Detection Engineering Toolkit — Generate YARA, Sigma, MITRE ATT&CK mappings, IOC reports, and HTML reports from suspicious binaries.
Malforge
Detection Engineering Toolkit
Generate YARA · Sigma · MITRE ATT&CK · IOC Reports · HTML Reports
from a suspicious binary. One command.
What It Does
Malforge takes a suspicious binary and produces five actionable outputs:

sample.exe → malforge analyze →
- YARA Rule
- Sigma Rule
- MITRE ATT&CK Mapping
- IOC Report (JSON)
- HTML Threat Report
It runs a 10-stage analysis pipeline entirely offline — no cloud, no sandbox, no Docker required:
- File hashing — MD5, SHA1, SHA256, entropy
- PE parsing — Headers, sections, imports, exports, timestamps
- String extraction — ASCII/Unicode strings, categorized (URLs, IPs, registry, paths)
- Heuristic analysis — Process injection, keylogging, crypto, anti-debug, packing detection
- IOC extraction — Network indicators, file hashes, registry keys with confidence scoring
- MITRE ATT&CK mapping — ~13 techniques mapped from heuristics and IOCs
- YARA rule generation — From suspicious APIs + network IOCs, auto-validated
- Sigma rule generation — From file paths, registry, DNS, and network IOCs
- HTML report — Standalone, dark-themed, professional threat report
- Plugin hooks — Extend with your own analysis steps
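Stages 1, 3 and 5 above in miniature: byte entropy, ASCII and UTF-16LE string carving, and sorting the carved strings into the same IOC categories (URLs, IPs, registry keys, paths). This is an added example written for this page, not Malforge's own code. The sample buffer is constructed inline and is not a real binary; the regexes, the 5-character minimum and the category names are this example's assumptions, and the IPv4 check uses the standard library to reject strings like 999.1.1.1 that a digit-and-dot regex alone would accept.

```python
from __future__ import annotations

import ipaddress
import math
import re
from collections import Counter

MIN_LEN = 5  # minimum printable run, in characters, to count as a string


def ascii_s(s: str) -> bytes:
    return s.encode("ascii") + b"\x00\x00"


def wide_s(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample buffer (not a real binary): an MZ header, padding, a mix of
# ASCII and UTF-16LE strings of the kinds a categorizer has to sort, and a
# high-entropy tail standing in for a packed section.
SAMPLE = (
    b"MZ" + b"\x90" * 64
    + ascii_s("VirtualAllocEx") + ascii_s("WriteProcessMemory")
    + ascii_s("http://evil.example/payload.exe")
    + wide_s("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    + ascii_s("203.0.113.50")
    + wide_s("C:\\Users\\Public\\svc.exe")
    + bytes(range(256)) * 2
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)   # UTF-16LE, ASCII subset
URL_RE = re.compile(r"^https?://[^\s\"']+$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
REG_RE = re.compile(r"^(?:HKLM|HKCU|HKU|HKCR|HKEY_[A-Z_]+)\\", re.I)
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")   # drive-letter or UNC path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed
    bytes. Packed or encrypted sections usually sit above 7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_likely_packed(data: bytes, threshold: float = 7.0) -> bool:
    return shannon_entropy(data) >= threshold


def extract_strings(data: bytes) -> list[tuple[str, str]]:
    """(encoding, text) for every ASCII and UTF-16LE run of at least MIN_LEN chars."""
    found = [("ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [("wide", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return found


def classify(s: str) -> str:
    if URL_RE.match(s):
        return "url"
    if IPV4_RE.match(s):
        try:
            ipaddress.IPv4Address(s)  # rejects 999.1.1.1, which the regex accepts
            return "ipv4"
        except ValueError:
            pass
    if REG_RE.match(s):
        return "registry"
    if PATH_RE.match(s):
        return "path"
    return "other"


def categorize(strings) -> dict[str, list[str]]:
    buckets: dict[str, list[str]] = {k: [] for k in ("url", "ipv4", "registry", "path", "other")}
    for _, text in strings:
        buckets[classify(text)].append(text)
    return buckets


if __name__ == "__main__":
    cats = categorize(extract_strings(SAMPLE))
    for kind, items in cats.items():
        print(f"{kind:9s} {len(items):3d}  {items[:2]}")
    print(f"entropy: {shannon_entropy(SAMPLE):.2f} bits/byte, packed? {is_likely_packed(SAMPLE)}")
```

The double NUL after each constructed string matters: a UTF-16LE carver started one byte early swallows the last ASCII character of the preceding string ("eHKLM\..."), which then fails the registry pattern. Real extractors hit the same alignment problem, which is why per-section entropy and string carving are reported separately rather than trusted blindly.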
Install
pip install malforge
Requires Python 3.11+ and yara-python. pip installs a prebuilt yara-python wheel on most platforms; where no wheel is available it builds the extension from source, which needs a C compiler.
Quick Start
# Analyze a suspicious binary
malforge analyze sample.exe
# Custom output directory
malforge analyze sample.exe -o ./results
# JSON report only (skip HTML)
malforge analyze sample.exe --format json
# Skip Sigma rule generation
malforge analyze sample.exe --no-sigma
# Show version
malforge --version
Output
malforge_output/
├── report.html          # Standalone HTML threat report
├── report.json          # Full analysis data
├── iocs.json            # Extracted IOCs with confidence scores
├── mitre_mapping.json   # ATT&CK technique mappings
└── rules/
    ├── yara_rule.yar    # Auto-generated YARA rule
    └── sigma_rule.yml   # Auto-generated Sigma rule
Sample YARA Rule Output
rule Malforge_a1b2c3d4 {
    meta:
        author = "Malforge"
        description = "Auto-generated detection rule from static analysis."
        date = "2026-06-30"
        hash = "a1b2c3d4..."
        tlp = "WHITE"
    strings:
        $s0 = "VirtualAllocEx" ascii wide nocase
        $s1 = "WriteProcessMemory" ascii wide nocase
        $s2 = "CreateRemoteThread" ascii wide nocase
        $ioc_url0 = "http://evil.com/payload.exe" ascii wide
        $ioc_ip1 = "203.0.113.50" ascii wide
    condition:
        uint16(0) == 0x5a4d
        and all of ($s*)
        and any of ($ioc_*)
}
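A generator in the shape of the rule above, added here as an illustration and not Malforge's own implementation. It escapes backslashes and quotes in string contents (registry paths would otherwise break compilation), emits the `any of ($ioc_*)` clause only when at least one IOC string exists (with no `$ioc_*` strings that clause is a YARA compile error), refuses to emit a rule whose only condition is the MZ check, and validates the result with yara-python when it is installed. The API list, IOCs and sample bytes are constructed. Note the caveat the generated condition carries: `and any of ($ioc_*)` ties the rule to this sample's infrastructure, so for family-level coverage you would drop that clause or make it optional.

```python
from __future__ import annotations

import datetime as dt
import hashlib

# Constructed inputs for this example (not real Malforge output).
SUSPICIOUS_APIS = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
IOCS = {"url": ["http://evil.com/payload.exe"], "ip": ["203.0.113.50"]}
SAMPLE = (b"MZ" + b"\x00" * 62
          + b"\x00".join(a.encode() for a in SUSPICIOUS_APIS)
          + b"\x00http://evil.com/payload.exe\x00")


def yara_escape(s: str) -> str:
    """Escape a Python str for use inside a YARA double-quoted text string."""
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace("\n", "\\n").replace("\t", "\\t"))


def build_rule(data: bytes, apis: list[str], iocs: dict[str, list[str]],
               date: str | None = None) -> str:
    sha256 = hashlib.sha256(data).hexdigest()
    ioc_items = [(kind, v) for kind, vals in iocs.items() for v in vals]
    if not apis and not ioc_items:
        # A rule whose only condition is the MZ header would match every PE file.
        raise ValueError("refusing to emit a rule with no strings")
    date = date or dt.date.today().isoformat()
    out = [f"rule Malforge_{sha256[:8]} {{",
           "    meta:",
           '        author = "Malforge"',
           '        description = "Auto-generated detection rule from static analysis."',
           f'        date = "{date}"',
           f'        hash = "{sha256}"',
           '        tlp = "WHITE"',
           "    strings:"]
    for i, api in enumerate(apis):
        out.append(f'        $s{i} = "{yara_escape(api)}" ascii wide nocase')
    for n, (kind, value) in enumerate(ioc_items):
        out.append(f'        $ioc_{kind}{n} = "{yara_escape(value)}" ascii wide')
    cond = ["uint16(0) == 0x5a4d"]
    if apis:
        cond.append("all of ($s*)")
    if ioc_items:
        # Only emit the IOC clause when IOC strings exist: "any of ($ioc_*)"
        # with no matching string identifiers does not compile.
        cond.append("any of ($ioc_*)")
    out += ["    condition:", "        " + "\n        and ".join(cond), "}"]
    return "\n".join(out)


def validate(rule_text: str, data: bytes):
    """Compile the rule with yara-python and scan `data`.

    Returns True/False for match, or None when yara-python is not installed,
    so the generator still works on a machine without it."""
    try:
        import yara  # provided by the yara-python package
    except ImportError:
        return None
    rules = yara.compile(source=rule_text)
    return bool(rules.match(data=data))


if __name__ == "__main__":
    text = build_rule(SAMPLE, SUSPICIOUS_APIS, IOCS, date="2026-06-30")
    print(text)
    print("match:", validate(text, SAMPLE))
```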
Sample Sigma Rule Output
title: Suspicious Activity — Malforge a1b2c3d4
id: 8f14e45f-ceea-367f-a27f-c790a516b3b9
status: experimental
description: Auto-generated Sigma rule for sample a1b2c3d4...
author: Malforge
date: 2026/06/30
logsource:
  category: process_creation
  product: windows
detection:
  selection_files:
    Image|endswith:
      - '\cmd.exe'
  selection_registry:
    TargetObject|contains:
      - 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
  selection_dns:
    QueryName|endswith:
      - 'malicious-domain.com'
  condition: selection_files or selection_registry or selection_dns
falsepositives:
  - Unknown
level: medium
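Two things to check before deploying a rule like the one above. First, a Sigma rule has one logsource: the rule declares `category: process_creation`, but `TargetObject` is a registry_event field and `QueryName` a dns_query field, so under that logsource only `selection_files` can ever match, and `Image|endswith '\cmd.exe'` fires on every cmd.exe launch. Second, because the condition is a flat OR, the rule can be split losslessly into one rule per logsource. The following is an added example, not Malforge code, that does that split on the rule in its loaded dict form. The field-to-logsource table is this example's assumption; `related` with `type: derived` is Sigma's own way of linking a derived rule to its parent.

```python
from __future__ import annotations

import copy
import json
import uuid

# Field -> logsource table. Constructed for this example from the fields in the
# generated rule; extend it for other event types you emit.
FIELD_LOGSOURCE = {
    "Image": {"category": "process_creation", "product": "windows"},
    "CommandLine": {"category": "process_creation", "product": "windows"},
    "TargetObject": {"category": "registry_event", "product": "windows"},
    "QueryName": {"category": "dns_query", "product": "windows"},
    "DestinationIp": {"category": "network_connection", "product": "windows"},
}

# The generated rule above, as the dict a YAML loader returns.
GENERATED = {
    "title": "Suspicious Activity - Malforge a1b2c3d4",
    "id": "8f14e45f-ceea-367f-a27f-c790a516b3b9",
    "status": "experimental",
    "description": "Auto-generated Sigma rule for sample a1b2c3d4...",
    "author": "Malforge",
    "date": "2026/06/30",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_files": {"Image|endswith": ["\\cmd.exe"]},
        "selection_registry": {"TargetObject|contains": [
            "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"]},
        "selection_dns": {"QueryName|endswith": ["malicious-domain.com"]},
        "condition": "selection_files or selection_registry or selection_dns",
    },
    "falsepositives": ["Unknown"],
    "level": "medium",
}


def logsource_for(selection: dict) -> dict:
    """Logsource shared by every field in a selection; error if they disagree."""
    sources = set()
    for field in selection:
        base = field.split("|")[0]  # strip modifiers such as |endswith
        if base not in FIELD_LOGSOURCE:
            raise ValueError(f"unknown field {base!r}; add it to FIELD_LOGSOURCE")
        sources.add(json.dumps(FIELD_LOGSOURCE[base], sort_keys=True))
    if len(sources) != 1:
        raise ValueError(f"selection mixes logsources: {sorted(selection)}")
    return json.loads(sources.pop())


def split_by_logsource(rule: dict) -> list[dict]:
    det = rule["detection"]
    names = [n for n in det if n != "condition"]
    # Splitting is only meaning-preserving for a flat OR of every selection;
    # an AND across logsources cannot be expressed as separate rules.
    parts = [p.strip() for p in det["condition"].split(" or ")]
    if sorted(parts) != sorted(names):
        raise ValueError("condition is not a flat OR of all selections")
    groups: dict[str, list[str]] = {}
    for name in names:
        key = json.dumps(logsource_for(det[name]), sort_keys=True)
        groups.setdefault(key, []).append(name)
    out = []
    for key, members in groups.items():
        ls = json.loads(key)
        new = copy.deepcopy(rule)
        new["logsource"] = ls
        new["title"] = f"{rule['title']} ({ls['category']})"
        # Every Sigma rule needs its own id: derive it deterministically from the
        # parent id and link back with the `related` field.
        new["id"] = str(uuid.uuid5(uuid.UUID(rule["id"]), ls["category"]))
        new["related"] = [{"id": rule["id"], "type": "derived"}]
        new["detection"] = {m: det[m] for m in members}
        new["detection"]["condition"] = " or ".join(members)
        out.append(new)
    return out


def dump(rule: dict) -> str:
    try:
        import yaml  # PyYAML if installed; otherwise fall back to JSON
        return yaml.safe_dump(rule, sort_keys=False)
    except ImportError:
        return json.dumps(rule, indent=2)


if __name__ == "__main__":
    for r in split_by_logsource(GENERATED):
        print(dump(r))
        print("---")
```

The split does not fix the `\cmd.exe` noise; that selection still needs a tighter parent-process or command-line constraint, or a `falsepositives` entry that says why it is acceptable, before it leaves `experimental`.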
How It Works
malforge analyze

sample.exe ──▶ Read bytes + compute hashes
                 │
                 ├──▶ PE Analyzer (pefile)
                 │      └── headers, sections, imports, exports
                 │
                 ├──▶ String Extractor
                 │      └── URLs, IPs, registry, suspicious
                 │
                 ├──▶ Heuristic Engine
                 │      └── injection, keylog, crypto, packing
                 │
                 ├──▶ IOC Extractor
                 │      └── typed IOCs with confidence scores
                 │
                 ├──▶ MITRE ATT&CK Mapper
                 │      └── technique IDs + tactics + evidence
                 │
                 ├──▶ YARA Generator ──▶ Validator
                 │
                 ├──▶ Sigma Generator
                 │
                 └──▶ Report Generator
                        ├── report.json
                        ├── report.html
                        ├── iocs.json
                        ├── mitre_mapping.json
                        └── rules/ (yara + sigma)
Plugin System
Extend Malforge with custom analysis steps:
# my_plugin.py
from malforge.plugins.base import MalforgePlugin


class VirusTotalPlugin(MalforgePlugin):
    name = "virustotal"
    version = "1.0.0"

    def on_analysis_complete(self, result: dict) -> dict:
        # Add VirusTotal lookup results. The values below are placeholders;
        # a real plugin would query the VirusTotal API with the sample's hash.
        result["virustotal"] = {"detected": True, "positives": 42}
        return result
Register in your plugin's pyproject.toml:
[project.entry-points."malforge.plugins"]
virustotal = "my_plugin:VirusTotalPlugin"
pip install my-malforge-plugin
malforge plugins list # Shows: virustotal v1.0.0
malforge analyze sample.exe # Plugin runs automatically
Project Structure
malforge/
├── src/malforge/
│   ├── cli.py           # Click CLI entry point
│   ├── analyzer.py      # 10-stage pipeline orchestrator
│   ├── analysis/        # PE parsing, string extraction, heuristics
│   ├── detection/       # YARA + Sigma generation, YARA validation
│   ├── ioc/             # IOC extraction with confidence scoring
│   ├── mitre/           # ATT&CK technique mapping
│   ├── report/          # JSON + HTML report generation
│   └── plugins/         # Plugin base class + entry point loader
├── tests/               # pytest test suite
├── pyproject.toml       # Package config (pip install malforge)
├── CONTRIBUTING.md      # Plugin dev guide + contribution workflow
└── LICENSE              # MIT
Development
git clone https://github.com/prxcode/malforge.git
cd malforge
python -m venv .venv && .venv\Scripts\activate        # Windows
# python -m venv .venv && source .venv/bin/activate   # Linux / macOS
pip install -e ".[dev]"
pytest tests/ -v
What This Is NOT
Malforge is a static analysis + detection engineering tool. It does not:
- Execute malware (no sandbox/dynamic analysis)
- Perform full reverse engineering
- Replace commercial EDR or threat intelligence platforms
- Claim memory forensics capabilities
It does one workflow well: binary → detection artifacts. If you need dynamic analysis, pair it with CAPEv2 or ANY.RUN.
Contributing
See CONTRIBUTING.md for development setup, plugin development, and PR guidelines.
License
MIT — see LICENSE.
Author
Priyanshu — @prxcode
File details
Details for the file malforge-1.0.0.tar.gz.
File metadata
- Download URL: malforge-1.0.0.tar.gz
- Upload date:
- Size: 30.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
- SHA256: 178bcf8a822f4ade55b0cfec20a4da1993b59d0a6634ca4be6406e9e2f562544
- MD5: 1b4a92dec8c4627357ef4f63fba893c1
- BLAKE2b-256: 9ea2e28eb132661db387719baaf5bffe981b8aa6ac0c3b931d3b9d11f4a98f72
Provenance
The following attestation bundles were made for malforge-1.0.0.tar.gz:
- Publisher: publish.yml on prxcode/malforge
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: malforge-1.0.0.tar.gz
- Subject digest: 178bcf8a822f4ade55b0cfec20a4da1993b59d0a6634ca4be6406e9e2f562544
- Sigstore transparency entry: 2046990602
- Sigstore integration time:
- Permalink: prxcode/malforge@02c748f8bde16fc74511ba27ae1f5d8e03244158
- Branch / Tag: refs/tags/v1.0.0
- Owner: https://github.com/prxcode
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@02c748f8bde16fc74511ba27ae1f5d8e03244158
- Trigger Event: push
File details
Details for the file malforge-1.0.0-py3-none-any.whl.
File metadata
- Download URL: malforge-1.0.0-py3-none-any.whl
- Upload date:
- Size: 30.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
- SHA256: b18c7050c70476f1429994e8523604491d3d28bc601f82b5309498a473d9ed4f
- MD5: 4c68381cee9f3aeaba648c36dcd7b633
- BLAKE2b-256: 57f2a5fa8165e0b77d675db869dd4784a6563e83db23dbd043c18aedf5481644
Provenance
The following attestation bundles were made for malforge-1.0.0-py3-none-any.whl:
- Publisher: publish.yml on prxcode/malforge
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: malforge-1.0.0-py3-none-any.whl
- Subject digest: b18c7050c70476f1429994e8523604491d3d28bc601f82b5309498a473d9ed4f
- Sigstore transparency entry: 2046990701
- Sigstore integration time:
- Permalink: prxcode/malforge@02c748f8bde16fc74511ba27ae1f5d8e03244158
- Branch / Tag: refs/tags/v1.0.0
- Owner: https://github.com/prxcode
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@02c748f8bde16fc74511ba27ae1f5d8e03244158
- Trigger Event: push