Hipara is an open source endpoint client that leverages the industry-standard Yara framework to scan files as they are accessed.
Why Hipara? Many other products, such as Tanium and OSQuery, do not have this capability: they run Yara in an ad hoc manner, which greatly increases the risk of missing malicious activity. By scanning in real time, Hipara can catch weaponized documents as they are opened by end users, monitor backdoor processes as they are created, and scan webshells.
Begin by uploading a Yara rule to the Hipara Server. We provide one for you to test with at http://demo.hipara.org (username: firstname.lastname@example.org, password: hiparademo). A video showing how to do this is on the main Hipara website, https://www.hipara.org/. Remember to change any rule you want active from "Pending approval" to "Deploy"!
Download and install a pre-compiled MSI package onto a 64-bit Windows virtual machine. We provide the latest demo version via Google Drive: Hipara 64-bit Client. After installation, open C:\Program Files\Allsum\Hipara\hipara.exe as administrator (this will soon be the default upon installation).
Update the signatures, then download and execute a file (malware or a test file) that would normally match using Yara. You should see Hipara block the opening/execution of this file and an alert on the Hipara Server (demo.hipara.org)!
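As an added example (this is not the demo rule the Hipara team hosts on demo.hipara.org), here is a Yara rule that matches the standard EICAR anti-virus test file, so the rule -> deploy -> block -> alert path above can be exercised without handling real malware:

```yara
// Added example rule, not the rule provided by the Hipara team.
// The EICAR test file is a harmless 68-byte text file that anti-virus
// products agree to detect, which makes it a safe end-to-end check.
rule Hipara_Test_EICAR
{
    meta:
        description = "EICAR anti-virus test file (harmless end-to-end check)"
        author      = "added example"
        reference   = "https://www.eicar.org/"
        severity    = "info"

    strings:
        // The EICAR string; the backslash is escaped for Yara's text string syntax.
        $eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

    condition:
        // The official test file is the string alone (optionally followed by
        // whitespace), so anchor it at offset 0 and cap the file size to avoid
        // flagging documents that merely quote the string.
        $eicar at 0 and filesize < 256
}
```

After deploying this rule and updating the client's signatures, a text file containing exactly the EICAR string is the "test file" of the step above: opening it on the client VM should be blocked and should raise an alert on the server.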
You can read further documentation at https://github.com/jbc22/hipara
The Hipara team is focused on two priorities: scalability and speed, and finishing the cmd.exe logging module.
Scalability and speed: Leveraging Google Cloud, the team will spin up tens of thousands of Windows instances and collect metrics around speed, looking for any bottlenecks. The team will release a blog post in a few weeks when this is completed.
Using fantastic research performed by the Volatility team and others in the community, Hipara is able to capture all cmd.exe input. Currently, Hipara logs the captured commands to "Program Files\Allsum\Hipara\cmd.txt". The team is working hard to finish integrating this into SIEM solutions. Our demo will soon show it working with Splunk!