strelka
by target
Strelka is a real-time, container-based file scanning system designed for enterprise-scale threat hunting, file analysis, and incident response.
Real-time, container-based file scanning at enterprise scale
Primary Use Case
Strelka is used by security analysts and incident responders to automate the extraction and analysis of file content and metadata across large environments. It enables real-time threat detection and hunting by integrating with SIEM systems to provide actionable insights without manual file handling.
- Real-time, containerized file scanning for scalability and flexibility
- Modular platform supporting file extraction, metadata collection, and analysis
- Cross-platform OS-native clients for Windows, Mac, and Linux
- Built with Go and Python 3.10+ for performance and extensibility
- Integration capability with SIEM for alerting and environment visibility
- Support for user-submitted files and automated scanning workflows
- Optional YARA rule integration for custom threat detection
- Web UI for file analysis and management
Installation
- sudo apt install -y wget git docker docker-compose golang jq
- sudo usermod -aG docker $USER
- newgrp docker
- git clone https://github.com/target/strelka.git
- cd strelka
- Optionally remove default yara rules: rm configs/python/backend/yara/rules.yara
- Clone preferred yara rules: git clone https://github.com/Yara-Rules/rules.git configs/python/backend/yara/rules/
- Set yara rules index: echo 'include "./rules/index.yar"' > configs/python/backend/yara/rules.yara
- Start Strelka using precompiled images: docker compose -f build/docker-compose-no-build.yaml up -d
- Build the oneshot CLI: go build github.com/target/strelka/src/go/cmd/strelka-oneshot
Usage
>_ ./strelka-oneshot -f samples/Win32.Emotet.zip -l - | jq
Analyze a specified file (e.g., a malware sample) using the dockerized oneshot scanner and format the output with jq.
>_ docker compose -f build/docker-compose-no-build.yaml up -d
Start Strelka services using precompiled Docker images without building from source.
>_ docker compose -f build/docker-compose.yaml build && docker compose -f build/docker-compose.yaml up -d
Build the Strelka Docker images from source and start the services.
- Integrate Strelka with SIEM solutions to automate real-time alerting and reduce analyst workload.
- Leverage containerization to scale file scanning across hybrid cloud and on-prem environments efficiently.
- Customize YARA rules to tailor threat detection to organization-specific malware and file patterns.
- Use Strelka's OS-native clients to enable endpoint file analysis and enrich incident response workflows.
- Incorporate Strelka into purple team exercises to simulate realistic file-based threat hunting scenarios and improve detection tuning.