Deepfence YaraHunter scans container images, running Docker containers, and filesystems to find indicators of malware. It uses a YARA ruleset to identify resources that match known malware signatures, and may indicate that the container or filesystem has been compromised.
YaraHunter can be used in the following ways:
Key capabilities:
YaraHunter is a work-in-progress (check the Roadmap and issues list), and will be integrated into the ThreatMapper threat discovery platform. We welcome any contributions to help to improve this tool.
For full instructions, refer to the YaraHunter Documentation.
Images may be compromised with the installation of a cryptominer such as XMRig. In the following example, we'll scan a legitimiate cryptominer image that contains the same xmrig software that is often installed through an exploit:
Pull the official yarahunter image:
docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.4.0
or Build it from source clone this repo and run below command
make docker
Pull the image that needs to be scanned for example metal3d/xmrig
and scan it:
docker pull metal3d/xmrig
docker run -i --rm --name=deepfence-yarahunter \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp:/home/deepfence/output \
quay.io/deepfenceio/deepfence_malware_scanner_ce:2.4.0 \
--image-name metal3d/xmrig:latest \
--output=json > xmrig-scan.json
This returns, among other things, clear indication of the presence of XMRig. Note that we store the output (xmrig-scan.json
) for quick and easy manipulation:
# Extract the IOC array values. From these, extract the values of the 'Matched Rule Name' key
cat /tmp/xmrig-scan.json | jq '.IOC[] | ."Matched Rule Name"'
This returns a list of the IOCs identified in the container we scanned.
To get table formatted output omit --output=json
flag
Thank you for using YaraHunter.
For any security-related issues in the YaraHunter project, contact productsecurity at deepfence dot io.
Please file GitHub issues as needed, and join the Deepfence Community Slack channel.
The Deepfence YaraHunter project (this repository) is offered under the Apache2 license.
Contributions to Deepfence YaraHunter project are similarly accepted under the Apache2 license, as per GitHub's inbound=outbound policy.
This tool is not meant to be used for hacking. Please use it only for legitimate purposes like detecting indicator of compromise on the infrastructure you own, not on others' infrastructure. DEEPFENCE shall not be liable for loss of profit, loss of business, other financial loss, or any other loss or damage which may be caused, directly or indirectly, by the inadequacy of YaraHunter for any purpose or use thereof or by any defect or deficiency therein.