# malware-exquacker

**Repository Path**: mirrors_elastic/malware-exquacker

## Basic Information

- **Project Name**: malware-exquacker
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2022-08-16
- **Last Updated**: 2026-03-14

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# 🦆 🦆 malware-exquacker 🦆 🦆

![](media/banner.png)

Implementing a battling of malducks to stream malware data captured from the Elastic Endpoint to Elastic Cloud as configuration data.

## Our Inspiration

```text
Malware can be 'fowl'
But we can 'quack' its secrets
With our friend malduck
```

## Our Goal

Build a solution that runs in a container, streams events from an Elasticsearch cluster containing bytes captured from malware detected on the endpoint, processes them with malduck into ECS-friendly output, and stores the result in Elasticsearch (optionally, a different cluster).

## Building

When you check out this repo, you need to check it out with the submodule. The [submodule](https://github.com/elastic/malware-exquacker-modules) contains the Python modules used for detecting and extracting malware configuration data.

```shell
git clone --recurse-submodules https://github.com/elastic/malware-exquacker.git
```

Now that you have the repo cloned, we recommend building and running with Docker. You can do this in one step.

Build quietly and run:

```bash
docker run --rm -it $(docker build -q .) --help
```

Successful execution will require a configuration, for instance the following `.env` file (which can be passed to Docker):

```bash
INPUT_CLOUD_ID=security-cluster:id
INPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX
INPUT_ELASTICSEARCH_INDEX=logs-endpoint.alerts-*
OUTPUT_CLOUD_ID=security-cluster:id
OUTPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX
```

Then, you can run like so:

```bash
docker run --rm -it --env-file .env $(docker build -q .) --help
```

![](media/example-output.png)

## TODO

- Build and publish docker container for config extractor
- In entrypoint, update modules by env var, if set
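The `.env` file above carries two Elasticsearch API keys, and the sample values are placeholders that must be replaced before the container can do anything useful. The following script, added here as an example and not code from the malware-exquacker project, parses a file in the `KEY=VALUE` form that `docker --env-file` accepts, checks that every key shown in the README sample is present and no longer holds the `XXXX...` placeholder, and offers a `redact` helper so an API key can be mentioned in a log line without leaking its secret half. The required key set is taken from the README sample and assumed to be complete; the `id:key` and `name:id` shape checks only mirror the forms the sample shows.

```python
"""Parse and sanity-check a malware-exquacker style .env file.

Added example, not part of the upstream repository. Required key names
come from the README's sample .env; placeholder detection and the
redaction helper are this example's own additions.
"""
import re
from typing import Dict, List

# Keys shown in the README's sample .env (assumed here to be the full required set)
REQUIRED_KEYS = [
    "INPUT_CLOUD_ID",
    "INPUT_ELASTICSEARCH_APIKEY",
    "INPUT_ELASTICSEARCH_INDEX",
    "OUTPUT_CLOUD_ID",
    "OUTPUT_ELASTICSEARCH_APIKEY",
]

# Constructed sample shaped like the README's .env (not a real deployment)
SAMPLE_ENV = """\
# input cluster: where the endpoint alerts with captured bytes live
INPUT_CLOUD_ID=security-cluster:id
INPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX
INPUT_ELASTICSEARCH_INDEX=logs-endpoint.alerts-*

# output cluster: where the extracted configuration documents go
OUTPUT_CLOUD_ID=security-cluster:id
OUTPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX
"""

# One KEY=VALUE per line; blank lines and '#' comments are skipped.
_LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines in the format docker --env-file accepts."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed .env line: {raw!r}")
        env[m.group(1)] = m.group(2)
    return env


def redact(value: str) -> str:
    """Mask an id:secret API key for logging; the id half stays visible."""
    if ":" in value:
        key_id, _secret = value.split(":", 1)
        return f"{key_id}:***"
    return "***"


def check_env(env: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the config looks usable."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
            continue
        # The README sample fills the keys with X's; those must be replaced before use.
        if set(value.replace(":", "")) == {"X"}:
            problems.append(f"{key} still holds the README placeholder")
        elif key.endswith("_APIKEY") and ":" not in value:
            problems.append(f"{key} is not in the id:key form the README sample shows")
        elif key.endswith("_CLOUD_ID") and ":" not in value:
            problems.append(f"{key} is not in the name:id form the README sample shows")
    return problems


if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    for k in REQUIRED_KEYS:
        shown = redact(cfg[k]) if k.endswith("_APIKEY") else cfg[k]
        print(f"{k}={shown}")
    for problem in check_env(cfg):
        print("problem:", problem)
```

Run against the sample, the script reports the two API keys as still holding placeholders while the cloud IDs and index pattern pass; the `redact` helper is what you would route through any logging in the entrypoint so that a misconfiguration report never prints the secret half of a key.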