YAMAGoya: The Ultimate Open-Source Shield for Memory and System Defense

YAMAGoya (Yet Another Memory Analyzer for malware detection and Guarding Operations with YARA and Sigma) is a C# application that leverages Event Tracing for Windows (ETW) to capture real-time system events. It applies detection rules written in YAML format (for custom correlation logic) and can also parse Sigma rules for standardized threat detection. In addition, it supports in-memory scanning using YARA to detect fileless or stealth malware.

The tool runs entirely in user mode: no kernel driver is loaded, so there are no kernel-mode dependencies, and it consumes community signature formats (Sigma and YARA) directly, so existing public rule sets can be reused as published.

Features

  • Userland-Only
    No kernel driver is required, so a faulty component cannot crash the OS and deployment is simpler. The trade-off of any user-mode agent is that an attacker who already holds administrative rights can stop the process or the ETW session; creating the trace session in the first place also requires elevated privileges.

  • Real-Time Monitoring
    Utilizes ETW to monitor file I/O, process creation/termination, registry events, DNS queries, network traffic, PowerShell scripts, and more.

  • Multi-Format Detection Rules

    • YAML: custom rules that correlate multiple event types using regex or other matching logic.
    • Sigma: parses and applies Sigma rules, so community-maintained detections can be used as published.
  • Memory Scanning with YARA
    Scans system memory using YARA rules to detect fileless or stealth malware.

  • GUI / CLI Interfaces
    Run via command-line or launch the GUI.
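To make the rule-matching step concrete, here is an added example (not YAMAGoya's own rule engine) of how a Sigma rule is evaluated against normalised process-creation events of the kind ETW delivers. The rule follows the public Sigma schema and is embedded as the dict a YAML parser would produce, so the script runs without a YAML library; the rule, the field values and the events are all constructed for this illustration.

```python
"""Minimal Sigma-style matcher applied to ETW-like process-creation events.

Added example, not YAMAGoya's rule engine. The rule uses the public Sigma
schema and is embedded as the dict a YAML parser would produce. Events and
values are constructed for this example.
"""
import re

# Constructed Sigma rule (the parsed form of its YAML).
RULE = {
    "title": "Encoded PowerShell launched by an Office application",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {                       # all keys must match (AND)
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],   # list = OR
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
        },
        "filter": {"User|startswith": "NT AUTHORITY\\"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed events, already normalised from ETW fields to Sigma field names.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "User": "CORP\\alice"},                   # should fire
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "User": "NT AUTHORITY\\SYSTEM"},          # excluded by the filter
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "User": "CORP\\bob"},                     # benign interactive use
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "User": "CORP\\alice"},                   # Office child, but not PowerShell
]


def _value_matches(actual, pattern, modifiers):
    """Sigma string matching is case-insensitive unless the |re modifier is used."""
    if actual is None:
        return False
    a, p = str(actual).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in a
    if "startswith" in modifiers:
        return a.startswith(p)
    if "endswith" in modifiers:
        return a.endswith(p)
    if "re" in modifiers:
        return re.search(str(pattern), str(actual)) is not None
    return a == p


def _selection_matches(event, selection):
    """A map is AND over its keys, a list of values is OR, a list of maps is OR."""
    if isinstance(selection, list):
        return any(_selection_matches(event, m) for m in selection)
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event.get(field), v, modifiers) for v in values):
            return False
    return True


def _eval_condition(condition, results):
    """Evaluate a boolean Sigma condition (and/or/not/parentheses over named
    selections). Aggregations such as '1 of them' are not supported here."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok == "not":
            return not atom()
        return results[tok]

    def and_expr():
        value = atom()
        while peek() == "and":
            take()
            value = atom() and value        # evaluate operand before combining
        return value

    def or_expr():
        value = and_expr()
        while peek() == "or":
            take()
            value = and_expr() or value
        return value

    value = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return value


def match_event(rule, event):
    """True when the event satisfies the rule's condition."""
    detection = rule["detection"]
    results = {name: _selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def run(rule, events):
    """Indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if match_event(rule, e)]


if __name__ == "__main__":
    for i in run(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {EVENTS[i]['CommandLine']}")
```

Only the first event fires: the second is the same behaviour under a SYSTEM account and is suppressed by the rule's own filter, which is the usual way Sigma rules carry their false-positive exclusions. A real engine (or YAMAGoya's YAML correlation) additionally has to map raw ETW field names onto the Sigma names before matching, which is the normalisation step assumed in the sample events.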

GUI Usage

  1. Run YAMAGoya.exe with no arguments (or double-click the executable) to launch the GUI.
  2. The GUI provides a user-friendly interface with four main tabs:

Main Tab

  • Session Status Display: Shows current ETW session status with color-coded indicators
  • Rules Folder Selection: Browse and select the folder containing your detection rules
  • Start/Stop Detection: Large buttons to begin and end monitoring operations

Alert Monitoring Tab

  • Real-time Alert Display: Live monitoring of security alerts with timestamps
  • Color-coded Alerts: Detected threats are highlighted in red for immediate attention
  • Log File Access: Quick access to open the current log file

Settings Tab

Configure advanced detection options:

  • Kill Process Mode: Automatically terminate any process that triggers a rule. Validate the rule set in detect-only mode first; a false positive in this mode terminates a legitimate process.
  • Rule Format Selection:
    • Use Sigma rules (standardized threat detection)
    • Use custom YAML rules (custom correlation logic)
  • YARA Memory Scanning: Enable memory scanning with configurable interval (default: 1 hour)
  • Logging Configuration:
    • Event Log: Save alerts to Windows Event Log
    • Text Log: Save alerts to text files with custom directory path
  • Custom ETW Session Name: Set an ETW session name (default: YAMAGoya)
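The YARA Memory Scanning setting above runs rules over process memory on a fixed interval. One detail worth checking in any memory scanner, whether you are building one or evaluating this one, is how it feeds memory to the matcher: a scanner that reads a region in fixed-size buffers and matches each buffer in isolation misses any pattern that straddles a buffer boundary. The added example below (not YAMAGoya's YARA integration) shows the miss and the fix of carrying an overlap of pattern length minus one into the next read; the region bytes and the marker are constructed for this illustration, not a real signature.

```python
"""Chunked memory scanning: why read buffers must overlap.

Added example, not YAMAGoya's YARA integration. The region and the marker
bytes are constructed for this example.
"""
import re

PAGE = 4096


def scan_region(region, pattern, chunk_size=PAGE, overlap=True):
    """Absolute offsets of `pattern` in `region`, reading `chunk_size` bytes
    at a time the way a process-memory scanner does (one ReadProcessMemory
    per buffer on Windows). With overlap=False each buffer is matched on its
    own, which is the mistake being demonstrated."""
    carry = len(pattern) - 1 if overlap else 0
    if chunk_size <= carry:
        raise ValueError("chunk_size must exceed the overlap")
    needle = re.compile(re.escape(pattern))
    hits, start = set(), 0
    while start < len(region):
        chunk = region[start:start + chunk_size]
        for m in needle.finditer(chunk):
            hits.add(start + m.start())    # a match inside the overlap is seen twice; dedupe by offset
        if start + chunk_size >= len(region):
            break
        start += chunk_size - carry
    return sorted(hits)


# Constructed "memory region": one marker inside the first page and a second
# copy placed so that it straddles the first page boundary.
MARKER = b"EVIL_MARKER_42"
_buf = bytearray(2 * PAGE)
_buf[100:100 + len(MARKER)] = MARKER
_buf[PAGE - 6:PAGE - 6 + len(MARKER)] = MARKER
REGION = bytes(_buf)


def demo():
    """Return (offsets found without overlap, offsets found with overlap)."""
    naive = scan_region(REGION, MARKER, overlap=False)
    correct = scan_region(REGION, MARKER, overlap=True)
    return naive, correct


if __name__ == "__main__":
    naive, correct = demo()
    print("no overlap  :", naive)      # misses the straddling copy
    print("with overlap:", correct)
```

YARA itself handles this correctly when it is handed a whole region (or a whole process) to scan; the gap only appears when a scanner hands it page-sized buffers one at a time. With several patterns, the overlap must be the length of the longest one minus one, and matches that fall inside the overlap are deduplicated by offset as above.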

