D‑Eyes: Fast Incident‑Response Scanning for Ransomware, Malware & Host Configs
D‑Eyes is an open‑source detection and response tool from NSFOCUS that runs on Windows and Linux, offering command‑line utilities to scan files, processes, host information, network connections, and perform baseline and software‑supply‑chain checks, with built‑in YARA rules for ransomware, mining malware, botnets, and webshells.
Project Overview
D‑Eyes is an open‑source detection and response tool from NSFOCUS, supporting Windows and Linux operating systems.
Supported Use Cases
Emergency response: detect ransomware, mining malware, webshells and other malicious samples, assisting security engineers in tracing intrusion artifacts.
(TODO) Baseline checking: help detect and remediate OS configuration defects.
(TODO) Software‑supply‑chain security: extract SBOM of web applications and assess component risks.
Supported Detection Rules
Ransomware (47): Babuk, BadEncript, BadRabbit, BCrypt, BlackMatter, Cerber, Chaos, ChupaCabra, Common, Conti, Cryakl, CryptoLocker, cryt0y, DarkSide, Fonix, GandCrab, Globeimposter, Henry217, HiddenTear, LockBit, Locky, Magniber, Makop, MBRLocker, MedusaLocker, Nemty, NoCry, Petya, Phobos, Povlsomware, QNAPCrypt, Sarbloh, Satana, ScreenLocker, Sodinokibi, Stop, Termite, TeslaCrypt, Thanos, Tohnichi, TrumpLocker, Venus, VoidCrypt, Wannacrypt, WannaDie, WannaRen, Zeppelin.
Mining (5): Wannamine, ELFcoinminer, givemexyz family, Monero, TrojanCoinMiner.
Botnet (5): BlackMoon, Festi, Gafgyt, Kelihos, Mykings.
Webshell (≥8): Supports detection of common tools such as China Chopper, Cknife, Weevely, AntSword, Behinder, Godzilla, etc.
Tool Usage
Run the program with administrator or root privileges, then execute D‑Eyes commands from its directory. Main commands include:
filescan, fs # Scan file system
processscan, ps # Scan processes
host # Show basic host information
users # List all users on the host
top # Show top 15 CPU‑using processes
netstat # Show host network information
task # List all tasks on the host
autoruns # Show all autorun entries
summary # Export host basic information to SummaryBaseInfo.txt
check # Check vulnerability exploitation status
help, h # Show command list or help for a specific command
Command options:
--path, -P <value> # Path for filescan (default "C://")
--pid, -p <value> # Process ID for processscan ("-1" for all)
-r, --rule <value> # Specify YARA rule, e.g., -r Ransom.Wannacrypt
-t, --threads <value> # Number of threads for file scan (default 5)
-v, --vul <value> # Vulnerability check flag (default 0)
--help, -h # Show help (default false)
File Scanning
If malicious files are found, D‑Eyes creates a D‑Eyes.xlsx report in its directory; otherwise, it only prints a message.
1. Default scan (5 threads on C: drive): D‑Eyes fs
2. Scan specific path: D‑Eyes fs -P D:\tmp
Multiple paths: D‑Eyes fs -P C:\Windows\TEMP,D:\tmp,D:\tools
3. Specify thread count: D‑Eyes fs -P C:\Windows\TEMP,D:\tmp -t 3
4. Scan with a single rule: D‑Eyes fs -P D:\tmp -t 3 -r Ransom.Wannacrypt
Rule names correspond to YARA files without the .yar extension, e.g., -r Ransom.Wannacrypt.
Process Scanning
Process scan results are displayed directly in the terminal.
1. Default scan (all processes): D‑Eyes ps
2. Scan specific PID: D‑Eyes ps -p 1234
3. Scan with rule: D‑Eyes ps -p 1234 -r Ransom.Wannacrypt
4. Detect processes connecting to external IPs listed in ip.config (one IP per line).
Export Host Basic Information
Running ./D‑Eyes summary generates SummaryBaseInfo.txt containing system info, user list, scheduled tasks, and IP details.
Linux Host Self‑Check
Supported modules include empty‑password account detection, SSH wrapper checks, SSH key‑less login detection, sudoer checks, alias checks, setuid checks, SSH brute‑force detection, rootkit detection, command history analysis, recent successful login display, scheduled task inspection, environment variable checks, service startup checks, TCP wrappers, inetd and xinetd config checks, and preload configuration checks.
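The self-check modules listed above are ordinary file inspections. As an added example (not D‑Eyes' own code), here are stand-ins for three of them: empty‑password account detection, preload configuration checks, and sudoer checks. The checks take file contents as strings so they run offline against the constructed /etc/shadow, /etc/ld.so.preload and sudoers samples embedded below; libhidden.so is a placeholder name, not a real indicator.

```python
import re
from pathlib import Path

# Constructed sample inputs, not from a real host; libhidden.so is a placeholder name.
SAMPLE_SHADOW = ("root:$6$saltsalt$hashhash:19000:0:99999:7:::\n"
                 "backup::19000:0:99999:7:::\n"    # empty hash field: no password needed
                 "nobody:*:19000:0:99999:7:::\n")  # '*' means locked, not empty
SAMPLE_PRELOAD = "# constructed ld.so.preload\n/usr/lib/libhidden.so\n"
SAMPLE_SUDOERS = ("root ALL=(ALL:ALL) ALL\n"
                  "# deploy ALL=(ALL) NOPASSWD: ALL\n"   # commented out, must be ignored
                  "%admins ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n")

def empty_password_accounts(shadow_text: str) -> list[str]:
    """Accounts whose /etc/shadow password field (field 2) is empty.
    '!' or '*' there means locked; an empty field means login with no password."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            hits.append(fields[0])
    return hits

def preload_entries(preload_text: str) -> list[str]:
    """Libraries named in /etc/ld.so.preload; the file is normally absent or empty,
    and anything in it is injected into every dynamically linked process."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

# Line start, a user or %group token that is not a comment, then NOPASSWD: later on the line.
NOPASSWD_RE = re.compile(r"^\s*([^#\s]\S*)\s+.*\bNOPASSWD:", re.MULTILINE)

def nopasswd_sudoers(sudoers_text: str) -> list[str]:
    """Users or %groups granted password-less sudo (commented lines skipped)."""
    return [m.group(1) for m in NOPASSWD_RE.finditer(sudoers_text)]

def self_check(shadow: str, preload: str, sudoers: str) -> dict[str, list[str]]:
    """Run the three checks and keep only the non-empty findings."""
    findings = {"empty_password_accounts": empty_password_accounts(shadow),
                "ld_so_preload_entries": preload_entries(preload),
                "nopasswd_sudoers": nopasswd_sudoers(sudoers)}
    return {name: hits for name, hits in findings.items() if hits}

def _read(path: str) -> str:
    p = Path(path)                      # reading these files needs root
    return p.read_text() if p.is_file() else ""

if __name__ == "__main__":
    print(self_check(_read("/etc/shadow"), _read("/etc/ld.so.preload"), _read("/etc/sudoers")))
```

Run as root on a real host to inspect the live files; a missing file is treated as empty, so an absent ld.so.preload produces no finding.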
./D‑Eyes sc
Export Network Information
Running ./D‑Eyes netstat creates RemoteConnectionIP.csv with all external IP connections, which can be uploaded to the NSFOCUS NTI threat analysis platform.