"Don't just scan files. Visualize the battlefield."
🇹🇷 Click here for the Turkish documentation (Türkçe Dökümantasyon)
ZeroScout is a threat hunting framework designed for incident responders (DFIR), SOC analysts, and malware researchers.
Unlike a traditional antivirus scanner, which returns a verdict with no explanation, ZeroScout works as a cyber defense HQ: it lays out the attack surface in a live War Room, attributes samples to known APT groups by import-table and similarity hashing (ImpHash/ssdeep), and generates YARA and Sigma detection rules automatically.
It operates in a hybrid architecture:
- Local Hunter (offline mode): uses heuristics, entropy analysis, and a bridge to Windows Defender to flag previously unseen, suspicious binaries without internet access. Heuristic hits are leads to investigate, not verdicts.
- Cloud Powered (online mode): hands the sample to the ZeroScout Cloud Engine for sandbox analysis when an API key is configured.
ZeroScout extracts IP addresses from the strings embedded in the binary (hard-coded addresses are candidate C2 infrastructure) and plots them on a live ASCII world map directly in your terminal.
See at a glance where the sample's hard-coded infrastructure is hosted. These addresses come from static strings, not observed traffic: an address can be a decoy, a connectivity-check target, or a version number that happens to look like a dotted quad, so confirm it before acting on it.
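As an added example (this is not ZeroScout's code and does not use its API), the following stand-alone Python shows the extraction step above with the filtering a responder wants on top of a bare regex: it pulls ASCII and UTF-16LE strings from raw bytes, matches dotted quads, drops loopback, private, link-local, multicast, reserved and unspecified addresses as well as quads sitting inside version-like strings, and keeps the first string each address was seen in as context. The sample bytes and the function names are constructed; 93.184.216.34 (the address long published for example.com) stands in for a real C2 host.

```python
"""Added example, not ZeroScout's own code: candidate C2 IPv4 extraction
from a binary's embedded strings, with false-positive filtering."""
import ipaddress
import re
from typing import List, Tuple

# Runs of 4+ printable ASCII bytes, and the same for UTF-16LE (common in
# Windows binaries, where "10.0.0.5" is stored as 1\x00 0\x00 .\x00 ...).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Dotted quad with octets 0-255; the look-arounds stop "1.2.3.4.5" from
# yielding a partial match such as "2.3.4.5".
_IPV4 = re.compile(
    r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"
)
# A dotted quad inside a string about versions/builds is almost always a
# version number (e.g. "ProductVersion 1.2.3.4"), not an address.
_VERSIONISH = re.compile(r"(?i)version|build|assembly")


def extract_strings(data: bytes) -> List[str]:
    """ASCII strings first, then UTF-16LE strings, each in file order."""
    ascii_strings = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]
    wide_strings = [m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(data)]
    return ascii_strings + wide_strings


def candidate_c2_ips(data: bytes) -> List[Tuple[str, str]]:
    """Return sorted (ip, first_context_string) pairs worth plotting/investigating.

    Dropped: loopback, private (RFC 1918 and friends), link-local, multicast,
    reserved and unspecified addresses, plus quads found in version-like strings.
    """
    found = {}
    for s in extract_strings(data):
        if _VERSIONISH.search(s):
            continue
        for m in _IPV4.finditer(s):
            ip = ipaddress.IPv4Address(m.group())
            if (ip.is_loopback or ip.is_private or ip.is_link_local
                    or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
                continue
            found.setdefault(str(ip), s)  # keep the first context we saw
    return sorted(found.items())


# Constructed sample: a fake PE-like blob holding one public address (stored
# both as ASCII and as UTF-16LE), a private address, loopback, and a version
# string. 93.184.216.34 is the long-standing example.com address.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"ProductVersion 1.2.3.4\x00\x00"
    + b"http://93.184.216.34/gate.php\x00\x00"
    + "10.0.0.5".encode("utf-16-le") + b"\x00\x00"
    + "93.184.216.34:8443".encode("utf-16-le") + b"\x00\x00"
    + b"127.0.0.1\x00"
)

if __name__ == "__main__":
    for ip, context in candidate_c2_ips(SAMPLE):
        print(f"{ip:<16} seen in: {context!r}")
```

Run it on a real file by replacing `SAMPLE` with the file's bytes; what survives the filter is the list a geolocation step would plot. Private and loopback addresses are still worth recording for lateral-movement analysis, they are just not C2 candidates.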
New malware variant? ZeroScout compares the file's "code DNA" (its ImpHash, a hash of the import table) and observed TTPs against known actor profiles to suggest who is behind the file:
"This file is unknown, but its DNA matches Lazarus Group with 92% confidence."
Treat the result as a lead rather than a verdict: binaries built with the same compiler, linker settings and import set share an ImpHash, so unrelated families collide, and a similarity score should be confirmed with further analysis.
Stop writing detection rules by hand. ZeroScout generates deployable rules instantly:
- YARA rules: for endpoint and file-system scanning.
- Sigma rules: for SIEM correlation.
Review a generated rule before deploying it: a rule keyed on a colliding ImpHash or a common string will fire on benign software.
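To make the attribution and rule-generation steps above concrete, here is an added example in Python (my own code, not ZeroScout's implementation or API): it computes an ImpHash from a parsed import table the way pefile does, looks it up in a constructed profile table, and emits a YARA rule (using the `pe` module's `pe.imphash()`) and a Sigma process-creation rule on the `Imphash` field. The actor names, profile import lists, and every function name here are assumptions made for the example.

```python
"""Added example, not ZeroScout's own code: ImpHash computation, profile
lookup for attribution, and YARA/Sigma rule generation from the result."""
import hashlib
import uuid
from typing import Dict, List, Optional, Sequence, Tuple


def imphash(imports: Sequence[Tuple[str, str]]) -> str:
    """ImpHash as pefile/VirusTotal compute it: every (dll, function) pair is
    lower-cased, the .dll/.ocx/.sys extension is dropped, the pairs are joined
    as "dll.func" with commas in import-table order, and the string is MD5'd.
    Imports by ordinal are assumed to be resolved to names already."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed actor profiles (names and import tables are invented); a real
# deployment would load these from threat intelligence feeds.
PROFILE_IMPORTS: Dict[str, List[Tuple[str, str]]] = {
    "Constructed-APT-1": [
        ("KERNEL32.dll", "VirtualAllocEx"),
        ("KERNEL32.dll", "WriteProcessMemory"),
        ("KERNEL32.dll", "CreateRemoteThread"),
        ("WININET.dll", "InternetOpenA"),
    ],
    "Constructed-APT-2": [
        ("ntdll.dll", "NtUnmapViewOfSection"),
        ("KERNEL32.dll", "SetThreadContext"),
        ("KERNEL32.dll", "ResumeThread"),
    ],
}
ACTOR_BY_IMPHASH: Dict[str, str] = {imphash(v): k for k, v in PROFILE_IMPORTS.items()}


def attribute(sample_imphash: str) -> Optional[str]:
    """Exact ImpHash match. A hit is a lead, not a verdict: every binary built
    with the same toolchain and import set shares the hash, so unrelated
    families collide; confirm with ssdeep similarity and observed behaviour."""
    return ACTOR_BY_IMPHASH.get(sample_imphash.lower())


def _yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def yara_rule(name: str, sample_imphash: str, strings: Sequence[str] = ()) -> str:
    """Endpoint rule: PE magic and (ImpHash match or any extracted string)."""
    lines = ['import "pe"', "", f"rule {name}", "{", "    meta:",
             f'        description = "Auto-generated from ImpHash {sample_imphash}"']
    if strings:  # YARA rejects an empty strings section, so emit it only when needed
        lines.append("    strings:")
        for i, s in enumerate(strings):
            lines.append(f'        $s{i} = "{_yara_escape(s)}" ascii wide')
    condition = f'pe.imphash() == "{sample_imphash}"'
    if strings:
        condition += " or any of ($s*)"
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and ({condition})", "}"]
    return "\n".join(lines) + "\n"


def sigma_rule(title: str, sample_imphash: str) -> str:
    """SIEM rule on Windows process-creation events. Sysmon Event ID 1 carries
    IMPHASH in its Hashes field only when HashAlgorithms in the Sysmon config
    includes IMPHASH; Sigma's taxonomy exposes it as the Imphash field."""
    return "\n".join([
        f"title: {title}",
        f"id: {uuid.uuid4()}",
        "status: experimental",
        f"description: Execution of a binary whose ImpHash is {sample_imphash}",
        "logsource:",
        "    category: process_creation",
        "    product: windows",
        "detection:",
        "    selection:",
        f"        Imphash: {sample_imphash}",
        "    condition: selection",
        "falsepositives:",
        "    - Unrelated binaries built with the same compiler and import table",
        "level: high",
    ]) + "\n"


if __name__ == "__main__":
    h = imphash(PROFILE_IMPORTS["Constructed-APT-1"])
    print(f"ImpHash {h} -> actor: {attribute(h)}")
    print(yara_rule("zeroscout_generated", h, ["http://93.184.216.34/gate.php"]))
    print(sigma_rule("ZeroScout generated ImpHash rule", h))
```

The YARA condition anchors on the `MZ` magic first so the `pe` module is only evaluated on executables; the Sigma rule is deliberately a single-field selection, because adding more fields to an ImpHash match only narrows a detection that is already exact.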
Scan an entire directory (for example a Downloads folder or a USB drive) in seconds. ZeroScout filters out the noise and reports only high-risk artifacts together with the specific reason for each (for example "High Entropy" or "Process Injection").
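The directory triage described above, written out as an added example (my own code, not ZeroScout's): Shannon entropy per file, an assumed 7.2 bits/byte threshold, suppression of containers that are compressed by design (zip, gzip, PNG, JPEG) so they do not drown out real hits, and a process-injection flag when a PE carries three or more of the classic injection APIs. The function names, the threshold and the API list are assumptions, not ZeroScout's.

```python
"""Added example, not ZeroScout's own code: entropy-based triage of a
directory that reports only high-risk files, with the reason for each flag."""
import math
import os
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed threshold: packed/encrypted payloads usually exceed ~7.2 bits/byte,
# while ordinary machine code and text sit well below it.
HIGH_ENTROPY = 7.2
# Data that is compressed by design scores high without being suspicious.
COMPRESSED_MAGIC: Dict[bytes, str] = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}
# The remote-injection triad plus two process-hollowing primitives.
INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
                  b"NtUnmapViewOfSection", b"SetThreadContext")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def container_type(data: bytes) -> Optional[str]:
    return next((name for magic, name in COMPRESSED_MAGIC.items()
                 if data.startswith(magic)), None)


def triage(data: bytes) -> List[str]:
    """Reasons a file deserves a look; an empty list means 'probably noise'."""
    reasons = []
    is_pe = data[:2] == b"MZ"
    entropy = shannon_entropy(data)
    # A high-entropy zip or PNG is expected; a high-entropy PE or unknown blob is not.
    if entropy >= HIGH_ENTROPY and container_type(data) is None:
        reasons.append(f"High Entropy ({entropy:.2f} bits/byte: likely packed or encrypted)")
    if is_pe:
        hits = [api.decode() for api in INJECTION_APIS if api in data]
        # Three or more together is a strong injection signal; one alone
        # (e.g. WriteProcessMemory in a debugger) is not worth reporting.
        if len(hits) >= 3:
            reasons.append("Process Injection (" + ", ".join(hits) + ")")
    return reasons


def scan_directory(root: str, max_bytes: int = 16 * 1024 * 1024) -> List[Tuple[str, List[str]]]:
    """Walk `root`, read up to `max_bytes` of each file, return only flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            reasons = triage(data)
            if reasons:
                findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    import sys
    for path, reasons in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
        for r in reasons:
            print("   -", r)
```

Whole-file entropy is a coarse signal: a large PE with one encrypted resource section can average below the threshold. Computing entropy per PE section (pefile exposes `section.get_entropy()`) is the next refinement, at the cost of parsing the header.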
ZeroScout provides a comprehensive, interactive terminal dashboard combining multiple intelligence streams.
╭──────────────────────────────── 🧬 GENETIC ATTRIBUTION ────────────────────────────────╮
│ ACTOR: [High-Risk Threat Actor]                                                        │
│ CONFIDENCE: 92% [██████████████████░]                                                  │
│ Analysis: Code DNA (ImpHash) and TTP behaviors match known APT28 profiles.             │
╰───────────────────────────────────────────────────────────────────────────────────────╯
Installing this project as a Python package automatically installs all dependencies and makes the CLI tool ready to use.
# 1. Clone the repository
git clone https://github.com/SUmidcyber/ZeroScout.git
cd ZeroScout
# 2. Install (use this for a normal installation, preferably inside a virtual environment)
# This makes ZeroScout available as a command on your system.
pip install .
# Or, for testing only, install just the dependencies:
# pip install -r requirements.txt
# 3. Ready to hunt!
python -m zeroscout.cli scan "malware.exe"
Analyze a single file to open the War Room and generate defense rules:
python -m zeroscout.cli scan "C:\Users\Admin\Desktop\suspicious.exe"
Quickly scan a folder to find hidden threats among thousands of files:
python -m zeroscout.cli scan "C:\Windows\System32"
To use the ZeroScout Cloud Engine, set the ZEROSCOUT_API_KEY environment variable. If the key is not found, ZeroScout automatically falls back to Local Hunter (offline) mode.
# Windows (PowerShell)
$env:ZEROSCOUT_API_KEY="your_api_key_here"
# Linux / Mac
export ZEROSCOUT_API_KEY="your_api_key_here"
The key is a credential: set it per session or load it from a secrets store rather than hard-coding it in a script. Online mode submits the sample to the cloud engine, so do not upload files you are not permitted to share.

| Component | Technology | Purpose |
|---|---|---|
| Core Engine | Python 3 | Main logic and CLI handling. |
| Visuals | Rich Library | Dashboard-style terminal interface. |
| Static Analysis | pefile & math | Entropy calculation, PE header analysis, ImpHash. |
| Signatures | YARA & regex | Identifying strings, IP addresses, and patterns. |
| Cloud Bridge | REST API | Connection to Sandbox Engine. |
ZeroScout is for educational and defensive purposes only. The authors are not responsible for any misuse of this tool. Always analyze malware in an isolated environment: a dedicated VM with no shared folders, host-only or no networking, and a clean snapshot to revert to afterwards.
Developed by Umid Mammadov
ZeroScout Technologies