• Stars
    star
    859
  • Rank 53,078 (Top 2 %)
  • Language
    Python
  • License
    Other
  • Created about 6 years ago
  • Updated 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Real-time, container-based file scanning at enterprise scale

Strelka Banner

Releases   |   Documentation   |   Pull Requests   |   Issues

GitHub release Build Status Pull Requests Slack License

Strelka is a real-time, container-based file scanning system used for threat hunting, threat detection, and incident response. Originally based on the design established by Lockheed Martin's Laika BOSS and similar projects (see: related projects), Strelka's purpose is to perform file extraction and metadata collection at enterprise scale.

Strelka differs from its sibling projects in a few significant ways:

  • Core codebase is Go and Python3.9+
  • Server components run in containers for ease and flexibility of deployment
  • OS-native client applications for Windows, Mac, and Linux
  • Built using libraries and formats that allow cross-platform, cross-language support

Features

Strelka is a modular data scanning platform, allowing users or systems to submit files for the purpose of analyzing, extracting, and reporting file content and metadata. Coupled with a SIEM, Strelka is able to aggregate, alert, and provide analysts with the capability to better understand their environment without having to perform direct data gathering or time-consuming file analysis.

Strelka Features

Quickstart

Running a file through Strelka is simple. In this section, Strelka capabilities of extraction and analysis are demonstrated for a one-off analysis.

Please review the documentation for details on how to properly build and deploy Strelka in an enterprise environment.

Step 1: Install prerequisites

# Ubuntu 22.04
sudo apt install -y wget git docker docker-compose golang jq && \
sudo usermod -aG docker $USER && \
newgrp docker

Step 2: Download Strelka

git clone https://github.com/target/strelka.git && \
cd strelka

Step 3: Download and install preferred yara rules (optional)

rm configs/python/backend/yara/rules.yara && \
git clone https://github.com/Yara-Rules/rules.git configs/python/backend/yara/rules/ && \
echo 'include "./rules/index.yar"' > configs/python/backend/yara/rules.yara

Step 4a: Pull precompiled images and start Strelka

Note: You can skip the go build process and use the Strelka UI at http://0.0.0.0:9980 to analyze files.

docker-compose -f build/docker-compose-no-build.yaml up -d && \
go build github.com/target/strelka/src/go/cmd/strelka-oneshot

Step 4b: Build and start Strelka

Note: You can skip the go build process and use the Strelka UI at http://0.0.0.0:9980 to analyze files.

docker-compose -f build/docker-compose.yaml build && \
docker-compose -f build/docker-compose.yaml up -d && \
go build github.com/target/strelka/src/go/cmd/strelka-oneshot

Step 5: Prepare a file to analyze

Use any malware sample, or other file you'd like Strelka to analyze.

wget https://github.com/ytisf/theZoo/raw/master/malware/Binaries/Win32.Emotet/Win32.Emotet.zip -P samples/

Step 6: Analyze the file with Strelka using the dockerized oneshot

./strelka-oneshot -f samples/Win32.Emotet.zip -l - | jq

What's happening here?

  1. Strelka determined that the submitted file was an encrypted ZIP (See: taste.yara backend.yaml)
  2. ScanEncryptedZip used a dictionary to crack the ZIP file password, and extract the compressed file
  3. The extracted file was sent back into the Strelka pipeline by the scanner, and Strelka determined that the extracted file was an EXE
  4. ScanPe dissected the EXE file and added useful metadata to the output
  5. ScanYara analyzed the EXE file, using the provided rules, and added numerous matches to the output, some indicating the file might be malicious

The following output has been edited for brevity.

{
  "file": {
    "depth": 0,
    "flavors": {
      "mime": ["application/zip"],
      "yara": ["encrypted_zip", "zip_file"]
    },
    "scanners": [
      "ScanEncryptedZip",
      "ScanEntropy",
      "ScanFooter",
      "ScanHash",
      "ScanHeader",
      "ScanYara",
      "ScanZip"
    ]
  },
  "scan": {
    "encrypted_zip": {
      "cracked_password": "infected",
      "elapsed": 0.114269,
      "total": {"extracted": 1, "files": 1}
    }
  }
}
{
  "file": {
    "depth": 1,
    "flavors": {
      "mime": ["application/x-dosexec"],
      "yara": ["mz_file"]
    },
    "name": "29D6161522C7F7F21B35401907C702BDDB05ED47.bin",
    "scanners": [
      "ScanEntropy",
      "ScanFooter",
      "ScanHash",
      "ScanHeader",
      "ScanPe",
      "ScanYara"
    ]
  },
  "scan": {
    "pe": {
      "address_of_entry_point": 5168,
      "base_of_code": 4096,
      "base_of_data": 32768,
      "checksum": 47465,
      "compile_time": "2015-03-31T08:53:51",
      "elapsed": 0.013076,
      "file_alignment": 4096,
      "file_info": {
        "company_name": "In CSS3",
        "file_description": "Note: In CSS3, the text-decoration property is a shorthand property for text-decoration-line, text-decoration-color, and text-decoration-style, but this is currently.",
        "file_version": "1.00.0065",
        "fixed": {"operating_systems": ["WINDOWS32"]},
        "internal_name": "Callstb",
        "original_filename": "NOFAstb.exe",
        "product_name": "Goodreads",
        "product_version": "1.00.0065",
        "var": {"character_set": "Unicode", "language": "U.S. English"}
      }
    },
    "yara": {
      "elapsed": 0.068918,
      "matches": [
        "SEH__vba",
        "SEH_Init",
        "Big_Numbers1",
        "IsPE32",
        "IsWindowsGUI",
        "HasOverlay",
        "HasRichSignature",
        "Microsoft_Visual_Basic_v50v60",
        "Microsoft_Visual_Basic_v50",
        "Microsoft_Visual_Basic_v50_v60",
        "Microsoft_Visual_Basic_v50_additional",
        "Microsoft_Visual_Basic_v50v60_additional"
      ],
      "tags": [
        "AntiDebug",
        "SEH",
        "Tactic_DefensiveEvasion",
        "Technique_AntiDebugging",
        "SubTechnique_SEH",
        "PECheck",
        "PEiD"
      ]
    }
  }
}

What's next?

If Strelka was deployed and ingesting files in your environment, you might be collecting these events in your SIEM. With this analysis, you could write a rule that looks for events matching the suspicious yara tags, alerting you to a potentially malicious file.

scan.yara.tags:("Technique_AntiDebugging" && "SubTechnique_SEH")

Fileshot UI

Strelka's UI is available when you build the provided containers. This web interface allows you to upload files to Strelka and capture the events, which are stored locally.

Navigate to http://localhost:9980/ and use the login strelka/strelka.

Strelka UI

Potential Uses

With over 50 file scanners for the most common file types (e.g., exe, docx, js, zip), Strelka provides users with the ability to gain new insights into files on their host, network, or enterprise. While Strelka is not a detection engine itself (although it does utilize YARA, it can provide enough metadata to identify suspicious or malicious files. Some potential uses for Strelka include:

Strelka Uses

Additional Documentation

More documentation about Strelka can be found in the README, including:

Contribute

Guidelines for contributing can be found here.

Known Issues

See issues labeled bug in the tracker for any potential known issues.

Related Projects

Licensing

Strelka and its associated code is released under the terms of the Apache 2.0 License.

Target Banner

More Repositories

1

goalert

Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert
Go
2,215
star
2

lorri

Your project's nix-env
Rust
990
star
3

matrixprofile-ts

A Python library for detecting patterns and anomalies in massive datasets using the Matrix Profile
Python
734
star
4

flottbot

A chatbot framework written in Go. All configurations are made in YAML files, or inside scripts written in your favorite language.
Go
335
star
5

halogen

Automatically create YARA rules from malicious documents.
Python
205
star
6

pod-reaper

Rule based pod killing kubernetes controller
Go
198
star
7

portauthority

API that leverages Clair to scan Docker Registries and Kubernetes Clusters for vulnerabilities
Go
151
star
8

huntlib

A Python library to help with some common threat hunting data analysis operations
Python
131
star
9

mmk-ui-api

UI, API, and Scanner (Rules Engine) services for Merry Maker
TypeScript
119
star
10

row-types

A Haskell library for open records and variants using closed type families and type literals
Haskell
112
star
11

data-validator

A tool to validate data, built around Apache Spark.
Scala
101
star
12

libdart

A High Performance, Network Optimized, JSON Library
C++
80
star
13

XCBBuildServiceProxy

A framework to create proxies for XCBBuildService, which allows for custom Xcode build integrations.
Swift
74
star
14

strelka-ui

Strelka Web UI for File Submission and Analysis
JavaScript
51
star
15

graphql-liftoff

Generate GraphQL schema language from API specifications and more
TypeScript
44
star
16

nix-fetchers

A set of morally pure fetching builtins for Nix.
Python
43
star
17

grease

Automated Scripting Engine For the Modern Age
Python
42
star
18

react-native-svg-parser

Parses SVG files and converts to 'react-native-svg' format objects. NOTE: This project has been archived.
JavaScript
42
star
19

theta-idl

Define communication protocols between applications using algebraic data types.
Haskell
41
star
20

Threat-Hunting

Detection of obfuscated Powershell commands
Jupyter Notebook
41
star
21

f5-bigip-cookbook

Chef cookbook for F5 Big IP
Ruby
37
star
22

winnaker

An audit tool that tests the whole system functionality of Spinnaker
Python
33
star
23

go-arty

Go client library for Artifactory and Xray
Go
31
star
24

captains-log

A continuous integration plugin that helps organize release information in slack
JavaScript
31
star
25

attack-navigator-docker

A simple Docker container that serves the MITRE ATT&CK Navigator web app
Makefile
26
star
26

POSSUM

Java
24
star
27

reuse

A simple Golang app to test TCP and SSL/TLS session reuse.
Go
22
star
28

karmabot

A karmabot for Slack
Python
21
star
29

lite-for-jdbc

Lightweight library to simplify JDBC database access
Kotlin
21
star
30

edge-mac-integrations

A collection scripts and API interactions used by Target to simplify the user experience and make Jamf Pro Self Service the one stop shop for access, peripherals, and software.
Shell
19
star
31

statsd-kafka-backend

A Statsd backend for sending metrics to Kafka
JavaScript
18
star
32

network_interfaces_v2-cookbook

Chef cookbook for managing network interfaces on Ubuntu, RHEL and Windows
Ruby
17
star
33

impeller

Manage Helm charts in Kubernetes clusters.
Go
15
star
34

table-model

Supercharge your datagrid with TableModel
JavaScript
15
star
35

REDstack

REDstack - Hadoop as a service on OpenStack
Python
15
star
36

secured-yarn-cluster-ansible

Ansible playbook for provisioning secured yarn cluster
Ruby
14
star
37

casper-auto-provisioning

Shell
13
star
38

jenkins-docker-master

Dockerfile for Jenkins master
Shell
12
star
39

native_memory_allocator

A Kotlin library providing a simple, high-performance way to use off-heap native memory in JVM applications.
Kotlin
10
star
40

sccmosd-refresh-multitool

A method to migrate from Windows 7 (w/ BIOS) to Windows 10 (w/ UEFI) In A Single Task Sequence
PowerShell
9
star
41

markdown-inject

Add file or command output to markdown documents.
TypeScript
9
star
42

jenkins-docker-nginx

Dockerfile for NGINX frontend to Jenkins
Shell
9
star
43

intellidiff

Kotlin
9
star
44

emoji_manager

Custom emoji management for Enterprise Slack users
Kotlin
8
star
45

cloudpunch

A framework to performance test OpenStack at scale
Python
8
star
46

boots_of_haste

This script parses through an Nmap XML file and sends requests through Burp for every open port.
Python
7
star
47

gelvedere

Cli to deploy a Jenkins master
Go
7
star
48

jenkins-docker-api

An API to manage containerized Jenkins masters
Go
6
star
49

sensu-go-goalert

Sensu Go GoAlert Handler
Go
6
star
50

cartster

Target Partner's Commerce Basket Transfer Example App
JavaScript
6
star
51

consensource-compose

INACTIVE REPO! Please visit github.com/target/consensource
Shell
5
star
52

consensource-database

Reporting database
Rust
5
star
53

consensource-processor

Transaction processor, smart contracts
Rust
5
star
54

pacemaker-cookbook

Chef cookbook for managing pacemaker on RHEL
Ruby
5
star
55

coldsalt

(THIS REPO HAS BEEN ARCHIVED) API test automation
Python
4
star
56

jupyter-git-extension

Extension that adds basic git functionality to the Jupyter Notebook UI
JavaScript
4
star
57

DataStoreExplorer

Kotlin
3
star
58

plugin-for-rundeck-to-execute-sap-modules

Rundeck plugin for connecting to SAP systems for triggering ABAP programs and process chains
Java
3
star
59

flottbot-docs

Documentation for flottbot
JavaScript
3
star
60

mmk-js-scope

Puppeteer worker for Merry Maker
TypeScript
3
star
61

consensource-docs

WIP: Docsite
CSS
3
star
62

consensource-sds

An event subscriber for publishing blockchain events to an off-chain reporting database
Rust
3
star
63

osx-edgelab

Python
2
star
64

pull-request-code-coverage

A continuous integration plugin to allow detecting code coverage for only the lines changed in a PR.
Go
2
star
65

mmk-types

JavaScript
2
star
66

woozie

An Emacs package for creating and validating Apache Oozie workflows
Emacs Lisp
2
star
67

consensource-cli

CLI for testing transactions and genesis
Rust
2
star
68

concatenated-barcode-parser

This library has logic to parse GS1-128 (Global Standard 1) concatenated barcode and return a list of parsed objects
Kotlin
2
star
69

hdp-cloud

Ruby
1
star
70

burndown-for-github-projects

TypeScript
1
star
71

setupcfg2nix

Generate nix expressions from setup.cfg for a python package.
Python
1
star
72

k-sim

A simple simulator trying to work through bottleneck/constraints theory as applied to a few simple Kafka topologies.
JavaScript
1
star
73

compiler-of-android-for-lona

The Android Compiler for Lona Design Systems
FreeMarker
1
star
74

token-manager-for-salesforce

Spring Boot library to make Salesforce API calls easy
Java
1
star
75

chatops-docs

Terms & Conditions for using Slack at Target
HTML
1
star
76

Schema-Check-filter-for-Logstash

(This repo is archived) Schema Check filter for Logstash
Ruby
1
star