{"id":20571535,"url":"https://github.com/circl/factual-rules-generator","last_synced_at":"2025-04-14T17:07:12.549Z","repository":{"id":114094360,"uuid":"366386288","full_name":"CIRCL/factual-rules-generator","owner":"CIRCL","description":"Factual-rules-generator is an open source project which aims to generate YARA rules about installed software from a machine.","archived":false,"fork":false,"pushed_at":"2022-01-18T10:05:51.000Z","size":3357,"stargazers_count":76,"open_issues_count":0,"forks_count":6,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-14T17:07:01.435Z","etag":null,"topics":["computer-forensics","dfir","yara","yara-rules"],"latest_commit_sha":null,"homepage":"https://circl.github.io/factual-rules-generator/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CIRCL.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-05-11T13:10:52.000Z","updated_at":"2024-11-03T18:34:00.000Z","dependencies_parsed_at":"2023-06-12T17:02:42.460Z","dependency_job_id":null,"html_url":"https://github.com/CIRCL/factual-rules-generator","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Ffactual-rules-generator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Ffactual-rules-generator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Ffactual-rules-generator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%
2Ffactual-rules-generator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CIRCL","download_url":"https://codeload.github.com/CIRCL/factual-rules-generator/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248923766,"owners_count":21183953,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["computer-forensics","dfir","yara","yara-rules"],"created_at":"2024-11-16T05:16:30.044Z","updated_at":"2025-04-14T17:07:12.515Z","avatar_url":"https://github.com/CIRCL.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# factual-rules-generator\n\nFactual-rules-generator is an open source project which aims to generate [YARA rules](https://github.com/CIRCL/factual-rules) about installed software from a running operating system.\n\nThe goal of the software is to be able to use a set of rules against collected or acquired digital forensic evidence and find installed software in a timely fashion.\n\nThe software can be used to baseline known software from Windows systems and create a set of rules for finding similar installations on other systems.\n\n## Dependencies\n\n- pefile\n- psutil\n- ndjson\n- python-tlsh\n\n- [PyInstaller](https://pyinstaller.readthedocs.io/en/stable/) (to convert client.py to client.exe)\n\n- ssdeep\n  - On [Ubuntu](https://python-ssdeep.readthedocs.io/en/latest/installation.html#install-on-ubuntu-16-04):\n    - `sudo apt-get install build-essential libffi-dev python3 python3-dev python3-pip libfuzzy-dev`\n    - `pip install ssdeep`\n\n## 
Tool requirements\n\nSome tools are required on the host operating system; some are standard Unix tools and some are additional ones:\n\n- xxd\n- curl\n\nFor the Windows virtual machine, the following software is required to be installed:\n\n- [SDelete](https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete)\n- [AsA (AttackSurfaceAnalyzer)](https://github.com/microsoft/AttackSurfaceAnalyzer)\n\n## Install\n\n- Install all Python dependencies defined in [requirements.txt](https://github.com/CIRCL/factual-rules-generator/blob/main/requirements.txt)\n- Create a shared folder to communicate with the VM\n- Install a Windows VM\n    - Install [chocolatey](https://docs.chocolatey.org/en-us/choco/setup) on the Windows VM\n    - Complete `bin/OnWindows/Varclient.py`\n    - Convert `bin/OnWindows/client.py` into an executable file with [PyInstaller](https://pyinstaller.readthedocs.io/en/stable/) and put it in the startup folder\n- Update `etc/allVariables.py` to match your desired configuration\n\nIn `test/` [some examples](https://github.com/CIRCL/factual-rules-generator/blob/main/test/app.txt) of software to install are given; the following specific format is required:\n\n- First, before `:`, the name of the package to install using [chocolatey](https://community.chocolatey.org/packages), or the name of the file in the case of an msi or exe file.\n- Second, after `:`, the name of the exe to extract and run (without extension).\n- The second part, after `,`, follows the same scheme: the word `installer` first and, after `:`, the type of installer:\n  - choco\n  - msiexec\n  - exe\n- Finally, the third part: `uninstaller` followed by `:` and the uninstaller type (choco, msiexec or exe)\n\n## Run and generate the rules\n\n- `bin/Generator.py` is the only script to run; don't forget to update `etc/allVariables.py` (critical step).\n\n## Public YARA rules repository\n\n- [factual-rules](https://github.com/CIRCL/factual-rules) - Sample rules generated from some very common 
software.\n\n## Overview of factual rules generator \n\n![Factual rules generator - workflow](https://github.com/CIRCL/factual-rules-generator/blob/main/img/StructureAutoGene.png?raw=true)\n\n## License\n\n~~~\n    Factual-rules-generator is an open source project which aims to generate YARA rules about installed software from a machine. \n\n    Copyright (C) 2021-2022 David Cruciani\n    Copyright (C) 2021-2022 CIRCL - Computer Incident Response Center Luxembourg\n\n    This program is free software: you can redistribute it and/or modify\n    it under the terms of the GNU Affero General Public License as published by\n    the Free Software Foundation, either version 3 of the License, or\n    (at your option) any later version.\n\n    This program is distributed in the hope that it will be useful,\n    but WITHOUT ANY WARRANTY; without even the implied warranty of\n    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n    GNU Affero General Public License for more details.\n\n    You should have received a copy of the GNU Affero General Public License\n    along with this program.  If not, see \u003chttp://www.gnu.org/licenses/\u003e.\n~~~\n\n\n\n\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcircl%2Ffactual-rules-generator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcircl%2Ffactual-rules-generator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcircl%2Ffactual-rules-generator/lists"}