IRMA is a lightweight tool made for live forensics on Windows Platform. It is focused on three use cases:
- enpoint detection - live analysis, quarantine and eradication of malware on a workstation
- live analysis & sandbox host - logging and instant notifications for malware TTP's assessment
- signatures quality test - scan your endpoint baseline and check for false positives
IRMA is intended to work with both user or administrator rights. Based on your user privileges it can:
- implements the YARA library and regularly scan the workstation's files and memory
- search for execution context (parent process, regkey, scheduled task persistence) Every suspect behaviour could be text logged, notified to the user, and/or eradicated
Currently, IRMA is able to:
- list running processes and log for suspiscious actions
- list common persistence mecanisms (registry keys / scheduled tasks / startup folder links)
- perform YARA scan on files and memory
- dump / quarantine suspiscious artefacts
- spawn fake analysis processes to make the computer look like an analysis platform
Feel free to download compiled release of this software. If you want to compile from sources, it could be a little bit tricky cause it's stronly depends of go-yara and CGO compilation. You'll find a detailed documentation here
usage: irma [-h|--help] -c|--configuration "<value>" [-b|--builder "<value>"]
Incident Response - Minimal Analysis
Arguments:
-h --help Print help information
-c --configuration yaml configuration file
-b --builder create a standalone launcher executable with packed
rules and configuration.
IRMA embeds a configuration file in order to define which files to scan, and where to scan them.
irma.exe -c configuration.yaml
IRMA builder mode lets you create a standalone, static compiled, self-extracting archive. It contains irma binary, configuration file, and signatures. Hence, this binary could be deployed on any other system and launch without additional configuration.
irma.exe -c configuration.yaml -b irma-sfx-binary.exe
I undertook this project initially in order to learn Go. Then little by little I tried to understand how to use the Win32 API and finally to read the process memory on a Windows system. Initially focused on system oriented live forensics, I plan to enhance IRMA functionalities with network based detection & analysis.
Further versions may contains:
- SNORT/Suricata rules analysis
- Transfer of analysis results to a SIEM
- Agent management platform - Command and control ability
Feel free to ask for new features or create pull request if your interested in this project.