
OpenSource-For-Freedom/wraith

WRAITH
 ██╗    ██╗██████╗  █████╗ ██╗████████╗██╗  ██╗
 ██║    ██║██╔══██╗██╔══██╗██║╚══██╔══╝██║  ██║
 ██║ █╗ ██║██████╔╝███████║██║   ██║   ███████║
 ██║███╗██║██╔══██╗██╔══██║██║   ██║   ██╔══██║
 ╚███╔███╔╝██║  ██║██║  ██║██║   ██║   ██║  ██║
  ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝   ╚═╝   ╚═╝  ╚═╝

Windows Runtime Analysis & Intrusion Threat Hunter
Unix backbone · OpenSource intelligence pipeline · Expecto Patronum


A native Windows threat-hunting application that orchestrates 14 scan modules across YARA signatures, behavioral heuristics, persistence mechanisms, supply-chain checks, and live process analysis — all surfaced through a dark-themed WPF dashboard. WRAITH runs alongside Windows Defender and feeds Microsoft Sentinel with true-positive event sources via the OpenSource intelligence pipeline.



Installation

  • Install from the release-packaged source.

Screenshots

WRAITH scan animation

WRAITH live scan

Findings surface in real time as each of the 14 modules completes — YARA matches, heuristic hits, persistence entries, and process anomalies stream into the same feed ranked by severity.

More screenshots

Dashboard

WRAITH dashboard

Every row shows severity, module, finding name, path/process, and entropy score. Click any row for details. Use the toolbar to kill a live process, export the report, or clear the list.

Severity filter

WRAITH severity filter

Filter by severity (CRITICAL → INFO) in real time without re-running. Scan-root, look-back window, and scan mode are all set before clicking EXPECTO PATRONUM.

Full results & process kill

WRAITH full results

WRAITH kill process

After the scan the summary bar shows counts per severity tier. Select any finding tied to a live process and hit Kill Process — WRAITH confirms PID and name before terminating. No silent kills.

Start menu entry for automated control, persistence and the Quarantine Vault

WRAITH start menu automated control feature

Remote monitoring

Tie in a Slack or Discord webhook to push SOC alerts from the running machine to your selected server. Findings are formatted as bordered ASCII tables for clean rendering in notification channels. This feature is active and working.

WRAITH SOC Alert webhook feature

Auto-Quarantine & Trust Gates

WRAITH's automated response engine evaluates every finding against a two-gate trust system before any containment action:

  1. Trusted path — paths matching prefixes in wraith.policy.json (e.g. C:\Windows\, C:\Program Files\, %USERPROFILE%\AppData\Local\Packages\Microsoft.*) are always skipped, regardless of severity.
  2. Trusted signer — files signed by a keyword-matched subject in TrustedSignerKeywords are always skipped.

Both gates apply to all severity levels including Critical — a Critical YARA hit on a Microsoft-signed Windows DLL will not be quarantined. Policy paths support environment variable tokens (%USERPROFILE%, %SYSTEMROOT%, etc.) which are expanded at runtime.
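The two-gate check described above, written out as an added Python example (not WRAITH's own code) so the ordering is explicit: both gates run before severity is considered, environment tokens are expanded at runtime, and a trailing wildcard such as Microsoft.* is honoured. The key name TrustedPathPrefixes and the sample signer keywords are assumptions; only TrustedSignerKeywords is named in the README.

```python
import fnmatch
import ntpath
import os

# Constructed demo environment so the %TOKEN% expansion is deterministic;
# on a real host these values come from the user's session.
os.environ.setdefault("USERPROFILE", "C:\\Users\\analyst")
os.environ.setdefault("SYSTEMROOT", "C:\\Windows")

# Assumed shape of wraith.policy.json. "TrustedPathPrefixes" is a placeholder key
# name; "TrustedSignerKeywords" is the key the README names.
POLICY = {
    "TrustedPathPrefixes": [
        "C:\\Windows\\",
        "C:\\Program Files\\",
        "%USERPROFILE%\\AppData\\Local\\Packages\\Microsoft.*",
    ],
    "TrustedSignerKeywords": ["Microsoft Corporation", "Microsoft Windows"],
}


def _norm(p: str) -> str:
    # Expand %VAR% tokens, then lower-case and unify separators the way Windows compares paths.
    return ntpath.normcase(ntpath.expandvars(p))


def trusted_path(path: str, prefixes) -> bool:
    target = _norm(path)
    for prefix in prefixes:
        pat = _norm(prefix)
        if not pat.endswith("*"):
            pat += "*"  # a bare prefix (note the trailing backslash) matches anything beneath it
        if fnmatch.fnmatchcase(target, pat):
            return True
    return False


def trusted_signer(subject, keywords) -> bool:
    # Keyword match on the certificate subject; unsigned files (None/"") never pass this gate.
    if not subject:
        return False
    s = subject.lower()
    return any(k.lower() in s for k in keywords)


def containment_decision(path, severity, signer_subject=None, policy=POLICY):
    """Return ('skip', reason) or ('quarantine', severity). Gates run regardless of severity."""
    if trusted_path(path, policy["TrustedPathPrefixes"]):
        return ("skip", "trusted path")
    if trusted_signer(signer_subject, policy["TrustedSignerKeywords"]):
        return ("skip", "trusted signer")
    return ("quarantine", severity)
```

Note that the prefix "C:\Windows\" keeps its trailing backslash, so a sibling directory such as C:\Windows2\ is not treated as trusted.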


Requirements

Dependency      Minimum              Notes
Windows         10 21H1 / 11 x64     — Win10 guide
.NET SDK        8.0                  Download — only needed to build from source
Python          3.10+                Download — check Add to PATH
Administrator   Required             UAC prompt on launch

Quick Start

git clone https://github.com/YOUR_USERNAME/wraith.git
cd wraith
LAUNCH.bat

LAUNCH.bat on first run will:

  1. Create a Python virtual environment (.venv/)
  2. Install all Python dependencies
  3. Build the .NET 8 WPF app (Release)
  4. Create a desktop shortcut
  5. Launch WRAITH

Scan Modules

Module                     What it hunts
YARA                       Signature matches — APT28/Sofacy, Lazarus, GrizzlyBear, WannaCry, RATs, webshells, malicious scripts
Heuristics                 Behavioural entropy analysis, obfuscated commands, suspicious parent-child process trees
Persistence                Registry Run keys, scheduled tasks, startup folders, services, WMI subscriptions
Processes                  Injected threads, hollowed images, unbacked memory, unsigned binaries in unusual paths
Network                    Outbound connections to suspicious ranges, listening ports, unusual DNS activity
Events                     Windows Event Log anomaly parsing (configurable look-back window, 1–720 h)
CISA KEV                   Live check of CISA's Known Exploited Vulnerabilities catalogue against installed software
npm / .NET Supply Chain    200+ indicator typosquat and dependency-confusion checks across npm, NuGet, Node.js, and AI/ML package ecosystems — including AI API key harvesters, LLM provider typosquats, CVE-flagged packages, and cryptominer drop packages; AI API key exfiltration patterns detected in postinstall scripts
Windows Security           Firewall state, Defender status, audit policy gaps, UAC configuration
Rootkit                    SSDT / IDT hooks, hidden drivers, DKOM object unlinking indicators
ADS                        Alternate Data Streams on NTFS — a classic hiding place for payloads
Browser                    Suspicious extensions, modified hosts file, malicious bookmark indicators
Defender                   Integration layer — surfaces quarantined items and threat history
Credentials                SAM / LSA / DPAPI anomalies, plain-text credential indicators in memory

Usage

GUI (recommended)

LAUNCH.bat
  • Set scan root (default C:\)
  • Choose Full Scan or Quick Persistence Only
  • Set Event Log look-back window (hours)
  • Click EXPECTO PATRONUM
  • Export findings as JSON / CSV / HTML from the toolbar

Headless quick scan (no build required)

.\quick-scan.ps1
.\quick-scan.ps1 -Hours 168 -OutPath C:\wraith-report.json

Stop a running instance

LAUNCH.bat -Close

Output

Findings are rated CRITICAL / HIGH / MEDIUM / LOW / INFO and include:

  • Rule / heuristic name that triggered
  • Full file path or process image
  • Entropy score (for binary analysis)
  • Process status (live / terminated)
  • Last-run timestamp
  • One-click process kill for live threats

Reports can be exported to JSON, CSV, or a self-contained HTML page.


Project Structure

WRAITH/                  .NET 8 WPF front-end
  Models/                ThreatFinding, ScanResult
  ViewModels/            MainViewModel (MVVM)
  Services/              ScanOrchestrator, ReportExporter
  Converters/            Severity -> colour, etc.
scanner/                 Python scan engine (14 modules)
  rules/                 Bundled YARA rule sets
quick-scan.ps1           Standalone headless scanner (no build needed)
WRAITH.ps1               Master launcher / venv bootstrap
LAUNCH.bat               Entry point
SETUP.bat                One-time dependency installer

Library & framework references

Library             Purpose                           Docs
.NET 8 WPF          GUI framework                     docs.microsoft.com/wpf
YARA 4.x            Signature engine                  virustotal.github.io/yara
yara-python         Python YARA bindings              pypi: yara-python
pywin32             Win32 API access                  pypi: pywin32
psutil              Process & network info            psutil.readthedocs.io
requests            CISA KEV API                      docs.python-requests.org
python-magic        File entropy & MIME               pypi: python-magic
CIM / WMI           Service & process enumeration     Win32 Provider
Windows Event Log   Event parsing                     Get-WinEvent
CISA KEV            Known Exploited Vulnerabilities   cisa.gov/kev

License

MIT — see LICENSE

About

WRAITH is a Windows incident and threat hunting/triage tool built to complement native defenses by surfacing persistence, anomaly, and forensic indicators that may be overlooked, deprioritized, or disconnected across the host.
