DetectionScanner was created to have a simple and fast way to scan Red Team payloads before using them in a campaign. Previously, I would build the payload, copy it to a virtual machine, and manually scan each file with the installed AV product. That step may still be needed if you want to scan against a specific AV product, but this tool should provide a quick first check. If DetectionScanner flags the file as malicious, it might be worth making additional changes to the payload before doing more manual checks in a virtual machine. DetectionScanner could also be added to the CI/CD pipeline when building payloads.
Getting set up is as easy as cloning the repository and building the image.
- git clone https://github.com/lum8rjack/DetectionScanner
- cd DetectionScanner
- ./build.sh
Once the Docker image is built, it is easy to scan your files and output the results to a text file.
- cd to the directory containing the file(s) that will be scanned
- docker run -it --rm -v $(pwd):/opt/documents/ detectionscanner
- DetectionScanner will first update the ClamAV database if it has been more than 1 day since the last check
- DetectionScanner will then scan the file(s) and save the results to DetectionScanner_results_DATE.txt in the mounted directory
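The CI/CD gate suggested in the introduction, written here as an added example that is not part of DetectionScanner: it runs the image against a build output directory and fails the job if any file is flagged. It assumes the results file keeps clamscan's `path: signature FOUND` / `path: OK` line format (the page does not state the format) and drops `-it`, since pipeline runners have no TTY.

```shell
#!/bin/sh
# Added example (not DetectionScanner's own code): CI/CD gate around the scan.
# Assumption: the results file uses clamscan-style lines,
#   "<path>: <signature> FOUND"  for a hit and  "<path>: OK"  for a clean file.

# Print the number of FOUND lines in a results file (0 when clean).
count_detections() {
    grep -c ' FOUND$' "$1" || true
}

# Print "<path>: <signature>" for every flagged file in a results file.
list_detections() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\1: \2/p' "$1"
}

# Scan every file in directory $1 with the detectionscanner image.
# Returns 0 if clean, 1 if any file was flagged, 2 if no results file was
# produced, 3 if the container itself failed to run.
scan_dir() {
    dir="$1"
    # No -it here: CI runners have no TTY, so an interactive run would fail.
    if ! (cd "$dir" && docker run --rm -v "$(pwd):/opt/documents/" detectionscanner) >/dev/null; then
        echo "scan_dir: detectionscanner container failed" >&2
        return 3
    fi
    # Newest results file written by the scan.
    results=$(ls -t "$dir"/DetectionScanner_results_*.txt 2>/dev/null | head -n 1)
    if [ -z "$results" ]; then
        echo "scan_dir: no DetectionScanner results file found in $dir" >&2
        return 2
    fi
    n=$(count_detections "$results")
    if [ "$n" -gt 0 ]; then
        echo "scan_dir: $n file(s) flagged, see $results" >&2
        list_detections "$results" >&2
        return 1
    fi
    echo "scan_dir: all files in $dir passed"
}

# Pipeline step: fail the build on any detection.
# scan_dir ./dist || exit $?
```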
Planned improvements:
- Add additional YARA rules
- Update the results to be easier to read
This project was built using the following projects: