Introduction

Kraken is a simple cross-platform Yara scanner that can be built for Windows, Mac, FreeBSD and Linux. It is primarily intended for incident response, research and ad-hoc detections (not for endpoint protection). Following are the core features:

  • Scan running executables and memory of running processes with provided Yara rules (leveraging go-yara).

  • Scan executables installed for autorun (leveraging go-autoruns).

  • Scan the filesystem with the provided Yara rules.

  • Report any detection to a remote server provided with a Django-based web interface.

  • Run continuously and periodically check for new autoruns and scan any newly-executed processes. Kraken will store events in a local SQLite3 database and will keep copies of autorun and detected executables.

Some features are still under work or almost completed:

  • Installer and launcher to automatically start Kraken at startup.

  • Download updated Yara rules from the server.

Screenshots

License

Kraken is released under the GNU General Public License v3.0 and is copyrighted to Claudio Guarnieri.

Last updated