Features - Rurik/Noriben GitHub Wiki

Current command line help output:

--===[ Noriben v1.8.3
--===[ Brian Baskin [[email protected] / @bbaskin]
usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--config CONFIG]
                  [--hash HASH] [--hashtype {MD5,SHA1,SHA256}] [--headless]
                  [-t TIMEOUT] [--output OUTPUT] [--yara YARA] [--generalize]
                  [--cmd CMD] [-d] [--troubleshoot] [--append APPEND]

optional arguments:
  -h, --help            show this help message and exit
  -c CSV, --csv CSV     Re-analyze an existing Noriben CSV file
  -p PML, --pml PML     Re-analyze an existing Noriben PML file
  -f FILTER, --filter FILTER
                        Specify alternate Procmon Filter PMC
  --config CONFIG       Specify configuration file
  --hash HASH           Specify hash whitelist file
  --hashtype {MD5,SHA1,SHA256}
                        Specify hash type
  --headless            Do not open results on VM after processing
  -t TIMEOUT, --timeout TIMEOUT
                        Number of seconds to collect activity
  --output OUTPUT       Folder to store output files
  --yara YARA           Folder containing YARA rules
  --generalize          Generalize file paths to environment variables.
                        Default: True
  --cmd CMD             Command line to execute (in quotes)
  -d, --debug           Enable debugging
  --troubleshoot        Pause before exiting for troubleshooting
  --append APPEND       Specify external filter files (Wildcard supported)

Common arguments:

-f FILTER, --filter FILTER Specify alternate Procmon Filter PMC

Noriben's major feature is filtering out noise. While the script contains many filters of its own, many users prefer to also apply a pre-filter inside ProcMon. This is a ProcMon-specific filter (PMC) file that reduces the volume of recorded events, which makes the resulting databases much smaller and can cut analysis time greatly.

Noriben is provided with a default ProcmonConfiguration.PMC filter file that handles many common filters. It can be used as a template to create a filter unique to your environment.
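To make the filtering idea concrete, the following is an added illustration (not Noriben's own code, and a simplification of what it does) of the post-processing side: a few constructed Procmon CSV export rows are read, rows from noisy processes or uninteresting operations are dropped, and file paths are generalized to environment variables in the spirit of the --generalize option. The whitelist of noisy process names, the set of kept operations and the prefix-to-variable map are assumptions chosen for the example; a real run would use Noriben's filters and the PMC file described above.

```python
import csv
import io
import re

# Constructed sample of Procmon CSV export rows (not a real capture).
# Column layout follows Procmon's CSV export:
# Time of Day, Process Name, PID, Operation, Path, Result, Detail
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","malware.exe","1234","CreateFile","C:\Users\analyst\AppData\Roaming\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.0000002","Procmon.exe","4321","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Type: REG_SZ"
"10:01:02.0000003","malware.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Data: C:\Users\analyst\AppData\Roaming\svc.exe"
"10:01:02.0000004","Explorer.EXE","888","ReadFile","C:\Windows\System32\shell32.dll","SUCCESS","Offset: 0"
"10:01:02.0000005","malware.exe","1234","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2222, Command line: cmd.exe /c echo hello"
'''.strip()

# Assumed whitelist of processes whose events are treated as background noise.
NOISY_PROCESSES = {"procmon.exe", "procmon64.exe", "explorer.exe"}

# Assumed set of operations worth reporting (writes, persistence, new processes).
INTERESTING_OPS = {"CreateFile", "WriteFile", "RegSetValue",
                   "RegDeleteValue", "Process Create"}

# Assumed prefix-to-variable map; longer prefixes come first so they win.
GENERALIZE = [
    (r"C:\Users\analyst\AppData\Roaming", "%AppData%"),
    (r"C:\Users\analyst", "%UserProfile%"),
    (r"C:\Windows\System32", r"%SystemRoot%\System32"),
    (r"C:\Windows", "%SystemRoot%"),
]


def generalize(text):
    """Replace known absolute prefixes with environment-variable names."""
    for prefix, var in GENERALIZE:
        # A callable replacement keeps backslashes in `var` literal.
        text = re.sub(re.escape(prefix), lambda _m: var, text, flags=re.IGNORECASE)
    return text


def is_noise(row):
    """Decide whether a Procmon row should be filtered out of the report."""
    if row["Process Name"].lower() in NOISY_PROCESSES:
        return True
    if row["Operation"] not in INTERESTING_OPS:
        return True
    # CreateFile covers plain opens too; keep only the ones requesting write access.
    if row["Operation"] == "CreateFile" and "Generic Write" not in row["Detail"]:
        return True
    return False


def filter_events(csv_text, generalize_paths=True):
    """Return (process, pid, operation, path, detail) tuples that survive filtering."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_noise(row):
            continue
        path, detail = row["Path"], row["Detail"]
        if generalize_paths:
            path, detail = generalize(path), generalize(detail)
        events.append((row["Process Name"], row["PID"], row["Operation"], path, detail))
    return events


if __name__ == "__main__":
    for proc, pid, op, path, detail in filter_events(SAMPLE_CSV):
        print(f"[{op}] {proc}:{pid}, {path}, {detail}")
```

Of the five constructed rows, only the three generated by malware.exe survive: the dropped file write, the Run-key persistence entry (with the path inside its data generalized as well) and the child process creation. The same two-stage idea, a coarse capture-time filter plus a finer report-time filter, is what keeps Noriben reports readable.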

--cmd CMD Command line to execute (in quotes)

By default, Noriben simply starts capturing and tracks any activity on the system. It relies on the user to manually execute a program, or perform actions, while it runs. The --cmd option can instead be used to provide a particular executable to run. For example, if there is a file named malware.exe, the command line could be:

Noriben.py --cmd "malware.exe"

-t TIMEOUT, --timeout TIMEOUT Number of seconds to collect activity

By default, Noriben does not use a timeout period. It will simply run until stopped by the user.