YAMAGoya: The Ultimate Open-Source Shield for Memory and System Defense
YAMAGoya (Yet Another Memory Analyzer for malware detection and Guarding Operations with YARA and Sigma) is a C# application that consumes Event Tracing for Windows (ETW) to capture system events in real time. It applies detection rules written in YAML (for custom correlation logic across several event types) and can also parse Sigma rules for standardized, community-maintained detections. In addition, it scans process memory with YARA rules to catch fileless or otherwise stealthy malware that leaves nothing on disk.
The tool runs entirely in user mode: it subscribes to ETW providers rather than installing its own kernel driver, which removes kernel-mode dependencies and makes it easy to drop in community signatures. Note that creating and controlling an ETW trace session still requires administrative rights (or membership in the Performance Log Users group), so the tool has to be started from an elevated context.
Features
- Userland-Only: No kernel drivers are required, so a defect in the tool cannot crash the OS and deployment is simpler. This is not the same as tamper resistance: anyone holding the same privileges as the tool can stop its ETW session, so the session status should be monitored.
- Real-Time Monitoring: Uses ETW to monitor file I/O, process creation/termination, registry events, DNS queries, network traffic, PowerShell scripts, and more.
- Multi-Format Detection Rules:
  - YAML: Correlates multiple event types using regex or other matching logic.
  - Sigma: Parses and applies Sigma rules for community-driven threat detection.
- Memory Scanning with YARA: Scans process memory with YARA rules to detect fileless or stealth malware.
- GUI / CLI Interfaces: Run from the command line or launch the GUI.
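To make the two rule styles concrete, here is an added example that is not YAMAGoya's own code (the project is written in C# and its real YAML schema is not shown on this page). It evaluates two Sigma-style rules over a handful of constructed ETW-like events and then chains them in the way a YAML correlation rule might: an encoded PowerShell command line followed by a DNS query from the same process within a time window. The EVENTS list, the Sysmon-style field names and both rules are assumptions made for the illustration.

```python
# Added example (not YAMAGoya's own code): a minimal evaluator for Sigma-style
# selections over constructed ETW-like events, plus a two-stage correlation of
# the kind a YAML rule might express. EVENTS, field names and both rules are
# assumptions made for this illustration.
import re
from datetime import datetime

# Constructed sample events, normalised to Sysmon-style field names.
EVENTS = [
    {"time": "2024-01-01T10:00:00", "type": "process_creation", "ProcessId": 4242,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"time": "2024-01-01T10:00:12", "type": "dns_query", "ProcessId": 4242,
     "QueryName": "update.example-cdn.top"},
    {"time": "2024-01-01T10:05:00", "type": "process_creation", "ProcessId": 5151,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"time": "2024-01-01T10:30:00", "type": "dns_query", "ProcessId": 5151,
     "QueryName": "www.microsoft.com"},
]

# Rules as the dicts yaml.safe_load would return for Sigma-style YAML.
ENCODED_PS = {
    "title": "Encoded PowerShell command line",
    "logsource": {"category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": r"\powershell.exe",
                      "CommandLine|contains": ["-enc", "-EncodedCommand"]},
        # ParentImage is absent from the sample events; a missing field never matches
        "filter": {"ParentImage|endswith": r"\ConfigMgrClient.exe"},
        "condition": "selection and not filter",
    },
}
SUSPICIOUS_TLD = {
    "title": "DNS query to a rarely used TLD",
    "logsource": {"category": "dns_query"},
    "detection": {"selection": {"QueryName|re": r"\.(top|xyz|click)$"},
                  "condition": "selection"},
}

# Sigma value modifiers; plain string comparison is case-insensitive, as in Sigma.
MODIFIERS = {
    None: lambda v, p: v.lower() == p.lower(),
    "contains": lambda v, p: p.lower() in v.lower(),
    "startswith": lambda v, p: v.lower().startswith(p.lower()),
    "endswith": lambda v, p: v.lower().endswith(p.lower()),
    "re": lambda v, p: re.search(p, v) is not None,
}

def field_matches(event, key, patterns):
    """Evaluate 'Field|modifier[|all]' against one pattern or a list (OR unless |all)."""
    field, *mods = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    cmp = next((m for m in mods if m != "all"), None)
    patterns = patterns if isinstance(patterns, list) else [patterns]
    results = [MODIFIERS[cmp](str(value), str(p)) for p in patterns]
    return all(results) if "all" in mods else any(results)

def evaluate_condition(cond, names):
    """Sigma condition without parentheses: 'not' binds tightest, then 'and', then 'or'."""
    def term(tok):
        return not names[tok[4:]] if tok.startswith("not ") else names[tok]
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in cond.split(" or "))

def rule_matches(rule, event):
    """Apply one Sigma-style rule to one event."""
    if rule["logsource"].get("category", event["type"]) != event["type"]:
        return False
    det = rule["detection"]
    names = {name: all(field_matches(event, k, v) for k, v in sel.items())
             for name, sel in det.items() if name != "condition"}
    return evaluate_condition(det["condition"], names)

def scan(events, rules):
    """Single-event alerts as (rule title, ProcessId)."""
    return [(r["title"], e["ProcessId"]) for e in events for r in rules if rule_matches(r, e)]

def correlate(events, first, second, window_seconds, key="ProcessId"):
    """Two-stage rule: `second` fires within `window_seconds` after `first` for the same key."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if rule_matches(first, ev):
            pending[ev.get(key)] = (ev, t)
        if rule_matches(second, ev) and ev.get(key) in pending:
            first_ev, t0 = pending[ev.get(key)]
            if 0 <= (t - t0).total_seconds() <= window_seconds:
                hits.append((first_ev, ev))
    return hits

if __name__ == "__main__":
    for title, pid in scan(EVENTS, [ENCODED_PS, SUSPICIOUS_TLD]):
        print(f"ALERT  {title} (pid {pid})")
    for a, b in correlate(EVENTS, ENCODED_PS, SUSPICIOUS_TLD, 300):
        print(f"CHAIN  pid {b['ProcessId']}: {a['CommandLine']} -> {b['QueryName']}")
```

Run as a script, it prints two single-event alerts for PID 4242 and one correlated chain; PID 5151 (notepad resolving www.microsoft.com) triggers nothing. The `correlate` function is the part a Sigma rule cannot express on its own and is what a correlation-capable YAML format adds: a match only counts when the second stage follows the first on the same process within the window, which is why widening or shrinking `window_seconds` changes the result.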
GUI Usage
- Run YAMAGoya.exe with no arguments (or double-click the executable) to launch the GUI.
- The GUI provides a user-friendly interface with four main tabs; the three described here are:
Main Tab
- Session Status Display: Shows current ETW session status with color-coded indicators
- Rules Folder Selection: Browse and select the folder containing your detection rules
- Start/Stop Detection: Large buttons to begin and end monitoring operations
Alert Monitoring Tab
- Real-time Alert Display: Live monitoring of security alerts with timestamps
- Color-coded Alerts: Detected threats are highlighted in red for immediate attention
- Log File Access: Quick access to open the current log file
Settings Tab
Configure advanced detection options:
- Kill Process Mode: Automatically terminate processes that trigger a detection. Because a false positive will kill a legitimate process, validate new rules in alert-only mode before enabling this.
- Rule Format Selection:
  - Use Sigma rules (standardized threat detection)
  - Use custom YAML rules (custom correlation logic)
- YARA Memory Scanning: Enable periodic memory scanning with a configurable interval (default: 1 hour)
- Logging Configuration:
  - Event Log: Save alerts to the Windows Event Log
  - Text Log: Save alerts to text files in a directory path of your choice
- Custom ETW Session Name: Set the ETW session name (default: YAMAGoya). From an elevated prompt, `logman query -ets` lists the running trace sessions, which is a quick way to confirm the session is active.
Download