BinaryAlert: Serverless, Real-Time & Retroactive Malware Detection
BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.
Read the documentation at binaryalert.io.
This repository fork uses THOR Thunderstorm (THOR as a web service, see https://www.nextron-systems.com/thor-thunderstorm/) in place of yextend and yara-python as the engine that checks files for YARA matches.
This integration has the following advantages:
- Includes THOR's 15,000+ hand-crafted YARA rule set with focus on
  - APT related malware
  - Hack tools
  - Forensic artefacts
  - Obfuscation techniques
  - Web shells
- Special file type support
  - Registry hives (full walk and IOC application)
  - Memory dumps (full YARA scan)
  - EVTX Eventlogs (log parsing and IOC application)
  - WER files (error report analysis)
You can still use your custom YARA rules along with the THOR encrypted rule set by placing them in the ./custom-signatures/yara sub folder in THOR's program folder.
We've replaced the original YARA scanning method and reduced YARA scanning to a single pass: applying two rule sets one after the other takes much longer than combining them first and applying them in a single step.
This BinaryAlert fork requires
- a THOR "service" license and
- a THOR package for Linux (minimum version 10.6.0)
- Get a THOR 10 for Linux package
- Get a THOR service license from the Nextron customer portal
- Extract the THOR 10 for Linux package and place the license in the extracted program directory
- Clone this binaryalert fork
  git clone https://github.com/NextronSystems/binaryalert.git
- Add the THOR 10 program folder, including the *.lic license file, to dependencies.zip in the binaryalert folder (the command below is run from inside the THOR program folder)
  zip -ur ../binaryalert/lambda_functions/analyzer/dependencies.zip ./
Place the contents from the THOR package and your THOR license into
Add Your Custom YARA Rules
Place your rules in the ./rules folder (or better, in a dedicated sub folder within it). Your rules are then automatically initialized along with THOR.
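As an added example (not code from this fork or from Nextron), the following Python script stages a THOR program folder, its *.lic license and the rules from ./rules into dependencies.zip the way the zip -ur step above does, and then checks the archive before it is deployed: exactly one license at the archive root, at least one custom rule under custom-signatures/yara/, no corrupt members, and an unzipped size within the AWS Lambda deployment limit. It assumes that custom rules belong under custom-signatures/yara/ inside the archive (the rule location named above), that rule files end in .yar or .yara, and that the names of THOR's own files do not matter for the check; the run_demo() helper builds a constructed placeholder layout in a temporary directory, so the script runs offline without a real THOR package.

```python
"""Stage THOR + license + custom rules into dependencies.zip and verify it.

Added example for this README, not part of the fork. The checks and the
placeholder file names in run_demo() are assumptions, not THOR's real layout.
"""
import tempfile
import zipfile
from pathlib import Path

LICENSE_GLOB = "*.lic"                          # README: THOR service license file
CUSTOM_RULES_SUBDIR = "custom-signatures/yara"  # README: THOR loads custom rules from here
RULE_SUFFIXES = (".yar", ".yara")               # assumption: custom rule file extensions
LAMBDA_UNZIPPED_LIMIT = 250 * 1024 * 1024       # AWS Lambda deployment package limit (unzipped)


def find_license(thor_dir: Path) -> Path:
    """Exactly one *.lic must sit in the root of the THOR program folder."""
    lics = sorted(thor_dir.glob(LICENSE_GLOB))
    if len(lics) != 1:
        raise FileNotFoundError(
            f"expected exactly one {LICENSE_GLOB} in {thor_dir}, found {len(lics)}")
    return lics[0]


def collect_rules(rules_dir: Path) -> list:
    """All rule files below ./rules, including dedicated sub folders."""
    return sorted(p for p in rules_dir.rglob("*")
                  if p.is_file() and p.suffix.lower() in RULE_SUFFIXES)


def stage_dependencies(thor_dir, rules_dir, zip_path) -> dict:
    """Append the THOR folder (at the archive root, as `zip -ur ... ./` does) and
    the custom rules (under custom-signatures/yara/) to an existing dependencies.zip."""
    thor_dir, rules_dir, zip_path = Path(thor_dir), Path(rules_dir), Path(zip_path)
    license_path = find_license(thor_dir)
    rules = collect_rules(rules_dir)
    added = []
    # mode "a" keeps the Python dependencies already in the archive, like zip -u
    with zipfile.ZipFile(zip_path, "a", zipfile.ZIP_DEFLATED) as zf:
        present = set(zf.namelist())
        entries = [(p, p.relative_to(thor_dir).as_posix())
                   for p in thor_dir.rglob("*") if p.is_file()]
        entries += [(r, f"{CUSTOM_RULES_SUBDIR}/{r.relative_to(rules_dir).as_posix()}")
                    for r in rules]
        for path, arcname in sorted(entries, key=lambda e: e[1]):
            if arcname in present:            # never write a duplicate member
                continue
            zf.write(path, arcname)
            present.add(arcname)
            added.append(arcname)
    return {"license": license_path.name, "rules": len(rules), "added": added}


def verify_dependencies(zip_path) -> list:
    """Return a list of problems; an empty list means the archive looks deployable."""
    problems = []
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
        bad = zf.testzip()
        if bad is not None:
            problems.append(f"corrupt member: {bad}")
        if not any(n.endswith(".lic") and "/" not in n for n in names):
            problems.append("no *.lic license at the archive root (THOR program folder)")
        if not any(n.startswith(CUSTOM_RULES_SUBDIR + "/") and n.endswith(RULE_SUFFIXES)
                   for n in names):
            problems.append(f"no custom YARA rules under {CUSTOM_RULES_SUBDIR}/")
        unzipped = sum(i.file_size for i in zf.infolist())
        if unzipped > LAMBDA_UNZIPPED_LIMIT:
            problems.append(f"unzipped size {unzipped} bytes exceeds the Lambda limit")
    return problems


def run_demo(include_license: bool = True) -> dict:
    """Build a constructed THOR layout in a temp dir, then stage and verify it.
    The file names below are placeholders, not the real THOR package contents."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        thor = base / "thor10-linux"
        (thor / "signatures").mkdir(parents=True)
        (thor / "thor-binary-placeholder").write_bytes(b"\x7fELF")        # stands in for the binary
        (thor / "signatures" / "ruleset.placeholder").write_bytes(b"enc")  # stands in for encrypted rules
        if include_license:
            (thor / "thor.lic").write_text("placeholder service license\n")
        rules = base / "rules" / "webshells"                               # a dedicated sub folder
        rules.mkdir(parents=True)
        (rules / "example.yar").write_text('rule demo { strings: $a = "test" condition: $a }\n')
        zip_path = base / "dependencies.zip"
        with zipfile.ZipFile(zip_path, "w") as zf:      # pre-existing Python deps in the fork's zip
            zf.writestr("some_python_dep/__init__.py", "")
        try:
            report = stage_dependencies(thor, base / "rules", zip_path)
        except FileNotFoundError as exc:                # missing or duplicate license
            return {"report": None, "problems": [str(exc)]}
        return {"report": report, "problems": verify_dependencies(zip_path)}


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(include_license=False))
```

Run it once with the real paths (stage_dependencies(thor_dir, "./rules", "lambda_functions/analyzer/dependencies.zip") followed by verify_dependencies) before terraform deploys the analyzer; an empty problem list is the condition to proceed, and the missing-license branch of run_demo() shows what the check reports when the license was never copied into the THOR folder.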
Activate Advanced Features
To activate the advanced analyzers for the file types mentioned above (registry hives, memory dumps, EVTX files, WER files), remove the --pure-yara flag in the file