{"id":13539736,"url":"https://github.com/target/strelka","last_synced_at":"2025-05-13T17:58:33.810Z","repository":{"id":37686588,"uuid":"149654117","full_name":"target/strelka","owner":"target","description":"Real-time, container-based file scanning at enterprise scale","archived":false,"fork":false,"pushed_at":"2025-04-16T23:00:43.000Z","size":30529,"stargazers_count":918,"open_issues_count":15,"forks_count":122,"subscribers_count":40,"default_branch":"master","last_synced_at":"2025-05-13T01:55:22.575Z","etag":null,"topics":["cfc","detection","golang","python3","security","target-cfc","yara"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/target.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-20T18:38:12.000Z","updated_at":"2025-05-11T09:41:51.000Z","dependencies_parsed_at":"2024-01-29T17:14:13.773Z","dependency_job_id":"1dcd8a06-411e-4866-a380-4c8f392f13db","html_url":"https://github.com/target/strelka","commit_stats":{"total_commits":1177,"total_committers":49,"mean_commits":"24.020408163265305","dds":0.5921835174171624,"last_synced_commit":"3439953e6aa2dafb68ea73c3977da11f87aeacdf"},"previous_names":[],"tags_count":33,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/target%2Fstrelka","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/target%2Fstrelka/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t
arget%2Fstrelka/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/target%2Fstrelka/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/target","download_url":"https://codeload.github.com/target/strelka/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253999802,"owners_count":21997336,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cfc","detection","golang","python3","security","target-cfc","yara"],"created_at":"2024-08-01T09:01:31.106Z","updated_at":"2025-05-13T17:58:33.801Z","avatar_url":"https://github.com/target.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"8f92ead9997a4b68d06a9acf9b01ef63\"\u003e\u003c/a\u003eScanner\u0026\u0026Security Scanning\u0026\u0026App Scanning\u0026\u0026Vulnerability Scanning","Point-of-use validations","Tools","File Analysis","\u003ca id=\"132036452bfacf61471e3ea0b7bf7a55\"\u003e\u003c/a\u003eTools","Blue Team"],"sub_categories":["\u003ca id=\"de63a029bda6a7e429af272f291bb769\"\u003e\u003c/a\u003eUncategorized-Scanner","Vulnerability information exchange","Threat Hunting"],"readme":"\u003ch1 align=\"center\"\u003e\n  \u003cimg src=\"./misc/assets/strelka_banner.png\" alt=\"Strelka Banner\" /\u003e\n\u003c/h1\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[Releases][release]\u0026nbsp;\u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp;\u0026nbsp;[Documentation][wiki]\u0026nbsp;\u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp;\u0026nbsp;[Pull Requests][pr]\u0026nbsp;\u0026nbsp;\u0026nbsp;|\u0026nbsp;\u0026nbsp;\u0026nbsp;[Issues][issues]\n\n[![GitHub release][img-version-badge]][repo] [![Build Status][img-actions-badge]][actions-ci] [![Pull Requests][img-pr-badge]][pr] [![Slack][img-slack-badge]][slack]  [![License][img-license-badge]][license]\n\n\u003c/div\u003e\n\nStrelka is a real-time, container-based file scanning system used for threat hunting, threat detection, and incident response. Originally based on the design established by Lockheed Martin's [Laika BOSS](https://github.com/lmco/laikaboss) and similar projects (see: [related projects](#related-projects)), Strelka's purpose is to perform file extraction and metadata collection at enterprise scale.\n\nStrelka differs from its sibling projects in a few significant ways:\n* Core codebase is Go and Python 3.10+\n* Server components run in containers for ease and flexibility of deployment\n* OS-native client applications for Windows, Mac, and Linux\n* Built using [libraries and formats](#architecture) that allow cross-platform, cross-language support\n\n## Features\nStrelka is a modular data scanning platform, allowing users or systems to submit files for the purpose of analyzing, extracting, and reporting file content and metadata. Coupled with a [SIEM](https://en.wikipedia.org/wiki/Security_information_and_event_management), Strelka is able to aggregate, alert, and provide analysts with the capability to better understand their environment without having to perform direct data gathering or time-consuming file analysis.\n\n![Strelka Features](./misc/assets/strelka_features.png)\n\n## Quickstart\n\nRunning a file through Strelka is simple.\n
In this section, Strelka's extraction and analysis capabilities are demonstrated on a single file.\n\n*Please review the [documentation](https://target.github.io/strelka/) for details on how to properly build and deploy Strelka in an enterprise environment.*\n\n#### Step 1: Install prerequisites\n\n```bash\n# Ubuntu 23.04\nsudo apt install -y wget git docker docker-compose golang jq \u0026\u0026 \\\nsudo usermod -aG docker $USER \u0026\u0026 \\\nnewgrp docker\n```\n\n**Note**: The commands below use the Compose v2 plugin syntax (`docker compose`). If your installation only provides the v1 `docker-compose` binary, substitute `docker-compose` for `docker compose`.\n\n#### Step 2: Download Strelka\n\n```bash\ngit clone https://github.com/target/strelka.git \u0026\u0026 \\\ncd strelka\n```\n\n#### Step 3: Download and install preferred YARA rules (optional)\n\n```bash\nrm configs/python/backend/yara/rules.yara \u0026\u0026 \\\ngit clone https://github.com/Yara-Rules/rules.git configs/python/backend/yara/rules/ \u0026\u0026 \\\necho 'include \"./rules/index.yar\"' \u003e configs/python/backend/yara/rules.yara\n```\n\n#### Step 4a: Pull precompiled images and start Strelka\n**Note**: You can skip the `go build` process and use the `Strelka UI` at `http://0.0.0.0:9980` to analyze files.\n\n```bash\ndocker compose -f build/docker-compose-no-build.yaml up -d \u0026\u0026 \\\ngo build github.com/target/strelka/src/go/cmd/strelka-oneshot\n```\n\n#### Step 4b: Build and start Strelka\n**Note**: You can skip the `go build` process and use the `Strelka UI` at `http://0.0.0.0:9980` to analyze files.\n\n```bash\ndocker compose -f build/docker-compose.yaml build \u0026\u0026 \\\ndocker compose -f build/docker-compose.yaml up -d \u0026\u0026 \\\ngo build github.com/target/strelka/src/go/cmd/strelka-oneshot\n```\n\n#### Step 5: Prepare a file to analyze\n\nUse any malware sample, or other file you'd like Strelka to analyze. The theZoo archive below contains live malware inside a password-protected ZIP; download and handle it only on an isolated analysis host.\n\n```bash\nwget https://github.com/ytisf/theZoo/raw/master/malware/Binaries/Win32.Emotet/Win32.Emotet.zip -P samples/\n```\n\n#### Step 6: Analyze the file with Strelka using the oneshot client built in step 4\n\n```bash\n./strelka-oneshot -f samples/Win32.Emotet.zip -l - | jq\n```\n\n#### What's happening here?\n\n1. Strelka determined that the submitted file was an encrypted ZIP (see: [taste.yara](configs/python/backend/taste/taste.yara) and [backend.yaml](configs/python/backend/backend.yaml))\n2. [ScanEncryptedZip](src/python/strelka/scanners/scan_encrypted_zip.py) used a dictionary to crack the ZIP file password and extract the compressed file\n3. The scanner sent the extracted file back into the Strelka pipeline, and Strelka determined that it was an EXE\n4. [ScanPe](src/python/strelka/scanners/scan_pe.py) dissected the EXE file and added useful metadata to the output\n5. [ScanYara](src/python/strelka/scanners/scan_yara.py) analyzed the EXE file using the provided rules and added numerous matches to the output, some indicating the file might be malicious\n\n*The following output has been edited for brevity.*\n\n```json\n{\n  \"file\": {\n    \"depth\": 0,\n    \"flavors\": {\n      \"mime\": [\"application/zip\"],\n      \"yara\": [\"encrypted_zip\", \"zip_file\"]\n    },\n    \"scanners\": [\n      \"ScanEncryptedZip\",\n      \"ScanEntropy\",\n      \"ScanFooter\",\n      \"ScanHash\",\n      \"ScanHeader\",\n      \"ScanYara\",\n      \"ScanZip\"\n    ]\n  },\n  \"scan\": {\n    \"encrypted_zip\": {\n      \"cracked_password\": \"infected\",\n      \"elapsed\": 0.114269,\n      \"total\": {\"extracted\": 1, \"files\": 1}\n    }\n  }\n}\n```\n```json\n{\n  \"file\": {\n    \"depth\": 1,\n    \"flavors\": {\n      \"mime\": [\"application/x-dosexec\"],\n      \"yara\": [\"mz_file\"]\n    },\n    \"name\": \"29D6161522C7F7F21B35401907C702BDDB05ED47.bin\",\n    \"scanners\": [\n      \"ScanEntropy\",\n      \"ScanFooter\",\n      \"ScanHash\",\n      \"ScanHeader\",\n      \"ScanPe\",\n      \"ScanYara\"\n    ]\n  },\n  \"scan\": {\n    \"pe\": {\n      \"address_of_entry_point\": 5168,\n      \"base_of_code\": 4096,\n      \"base_of_data\": 32768,\n      \"checksum\": 47465,\n 
     \"compile_time\": \"2015-03-31T08:53:51\",\n      \"elapsed\": 0.013076,\n      \"file_alignment\": 4096,\n      \"file_info\": {\n        \"company_name\": \"In CSS3\",\n        \"file_description\": \"Note: In CSS3, the text-decoration property is a shorthand property for text-decoration-line, text-decoration-color, and text-decoration-style, but this is currently.\",\n        \"file_version\": \"1.00.0065\",\n        \"fixed\": {\"operating_systems\": [\"WINDOWS32\"]},\n        \"internal_name\": \"Callstb\",\n        \"original_filename\": \"NOFAstb.exe\",\n        \"product_name\": \"Goodreads\",\n        \"product_version\": \"1.00.0065\",\n        \"var\": {\"character_set\": \"Unicode\", \"language\": \"U.S. English\"}\n      }\n    },\n    \"yara\": {\n      \"elapsed\": 0.068918,\n      \"matches\": [\n        \"SEH__vba\",\n        \"SEH_Init\",\n        \"Big_Numbers1\",\n        \"IsPE32\",\n        \"IsWindowsGUI\",\n        \"HasOverlay\",\n        \"HasRichSignature\",\n        \"Microsoft_Visual_Basic_v50v60\",\n        \"Microsoft_Visual_Basic_v50\",\n        \"Microsoft_Visual_Basic_v50_v60\",\n        \"Microsoft_Visual_Basic_v50_additional\",\n        \"Microsoft_Visual_Basic_v50v60_additional\"\n      ],\n      \"tags\": [\n        \"AntiDebug\",\n        \"SEH\",\n        \"Tactic_DefensiveEvasion\",\n        \"Technique_AntiDebugging\",\n        \"SubTechnique_SEH\",\n        \"PECheck\",\n        \"PEiD\"\n      ]\n    }\n  }\n}\n```\n\n#### What's next?\n\nIf Strelka was deployed and ingesting files in your environment, you might be collecting these events in your SIEM. With this analysis, you could write a rule that looks for events matching the suspicious yara tags, alerting you to a potentially malicious file.\n\n```\nscan.yara.tags:(\"Technique_AntiDebugging\" \u0026\u0026 \"SubTechnique_SEH\")\n```\n\n## Fileshot UI\n\n[Strelka's UI](https://github.com/target/strelka-ui) is available when you build the provided containers. 
This web interface allows you to upload files to Strelka and capture the events, which are stored locally.\n\nNavigate to http://localhost:9980/ and log in with the default credentials strelka/strelka (change these before exposing the UI beyond localhost).\n\n![Strelka UI](docs/images/strelka-ui-018.gif)\n\n## Potential Uses\nWith over 50 file scanners for the most common file types (e.g., exe, docx, js, zip), Strelka provides users with the ability to gain new insights into files on their host, network, or enterprise. While Strelka *is not* a detection engine itself (although it does utilize [YARA](https://virustotal.github.io/yara/)), it can provide enough metadata to identify suspicious or malicious files. Some potential uses for Strelka include:\n\n![Strelka Uses](./misc/assets/strelka_uses.png)\n\n## Additional Documentation\nMore documentation about Strelka can be found on the [documentation site](https://target.github.io/strelka/), including:\n- [Installation](https://target.github.io/strelka/#/?id=installation)\n- [Deployment](https://target.github.io/strelka/#/?id=deployment)\n- [Design](https://target.github.io/strelka/#/?id=design)\n- [Architecture](https://target.github.io/strelka/#/?id=architecture)\n- [FAQ](https://target.github.io/strelka/#/?id=frequently-asked-questions)\n\n## Contribute\nGuidelines for contributing can be found [here](https://github.com/target/strelka/blob/master/CONTRIBUTING.md).\n\n## Known Issues\n\n### Issues with Loading YARA Rules\nUsers are advised to precompile their YARA rules for optimal performance and to avoid potential issues at runtime. Using precompiled YARA files reduces load time and resource usage, especially in environments with a large set of rules. Use the [compiled option in the Strelka configuration](https://github.com/target/strelka/blob/master/configs/python/backend/backend.yaml) to point to the precompiled rules file.
\n\n### Other Issues\nSee [issues labeled `bug`](https://github.com/target/strelka/issues?q=is%3Aissue+is%3Aopen+label%3Abug) in the tracker for any additional issues.\n\n## Related Projects\n* [Laika BOSS](https://github.com/lmco/laikaboss)\n* [File Scanning Framework](https://github.com/EmersonElectricCo/fsf)\n* [Assemblyline](https://cybercentrecanada.github.io/assemblyline4_docs/)\n\n## Licensing\nStrelka and its associated code is released under the terms of the [Apache 2.0 License](https://github.com/target/strelka/blob/master/LICENSE).\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"./misc/assets/target_banner.png\" alt=\"Target Banner\" /\u003e\n\u003c/div\u003e\n\n\u003c!--\nLinks\n--\u003e\n[release]:https://github.com/target/strelka/releases/latest \"Strelka Latest Release ➶\"\n[issues]:https://github.com/target/strelka/issues \"Strelka Issues ➶\"\n[pull-requests]:https://github.com/target/strelka/pulls \"Strelka Pull Requests ➶\"\n[wiki]:https://target.github.io/strelka/#/ \"Strelka Documentation ➶\"\n[repo]:https://github.com/target/strelka \"Strelka Repository ➶\"\n[slack]:https://join.slack.com/t/cfc-open-source/shared_invite/zt-e54crchh-a6x4iDy18D5lVwFKQoEeEQ \"Slack (external link) ➶\"\n[actions-ci]:https://github.com/target/strelka/actions/workflows/build_strelka_nightly.yml \"Github Actions ➶\"\n[pr]:https://github.com/target/strelka/pulls \"Strelka Pull Requests ➶\"\n[license]:https://github.com/target/strelka/blob/master/LICENSE \"Strelka License File ➶\"\n[docker]:https://www.docker.com/ \"Docker (external link) 
➶\"\n\n\u003c!--\nBadges\n--\u003e\n[img-version-badge]:https://img.shields.io/github/release/target/strelka.svg?style=for-the-badge\n[img-slack-badge]:https://img.shields.io/badge/slack-join-red.svg?style=for-the-badge\u0026logo=slack\n[img-actions-badge]:https://img.shields.io/github/actions/workflow/status/target/strelka/build_strelka_nightly.yml?branch=master\u0026style=for-the-badge\n[img-pr-badge]:https://img.shields.io/badge/PRs-welcome-orange.svg?style=for-the-badge\u0026logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c3ZnIGlkPSJzdmcyIiB3aWR0aD0iNjQ1IiBoZWlnaHQ9IjU4NSIgdmVyc2lvbj0iMS4wIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPiA8ZyBpZD0ibGF5ZXIxIj4gIDxwYXRoIGlkPSJwYXRoMjQxNyIgZD0ibTI5Ny4zIDU1MC44N2MtMTMuNzc1LTE1LjQzNi00OC4xNzEtNDUuNTMtNzYuNDM1LTY2Ljg3NC04My43NDQtNjMuMjQyLTk1LjE0Mi03Mi4zOTQtMTI5LjE0LTEwMy43LTYyLjY4NS01Ny43Mi04OS4zMDYtMTE1LjcxLTg5LjIxNC0xOTQuMzQgMC4wNDQ1MTItMzguMzg0IDIuNjYwOC01My4xNzIgMTMuNDEtNzUuNzk3IDE4LjIzNy0zOC4zODYgNDUuMS02Ni45MDkgNzkuNDQ1LTg0LjM1NSAyNC4zMjUtMTIuMzU2IDM2LjMyMy0xNy44NDUgNzYuOTQ0LTE4LjA3IDQyLjQ5My0wLjIzNDgzIDUxLjQzOSA0LjcxOTcgNzYuNDM1IDE4LjQ1MiAzMC40MjUgMTYuNzE0IDYxLjc0IDUyLjQzNiA2OC4yMTMgNzcuODExbDMuOTk4MSAxNS42NzIgOS44NTk2LTIxLjU4NWM1NS43MTYtMTIxLjk3IDIzMy42LTEyMC4xNSAyOTUuNSAzLjAzMTYgMTkuNjM4IDM5LjA3NiAyMS43OTQgMTIyLjUxIDQuMzgwMSAxNjkuNTEtMjIuNzE1IDYxLjMwOS02NS4zOCAxMDguMDUtMTY0LjAxIDE3OS42OC02NC42ODEgNDYuOTc0LTEzNy44OCAxMTguMDUtMTQyLjk4IDEyOC4wMy01LjkxNTUgMTEuNTg4LTAuMjgyMTYgMS44MTU5LTI2LjQwOC0yNy40NjF6IiBmaWxsPSIjZGQ1MDRmIi8%2BIDwvZz48L3N2Zz4%3D\n[img-license-badge]:https://img.shields.io/badge/license-apache-ff69b4.svg?style=for-the-badge\u0026logo=apache\n[img-docker-badge]:https://img.shields.io/badge/Supports-Docker-yellow.svg?style=for-the-badge\u0026logo=docker\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftarget%2Fstrelka","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftarget%2Fstrelka","lists_url":"https://awesome.ec
osyste.ms/api/v1/projects/github.com%2Ftarget%2Fstrelka/lists"}
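The "What's next?" part of the README above sketches a SIEM rule over `scan.yara.tags` ("Technique_AntiDebugging" && "SubTechnique_SEH") and the quickstart shows the two events the oneshot emits for the encrypted ZIP and the EXE extracted from it. The Python below is an added example, not Strelka's own code: it evaluates that same tag conjunction over a stream of newline-delimited Strelka events and pivots a hit on an extracted file back to the archive it came from. The events are constructed here to mirror the abbreviated oneshot output on the page; linking parent to child by emission order and `file.depth` is an assumption made for this example (real events carry more fields than the page shows), and the third event, a PDF with no `scan.yara` section at all, is there because a rule that assumes the key exists breaks on exactly that kind of event.

```python
"""Evaluate the README's SIEM-style YARA tag rule over Strelka events.

Added example; not part of Strelka. The events below are constructed to mirror
the abbreviated strelka-oneshot output shown in the README's quickstart, so
they carry only a subset of the fields a real event has.
"""
from __future__ import annotations

import json
import sys
from typing import Iterable, Iterator

# Constructed JSONL: the encrypted ZIP (depth 0), the EXE extracted from it
# (depth 1), and an unrelated PDF with no scan.yara section at all.
SAMPLE_EVENTS = "\n".join(json.dumps(ev) for ev in [
    {"file": {"depth": 0,
              "flavors": {"mime": ["application/zip"], "yara": ["encrypted_zip", "zip_file"]},
              "scanners": ["ScanEncryptedZip", "ScanHash", "ScanYara", "ScanZip"]},
     "scan": {"encrypted_zip": {"cracked_password": "infected",
                                "total": {"extracted": 1, "files": 1}}}},
    {"file": {"depth": 1,
              "flavors": {"mime": ["application/x-dosexec"], "yara": ["mz_file"]},
              "name": "29D6161522C7F7F21B35401907C702BDDB05ED47.bin",
              "scanners": ["ScanHash", "ScanPe", "ScanYara"]},
     "scan": {"pe": {"compile_time": "2015-03-31T08:53:51"},
              "yara": {"matches": ["SEH__vba", "IsPE32"],
                       "tags": ["AntiDebug", "SEH", "Tactic_DefensiveEvasion",
                                "Technique_AntiDebugging", "SubTechnique_SEH",
                                "PECheck", "PEiD"]}}},
    {"file": {"depth": 0,
              "flavors": {"mime": ["application/pdf"], "yara": ["pdf_file"]},
              "scanners": ["ScanHash", "ScanPdf"]},
     "scan": {"pdf": {"objects": 12}}},
])

# The README's query, scan.yara.tags:("Technique_AntiDebugging" && "SubTechnique_SEH"),
# expressed as the tags that must all be present on one event.
RULE: tuple[str, ...] = ("Technique_AntiDebugging", "SubTechnique_SEH")


def parse_events(jsonl: str) -> Iterator[dict]:
    """Yield one event per non-empty line (strelka-oneshot -l - writes JSONL)."""
    for line in jsonl.splitlines():
        if line.strip():
            yield json.loads(line)


def yara_tags(event: dict) -> set[str]:
    """scan.yara.tags as a set; empty when ScanYara did not run or matched nothing."""
    return set(event.get("scan", {}).get("yara", {}).get("tags", []))


def find_hits(events: Iterable[dict], required: Iterable[str]) -> list[dict]:
    """Return a summary of every event whose tags contain all required tags.

    Lineage assumption for this example: events arrive in extraction order, so
    the parent of a depth-n file is the most recent event seen at depth n-1.
    That lets a hit on an extracted file be pivoted back to its container.
    """
    required = set(required)
    last_at_depth: dict[int, dict] = {}
    hits: list[dict] = []
    for ev in events:
        depth = ev["file"].get("depth", 0)
        last_at_depth[depth] = ev
        if not required <= yara_tags(ev):
            continue
        parent = last_at_depth.get(depth - 1)
        parent_scan = parent.get("scan", {}) if parent else {}
        hits.append({
            "name": ev["file"].get("name"),
            "depth": depth,
            "mime": ev["file"]["flavors"]["mime"],
            "tags": sorted(yara_tags(ev)),
            "container_flavors": parent["file"]["flavors"]["yara"] if parent else None,
            "container_password": parent_scan.get("encrypted_zip", {}).get("cracked_password"),
        })
    return hits


if __name__ == "__main__":
    # Pipe real output in (./strelka-oneshot -f FILE -l - | python3 this.py);
    # with no stdin, fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EVENTS
    for hit in find_hits(parse_events(data), RULE):
        print(json.dumps(hit, indent=2))
```

Run against the constructed sample, the only hit is the depth-1 EXE, reported together with the flavors of the ZIP it was extracted from and the password ScanEncryptedZip cracked, which is the context an analyst wants before triaging the alert. The conjunction is a subset test on a set, so a rule with a tag that never appears matches nothing rather than raising, and the PDF event without `scan.yara` is skipped cleanly.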