Open-Awesome
© 2026 Open-Awesome. Curated for the developer elite.
Noriben

NOASSERTION · Python · 2.0

A portable Python script that automates malware analysis by collecting runtime indicators using Sysinternals Procmon.

GitHub
1.3k stars · 228 forks · 0 contributors

What is Noriben?

Noriben is a portable Python script that automates the collection and reporting of runtime indicators from a malware sample. It runs inside the analysis VM next to the sample, drives Sysinternals Procmon to record system activity (process, file, registry and network events), and turns that log into a plain-text activity report; it can also scan files observed during the run against YARA rules and look up file hashes on VirusTotal. It supports both unattended and interactive analysis. Noriben itself is not a containment boundary: the sample executes with full access to the guest, so the VM's snapshot and network policy are what keep the analysis safe.

Target Audience

Security researchers, malware analysts, and digital forensics professionals who need a lightweight, scriptable tool for analyzing suspicious software and extracting Indicators of Compromise (IOCs).

Value Proposition

Noriben is a simple, portable alternative to a full sandbox framework. Procmon captures everything and Noriben filters the log afterward with built-in whitelists, so no Procmon filter has to be configured before a run. Because the analyst sits on the guest with the sample, interactive steps (clicking through an installer, attaching a debugger) fit naturally, while the same script also runs unattended with a timeout, which makes it easy to fit into a tailored analysis workflow.

Overview

Noriben - Portable, Simple, Malware Analysis Sandbox

Use Cases

Best For

  • Analyzing malware that requires manual interaction or debugging to execute
  • Automating malware execution and report collection in virtualized environments
  • Scanning files with YARA rules during dynamic analysis
  • Generating generalized IOCs by converting absolute paths to environment variables
  • Conducting software audits to monitor application behavior
  • Integrating VirusTotal lookups into malware analysis pipelines

Not Ideal For

  • Cross-platform malware analysis requiring native Linux or macOS support without Windows dependencies
  • Large-scale, fully automated sandboxing pipelines needing minimal manual configuration and GUI interfaces
  • Teams that require integrated real-time monitoring without relying on external tools like Procmon
  • Environments where strict vendor-agnostic or open-source-only toolchains are mandated

Pros & Cons

Pros

Seamless Procmon Integration

Drives Sysinternals Procmon to log system-wide activity with no filter configured up front, then removes routine Windows noise with built-in whitelists when the report is generated. The whitelist is the main tuning knob: too broad and activity injected into or masquerading as a whitelisted process disappears from the report; too narrow and the report drowns in background events.
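To make the capture-everything-then-whitelist idea concrete, here is an added example in Python that is not Noriben's own code: it parses a constructed Procmon CSV export (the default export columns, with made-up rows), drops non-successful and uninteresting operations, applies a small glob whitelist of this example's own (Noriben ships its own, larger lists), and groups what remains into the process, file, registry and network sections a Noriben report uses. The sample rows, the operation table and the whitelist entries are assumptions chosen for the example.

```python
"""Reduce a Procmon CSV export to a Noriben-style activity report.

Added example, not Noriben's own code: it shows the filter-after-capture idea
(record everything, whitelist the noise afterwards) on a constructed CSV in the
shape of Procmon's default export columns.
"""
import csv
import fnmatch
import io
from collections import defaultdict

# Constructed sample rows; nothing here was captured from real malware.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","explorer.exe","1234","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
"10:00:02.0000000","sample.exe","4242","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4300, Command line: cmd.exe /c whoami"
"10:00:02.1000000","sample.exe","4242","CreateFile","C:\Users\analyst\AppData\Roaming\updater.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:00:02.2000000","sample.exe","4242","WriteFile","C:\Users\analyst\AppData\Roaming\updater.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:00:02.3000000","sample.exe","4242","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\analyst\AppData\Roaming\updater.exe"
"10:00:02.4000000","sample.exe","4242","TCP Connect","WIN10-VM:49812 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:00:03.0000000","svchost.exe","800","CreateFile","C:\Windows\Prefetch\SAMPLE.EXE-1A2B3C4D.pf","SUCCESS","Desired Access: Generic Write"
"10:00:03.1000000","sample.exe","4242","CreateFile","C:\Users\analyst\Desktop\sample.exe","SUCCESS","Desired Access: Generic Read"
"10:00:03.2000000","sample.exe","4242","CreateFile","C:\Users\analyst\AppData\Roaming\updater.exe","NAME COLLISION","Desired Access: Generic Write"
""".strip()

# Procmon operations that become indicators, and the report section each lands in.
OPERATIONS = {
    "Process Create": "processes",
    "CreateFile": "files",  # kept only when opened for writing, see build_report
    "WriteFile": "files",
    "SetRenameInformationFile": "files",
    "SetDispositionInformationFile": "files",
    "RegCreateKey": "registry",
    "RegSetValue": "registry",
    "RegDeleteValue": "registry",
    "TCP Connect": "network",
    "TCP Send": "network",
    "UDP Send": "network",
}

# Example whitelist (this example's own, far smaller than Noriben's): background
# Windows activity and the analysis tooling itself. Globs, matched case-insensitively.
WHITELIST_PROCESSES = ["explorer.exe", "svchost.exe", "procmon*.exe", "python*.exe"]
WHITELIST_PATHS = [
    r"C:\Windows\Prefetch\*",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\*",
]


def _matches(value, patterns):
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def parse_procmon_csv(text):
    """Return the rows of a Procmon CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def build_report(text):
    """Group the interesting, non-whitelisted, successful events by section.

    Lines are deduplicated on (process, PID, operation, path), mirroring the
    one-line-per-indicator style of a Noriben report.
    """
    report = defaultdict(list)
    seen = set()
    for row in parse_procmon_csv(text):
        section = OPERATIONS.get(row["Operation"])
        if section is None or row["Result"] != "SUCCESS":
            continue
        if _matches(row["Process Name"], WHITELIST_PROCESSES) or _matches(row["Path"], WHITELIST_PATHS):
            continue
        # CreateFile fires for plain reads too; only a write-capable open is an indicator.
        if row["Operation"] == "CreateFile" and "Write" not in row["Detail"]:
            continue
        key = (row["Process Name"], row["PID"], row["Operation"], row["Path"])
        if key in seen:
            continue
        seen.add(key)
        report[section].append(f"[{row['Operation']}] {row['Process Name']}:{row['PID']} > {row['Path']}")
    return dict(report)


if __name__ == "__main__":
    for section, lines in build_report(SAMPLE_CSV).items():
        print(f"== {section} ==")
        print("\n".join(lines))
```

Run it directly to print the four report sections. Whitelisting by process name is the sharp edge: the svchost.exe row is dropped here because it only writes a prefetch file, but the same rule would also hide a payload injected into svchost.exe, which is why process whitelists deserve a look per sample rather than blind trust.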

Flexible Analysis Modes

Supports unattended execution with a timeout as well as hands-on runs in which the analyst interacts with the sample or attaches a debugger, so the same tool covers samples that need clicks, credentials or stepping before they execute their payload.

Enhanced IOC Development

Optionally rewrites absolute paths in the report into Windows environment-variable form (e.g. a file under the analysis user's roaming profile is reported under %AppData%), so an extracted indicator matches on hosts with different user names and install locations instead of being tied to the analysis VM.
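As an added illustration of the path-generalization idea (this is not Noriben's own generalization code, whose exact rules are not shown on this page), the following Python builds a substitution table from a constructed environment-variable mapping and applies it longest-prefix-first, so that nested locations such as %Temp% inside %LocalAppData% inside %UserProfile% resolve to the most specific variable. SAMPLE_ENV, the function names and the report lines are this example's own assumptions.

```python
r"""Generalize absolute Windows paths into environment-variable form.

Added example, not Noriben's own generalization code: it shows the
longest-prefix-first substitution that turns a host-specific path into a
portable indicator (C:\Users\analyst\AppData\Roaming\x.exe -> %AppData%\x.exe).
"""
import re

# Constructed values for a hypothetical analysis VM with user 'analyst'. On the
# guest itself these would come from os.environ; a fixed table keeps the example
# runnable on any OS.
SAMPLE_ENV = {
    "%SystemRoot%": r"C:\Windows",
    "%ProgramFiles%": r"C:\Program Files",
    "%ProgramFiles(x86)%": r"C:\Program Files (x86)",
    "%ProgramData%": r"C:\ProgramData",
    "%UserProfile%": r"C:\Users\analyst",
    "%AppData%": r"C:\Users\analyst\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\analyst\AppData\Local",
    "%Temp%": r"C:\Users\analyst\AppData\Local\Temp",
}


def build_rules(env):
    r"""Compile one substitution per variable, longest concrete path first.

    A proper prefix is always shorter than the path it prefixes, so sorting by
    length guarantees %Temp% is tried before %LocalAppData% before %UserProfile%.
    The lookahead requires a path separator or end of string after the prefix,
    so C:\Windows.old is not rewritten to %SystemRoot%.old and another user's
    profile under C:\Users is left alone.
    """
    ordered = sorted(env.items(), key=lambda item: len(item[1]), reverse=True)
    return [
        (re.compile(re.escape(path) + r"(?=\\|$)", re.IGNORECASE), var)
        for var, path in ordered
    ]


def generalize(text, rules):
    """Rewrite every absolute path in text (a bare path or a whole report line)."""
    for pattern, var in rules:
        text = pattern.sub(var, text)
    return text


def generalize_report(lines, env=SAMPLE_ENV):
    """Apply generalize() to each line of a report."""
    rules = build_rules(env)
    return [generalize(line, rules) for line in lines]


if __name__ == "__main__":
    # Constructed report lines in the shape Noriben prints them; the command line
    # in the second one shows that paths embedded mid-line are rewritten too.
    for line in generalize_report([
        r"[CreateFile] sample.exe:4242 > C:\Users\analyst\AppData\Roaming\updater.exe",
        r"[Process Create] sample.exe:4242 > C:\Windows\System32\cmd.exe, Command line: "
        r"cmd.exe /c copy C:\Users\analyst\Desktop\a.doc C:\Users\analyst\AppData\Local\Temp\b.doc",
        r"[CreateFile] sample.exe:4242 > C:\Users\Public\Desktop\a.lnk",
    ]):
        print(line)
```

The ordering matters more than it looks: applying %UserProfile% first would turn the Temp path into %UserProfile%\AppData\Local\Temp\b.doc, which is still correct but far less useful as an indicator than %Temp%\b.doc.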

Threat Detection Integration

Can scan files observed during the run against YARA rules and look up file hashes through the VirusTotal API from the same command line. The VirusTotal lookup needs an API key and discloses the hash to a third party, which is worth a moment's thought for samples from a targeted intrusion.

Cons

Windows Dependency

Relies on Sysinternals Procmon for event capture, so both Noriben and the sample must run inside a Windows guest. Windows is a hard requirement rather than a setup inconvenience: Linux and macOS malware cannot be analyzed with it.

Limited Automation Platform Support

The NoribenSandbox.py automation script currently runs only on macOS (OS X) hosts, with porting planned, so fully automated VM-driving workflows are not available from Windows or Linux hosts.

Sparse Documentation

While the README provides basic usage, detailed tutorials or comprehensive documentation are minimal, potentially increasing the learning curve for complex scenarios.

Quick Stats

Stars: 1,273
Forks: 228
Contributors: 0
Open issues: 9
Last commit: 2 months ago
Created: 2013

Tags

#digital-forensics #sandbox #virustotal #python #security-tools #malware-analysis #threat-intelligence #yara #automation

Built With

Python

Included in

Malware Analysis (13.6k)

Related Projects

malice.io

VirusTotal Wanna Be - Now with 100% more Hipster

Stars: 1,861 · Forks: 284 · Last commit: 3 years ago

DRAKVUF

DRAKVUF Black-box Binary Analysis

Stars: 1,240 · Forks: 265 · Last commit: 19 days ago

HaboMalHunter

HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system.

Stars: 751 · Forks: 221 · Last commit: 3 years ago

Limon

Limon is a sandbox developed as a research project written in python, which automatically collects, analyzes, and reports on the run time indicators of Linux malware. It allows one to inspect Linux malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open source tools.

Stars: 403 · Forks: 118 · Last commit: 10 years ago