THOR-style modular triage & threat-hunting for Windows 10/11, built as a portable PowerShell orchestrator that drives best-of-breed binaries (YARA, Hayabusa, EZTools). Runs from a USB stick, no installation. Authorized forensic / IR use only.
WinFIRE is a thin PowerShell orchestrator that loads capability modules (Live Triage, YARA scanning, artifact collection, Sigma, raw NTFS, memory forensics, deobfuscation) and aggregates their output into a single normalized, MITRE ATT&CK-mapped HTML + JSON report.

The original design brief lives in prompt.txt; release history is in CHANGELOG.md.

Repository: https://github.com/Masriyan/WinFire/
| Phase | Modules | State |
|---|---|---|
| 0 | Framework: CLI, Core, Report, MITRE, tooling | ✅ Ready |
| 1 | Live Triage, YARA (files/memory/registry/event logs) | ✅ Ready |
| 2 | Artifacts (Prefetch/Amcache/Shimcache/SRUM), Sigma (Hayabusa) | ✅ Ready |
| 3 | Raw NTFS/MFT, Memory hollowing/injection detection, Deobfuscation | ✅ Ready |
All seven capability modules are promoted from stub to working — WinFIRE now exercises every capability flag end to end. Every module is runnable: when a required binary or privilege is absent it reports that (an Info finding) and never fails the run.
```text
WinFIRE.bat      → self-elevates, sets ExecutionPolicy Bypass, calls WinFIRE.ps1
WinFIRE.ps1      → orchestrator: parses flags, loads modules, aggregates findings, reports
modules/*.psm1   → one capability each; every module emits normalized findings
bin/             → you supply yara64.exe, hayabusa, EZTools (see bin/README.md)
rules/yara/      → your YARA rule packs (+ safe demo rules)
config/          → tools.json (binary manifest) + mitre-map.json (ATT&CK lookup)
tools/           → Get-Tools.ps1 (on-demand downloader for GitHub-hosted binaries)
tests/           → Pester unit tests + PSScriptAnalyzer settings
```
A single finding object (module, severity, title, target, mitre[], evidence) flows from every module into findings.json and a self-contained report.html.
```bat
REM list capabilities
WinFIRE.bat -ListModules

REM rapid persistence triage
WinFIRE.bat -LiveTriage -CaseNumber INC-001 -Investigator "J. Doe"

REM YARA across disk + process memory (needs bin\yara64.exe)
WinFIRE.bat -ScanFiles C:\Users -ScanMemory -RulesPath .\rules\yara

REM everything
WinFIRE.bat -Full -CaseNumber INC-001
```

For a full real-case playbook see usage-sample.md.
- `-Quick` → Live Triage + registry & event-log YARA
- `-Full` / `-All` → every available module
- `-OutputPath`, `-RulesPath`, `-CaseNumber`, `-Investigator`, `-Purpose`, `-HashAlgorithm {MD5|SHA1|SHA256}`, `-Quiet`, `-GetTools`, `-AutoGetTools`, `-ListModules`, `-Help`

`-AutoGetTools` downloads any GitHub-hosted tools the selected modules need but are missing from bin\ (yara, hayabusa, RawCopy) before the run. It is opt-in, so offline/isolated hosts never make network calls. `-GetTools -AutoGetTools` does the same and then exits.
A timestamped case folder `WinFIRE_<HOST>_<stamp>/` containing:

- `report.html` — severity summary, ATT&CK coverage, findings table
- `findings.json` — machine-readable findings (SOAR-friendly)
- `winfire.log` — full run log
- `raw/` — per-module CSV/JSON artifacts, registry exports, event-log dumps
- `chain_of_custody.json` — tool/version, case, investigator, host, start time, modules
Process exit code: 0 clean · 1 low/medium/info · 2 high/critical (for automation).
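As an added example (not part of WinFIRE itself), here is a small PowerShell helper a SOAR or CI hook could run over a case folder's findings.json: it counts findings by severity, lists the distinct ATT&CK technique IDs, and derives the same exit code the orchestrator documents (0 clean, 1 low/medium/info, 2 high/critical). It assumes findings.json is a JSON array of objects with the finding fields named above (module, severity, title, target, mitre[], evidence) and that severity values are the strings Info/Low/Medium/High/Critical; the sample input is constructed, not real WinFIRE output.

```powershell
# Added example: summarise a WinFIRE findings.json for automation.
# Assumed shape: array of {module, severity, title, target, mitre[], evidence}.
function Get-WinFireSummary {
    param([Parameter(Mandatory)] [string] $Path)

    $findings = @(Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json)

    # Count findings per severity (hashtable keys are case-insensitive).
    $bySeverity = @{}
    foreach ($f in $findings) {
        $sev = [string]$f.severity
        if (-not $sev) { $sev = 'Unknown' }
        $bySeverity[$sev] = 1 + [int]$bySeverity[$sev]
    }

    # Distinct ATT&CK technique IDs across all findings (mitre is an array per finding).
    $techniques = @($findings | ForEach-Object { $_.mitre } | Where-Object { $_ } | Sort-Object -Unique)

    # Same mapping WinFIRE documents: 0 clean, 1 low/medium/info, 2 high/critical.
    $exitCode = 0
    foreach ($sev in $bySeverity.Keys) {
        switch -Regex ($sev) {
            '^(High|Critical)$'   { $exitCode = [Math]::Max($exitCode, 2) }
            '^(Low|Medium|Info)$' { $exitCode = [Math]::Max($exitCode, 1) }
        }
    }

    [pscustomobject]@{
        Total       = $findings.Count
        BySeverity  = $bySeverity
        Techniques  = $techniques
        ExitCode    = $exitCode
        HighOrAbove = @($findings | Where-Object { $_.severity -match '^(High|Critical)$' } |
                        Select-Object module, severity, title, target)
    }
}

# Constructed sample input (not real WinFIRE output) showing the expected shape.
$sample = @'
[
  {"module":"LiveTriage","severity":"High","title":"Run-key persistence",
   "target":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
   "mitre":["T1547.001"],"evidence":"C:\\Users\\Public\\u.exe"},
  {"module":"YARA","severity":"Info","title":"yara64.exe not found",
   "target":"bin\\yara64.exe","mitre":[],"evidence":"module skipped"}
]
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'winfire-findings-sample.json'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
$summary = Get-WinFireSummary -Path $tmp
$summary | Format-List   # ExitCode is 2 here because one finding is High
```

In a pipeline, `exit $summary.ExitCode` at the end of a wrapper script reproduces WinFIRE's own exit-code contract for a stored case folder.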
- Windows PowerShell 5.1+ (ships on Win10/11) or PowerShell 7. Administrator for full coverage.
- `bin\yara64.exe` is required for any YARA surface; other binaries unlock Phase 2/3. Get them with `-GetTools -AutoGetTools` (yara/hayabusa/RawCopy) or `tools\Get-Tools.ps1 -Auto`. Eric Zimmerman tools are manual — see bin/README.md.
- Scope honesty: raw NTFS defeats user-land API-hooking rootkits only; kernel rootkits require a driver and are out of scope. WinFIRE will be flagged by AV/EDR (memory reads, raw volume access) — this is expected for a hunting tool; allowlist it on the host or run from an isolated context. See BEFORE USE THIS SCRIPTS.md.
```powershell
Invoke-ScriptAnalyzer -Recurse .   # static lint
Invoke-Pester .\tests              # unit tests (cross-platform)
```

Contributions welcome — see CONTRIBUTING.md. Security policy and vulnerability reporting: SECURITY.md.

Released under the MIT License — see LICENSE.

Authorized forensic / incident-response use only. See prompt.txt for the original requirements and CHANGELOG.md for history.