YAMAGoya is an open-source, real-time threat monitoring and hunting tool developed by JPCERT/CC (Japan’s Computer Emergency Response Team Coordination Center). Released in November 2025, it focuses on detecting advanced threats like fileless malware and obfuscated attacks on Windows systems by combining live behavioral monitoring with rule-based detection, without requiring kernel drivers.
Purpose
YAMAGoya addresses gaps in traditional endpoint detection tools that depend on proprietary engines. It empowers security teams to use community-driven rules (like Sigma and YARA) for proactive threat hunting, incident response, and identifying suspicious system behaviors that evade static file scans.
Key Features
• Userland Operation: Runs entirely in user mode for easier deployment and lower risk—no kernel components needed.
• Real-Time Monitoring: Tracks events across files, processes, registry, DNS, network (IPv4/IPv6), PowerShell, and WMI.
• Rule Support: Integrates Sigma rules for event correlation, YARA for memory scanning, and custom YAML for multi-event attack pattern detection.
• Interfaces: Includes a graphical user interface (GUI) for visual alerts and logs, plus command-line interface (CLI) for scripting and automation.
• Alerting and Response: Generates alerts in Windows Event Log (with IDs like 9001 for Sigma matches) and supports optional “kill mode” to terminate suspicious processes.
• Memory Scanning: Detects in-memory malware that doesn’t touch the filesystem.
How It Works
At its core, YAMAGoya leverages Event Tracing for Windows (ETW) to capture system events in real time without significant performance overhead. It processes these events against detection rules:
• Sigma Rules: Applied to ETW events for pattern matching (e.g., suspicious process creation); support is limited to Sigma's Windows log-source categories.
• YARA Rules: Scans process memory for malware signatures, ideal for packed or fileless threats.
• Custom YAML Rules: Users define correlated behaviors, such as “file creation followed by process execution and an outbound network connection” within a 10-second window. A full match triggers an alert (Event ID 8001); a partial match is logged as debug information (Event ID 8002).
When a rule matches, it logs details (e.g., timestamps, process IDs) to text files and the Event Log. The tool doesn’t include built-in rules—users must supply them from sources like the Sigma or YARA repositories.
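To make the multi-event correlation concrete, the following is an added example, not YAMAGoya's own code and not its YAML rule syntax: the rule schema (`sequence`, `where`, `link`, `window_seconds`, written here as a Python dict rather than YAML to avoid a parser dependency) is an assumption for illustration. It runs a hypothetical "drop, execute, connect" rule over constructed events, reporting a full match with the Event ID the page gives for full matches (8001) and a window-expired partial match with the ID for partials (8002). Treating a chain as a partial match only once it has progressed past its first step is also an assumption, made to keep the debug output meaningful.

```python
"""Toy multi-event correlator illustrating YAMAGoya-style sequence rules.

Added example, not YAMAGoya's own code. The rule schema (sequence, where,
link, window_seconds) is an assumption for illustration; YAMAGoya's real
YAML syntax is not reproduced here. All events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event IDs the page states YAMAGoya writes to the Windows Event Log.
EVENT_ID_FULL_MATCH = 8001     # every step matched inside the window
EVENT_ID_PARTIAL_MATCH = 8002  # some steps matched; logged as debug information


@dataclass
class Event:
    ts: datetime
    kind: str      # constructed kinds: file_create, process_create, network_connect
    pid: int
    fields: dict   # kind-specific attributes (path, image, dst, ...)


# Hypothetical rule: a file is written, then executed, then the new process
# makes an outbound connection, all within 10 seconds of the file write.
# "link" ties a field of this step to a field of the previously matched step.
RULE = {
    "name": "drop-execute-connect",
    "window_seconds": 10,
    "sequence": [
        {"kind": "file_create"},
        {"kind": "process_create", "link": {"image": "path"}},
        {"kind": "network_connect", "link": {"pid": "pid"}},
    ],
}


def _field(event, name):
    return event.pid if name == "pid" else event.fields.get(name)


def _step_matches(step, event, prev):
    """True if `event` satisfies `step`, given the previously matched event."""
    if event.kind != step["kind"]:
        return False
    for key, value in step.get("where", {}).items():   # literal constraints
        if event.fields.get(key) != value:
            return False
    for my_field, prev_field in step.get("link", {}).items():
        if prev is None or _field(event, my_field) != _field(prev, prev_field):
            return False
    return True


def correlate(rule, events):
    """Return (full_matches, partial_matches); each match is a list of Events."""
    window = timedelta(seconds=rule["window_seconds"])
    steps = rule["sequence"]
    open_chains = []          # in-progress matches, oldest event first
    full, partial = [], []
    for event in sorted(events, key=lambda e: e.ts):
        still_open = []
        for chain in open_chains:
            if event.ts - chain[0].ts > window:
                # Window expired without completing. Assumption: only a chain
                # that got past its first step is worth a partial (debug) record.
                if len(chain) > 1:
                    partial.append(chain)
                continue
            if _step_matches(steps[len(chain)], event, chain[-1]):
                extended = chain + [event]
                if len(extended) == len(steps):
                    full.append(extended)
                    continue          # chain consumed by the full match
                still_open.append(extended)
            still_open.append(chain)  # keep the shorter prefix open too
        open_chains = still_open
        if _step_matches(steps[0], event, None):
            open_chains.append([event])
    # Batch evaluation: chains still unfinished at end of stream count as partial.
    partial.extend(c for c in open_chains if len(c) > 1)
    return full, partial


def alerts(rule, events):
    """Map matches to (event_id, rule_name, [pids]) records, as a logger would."""
    full, partial = correlate(rule, events)
    return ([(EVENT_ID_FULL_MATCH, rule["name"], [e.pid for e in c]) for c in full]
            + [(EVENT_ID_PARTIAL_MATCH, rule["name"], [e.pid for e in c]) for c in partial])


T0 = datetime(2025, 11, 20, 9, 0, 0)


def _at(seconds):
    return T0 + timedelta(seconds=seconds)


TMP = r"C:\Users\u\AppData\Local\Temp\a.exe"
DL = r"C:\Users\u\Downloads\b.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    # Write, execute, connect within 5 s -> full match (8001)
    Event(_at(0), "file_create", 400, {"path": TMP}),
    Event(_at(2), "process_create", 512, {"image": TMP, "parent_pid": 400}),
    Event(_at(5), "network_connect", 512, {"dst": "203.0.113.5", "dport": 443}),
    # Installer: executed 15 s after the write -> outside the window, no record
    Event(_at(60), "file_create", 700, {"path": r"C:\Program Files\Vendor\setup.exe"}),
    Event(_at(75), "process_create", 720, {"image": r"C:\Program Files\Vendor\setup.exe"}),
    # Write and execute, but the connection comes 30 s later -> partial match (8002)
    Event(_at(120), "file_create", 800, {"path": DL}),
    Event(_at(121), "process_create", 810, {"image": DL}),
    Event(_at(150), "network_connect", 810, {"dst": "198.51.100.7", "dport": 80}),
]

if __name__ == "__main__":
    for record in alerts(RULE, SAMPLE_EVENTS):
        print(record)
```

The window is anchored at the first matched event, so the benign installer never produces a record at all, while the third group shows why partial matches are useful during hunting: the drop-and-execute pattern is visible even though the rule as a whole did not fire.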
Supported Events
• File creation/deletion
• Process execution/opening
• DLL loading
• Registry modifications
• DNS queries
• Network connections (IPv4/IPv6)
• PowerShell script execution
• WMI commands
Installation and Usage
1. Download: Get pre-built binaries from the GitHub Releases page, or build from source following the README.
2. Requirements: Windows 10/11, admin privileges (for ETW sessions). No additional installs needed.
3. Run:
• GUI: Double-click YAMAGoya.exe and configure rules via the interface.
• CLI Example (Sigma monitoring): YAMAGoya.exe --session --sigma "C:\Path\To\Sigma\Rules" --all
• CLI Example (YARA memory scan): YAMAGoya.exe --session --yara "C:\Path\To\YARA\Rules" --all
4. View alerts in the GUI’s “Alert” tab or Windows Event Viewer (Application log).
Limitations and Future Plans
YAMAGoya complements (but doesn’t replace) antivirus software and relies on user-maintained rules. Potential weaknesses include ETW bypasses by sophisticated attackers and the limited Sigma scope. JPCERT/CC encourages community contributions via GitHub for enhancements such as expanded rule support.