Strelka is a real-time, container-based file scanning system used for threat hunting, threat detection, and incident response. Originally based on the design established by Lockheed Martin's Laika BOSS and similar projects (see: related projects), Strelka's purpose is to perform file extraction and metadata collection at enterprise scale.
Strelka differs from its sibling projects in a few significant ways:
- Core codebase is Go and Python3.6+
- Server components run in containers for ease and flexibility of deployment
- OS-native client applications for Windows, Mac, and Linux
- Built using libraries and formats that allow cross-platform, cross-language support
Strelka is a modular data scanning platform, allowing users or systems to submit files for the purpose of analyzing, extracting, and reporting file content and metadata. Coupled with a SIEM, Strelka is able to aggregate, alert, and provide analysts with the capability to better understand their environment without having to perform direct data gathering or time-consuming file analysis.
This section should be used as a demonstration of Strelka. Please review the documentation for details on how to properly build and deploy Strelka.
By default, Strelka is configured to use a minimal "quickstart" deployment that allows users to test the system. As noted above, this configuration is not recommended for production deployments, but may suffice for environments with very low file volume (<50k files per day). Using two Terminal windows, do the following:
# Terminal 1
$ docker-compose -f build/docker-compose.yaml up
Step 2: Build Strelka-Fileshot (File Submitter)
# Terminal 2
$ go build github.com/target/strelka/src/go/cmd/strelka-fileshot
Step 3: Add File Paths / Patterns to be Scanned to a [fileshot.yaml] file (https://github.com/target/strelka/blob/master/docs/README.md#fileshot)
...
files:
patterns:
- '/glob/to/your/files/*.doc'
- '/glob/to/your/files/*.exe'
...
# Terminal 2
$ ./strelka-fileshot -c fileshot.yaml
$ cat strelka.log | jq .
Terminal 1 runs a full Strelka cluster with logs printed to stdout and Terminal 2 is used to send files to the cluster. fileshot.yaml
will need the patterns
field updated to identify files to scan, by default scan results will be written to ./strelka.log
.
With over 50 file scanners for the most common file types (e.g., exe, docx, js, zip), Strelka provides users with the ability to gain new insights into files on their host, network, or enterprise. While Strelka is not a detection engine itself (although it does utilize YARA, it can provide enough metadata to identify suspicious or malicious files. Some potential uses for Strelka include:
More documentation about Strelka can be found in the README, including:
Guidelines for contributing can be found here.
Strelka and its associated code is released under the terms of the Apache 2.0 License.