signatures/
+quarantine/*
+yara-signatures/*
diff --git a/README.md b/README.md
index 2260388..4dda943 100644
--- a/README.md
+++ b/README.md
@@ -31,9 +31,11 @@ _go-yara_ and CGO compilation. You'll find a detailed documentation [here](READM
 ### Usage
 
 ```
-usage: IRMA [-h|--help] [-y|--yara-rules ""] [-d|--dump ""]
+usage: irma [-h|--help] [-y|--yara-rules ""] [-d|--dump ""]
 [-q|--quarantine ""] [-k|--kill] [-f|--faker]
- [-a|--aggressive] [-n|--notifications] [-v|--verbose]
+ [-n|--notifications] [-v|--verbose]
+
+ Incident Response - Minimal Analysis
 
 Arguments:
 
@@ -42,16 +44,14 @@ Arguments:
 recursively). Default: ./yara-signatures
 -d --dump Dump all running process to the specified directory
 -q --quarantine Specify path to store matching artefacts in quarantine
- (Base64/RC4 with key: IRMA
+ (Base64/RC4 with key: irma
 -k --kill Kill suspicious process ID (without removing process
 binary)
 -f --faker Spawn fake processes such as wireshark / procmon /
 procdump / x64dbg
- -a --aggressive Aggressive mode - remove suscpicious process executable
- / track and remove PPID / remove schedule task & regkey
- persistence
 -n --notifications Use Windows notifications when a file or memory stream
 match your YARA rules
+ -v --verbose Display every error and information messages
 ```
 
 ## About this project and future versions
diff --git a/analysis.go b/analysis.go
index bd179d9..cebc0aa 100644
--- a/analysis.go
+++ b/analysis.go
@@ -51,7 +51,7 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 // dump matching file to quarantine
 if len(pQuarantine) > 0 {
 log.Println("[INFO]", "Dumping file", path)
-err := QuarantineFile(filepath.Base(path), pQuarantine)
+err := QuarantineFile(path, pQuarantine)
 if err != nil {
 log.Println("[ERROR]", "Cannot quarantine file", path, err)
 }
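Review bot: Passing the full `path` instead of `filepath.Base(path)` to QuarantineFile means the callee now receives directory components in its first argument; if it derives the quarantine file name from that argument, the destination under pQuarantine would now be built from a path that may contain separators or `..` elements, so confirm that QuarantineFile applies `filepath.Base` itself before joining with pQuarantine. The old call presumably could not open the file from its base name alone, which is what this change fixes, but the naming responsibility moves into QuarantineFile and is not visible here. FileAnalysis starts and ends outside the hunk.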
diff --git a/main.go b/main.go
index b0b11ed..24e4e56 100644
--- a/main.go
+++ b/main.go
@@ -28,6 +28,7 @@ func main() {
 
 // create mutex to avoid program running multiple instances
 if _, err = CreateMutex("irmaBinMutex"); err != nil {
+ log.Println("Only one instance or irma can be launched")
 os.Exit(1)
 }
 
@@ -37,9 +38,12 @@ func main() {
 pQuarantine := parser.String("q", "quarantine", &argparse.Options{Required: false, Help: "Specify path to store matching artefacts in quarantine (Base64/RC4 with key: irma"})
 pKill := parser.Flag("k", "kill", &argparse.Options{Required: false, Help: "Kill suspicious process ID (without removing process binary)"})
 pFaker := parser.Flag("f", "faker", &argparse.Options{Required: false, Help: "Spawn fake processes such as wireshark / procmon / procdump / x64dbg"})
- pAggressive := parser.Flag("a", "aggressive", &argparse.Options{Required: false, Help: "Aggressive mode - remove suscpicious process executable / track and remove suspicious PPID / remove schedule task & regkey persistence"})
 pNotifications := parser.Flag("n", "notifications", &argparse.Options{Required: false, Help: "Use Windows notifications when a file or memory stream match your YARA rules"})
- pVerbose := parser.Flag("v", "verbose", &argparse.Options{Required: false, Help: "Display every error"})
+ pVerbose := parser.Flag("v", "verbose", &argparse.Options{Required: false, Help: "Display every error and information messages"})
+
+ // TODO : working on aggressive mode - it will remove suscpicious process executable / track and remove suspicious PPID / remove schedule task & regkey persistence
+ //pAggressive := parser.Flag("a", "aggressive", &argparse.Options{Required: false, Help: "Aggressive mode - remove suscpicious process executable / track and remove suspicious PPID / remove schedule task & regkey persistence"})
+ pAggressive := false
 
 err = parser.Parse(os.Args)
 if err != nil {
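Review bot: The new log line in the CreateMutex error branch reads "Only one instance or irma can be launched" — "or" should be "of", and unlike the other messages in this diff (`[INFO]`, `[INIT]`, `[ERROR]`) it carries no level tag, so it will not be filterable like the rest. The returned err is also dropped, which hides whether the mutex is already held or could not be created for another reason; suggest `log.Println("[ERROR]", "Only one instance of irma can be launched:", err)` before the `os.Exit(1)`. main continues past the hunk on both sides.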
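Review bot: `pAggressive := false` turns the removed flag into a constant that is still threaded through every routine signature, while the disabled parser.Flag line survives as commented-out code and the TODO repeats the "suscpicious" typo. Git history already keeps the old flag, so drop the commented-out line and replace the TODO with a one-line comment such as `// pAggressive is hard-wired off until aggressive mode (executable / PPID / persistence removal) is implemented; the routine signatures keep the parameter.`. The `-q` help string on the first context line still has an unbalanced parenthesis (`(Base64/RC4 with key: irma`), and the README line this commit rewrites carries the same defect. main continues outside the hunk.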
@@ -68,12 +72,12 @@ func main() {
 }
 log.Println("[INIT]", len(rules.GetRules()), "YARA rules compiled")
 log.Println("[INFO] Start scanning Memory / Registry / StartMenu / Task Scheduler / Filesystem")
- go MemoryAnalysisRoutine(*pDump, *pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
- //go RegistryAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
- //go StartMenuAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
- //go TaskSchedulerAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
- //go WindowsFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
- //go UserFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
+ go MemoryAnalysisRoutine(*pDump, *pQuarantine, *pKill, pAggressive, *pNotifications, *pVerbose, rules)
+ go RegistryAnalysisRoutine(*pQuarantine, *pKill, pAggressive, *pNotifications, *pVerbose, rules)
+ go StartMenuAnalysisRoutine(*pQuarantine, *pKill, pAggressive, *pNotifications, *pVerbose, rules)
+ go TaskSchedulerAnalysisRoutine(*pQuarantine, *pKill, pAggressive, *pNotifications, *pVerbose, rules)
+ go WindowsFileSystemAnalysisRoutine(*pQuarantine, *pKill, pAggressive, *pNotifications, *pVerbose, rules)
+ go UserFileSystemAnalysisRoutine(*pQuarantine, *pKill, pAggressive, *pNotifications, *pVerbose, rules)
 for true {
 time.Sleep(3600 * time.Second)