
The digital town square for the concert band community.

Connect with local ensembles, trade repertoire insights, and keep the pulse of the wind band world.

  • 🛠️ Tool

    World tool dfir mcp duckdb hayabusa
    1
    0 Votes
    1 Posts
    0 Views
    hasambaH
    🛠️ Tool

    Opening: Mecha Hayabusa is a tool that bridges the Hayabusa Windows event log CSV output with large language models using the Model Context Protocol (MCP). The project aims to enable a structured, LLM-driven DFIR workflow rather than a simple free-text search over logs.

    Key Features:
    • Automatic ingestion of Hayabusa CSV timelines into a local DuckDB instance to enable fast, structured queries over large log datasets.
    • Read-only SQL execution against the logs table with built-in safety constraints to avoid destructive operations.
    • Cross-field search, dataset profiling, time-window summarization, and host-centric timeline assembly for focused investigations.
    • Extraction of Indicators of Compromise (IOCs), aggregation of rule titles, and parsing of Details fields from Hayabusa output.
    • Base64 PowerShell decoding and correlation routines to identify lateral movement patterns across hosts.
    • A dedicated investigation skill that codifies a DFIR workflow and supports standardized incident report generation in Japanese and English.

    Technical Implementation: Mecha Hayabusa converts Hayabusa CSV timelines into a local DuckDB database, exposing read-only query capabilities and structured summarization endpoints over an MCP-compatible HTTP transport. The system exposes dataset management (list, switch, unload), profiling endpoints, and specialized analysis primitives (IOC extraction, PowerShell decoding, lateral correlation). Integration with LLMs is mediated through MCP, allowing the model to orchestrate a sequence of analysis steps (triage, hypothesis development, host-level deep dives, and report generation) rather than returning isolated search hits.

    Use Cases:
    • Incident responders who need rapid host-centric timelines and cross-host correlation from exported Hayabusa results.
    • Threat hunters seeking automated ATT&CK tactic classification and IOC extraction from large CSV exports.
    • Organizations that want consistent, LLM-assisted incident reports in multiple languages, improving repeatability of DFIR workflows.

    Limitations:
    • Functionality depends on structured Hayabusa CSV exports; format deviations will reduce effectiveness.
    • The system performs read-only SQL and analysis; it is not designed for endpoint remediation or live collection.
    • Accuracy of natural-language summaries and report content depends on the connected LLM and its prompt/context handling.

    Closing: Mecha Hayabusa represents a targeted approach to integrating structured log storage (DuckDB) with LLM orchestration via MCP to operationalize repeatable DFIR investigations and report generation.

    #tool #DFIR #MCP #DuckDB #Hayabusa
    Source: https://github.com/Yamato-Security/mecha-hayabusa
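The ingestion-plus-read-only-query pattern and the encoded-PowerShell decoding that the post describes, as an added example that is not Mecha Hayabusa's own code. It uses Python's standard-library sqlite3 in place of DuckDB so it runs with no extra packages; the CSV rows and the "Key: value ¦ Key: value" layout of the Details column are constructed, and the column names assume Hayabusa's default CSV profile. The two points worth taking away are that a string-level "must start with SELECT" gate is not enough on its own (a CTE that begins with WITH can still end in INSERT), so the engine's authorizer is the real enforcement layer, and that PowerShell's -EncodedCommand payload is base64 over UTF-16LE, not UTF-8.

```python
import base64
import csv
import io
import re
import sqlite3

# Constructed Hayabusa-style CSV (not real Hayabusa output). Column names follow
# Hayabusa's default CSV profile; the "Key: value ¦ Key: value" Details layout is an
# assumption. The -enc payload is the base64 of "whoami" encoded as UTF-16LE.
SAMPLE_CSV = """Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2024-05-01 09:00:01.000 +00:00,WS01,Sec,4624,info,Logon (Network),Type: 3 ¦ TgtUser: jdoe ¦ SrcIP: 10.0.0.5
2024-05-01 09:00:03.000 +00:00,WS01,Sec,4688,low,Proc Exec,Cmdline: powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA ¦ Proc: powershell.exe
2024-05-01 09:02:10.000 +00:00,SRV02,Sec,4624,info,Logon (Network),Type: 3 ¦ TgtUser: jdoe ¦ SrcIP: 10.0.0.11
2024-05-01 09:05:44.000 +00:00,SRV02,Sec,4624,info,Logon (Network),Type: 3 ¦ TgtUser: jdoe ¦ SrcIP: 10.0.0.5
"""

# Authorizer actions we permit: reading columns, SELECT statements and function calls
# (needed for aggregates such as count()). INSERT/UPDATE/DELETE/DROP/ATTACH/PRAGMA are denied.
_ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                    getattr(sqlite3, "SQLITE_FUNCTION", 31)}


def _read_only_authorizer(action, arg1, arg2, db_name, trigger):
    return sqlite3.SQLITE_OK if action in _ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def load_timeline(csv_text):
    """Ingest a Hayabusa-style CSV into an in-memory 'logs' table, then lock it read-only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (Timestamp TEXT, Computer TEXT, Channel TEXT, "
                 "EventID INTEGER, Level TEXT, RuleTitle TEXT, Details TEXT)")
    rows = [(r["Timestamp"], r["Computer"], r["Channel"], int(r["EventID"]),
             r["Level"], r["RuleTitle"], r["Details"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    conn.executemany("INSERT INTO logs VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    conn.set_authorizer(_read_only_authorizer)  # installed AFTER loading: from here on, reads only
    return conn


def run_read_only(conn, sql, params=()):
    """Layer 1: a cheap statement gate (single statement, SELECT/WITH only; a ';' inside a
    string literal is also rejected, deliberately). Layer 2: the SQLite authorizer, which
    catches what the gate cannot, e.g. a CTE that starts with WITH and ends in INSERT."""
    stmt = sql.strip().rstrip(";").strip()
    if ";" in stmt or not re.match(r"(?is)^(select|with)\b", stmt):
        raise PermissionError("only a single SELECT/WITH statement is allowed")
    try:
        return conn.execute(stmt, params).fetchall()
    except sqlite3.DatabaseError as exc:
        if "not authorized" in str(exc):
            raise PermissionError(f"authorizer rejected statement: {exc}") from exc
        raise


def parse_details(details):
    """Split a Details string into a dict (the ' ¦ ' / ': ' separators are an assumption)."""
    fields = {}
    for part in details.split(" ¦ "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# "-ep" (ExecutionPolicy) does not match because no whitespace follows "-e".
_ENC_FLAG = re.compile(r"(?<!\S)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent/invalid."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def decoded_powershell(conn):
    """Host-centric view: every 4688 whose command line carried an encoded command."""
    out = []
    for computer, ts, details in run_read_only(
            conn, "SELECT Computer, Timestamp, Details FROM logs WHERE EventID = ? "
                  "ORDER BY Timestamp", (4688,)):
        decoded = decode_encoded_command(parse_details(details).get("Cmdline", ""))
        if decoded is not None:
            out.append((computer, ts, decoded))
    return out


def lateral_candidates(conn):
    """Source IPs that produced network logons (4624, Type 3) on more than one host."""
    targets = {}
    for computer, details in run_read_only(
            conn, "SELECT Computer, Details FROM logs WHERE EventID = 4624"):
        f = parse_details(details)
        if f.get("Type") == "3" and "SrcIP" in f:
            targets.setdefault(f["SrcIP"], set()).add(computer)
    return {ip: sorted(hosts) for ip, hosts in targets.items() if len(hosts) > 1}


if __name__ == "__main__":
    db = load_timeline(SAMPLE_CSV)
    print(decoded_powershell(db))
    print(lateral_candidates(db))
    for bad in ("DELETE FROM logs",
                "WITH t AS (SELECT 1) INSERT INTO logs(Computer) SELECT 'x' FROM t"):
        try:
            run_read_only(db, bad)
        except PermissionError as e:
            print("blocked:", bad, "->", e)
```

With DuckDB itself the equivalent second layer would be opening the database file read-only rather than a per-statement authorizer; the point that survives either engine is that the gate and the enforcement must be separate mechanisms.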
  • 🛠️ Tool: YARA-X (Rust-based pattern matcher)

    World yara tool
    1
    0 Votes
    1 Posts
    0 Views
    hasambaH
    🛠️ Tool: YARA-X (Rust-based pattern matcher)

    Opening: YARA-X is a ground-up reimplementation of YARA written in Rust. Its stated goals are improved performance, stronger memory safety, and a more user-friendly rule execution model for malware researchers. VirusTotal reports long-running production use, scanning billions of files with tens of thousands of rules.

    Key Features:
    • Rule model: Supports YARA-like rules composed of named strings (binary and textual), metadata, and boolean conditions.
    • String types: Includes support for raw byte patterns, case-insensitive strings, regular expressions, and wildcards.
    • Performance and safety: Implemented in Rust to reduce memory-unsafety risks and to enable optimizations for faster scanning at scale.

    Technical implementation:
    • Language and packaging: Implemented in Rust and published on crates.io (crate name: yara-x).
    • Execution model: Rules evaluate a set of pattern matches plus a boolean expression; the engine optimizes string matching and condition evaluation for throughput.
    • Production maturity: VirusTotal indicates YARA-X is battle-tested in production, used to process very large corpora and to reconcile discrepancies and bugs.

    Use cases:
    • Large-scale static scanning pipelines for malware classification and triage.
    • Rule development for incident response, threat hunting, and detection engineering.
    • Embedding into analysis platforms that require safe, high-performance pattern matching.

    Limitations and considerations:
    • Rule-level differences exist relative to legacy YARA; rule authors must consult compatibility notes when migrating.
    • Although YARA remains maintained (bug fixes/minor features), new modules and feature development are focused on YARA-X, which may affect long-term ecosystem transitions.

    Conclusion: YARA-X represents a deliberate modernization of a core malware analysis capability: the project emphasizes Rust-driven safety and performance while preserving YARA-like authoring semantics. For teams developing or running large-scale detection pipelines, YARA-X offers a production-hardened alternative to YARA.

    yara_x #yara #tool
    Source: https://github.com/VirusTotal/yara-x?tab=readme-ov-file
  • Sniffnet v1.5.0 released

    World sniffing sniffnet network tools tool
    1
    0 Votes
    1 Posts
    0 Views
    SecBurgS
    Sniffnet v1.5.0 released
    https://secburg.com/posts/sniffnet-150-released/
    #sniffing #sniffnet #network #tools #tool
  • 🛠️ Tool

    World tool dfir elasticsearch yara soar
    1
    0 Votes
    1 Posts
    0 Views
    hasambaH
    🛠️ Tool

    Opening: Heimdall is an open-source DFIR investigation cockpit designed for CSIRT, SOC and DFIR teams that centralizes ingestion, parsing, correlation and visualization of forensic artifacts in a real-time interface.

    Key Features:
    • Ingestion & Storage: chunked uploads (up to 256 GB) with automatic resume, integrated object storage (MinIO) patterns and mandatory ClamAV scanning for each file.
    • Parsing & Indexing: asynchronous worker queue using BullMQ to parse artifacts with tools such as Hayabusa, Zimmerman Tools and tshark, and index results into a per-case Elasticsearch Super Timeline.
    • Threat Hunting & Correlation: built-in YARA engine for per-file/per-case scans, Sigma hunts on the Super Timeline, GitHub rules import, and TAXII 2.1 / STIX 2.1 threat intel ingestion with automatic correlation.
    • Detection & Enrichment: automatic detections including timestomping heuristics, double-extension checks, C2 beaconing scoring, persistence enumerations, and IOC enrichment via VirusTotal and AbuseIPDB.
    • Automation & Reporting: parallel SOAR engine with DFIR playbooks (ransomware, RDP, phishing), Legal Hold manifests signed with HMAC-SHA256, and enriched PDF export including kill-chain mapping and triage outputs.
    • Local AI Assistance: global AI chat and Case Copilot via Ollama with SSE streaming and support for models such as qwen3 and mistral for contextual analyst assistance.

    Technical Implementation: Heimdall combines a web UI with a worker queue architecture. Ingested artifacts are chunked and stored to object storage; workers perform parsing using existing forensic tools and write structured events to Elasticsearch. The Super Timeline aggregates multi-source artifacts for temporal correlation, and Sigma/YARA rules run against parsed events and files.

    Use Cases: centralized case management for DFIR teams, automated triage and scoring of incoming evidence, timeline reconstruction across disk/EVTX/PCAP/RAM, and coordinated hunting using threat intel feeds.

    Limitations & Considerations: resource demands for Elasticsearch and parsing workers can be significant for large volumes; Volatility 3 / VolWeb integration is marked as "soon"; reliance on third-party engines implies varying parsing coverage per artifact type.

    Overall: Heimdall positions itself as a comprehensive, extensible DFIR cockpit that stitches existing forensic engines into a unified investigation workflow.

    #tool #DFIR #elasticsearch #YARA #SOAR
    Source: https://raiseix.github.io/Heimdall-DFIR/
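One way to build the kind of HMAC-SHA256-signed Legal Hold manifest the post mentions, as an added example that is not Heimdall's own code: the manifest layout, the canonical-JSON signing input, the field names and the key are all assumptions (Heimdall's actual format is not documented on this page), and the evidence bytes are constructed inline so the example runs offline. What it shows that the feature list does not is the two checks a manifest has to support separately: that the manifest itself was not altered after signing (signature over canonical bytes, compared in constant time) and that the evidence it describes still hashes to the recorded values.

```python
import hashlib
import hmac
import json

# Constructed evidence: in a real case these are files in object storage; here the bytes are
# inline (EVTX "ElfFile" magic and pcap magic followed by padding) so the example is self-contained.
EVIDENCE = {
    "WS01/Security.evtx": b"ElfFile" + b"\x00" * 64,
    "WS01/capture.pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(case_id: str, evidence: dict) -> dict:
    """Record path, SHA-256 and size for every item; sorted so the order is deterministic."""
    entries = [{"path": path, "sha256": sha256_hex(data), "size": len(data)}
               for path, data in sorted(evidence.items())]
    return {"case_id": case_id, "entries": entries}


def canonical_bytes(manifest: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace): the same manifest always signs identically,
    and any reordering or pretty-printing by an intermediate tool does not break verification."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical bytes, hex-encoded."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes) -> bool:
    """Constant-time comparison: never use == on MACs."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_evidence(manifest: dict, evidence: dict) -> list:
    """Return the paths whose current content no longer matches the manifest (or is missing)."""
    mismatched = []
    for entry in manifest["entries"]:
        data = evidence.get(entry["path"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            mismatched.append(entry["path"])
    return mismatched


if __name__ == "__main__":
    key = b"constructed-legal-hold-key"  # assumption: in production this lives in a KMS/HSM
    manifest = build_manifest("CASE-7", EVIDENCE)
    signature = sign_manifest(manifest, key)
    print("manifest valid:", verify_manifest(manifest, signature, key))
    tampered = dict(EVIDENCE, **{"WS01/capture.pcap": b"\x00"})
    print("changed evidence:", verify_evidence(manifest, tampered))
```

The key is what makes the signature meaningful: anyone who can read it can re-sign an edited manifest, so it must be held outside the evidence store and away from the accounts that can write to it; if non-repudiation toward a third party is required, an asymmetric signature is the right tool instead of an HMAC.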