How to Use
Once the binaries are compiled you will have a
krakenin the appropriate platform build folder.
krakencan be launched without any arguments and it will perform a scan of detected autorun entries and running processes and terminate. It will not communicate any results to any remote server.
krakencan also be launched using the following arguments:
Usage of kraken:
--backend string Specify a particular hostname to the backend to connect to (overrides the default)
--daemon Enable daemon mode (this will also enable the report flag)
--debug Enable debug logs
--folder string Specify a particular folder to be scanned (overrides the default full filesystem)
--no-autoruns Disable scanning of autoruns
--no-filesystem Disable scanning of filesystem
--no-process Disable scanning of running processes
--report Enable reporting of events to the backend
--rules Specify a particular path to a file or folder containing the Yara rules to use
kraken --backend example.comwill override the default
BACKENDthat was provided during build time.
kraken --reportwill make Kraken report any autoruns or detections to the configured backend server.
kraken --daemonwill execute a first scan and then run continuously. In daemon mode Kraken will monitor any new process creation and scan its binary and memory, as well as check regularly for any new entries registered for autorun. Enabling
--daemonwill automatically enable
--reportas well, even when not explicitly specified.
--debugwill only display all debug log messages, mostly including details on files and processes being scanned.
--no-processwill disable the scanning of autoruns, files stored on disk and running processes, respectively. Note: these flags do not impact the behavior of kraken when running in daemon mode.
If filesystem scanning is enabled, Kraken will recursively scan the entire root folder (
/on *nix systems and any fixed drive mounted on Windows systems). Using
--folderyou can specify a particular folder you want to scan instead.
--rulesoption allows you to specify a path to a file or folder containing the Yara rules you want to use for your scanning. If the compilation of any of these rules fails (for example, because they include modules that are not enabled in the default Yara library), the execution will be aborted. If no
--rulesoption is specified, Kraken will attempt to load a compiled rules file using the following order:
- 1.It will look for a compiled
rulesfile in the current working directory.
- 2.It will look for a ocmpiled
rulesfile in the local Kraken storage folder, in case it is running in daemon mode.
If no compiled
rulesfile is found, Kraken's Yara scanner will be disabled and execution will continue without it.
krakenis launched in daemon mode it will look for a configuration file in either the current working directory or in the persistent directory. This configuration file is mostly used to look up the hostname of the backend Kraken will have to connect to. If a configuration file does not exist, it will create one using the default parameters provided during build time (primarily
krakenis launched in normal mode, it will still look for any configuration file, but it will not write one to disk in the case there isn't one. If no configuration file is found, it will use the default parameters provided provided during build time (again,
To provide it different parameters you can create a
config.yamlfile in the same directory as the
krakenbinary using the following format:
Alternatively, you can specify a custom backend from the command line using
kraken --backend example.com.