{"id":29631407,"url":"https://github.com/dobin/detonator","last_synced_at":"2026-02-06T13:04:04.922Z","repository":{"id":301744190,"uuid":"1010064266","full_name":"dobin/detonator","owner":"dobin","description":"Orchestrate detonating your MalDev in VMs with different EDRs to see their detection surface. ","archived":false,"fork":false,"pushed_at":"2026-01-17T20:24:16.000Z","size":1351,"stargazers_count":13,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-17T22:07:23.600Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://detonator.r00ted.ch","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dobin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-28T09:08:28.000Z","updated_at":"2026-01-17T20:24:19.000Z","dependencies_parsed_at":"2026-01-04T23:03:12.095Z","dependency_job_id":null,"html_url":"https://github.com/dobin/detonator","commit_stats":null,"previous_names":["dobin/detonator"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/dobin/detonator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Fdetonator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Fdetonator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Fdetonator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
dobin%2Fdetonator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dobin","download_url":"https://codeload.github.com/dobin/detonator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Fdetonator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29162145,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T12:44:37.655Z","status":"ssl_error","status_checked_at":"2026-02-06T12:44:13.991Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-07-21T11:38:02.051Z","updated_at":"2026-02-06T13:04:04.915Z","avatar_url":"https://github.com/dobin.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Detonator\n\nOrchestrate detonating your MalDev in VMs with different EDRs to see their detection surface. \n\nDetonator provides a Web and REST interface for [DetonatorAgents](https://github.com/dobin/DetonatorAgent). It lets you choose one of your VMs with an installed EDR to execute your\nmalware or initial access chain, and see what detections occur. \n\nYou can freely use it on [detonator.r00ted.ch](https://detonator.r00ted.ch). \n\n\n## Installation\n\nFirst, install and set up [DetonatorAgent](https://github.com/dobin/DetonatorAgent) \non your analysis VM. 
I assume it's localhost:\n\n```bash\n# Test if DetonatorAgent is reachable\n$ curl http://127.0.0.1:8080/api/lock/status\n{\"in_use\":false}\n```\n\nInstall the Python dependencies:\n\n```bash\n# Install Poetry\n$ apt install python3-poetry\n\n# Install dependencies\n$ poetry install\n```\n\nCreate `profiles_init.yaml` (e.g. by copying `profiles_init.yaml.sample`) \nand configure it something like: \n\n```yaml\nlocaldetonator:\n  type: Live\n  comment: My First Detonator VM\n  port: 8080\n  vm_ip: 127.0.0.1\n```\n\nThen create the DB:\n\n```bash\n# Create DB\n$ poetry run python migrate_profiles_yaml.py\n```\n\nAnd run the server:\n\n```bash\n$ poetry run python -m detonator\n```\n\nAccess the web interface on `http://localhost:5000`. \nThe REST API is at `http://localhost:8000`. \n\n\n## Usage\n\nTo submit a file on the previously configured `localdetonator`:\n\n```bash\n$ poetry run python -m detonatorcmd submission sample.exe --profile localdetonator\nFile ID: 1, Submission ID: 1\n.........................\nSubmission Result: not_detected\n```\n\nAll the gathered data:\n\n```bash\n$ curl http://localhost:8000/api/submissions/1 | jq\n{\n  \"id\": 1,\n  \"file_id\": 1,\n  \"profile_id\": 2,\n  \"project\": \"\",\n  \"comment\": \"\",\n  \"runtime\": 10,\n  \"drop_path\": \"\",\n  \"execution_mode\": \"exec\",\n  \"server_logs\": \"[2025-12-25T15:54:19.106464] DB: Submission created\\n...\",\n  \"status\": \"finished\",\n  \"user\": \"admin\",\n  \"agent_logs\": \"[2025-12-25 15:54:39.306 UTC] information: Exec: Execute request received for file: 74As_U3lf_mimikatz.exe\\n...\",\n  \"process_output\": \"\",\n  \"rededr_events\": null,\n  \"rededr_logs\": null,\n  \"edr_verdict\": \"detected\",\n  \"vm_instance_name\": null,\n  \"vm_ip_address\": null,\n  \"alerts\": [\n    {\n      \"id\": 2,\n      \"alert_id\": \"{2A4B3551-632C-4CB6-8363-553BF2B43FFB}\",\n      \"source\": \"Defender Local Plugin\",\n      \"title\": \"HackTool:Win32/Mimikatz!pz\",\n      \"severity\": \"High\",\n      
\"category\": \"Tool\",\n      \"detection_source\": \"Real-Time Protection\",\n      \"detected_at\": \"2025-12-25T15:54:39.617000\",\n      \"created_at\": \"2025-12-25T15:54:49.880929\"\n    }\n  ],\n  \"file\": {\n    \"filename\": \"74As_U3lf_mimikatz.exe\",\n    \"source_url\": \"\",\n    \"comment\": \"\",\n    \"exec_arguments\": \"\",\n    \"user\": \"admin\",\n    \"created_at\": \"2025-12-25T15:54:19.090903\",\n    \"id\": 14,\n    \"file_hash\": \"61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1\"\n  },\n  \"profile\": {...},\n  \"created_at\": \"2025-12-25T15:54:19.106841\",\n  \"updated_at\": \"2025-12-25T15:54:52.415311\",\n  \"completed_at\": \"2025-12-25T15:54:49.896003\"\n}\n```\n\n\n## Architecture\n\nYou can use Detonator in three different setups: \n* **Live**: The simplest, just attach a running DetonatorAgent instance\n* **Proxmox**: Using Proxmox to revert VMs to their snapshots\n* **Azure**: Instantiate new VM for each submission (experimental)\n\n## Setup Guides\n\nMore documentation:\n* [Configure with reverse proxy](https://github.com/dobin/detonator/doc/setup-reverseproxy.md)\n* [Configure MDE log gathering](https://github.com/dobin/detonator/doc/gather-mde.md)\n* [Integrating with Proxmox](https://github.com/dobin/detonator/doc/setup-proxmox.md) (stable)\n* [Integrating with Azure](https://github.com/dobin/detonator/doc/setup-azure.md) (experimental)\n* [Overview](https://github.com/dobin/detonator/doc/overview) of code architecture (mostly Claude generated. Probably obsolete)\n\n\n## Other EDRs than Defender/MDE\n\nOnly Defender/MDE is supported currently. \n\nThere are two ways to get the EDR data: \n* Local log events gathered by DetonatorAgent, and then parsed by Detonator\n* Cloud log events gathered by Detonator\n\nTo implement your own EDR, consult: \n* [Implementing a new EDR](https://github.com/dobin/detonator/doc/implement-edr.md). 
\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Fdetonator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdobin%2Fdetonator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Fdetonator/lists"}