[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-3494":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":14,"stars7d":15,"stars30d":16,"stars90d":14,"forks30d":14,"starsTrendScore":14,"compositeScore":17,"rankGlobal":9,"rankLanguage":9,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":9,"pushedAt":9,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":14,"starSnapshotCount":14,"syncStatus":13,"lastSyncTime":26,"discoverSource":27},3494,"vanguard","ridgelinecyberdefence\u002Fvanguard","ridgelinecyberdefence","Cross-platform incident response toolkit. 28 pre-built use cases, single binary, zero install. Memory, disk, network, and cloud collection with automated timeline generation.",null,"Go",136,7,2,0,1,59,2.71,"MIT License",false,"main",true,[],"2026-06-12 02:00:51","# VanGuard — Enterprise Incident Response Toolkit\n\n> Cross-platform DFIR toolkit for enterprise incident response. Velociraptor-native, air-gap compatible, portable — no installation required.\n\nVanGuard is a self-contained incident response toolkit built in Go that gives DFIR teams a single binary for triage, threat hunting, memory forensics, disk collection, remote operations, and Velociraptor management — on both Windows and Linux, with or without network access.\n\n## Why VanGuard\n\nMost IR workflows require juggling dozens of separate tools, remembering command-line flags, and manually tracking evidence. 
VanGuard consolidates the full IR lifecycle into one portable binary with built-in case management, evidence hashing, chain of custody, and professional HTML reporting.\n\n**Key differentiators:**\n- **Single binary, zero install** — runs from any directory with no installation required\n- **Velociraptor as a first-class citizen** — full server lifecycle, agent deployment, offline collectors, and VQL queries from one interface\n- **28 pre-built IR use cases** — ransomware, BEC, lateral movement, credential theft, rootkit detection, and more — each with MITRE ATT&CK mapping and phased artifact collection\n- **Air-gapped by design** — every feature works offline; online capabilities are enhancements, not requirements\n- **Dual interface** — keyboard-driven TUI for terminal\u002FSSH sessions, plus a web UI for browser-based workflows\n- **Evidence integrity built in** — dual MD5+SHA256 hashing, append-only chain of custody, HMAC-SHA256 tamper-evident audit logging\n\n## Capabilities\n\n### Velociraptor Operations\nFull Velociraptor lifecycle management from a single menu: server initialisation with auto-generated certificates, client package creation, agent deployment via WinRM\u002FSSH\u002FPSExec, offline collector generation, collection import, hunt management, and web UI access. Passwords are generated securely and never written to logs or config files.\n\n### Quick Triage\nRapid artifact collection using native OS commands — no external tools required. Collects 20+ Windows artifact categories (processes, services, event logs, scheduled tasks, browser history, registry hives, DNS cache, network connections) and 15+ Linux categories (processes, cron, systemd, SSH config, auth logs, kernel modules). Each artifact is hashed and registered as case evidence automatically.\n\n### Threat Hunting & Scanning\nIntegrates Hayabusa (Sigma-based event log analysis), Chainsaw (event log hunting), Loki (IOC scanning), and YARA (custom rule scanning). 
Live hunting analyses running system state for LOLBin execution, suspicious autoruns, named pipe anomalies, DLL hijacking indicators, rogue systemd units, SUID binaries, and C2 network patterns — all without external tools.\n\n### Memory Forensics\nCapture memory with DumpIt, WinPMEM (Windows), AVML, or LiME (Linux) — locally or on remote targets via WinRM\u002FSSH. Analyse dumps with Volatility3 across multiple plugin categories: process analysis, network connections, malware detection, registry extraction, timeline generation, and YARA scanning. Remote capture uses randomised temp paths to prevent pre-placement attacks.\n\n### Disk Artifact Collection\nWindows: KAPE target-based collection and EZ Tools parsing (MFTECmd, EvtxECmd, PECmd, RECmd). Linux: UAC profile-based collection, native log\u002Fconfig harvesting, and targeted file copy with per-file SHA256 verification.\n\n### Remote Operations\nExecute triage, hunting, and memory capture across multiple remote endpoints simultaneously. Supports WinRM (NTLM authentication), SSH (key and password), and PSExec with bounded concurrent execution. Credentials used for remote connections are handled securely and never written to disk or logs.\n\n### Analysis & Reporting\nGenerate self-contained HTML incident reports with embedded CSS (no external dependencies — works air-gapped). Build super-timelines by merging all parsed artifacts into chronologically sorted CSV. 
Correlate findings into 30-minute host clusters with automatic MITRE ATT&CK technique extraction.\n\n### Use Cases Library (28 pre-built workflows)\n\n**Windows (13):**\n\n| ID | Use Case | Severity |\n|----|----------|----------|\n| UC-WIN-001 | Ransomware Investigation | Critical |\n| UC-WIN-002 | Business Email Compromise | High |\n| UC-WIN-003 | Lateral Movement Detection | High |\n| UC-WIN-004 | Persistence Discovery | High |\n| UC-WIN-005 | Credential Theft | Critical |\n| UC-WIN-006 | Data Exfiltration | High |\n| UC-WIN-007 | Insider Threat | High |\n| UC-WIN-008 | PowerShell Attacks | High |\n| UC-WIN-009 | LOLBins Investigation | Medium |\n| UC-WIN-010 | Initial Access | High |\n| UC-WIN-011 | Full System Triage | Medium |\n| UC-WIN-012 | Timeline Analysis | Medium |\n| UC-WIN-013 | Active Directory Attacks (DCSync, Kerberoasting) | Critical |\n\n**Linux (12):**\n\n| ID | Use Case | Severity |\n|----|----------|----------|\n| UC-LNX-001 | Web Server Compromise | Critical |\n| UC-LNX-002 | SSH Brute Force | High |\n| UC-LNX-003 | Cryptominer Detection | High |\n| UC-LNX-004 | Container Escape | Critical |\n| UC-LNX-005 | Rootkit Detection | Critical |\n| UC-LNX-006 | Persistence Discovery | High |\n| UC-LNX-007 | Privilege Escalation | High |\n| UC-LNX-008 | Log Tampering | High |\n| UC-LNX-009 | Cloud Credential Exposure | Critical |\n| UC-LNX-010 | Full Linux Triage | Medium |\n| UC-LNX-011 | Network Intrusion | High |\n| UC-LNX-012 | Supply Chain Compromise | Critical |\n\n**Cross-Platform (3):** IOC Sweep, YARA Hunt, Baseline Comparison\n\nEach use case defines phased Velociraptor artifact collection with MITRE ATT&CK mapping, estimated completion time, and severity classification. Customise by editing YAML files in `usecases\u002F`.\n\n### Update System\nOnline: automatic checks for Sigma, YARA, and Hayabusa rule updates plus tool binary updates via GitHub releases API. 
Offline: create update bundles as ZIP files with SHA256-verified manifests for air-gapped transfer and application.\n\n### Case Management & Evidence Integrity\nSQLite-backed case database tracking cases, targets, evidence, findings, and timeline events. Every collected artifact is dual-hashed (MD5+SHA256) at collection time with an append-only chain of custody record. HMAC-SHA256 tamper-evident audit logging provides cryptographic proof of evidence handling.\n\n## Integrated Tools\n\n| Tool | Purpose | Platform |\n|------|---------|----------|\n| [Velociraptor](https:\u002F\u002Fgithub.com\u002FVelocidex\u002Fvelociraptor) | Primary IR platform — server, agents, VQL, hunts | Windows, Linux |\n| [Hayabusa](https:\u002F\u002Fgithub.com\u002FYamato-Security\u002Fhayabusa) | Windows event log analysis (Sigma rules) | Windows, Linux |\n| [Chainsaw](https:\u002F\u002Fgithub.com\u002FWithSecureLabs\u002Fchainsaw) | Event log hunting | Windows, Linux |\n| [Loki](https:\u002F\u002Fgithub.com\u002FNeo23x0\u002FLoki) | IOC scanner (YARA + hashes) | Windows, Linux |\n| [KAPE](https:\u002F\u002Fwww.kroll.com\u002Fen\u002Fservices\u002Fcyber-risk\u002Fincident-response-litigation-support\u002Fkroll-artifact-parser-extractor-kape) | Disk triage collection | Windows |\n| [EZ Tools](https:\u002F\u002Fericzimmerman.github.io\u002F) | Forensic parsers (MFT, EVTX, Prefetch, Registry) | Windows |\n| [UAC](https:\u002F\u002Fgithub.com\u002Ftclahr\u002Fuac) | Unix Artifacts Collector | Linux |\n| [DumpIt](https:\u002F\u002Fwww.comae.com\u002F) | Memory capture | Windows |\n| [WinPMEM](https:\u002F\u002Fgithub.com\u002FVelocidex\u002FWinPmem) | Memory capture | Windows |\n| [AVML](https:\u002F\u002Fgithub.com\u002Fmicrosoft\u002Favml) | Memory capture | Linux |\n| [Volatility3](https:\u002F\u002Fgithub.com\u002Fvolatilityfoundation\u002Fvolatility3) | Memory analysis framework | Windows, Linux |\n\nAll tools are downloaded at runtime from GitHub releases. 
Downloads are HTTPS-only with domain validation.\n\n## Installation\n\n### Pre-built Binaries\n\nDownload from [GitHub Releases](https:\u002F\u002Fgithub.com\u002Fridgelinecyberdefence\u002Fvanguard\u002Freleases):\n\n| Platform | Binary | Checksum |\n|----------|--------|----------|\n| Windows 64-bit | `vanguard-windows-amd64.exe` | `vanguard-checksums.sha256` |\n| Linux 64-bit | `vanguard-linux-amd64` | `vanguard-checksums.sha256` |\n\n```bash\n# Linux\nchmod +x vanguard-linux-amd64\nsudo .\u002Fvanguard-linux-amd64\n```\n\n```powershell\n# Windows (run as Administrator)\n.\\vanguard-windows-amd64.exe\n```\n\n### Build from Source\n\nRequires Go 1.22+ and GCC (CGO is required for SQLite).\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fridgelinecyberdefence\u002Fvanguard.git\ncd vanguard\nCGO_ENABLED=1 go build -trimpath -o vanguard .\u002Fcmd\u002Fvanguard\u002F\n```\n\nWindows (PowerShell):\n```powershell\n.\\build.ps1\n```\n\n## Quick Start\n\n1. **Launch** VanGuard as Administrator\u002Froot\n2. **Create a case** — Configuration → Case Management → New Case\n3. **Set analyst name** — Configuration → Settings\n4. **Download tools** — Configuration → Tool Management\n5. **Run triage** — Quick Triage → Local Quick Triage\n6. **Hunt for threats** — Threat Hunting → select Hayabusa, Loki, or YARA\n7. **Generate report** — Analysis & Reporting → Generate Report\n\nFor Velociraptor-based workflows:\n1. **Initialize server** — Velociraptor Operations → Initialize Server\n2. **Deploy agents** — Velociraptor Operations → Deploy Agent (WinRM\u002FSSH\u002FPSExec)\n3. **Run use case** — Use Cases Library → select a pre-built workflow\n4. **Collect and analyse** — results are automatically registered as case evidence\n\n## Air-Gapped Deployment\n\nVanGuard is designed for environments with no internet access:\n\n1. On a connected machine: download tools and rules via the Configuration and Update menus\n2. Copy the entire VanGuard directory to a USB drive\n3. 
Run directly from USB on the air-gapped target — all tools and rules are self-contained\n4. For rule updates: create an offline bundle (Update → Create Offline Bundle), transfer via USB, apply on the air-gapped system with SHA256 verification\n\n## Security & Evidence Handling\n\nVanGuard is built for environments where evidence integrity and operational security matter:\n\n- **Tamper-evident audit trail** — every action on evidence is cryptographically logged, giving you a defensible chain of custody for legal proceedings\n- **Automatic evidence hashing** — every collected artifact is dual-hashed (MD5 + SHA256) at capture time, so you can prove evidence hasn't been modified\n- **Append-only custody chain** — evidence handling events are recorded and cannot be retroactively altered\n- **Credential isolation** — passwords and keys used for remote connections are never written to disk or logs, protecting your operational credentials during IR\n- **Self-contained reports** — HTML reports work without internet access, with no external dependencies that could leak investigation details\n\n## Documentation\n\n| Document | Description |\n|----------|-------------|\n| [Installation Guide](docs\u002Finstallation.md) | Download, build, and deploy |\n| [Quick Start](docs\u002Fquick-start.md) | First run and common workflows |\n| [User Guide](docs\u002Fuser-guide.md) | Comprehensive reference for all modules |\n| [Air-Gapped Deployment](docs\u002Fair-gapped-deployment.md) | Offline setup and update bundles |\n| [Contributing](CONTRIBUTING.md) | Development setup and contribution guidelines |\n| [Changelog](CHANGELOG.md) | Version history and release notes |\n\n## Project Structure\n","VanGuard is a cross-platform, enterprise-grade incident response toolkit designed to streamline digital forensics and incident response (DFIR) workflows. Written in Go, it ships as a single executable that runs without installation, supports Windows and Linux, and works without network access. The toolkit integrates 28 pre-built incident response use cases covering threat types such as ransomware and business email compromise; each use case is mapped to the MITRE ATT&CK framework and supports phased evidence collection. VanGuard also natively supports full Velociraptor lifecycle management, including server initialisation, client deployment and VQL 
queries, alongside memory forensics, quick triage and threat hunting. Built-in evidence integrity protections include dual hashing and tamper-evident logging. It suits enterprise environments that need to handle cybersecurity incidents efficiently, especially where rapid response is required and network access may be restricted.","2026-06-11 02:54:37","CREATED_QUERY"]