Spyre is a simple host-based IOC scanner built around the YARA pattern matching engine and other scan modules. The main goal of this project is easy operationalization of YARA rules and other indicators of compromise.
Users need to bring their own rule sets. The awesome-yara repository gives a good overview of free yara rule sets out there.
It is intended to be used as an investigation tool by incident responders. It is not meant to evolve into any kind of endpoint protection service.
`filescan.yar` and `procscan.yar` are used for file scans and process memory scans, respectively. The following options exist for providing rules files to Spyre (and will be tried in this order):

- `$PROGRAM.zip`: If the Spyre binary is called `spyre` or `spyre.exe`, use `spyre.zip`.

Using the password `infected` (AV industry standard) prevents antivirus software from mistaking parts of the ruleset as malicious content and preventing the scan. YARA rule files may contain `include` statements.

Configuration
Run-time options can be passed either via command line parameters or via a file named `params.txt`. Empty lines and lines starting with the `#` character are ignored. Every line is interpreted as a single command line argument.
If a ZIP file has been appended to the Spyre binary, configuration and other files such as YARA rules are only read from this ZIP file. Otherwise, they are read from the directory into which the binary has been placed.
Some options allow specifying a list of items. This can be done by separating the items using a semicolon (`;`).
`--high-priority`
Normally (unless this switch is enabled), Spyre instructs the OS scheduler to lower the priorities of CPU time and I/O operations, in order to avoid disruption of normal system operation.

`--set-hostname=NAME`
Explicitly set the hostname that will be used in the log file and in the report. This is usually not needed.

`--loglevel=LEVEL`
Set the log level. Valid: trace, debug, info, notice, warn, error, quiet.

`--report=SPEC`
Set one or more report targets, separated by a semicolon (`;`). Default: `spyre.log` in the current working directory, using the plain format. A different output format can be specified by appending `,format=FORMAT`. The following formats are currently supported:
- `plain`, the default, a simple human-readable text format
- `tsjson`, a JSON document that can be imported into Timesketch

`--path=PATHLIST`
Set one or more specific filesystem paths to scan. Default: `/` (Unix) or all fixed drives (Windows).

`--yara-file-rules=FILELIST`
Set list of YARA rule files for scanning files on the system. Default: Use `filescan.yar` from appended ZIP file, `$PROGRAM.ZIP`, or current working directory.

`--yara-proc-rules=FILELIST`
Set list of YARA rule files for scanning processes' memory regions. Default: Use `procscan.yar` from appended ZIP file, `$PROGRAM.ZIP`, or current working directory.

`--max-file-size=SIZE`
Set maximum size for files to be scanned using YARA. Default: 32MB

`--ioc-file=FILE`
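As an added example that is not part of the Spyre project, the following Python script applies the `params.txt` rules above (empty and `#` lines ignored, one argument per line) and checks the `--report` and `--loglevel` values before a file is shipped alongside the scanner; the function names and the extra validation are assumptions, not Spyre's own parser.

```python
# Added example, not Spyre code: check a params.txt by applying the README's rules
# (blank and '#' lines ignored, one argument per line) and validating --report/--loglevel.
VALID_FORMATS = {"plain", "tsjson"}
VALID_LOGLEVELS = {"trace", "debug", "info", "notice", "warn", "error", "quiet"}
# Constructed sample params.txt (one argument per line, as Spyre expects).
SAMPLE_PARAMS = """\
# scan user and temp dirs; also write a Timesketch-importable report
--loglevel=info
--report=spyre.log;/var/tmp/spyre.json,format=tsjson

--path=/home;/var/tmp
"""

def params_to_argv(text):
    """Turn params.txt content into the argv list Spyre would see."""
    argv = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.strip() == "" or line.startswith("#"):
            continue  # empty and comment lines are ignored
        argv.append(line)  # the whole line is exactly one argument
    return argv

def parse_report_spec(spec):
    """Split a --report value into (target, format) pairs."""
    targets = []
    for item in spec.split(";"):  # ';' separates report targets
        target, _, opt = item.partition(",")  # ',format=FORMAT' suffix
        fmt = "plain"  # the default output format
        if opt:
            key, _, val = opt.partition("=")
            if key != "format" or val not in VALID_FORMATS:
                raise ValueError(f"bad report option {opt!r} for {target!r}")
            fmt = val
        targets.append((target, fmt))
    return targets

def check_argv(argv):
    """Return a list of problems found (empty means the file is usable)."""
    problems = []
    for arg in argv:
        name, _, value = arg.partition("=")
        if name == "--report":
            try:
                parse_report_spec(value)
            except ValueError as exc:
                problems.append(str(exc))
        elif name == "--loglevel" and value not in VALID_LOGLEVELS:
            problems.append(f"unknown loglevel {value!r}")
    return problems
```

Run `check_argv(params_to_argv(open("params.txt").read()))` against a real file; an empty list means every line survived the README's rules and the report and log level values are ones Spyre accepts.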
Notes About YARA Rules
YARA is configured with default settings, plus the following explicit switches (cf. `3rdparty.mk`):
--disable-magic
--disable-cuckoo
--enable-dotnet
--enable-macho
--enable-dex
Building
Spyre can be built for 32bit and 64bit Linux and Windows targets on a Debian/buster system (or a chroot) in which the following packages have been installed:

`GOROOT` has been set.

This describes the build environment that is exercised regularly via CI.
The same build has also been successfully tried on Fedora 30 with the following packages installed:
Once everything has been installed, just type `make`. This should download archives for musl-libc, openssl, yara, build those and then build spyre.
The bare spyre binaries are created in `_build/<triplet>/`.
Running `make release` creates a ZIP file that contains those binaries for all supported architectures.