{"id":36852709,"url":"https://github.com/codeyourweb/irma","last_synced_at":"2026-01-12T14:39:34.700Z","repository":{"id":52825829,"uuid":"325798695","full_name":"codeyourweb/irma","owner":"codeyourweb","description":"enpoint detection / live analysis \u0026 sandbox host / signatures quality test","archived":false,"fork":false,"pushed_at":"2021-04-22T20:48:59.000Z","size":2014,"stargazers_count":39,"open_issues_count":0,"forks_count":7,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-06-19T00:33:16.291Z","etag":null,"topics":["endpoint-detection-response","live-forensic","threat-hunting","yara-scanner"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/codeyourweb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-12-31T12:45:38.000Z","updated_at":"2024-04-06T13:18:43.000Z","dependencies_parsed_at":"2022-09-26T19:01:11.320Z","dependency_job_id":null,"html_url":"https://github.com/codeyourweb/irma","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/codeyourweb/irma","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeyourweb%2Firma","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeyourweb%2Firma/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeyourweb%2Firma/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeyourweb%2Firma/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/codeyourweb","download_url":"https://codeload.github.com/cod
eyourweb/irma/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeyourweb%2Firma/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28340403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T12:22:26.515Z","status":"ssl_error","status_checked_at":"2026-01-12T12:22:10.856Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["endpoint-detection-response","live-forensic","threat-hunting","yara-scanner"],"created_at":"2026-01-12T14:39:34.585Z","updated_at":"2026-01-12T14:39:34.683Z","avatar_url":"https://github.com/codeyourweb.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# IRMA - Incident Response - Minimal Analysis\n\n## What is this project designed for?\n_IRMA_ is a lightweight tool made for live forensics on Windows Platform. 
It is \nfocused on three use cases:\n* endpoint detection - live analysis, quarantine and eradication of malware on a workstation\n* live analysis \u0026 sandbox host - logging and instant notifications for the assessment of malware TTPs\n* signatures quality test - scan your endpoint baseline and check for false positives\n\n## How does IRMA scan for malware behaviour?\n_IRMA_ is intended to work with either user or administrator rights.\nBased on your user privileges it can:\n* use the YARA library to regularly scan the workstation's files and memory\n* search for execution context (parent process, registry key, scheduled task persistence)\nEvery suspicious behaviour can be logged to a text file, reported to the user, and/or eradicated.\n\n## What does it scan?\nCurrently, _IRMA_ is able to:\n* list running processes and log suspicious actions\n* list common persistence mechanisms (registry keys / scheduled tasks / startup folder links)\n* perform YARA scans on files and memory\n* dump / quarantine suspicious artefacts\n* spawn fake analysis processes to make the computer look like an analysis platform\n\n### Installation\nFeel free to download a compiled release of this software. If you want to compile \nfrom source, it can be a little tricky because it strongly depends on \n_go-yara_ and CGO compilation. You'll find detailed documentation [here](README.windows-compilation.md)\n\n### Usage\n```\nusage: irma [-h|--help] -c|--configuration \"\u003cvalue\u003e\" [-b|--builder \"\u003cvalue\u003e\"]\n\n            Incident Response - Minimal Analysis\n\nArguments:\n\n  -h  --help           Print help information\n  -c  --configuration  yaml configuration file\n  -b  --builder        create a standalone launcher executable with packed\n                       rules and configuration.\n```\n\n### Scan according to your needs\n_IRMA_ embeds a configuration file in order to define which files to scan, and \nwhere to scan them. 
\n\n```\nirma.exe -c configuration.yaml\n```\n\n### EDR, rules and configuration packing\n_IRMA_ builder mode lets you create a standalone, statically compiled, self-extracting \narchive. It contains the irma binary, configuration file, and signatures. Hence, this \nbinary can be deployed on any other system and launched without additional \nconfiguration.\n\n```\nirma.exe -c configuration.yaml -b irma-sfx-binary.exe\n```\n\n## About this project and future versions\nI undertook this project initially in order to learn Go. Then little by little \nI tried to understand how to use the Win32 API and finally to read the process \nmemory on a Windows system. Initially focused on system oriented live forensics, \nI plan to enhance _IRMA_ functionalities with network based detection \u0026 analysis.\n\nFurther versions may contain:\n* SNORT/Suricata rules analysis\n* Transfer of analysis results to a SIEM\n* Agent management platform - Command and control ability\n\nFeel free to ask for new features or create a pull request if you're interested in \nthis project.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodeyourweb%2Firma","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcodeyourweb%2Firma","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodeyourweb%2Firma/lists"}