remove aggressive mode from short term roadmap

Author: codeyourweb

README.md

@@ -31,27 +31,32 @@ _go-yara_ and CGO compilation. You'll find a detailed documentation [here](READM
 
 ### Usage 
 ```
-usage: irma [-h|--help] [-y|--yara-rules "<value>"] [-d|--dump "<value>"]
+usage: irma [-h|--help] [-c|--network-capture "<value>"] [-b|--bpffilter
+            "<value>"] [-y|--yara-rules "<value>"] [-d|--dump "<value>"]
             [-q|--quarantine "<value>"] [-k|--kill] [-f|--faker]
-            [-n|--notifications] [-v|--verbose]
+            [-n|--notifications] [-v|--verbose] 
 
             Incident Response - Minimal Analysis
 
 Arguments:
 
-  -h  --help           Print help information
-  -y  --yara-rules     Yara rules path (the program will look for *.yar files
-                       recursively). Default: ./yara-signatures
-  -d  --dump           Dump all running process to the specified directory
-  -q  --quarantine     Specify path to store matching artefacts in quarantine
-                       (Base64/RC4 with key: irma
-  -k  --kill           Kill suspicious process ID (without removing process
-                       binary)
-  -f  --faker          Spawn fake processes such as wireshark / procmon /
-                       procdump / x64dbg
-  -n  --notifications  Use Windows notifications when a file or memory stream
-                       match your YARA rules
-  -v  --verbose        Display every error and information messages
+  -h  --help             Print help information
+  -c  --network-capture  Capture network interface to PCAP file. Default:
+  -b  --bpffilter        Use Berkeley Packet Filter to capture only selected
+                         parts of network traffic. Default:
+  -y  --yara-rules       Yara rules path (the program will look for *.yar files
+                         recursively). Default: ./yara-signatures
+  -d  --dump             Dump all running process to the specified directory
+  -q  --quarantine       Specify path to store matching artefacts in quarantine
+                         (Base64/RC4 with key: irma)
+  -k  --kill             Kill suspicious process ID (without removing process
+                         binary)
+  -f  --faker            Spawn fake processes such as wireshark / procmon /
+                         procdump / x64dbg
+  -n  --notifications    Use Windows notifications when a file or memory stream
+                         match your YARA rules
+  -v  --verbose          Display every error and information messages
+
 ``` 
 
 ## About this project and future versions

analysis.go

@@ -22,7 +22,7 @@ type FileDescriptor struct {
 }
 
 // FileAnalysis sub-routine for file analysis (used in registry / task scheduler / startmenu scan)
-func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules, sourceIndex string) {
+func FileAnalysis(path string, pQuarantine string, pKill bool, pNotifications bool, pVerbose bool, rules *yara.Rules, sourceIndex string) {
 	var f os.FileInfo
 	var err error
 	var content []byte
@@ -91,7 +91,7 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 }
 
 // MemoryAnalysis sub-routine for running processes analysis
-func MemoryAnalysis(proc *ProcessInformation, pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
+func MemoryAnalysis(proc *ProcessInformation, pQuarantine string, pKill bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	if pVerbose {
 		log.Println("[INFO] [MEMORY] Analyzing", proc.ProcessName, "PID:", proc.PID)
 	}

filehelper.go

@@ -13,30 +13,30 @@ import (
 )
 
 // WindowsFileSystemAnalysisRoutine analyse windows filesystem every 300 seconds
-func WindowsFileSystemAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
+func WindowsFileSystemAnalysisRoutine(pQuarantine string, pKill bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for {
 		env := ListEnvironmentPathFiles(pVerbose)
 		temp := ListTemporaryFiles(pVerbose)
 
 		for _, p := range env {
-			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "ENV")
+			FileAnalysis(p, pQuarantine, pKill, pNotifications, pVerbose, rules, "ENV")
 		}
 
 		for _, p := range temp {
-			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "TEMP")
+			FileAnalysis(p, pQuarantine, pKill, pNotifications, pVerbose, rules, "TEMP")
 		}
 
 		time.Sleep(300 * time.Second)
 	}
 }
 
 // UserFileSystemAnalysisRoutine analyse windows filesystem every 60 seconds
-func UserFileSystemAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
+func UserFileSystemAnalysisRoutine(pQuarantine string, pKill bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for {
 		files := ListUserWorkspaceFiles(pVerbose)
 
 		for _, p := range files {
-			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "USER")
+			FileAnalysis(p, pQuarantine, pKill, pNotifications, pVerbose, rules, "USER")
 		}
 		time.Sleep(60 * time.Second)
 	}

main.go

@@ -53,12 +53,11 @@ func main() {
 	pBpfFilter := parser.String("b", "bpffilter", &argparse.Options{Required: false, Default: "", Help: "Use Berkeley Packet Filter to capture only selected parts of network traffic"})
 	pYaraPath := parser.String("y", "yara-rules", &argparse.Options{Required: false, Default: "./yara-signatures", Help: "Yara rules path (the program will look for *.yar files recursively)"})
 	pDump := parser.String("d", "dump", &argparse.Options{Required: false, Help: "Dump all running process to the specified directory"})
-	pQuarantine := parser.String("q", "quarantine", &argparse.Options{Required: false, Help: "Specify path to store matching artefacts in quarantine (Base64/RC4 with key: irma"})
+	pQuarantine := parser.String("q", "quarantine", &argparse.Options{Required: false, Help: "Specify path to store matching artefacts in quarantine (Base64/RC4 with key: irma)"})
 	pKill := parser.Flag("k", "kill", &argparse.Options{Required: false, Help: "Kill suspicious process ID (without removing process binary)"})
 	pFaker := parser.Flag("f", "faker", &argparse.Options{Required: false, Help: "Spawn fake processes such as wireshark / procmon / procdump / x64dbg"})
 	pNotifications := parser.Flag("n", "notifications", &argparse.Options{Required: false, Help: "Use Windows notifications when a file or memory stream match your YARA rules"})
 	pVerbose := parser.Flag("v", "verbose", &argparse.Options{Required: false, Help: "Display every error and information messages"})
-	pAggressive := parser.Flag("a", "aggressive", &argparse.Options{Required: false, Help: "Aggressive mode - remove suscpicious process executable / track and kill suspicious PPID / remove schedule task & regkey persistence"})
 
 	err = parser.Parse(os.Args)
 	if err != nil {
@@ -102,12 +101,12 @@ func main() {
 	if len(*pNetworkCapturePath) > 0 {
 		go NetworkAnalysisRoutine(*pBpfFilter, *pNetworkCapturePath, *pVerbose)
 	}
-	go MemoryAnalysisRoutine(*pDump, *pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	go RegistryAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	go StartMenuAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	go TaskSchedulerAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	go WindowsFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	go UserFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
+	go MemoryAnalysisRoutine(*pDump, *pQuarantine, *pKill, *pNotifications, *pVerbose, rules)
+	go RegistryAnalysisRoutine(*pQuarantine, *pKill, *pNotifications, *pVerbose, rules)
+	go StartMenuAnalysisRoutine(*pQuarantine, *pKill, *pNotifications, *pVerbose, rules)
+	go TaskSchedulerAnalysisRoutine(*pQuarantine, *pKill, *pNotifications, *pVerbose, rules)
+	go WindowsFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pNotifications, *pVerbose, rules)
+	go UserFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pNotifications, *pVerbose, rules)
 	<-exit
 
 }

procsmemory.go

@@ -23,7 +23,7 @@ type ProcessInformation struct {
 }
 
 // MemoryAnalysisRoutine analyse processes memory every 5 seconds
-func MemoryAnalysisRoutine(pDump string, pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
+func MemoryAnalysisRoutine(pDump string, pQuarantine string, pKill bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for {
 		// list process information and memory
 		procs := ListProcess(pVerbose)
@@ -43,11 +43,11 @@ func MemoryAnalysisRoutine(pDump string, pQuarantine string, pKill bool, pAggres
 				KillProcessByID(proc.PID, pVerbose)
 			} else {
 				// analyzing process memory and cleaning memory buffer
-				MemoryAnalysis(&proc, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules)
+				MemoryAnalysis(&proc, pQuarantine, pKill, pNotifications, pVerbose, rules)
 				proc.MemoryDump = nil
 
 				// analyzing process executable
-				FileAnalysis(proc.ProcessPath, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "MEMORY")
+				FileAnalysis(proc.ProcessPath, pQuarantine, pKill, pNotifications, pVerbose, rules, "MEMORY")
 			}
 		}
 

windowslnkparser.go

@@ -11,7 +11,7 @@ import (
 )
 
 // StartMenuAnalysisRoutine analyse system artefacts every 15 seconds
-func StartMenuAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
+func StartMenuAnalysisRoutine(pQuarantine string, pKill bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for {
 		lnk, errors := ListStartMenuLnkPersistence(pVerbose)
 		if errors != nil && pVerbose {
@@ -23,7 +23,7 @@ func StartMenuAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool,
 		for _, l := range lnk {
 			paths := FormatPathFromComplexString(l)
 			for _, p := range paths {
-				FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "STARTMENU")
+				FileAnalysis(p, pQuarantine, pKill, pNotifications, pVerbose, rules, "STARTMENU")
 			}
 		}
 

windowsregistry.go

@@ -19,7 +19,7 @@ type RegistryValue struct {
 }
 
 // RegistryAnalysisRoutine analyse registry persistence keys every 15 seconds
-func RegistryAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
+func RegistryAnalysisRoutine(pQuarantine string, pKill bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for {
 		values, errors := EnumRegistryPeristence()
 
@@ -32,7 +32,7 @@ func RegistryAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, p
 		for _, k := range values {
 			paths := FormatPathFromComplexString(k.value)
 			for _, p := range paths {
-				FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "REGISTRY")
+				FileAnalysis(p, pQuarantine, pKill, pNotifications, pVerbose, rules, "REGISTRY")
 			}
 		}
 

windowstaskscheduler.go

@@ -36,7 +36,7 @@ var (
 var taskSchedulerInitialized bool = false
 
 // TaskSchedulerAnalysisRoutine analyse Windows Task Scheduler executable every 15 seconds
-func TaskSchedulerAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
+func TaskSchedulerAnalysisRoutine(pQuarantine string, pKill bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for {
 		defer UninitializeTaskScheduler()
 		tasks, err := GetTasks()
@@ -48,7 +48,7 @@ func TaskSchedulerAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bo
 			for _, e := range t.ActionList {
 				paths := FormatPathFromComplexString(e.Path)
 				for _, p := range paths {
-					FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "TASKS")
+					FileAnalysis(p, pQuarantine, pKill, pNotifications, pVerbose, rules, "TASKS")
 				}
 			}
 		}