{"id":13705980,"url":"https://github.com/sk4la/plast","last_synced_at":"2025-05-05T17:31:18.973Z","repository":{"id":133518283,"uuid":"140967394","full_name":"sk4la/plast","owner":"sk4la","description":"Modular command-line threat hunting tool \u0026 framework.","archived":false,"fork":false,"pushed_at":"2020-07-20T16:56:25.000Z","size":1095,"stargazers_count":17,"open_issues_count":1,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-11-13T13:39:21.192Z","etag":null,"topics":["apt","digital-forensics","framework","incident-response","ioc","python","python3","threat-hunting","yara"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sk4la.png","metadata":{"files":{"readme":"README.adoc","changelog":null,"contributing":"CONTRIBUTING.adoc","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-07-14T18:05:03.000Z","updated_at":"2024-09-21T12:38:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"d9c252e7-1d32-4192-8f85-24e290ce9992","html_url":"https://github.com/sk4la/plast","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sk4la%2Fplast","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sk4la%2Fplast/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sk4la%2Fplast/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sk4la%2Fplast/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sk4la","download_url":"https://codeload.github.com/sk4la/plast/tar.gz/refs/hea
ds/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252542252,"owners_count":21764934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apt","digital-forensics","framework","incident-response","ioc","python","python3","threat-hunting","yara"],"created_at":"2024-08-02T22:00:50.774Z","updated_at":"2025-05-05T17:31:18.582Z","avatar_url":"https://github.com/sk4la.png","language":"Python","funding_links":[],"categories":["Tools"],"sub_categories":[],"readme":"= +plast+ — Modular Threat Hunting Tool \u0026 Framework\nNelson (sk4la) \u003chttps://github.com/sk4la\u003e\n:imagesdir: ./resources/rendered\n:hide-uri-scheme:\n:uri-repo: https://github.com/sk4la/plast\n:uri-blob: {uri-repo}/blob/master\n:uri-license: {uri-blob}/LICENSE\n:uri-contrib: {uri-blob}/CONTRIBUTING.adoc\n:uri-python: https://www.python.org\n:uri-yara: https://virustotal.github.io/yara/\n:uri-framework: {uri-blob}/plast/framework\n\nimage:https://img.shields.io/badge/python-3.7-blue.svg[link={uri-python}] image:https://img.shields.io/badge/License-GPLv3-blue.svg[link={uri-license}]\n\nimage::logo.png[alt=plast, align=\"center\", width=60%, link={uri-repo}]\n\n`plast` (_\"Programme Libre d'Analyse STatique\"_ in french) is a command-line and heavily modular *threat-hunting tool*. 
It ships with several modules that process multiple data sources, trigger automatic action(s) upon detection and produce customized output.\n\nThe `plast` engine uses {uri-yara}[YARA] under the hood, driven through https://docs.python.org/3.7/library/multiprocessing.html[multiprocessing] tasks to perform rule-based detection on multiple types of input.\n\nThe main goal of the `plast` project is to provide an *efficient and effortless* way to detect https://en.wikipedia.org/wiki/indicator_of_compromise[indicators of compromise] during incident-response operations.\n\nIt provides a comprehensive framework that makes it easy to add functionality to the tool in just a few lines of code, without worrying about efficiency and scalability. `plast` embeds all referenced modules in one single tool, allowing it to be used in the field as a *standalone utility*.\n\n`plast` is entirely written in https://www.python.org/[Python 3], which makes it compatible with GNU/Linux, BSD and macOS systems. 
Nevertheless, some minimal dependencies are required.\n\nNote that running `plast` on Microsoft Windows operating systems is totally untested at the moment.\n\nimage::usage.png[alt=Usage, align=\"center\", link={uri-repo}]\n\nimage::flow.png[alt=Flow, align=\"center\", link={uri-repo}]\n\n== Getting Started\n\nFollow these steps to get a copy of the project up and running on a live system.\n\n=== Prerequisites\n\nInstall the latest https://www.python.org/[Python 3] environment (here using the Debian package management utility `apt`):\n\n[source,sh]\n----\napt install -y python3 python3-pip\n----\n\nIf you plan on building a development environment, you may also need to install the following package:\n\n[source,sh]\n----\napt install -y python3-venv\n----\n\nNote that modules have their own dependencies, which may not be listed here (the standard `plast` modules will always raise an error naming the missing libraries).\n\nAlso, if you plan on compiling hash-based YARA rules (rules that use YARA's `hash` module), you will need the https://www.openssl.org/[OpenSSL] development headers:\n\n[source,sh]\n----\napt install -y libssl-dev\n----\n\n=== Installation\n\nInstalling `plast` as a system-wide utility is as simple as:\n\n[source,sh]\n----\n./setup.py install\n----\n\nIt might be necessary to `chmod u+x setup.py` to be able to execute the `setup.py` file. A system-wide install usually requires root privileges; if you only need an isolated, disposable install, use the virtual environment described next.\n\nTo install a basic development environment, issue the following commands:\n\n[source,sh,subs=\"attributes\"]\n----\ngit clone {uri-repo}.git plast\ncd plast\npython3 -m venv .env\nsource .env/bin/activate\npip install --upgrade pip \u0026\u0026 pip install -r REQUIREMENTS\n----\n\n== Usage\n\nimage::usage.png[alt=Usage, align=\"center\", link={uri-repo}]\n\n=== Manual\n\nUse the following command to display the main help menu:\n\n[source,sh]\n----\nplast --help\n----\n\nEach `Pre` module also has a custom help menu that can be called like this (e.g. 
with the `raw` module):\n\n[source,sh]\n----\nplast raw --help\n----\n\n=== Basic examples\n\nThe following command recursively collects every file in the `case` directory, processes them using the `raw` module (which does nothing but feed the core engine) and feeds the match(es) to every registered `Callback` and `Post` module:\n\n[source,sh]\n----\nplast -ri case -o out raw\n----\n\nOne can choose which modules will be invoked during processing by setting the `--callbacks` and `--post` arguments accordingly:\n\n[source,sh]\n----\nplast -ri case --callbacks pineapple kiwi --post banana apple orange -o out raw\n----\n\nModules are called by their basename without extension (e.g. `banana` for `banana.py`). Disabled or non-existing modules will be ignored, so double-check the spelling of module names: a typo does not abort the run, that module is simply skipped.\n\nCustom `plast` modules dwell in the `framework.modules` package.\n\nNote that in cases like the one below, one may need to add a dummy `-` before the positional argument to stop the preceding list-based argument (`-i`) from swallowing it:\n\n[source,sh]\n----\nplast -o out -ri case - raw\n----\n\n=== Data type inference\n\nIf no positional argument is supplied, `plast` uses several techniques (based on magic numbers and MIME-type guessing) to infer the data type of the provided evidence(s).\n\nThis is useful when one does not know which preprocessing module to invoke when processing exotic evidence(s).\n\n[source,sh]\n----\nplast -i $CASES/sample.pdf -o out\n----\n\nSee more examples in {uri-contrib}[CONTRIBUTING.adoc].\n\n=== Adding YARA rulesets\n\nHmmm, https://virustotal.github.io/yara/[what's a YARA rule again?]\n\nYARA rulesets dwell in the `rulesets` directory. 
To add custom YARA rulesets, simply drop any `.yar` or `.yara` file(s) into this directory.\n\nCustom ruleset extensions can be added to the `YARA_EXTENSION_FILTERS` list in the `configuration.json` file.\n\nSee https://yara.readthedocs.io/en/v3.7.1/writingrules.html[this page] to learn how to write custom YARA rules.\n\n== Contributing\n\nEveryone is welcome to contribute to the project. I'll be glad to include community modules in the public repository.\n\nPlease refer to the instructions provided in {uri-contrib}[CONTRIBUTING.adoc] before submitting pull requests (PR) though.\n\n== Similar Projects\n\nThe motivation for creating `plast` was a lack of modular tools in the https://github.com/search?q=%23threat-hunting[#threat-hunting] field.\n\nSimilar projects exist though, including:\n\n* FireEye's IOC Finder (https://www.fireeye.com/services/freeware/ioc-finder.html): _\"The FireEye Indicators of Compromise (IOC) Finder is a free tool for collecting host system data and reporting the presence of IOCs.\"_\n* Nextron's Loki (https://github.com/Neo23x0/Loki): _\"LOKI is an open-source IOC and YARA scanner written in Python.\"_\n* ioc-finder (https://github.com/fhightower/ioc-finder)\n* ELAT (https://github.com/reed1713/ELAT)\n* FSF (https://github.com/EmersonElectricCo/fsf): _\"FSF is a modular, recursive file scanning solution. FSF enables analysts to extend the utility of the YARA signatures they write and define actionable intelligence within a file. This is accomplished by recursively scanning a file and looking for opportunities to extract file objects using a combination of YARA signatures (to define opportunities) and programmable logic (to define what to do with the opportunity). 
The framework allows you to build out your intelligence capability by empowering you to apply observations wrought out of the analytical process...\"_\n* Kaspersky's KLara (https://github.com/KasperskyLab/klara): _\"KLara project is aimed at helping Threat Intelligence researchers hunt for new malware using YARA.\"_\n* Laika BOSS (https://github.com/lmco/laikaboss): _\"Laika is an object scanner and intrusion detection system that strives to achieve scalability, flexibility and verbosity.\"_\n* malscan (https://github.com/usualsuspect/malscan): _\" `malscan` is a tool to scan process memory for YARA matches and execute Python scripts if a match is found. This is useful for extracting configurations from malware process memory for example.\"_\n* Spyre (https://github.com/DCSO/spyre): _\"Spyre is a simple YARA scanner, the main goal is easy operationalization of YARA rules. Comprehensive rule sets are not included. Spyre is intended to be used as an investigation tool by incident responders with an appropriate skill level. It is not meant to be used as any kind of endpoint protection service.\"_\n* stoQ (https://github.com/PUNCH-Cyber/stoq): _\"stoQ is an automation framework that helps to simplify the more mundane and repetitive tasks an analyst is required to do. It allows analysts and DevSecOps teams the ability to quickly transition from different data sources, databases, decoders/encoders, and numerous other tasks. stoQ was designed to be enterprise-ready and scalable, while also being lean enough for individual security researchers.\"_\n* yaraPCAP (https://github.com/kevthehermit/YaraPcap): _\"YARA scanner for IMAP feeds and saved streams.\"_\n* yextend (https://github.com/BayshoreNetworks/yextend): _\"YARA-integrated software to handle archive file data. `yextend` was written for the sake of augmenting YARA. YARA by itself is great but we realized that it could not natively handle archived content in the granular way that we needed it to. 
For instance, if we were hunting for malware and it happened to be buried a few levels into archived content, YARA in its native form could not help us. So what we have done is natively handle the inflation of archived content. And we pass the inflated content of each discovered resource to YARA so that it can work its magic natively on one file's payload. Then YARA does what it does quite well in terms of pattern matching and such based on a given set of rules.\"_\n* yaraprocessor (https://github.com/MITRECND/yaraprocessor): _\" `yaraprocessor` was originally written for Chopshop. Combined with Chopshop, it allows for dynamic scanning of payloads plucked from network packet capture. Historically, signature based tools operate over the entire PCAP file. With Chopshop and `yaraprocessor`, YARA can be run against individual packet payloads as well as a concatenation of some or all of the payloads. Ideally, this makes writing signatures easier. Check out the Chopshop module `yarashop` to see it in action!\"_\n\n== Versioning\n\nPlease refer to the current `git` repository to retrieve the latest version of the project.\n\n== Copyright \u0026 Licensing\n\nCopyright (c) 2018 Nelson (sk4la). Free use of this software is granted under the terms of the GNU GPLv3 license.\n\nSee the {uri-license}[LICENSE] file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsk4la%2Fplast","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsk4la%2Fplast","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsk4la%2Fplast/lists"}
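The README's "Data type inference" section says that, without a positional `Pre` module argument, `plast` picks a preprocessing module from magic numbers and MIME-type guessing, and its "Basic examples" section shows `-r` walking a case directory. The following is an added example written for this page, not code from the `plast` repository: it implements that decision in isolation so the dispatch can be inspected, and it extends the README's single `sample.pdf` case to a whole directory with a file whose extension lies about its contents. The signature table, the module names (`pdf`, `elf`, `zip`, `pe`, `raw`), the use of `raw` as the fallback and the sample evidence are all assumptions made for illustration.

```python
"""Magic-number-first data type inference for evidence files.

Added example, not plast's own code. It mirrors what plast's README
describes (magic numbers first, MIME-type guessing second) so the
dispatch decision can be inspected on its own. The signature table,
the module names and the "raw" fallback are assumptions.
"""
import mimetypes
import tempfile
from pathlib import Path

# Constructed signature table: leading bytes -> (MIME type, preprocessing module).
# Header bytes are consulted before the file name because whoever staged the
# evidence controls its extension, not the container format it has to keep.
MAGIC_SIGNATURES = (
    (b"%PDF-", "application/pdf", "pdf"),
    (b"\x7fELF", "application/x-elf", "elf"),
    (b"PK\x03\x04", "application/zip", "zip"),
    (b"MZ", "application/x-msdownload", "pe"),
)

# Extension-derived MIME types that still map to a module when no magic matched.
MIME_MODULES = {
    "application/pdf": "pdf",
    "application/zip": "zip",
    "text/plain": "raw",
}

FALLBACK_MODULE = "raw"  # assumption: unknown data is fed to the engine untouched

# Private table: the process-wide mimetypes database may also read /etc/mime.types,
# which would make results depend on the host; a fresh instance uses the built-in table only.
_MIME_DB = mimetypes.MimeTypes()


def sniff_magic(header: bytes):
    """Return (mime, module) for the first matching signature, else None."""
    for magic, mime, module in MAGIC_SIGNATURES:
        if header.startswith(magic):
            return mime, module
    return None


def infer_module(path: Path) -> dict:
    """Decide which preprocessing module should receive ``path``."""
    with path.open("rb") as fh:
        header = fh.read(16)
    by_magic = sniff_magic(header)
    by_name, _ = _MIME_DB.guess_type(path.name)
    if by_magic is not None:
        mime, module, source = by_magic[0], by_magic[1], "magic"
    elif by_name in MIME_MODULES:
        mime, module, source = by_name, MIME_MODULES[by_name], "mime"
    else:
        mime, module, source = None, FALLBACK_MODULE, "fallback"
    return {
        "name": path.name,
        "mime": mime,
        "module": module,
        "source": source,
        # Flag evidence whose extension disagrees with its header: worth a closer look.
        "extension_mismatch": by_magic is not None and by_name not in (None, by_magic[0]),
    }


def scan_case(root: Path) -> dict:
    """Recursively walk ``root`` (like ``plast -r``) and classify every regular file."""
    return {p.relative_to(root).as_posix(): infer_module(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_case(root: Path) -> Path:
    """Write constructed sample evidence (not real malware) into ``root``."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    (root / "docs" / "notes.txt").write_bytes(b"plain text, no magic number\n")
    # A DOS/PE header stub saved with a .pdf extension: the extension lies.
    (root / "invoice.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "blob.evidence").write_bytes(b"\x00\x01\x02\x03 unknown format")
    return root


def run_demo() -> dict:
    """Build the constructed case in a temp dir, scan it and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_case(build_sample_case(Path(tmp) / "case"))


if __name__ == "__main__":
    for name, info in run_demo().items():
        flag = "  <-- extension mismatch" if info["extension_mismatch"] else ""
        print(f"{name:20} -> {info['module']:4} ({info['source']}){flag}")
```

The ordering is the point: `invoice.pdf` is routed to the `pe` module because its header wins over its name, and the `extension_mismatch` flag makes that disagreement visible instead of burying it. Files with no recognisable header and no useful extension go to the `raw` fallback, which matches the README's description of `raw` as the module that only feeds the engine.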