Plaguards is a cutting-edge security tool built to streamline and automate the deobfuscation of obfuscated PowerShell scripts, empowering security teams to rapidly identify Indicators of Compromise (IOCs) and determine whether they represent valid threats (VT) or false positives (FP). Each analysis is documented in a comprehensive PDF report, designed to provide deep insights and actionable intelligence.
As a web app, Plaguards offers users the flexibility to conduct powerful, on-demand analysis from anywhere, at any time, making it invaluable to blue teams tasked with responding to complex malware threats. This innovation not only accelerates workflows but also enhances detection accuracy, positioning Plaguards as a vital asset in proactive threat response.
Plaguards was developed to address a critical need within Incident Response (IR) teams, specifically in handling obfuscated PowerShell scripts—a frequent component in modern malware and ransomware attacks that severely threaten business operations. Despite the availability of numerous deobfuscation tools for JavaScript, there is a notable shortage of static deobfuscation resources for PowerShell, especially amidst the increasing trend of fileless PowerShell-based attacks observed throughout 2024. This gap has left IR teams without effective tools to manage these high-stakes threats.
Most existing tools only focus on detecting obfuscated PowerShell rather than fully deobfuscating it, leaving a crucial aspect of analysis unaddressed. Plaguards fills this void, enabling automated deobfuscation specifically tailored to PowerShell scripts. It empowers IR teams to swiftly parse through obfuscated lines, identify embedded Indicators of Compromise (IOCs) like IP addresses and URLs, and determine if they represent legitimate threats or false positives.
Beyond deobfuscation, Plaguards enhances the overall response workflow by providing templated PDF reports, documenting each deobfuscated line and cross-referencing IOCs with threat intelligence. This capability not only aids in real-time threat assessment but also supports IR teams by delivering comprehensive, actionable insights in a clear and organized format.
Warning
There are known security vulnerabilities within certain versions of Plaguards. Before proceeding, please read through Plaguards Security Advisories for a better understanding of how you might be impacted.
| No. | Main Features | Summary |
|---|---|---|
| 1. | Powershell Deobfuscation | Plaguards introduces deobfuscation features such as: 1. Concat strings value and variable. 2. Concat strings value that has the same variable. 3. Decode base64 -> has 2 patterns: "==" at the end of the string and use "base64fromstring" function. 4. Evaluate Backtick. 5. Seperate Code into Several Lines -> ";" (semicolon) as the separator. 6. Flexible variable value change. 7. Arithmatic operation inside char (plus (+), minus (-), multiply (*), divide (/), XOR (-bxor)). 8. Evaluate replace. 9. Evaluate split. 10. Evaluate join. 11. Recognize and evaluate whitespace. 12. Process ASCII.getstring function. 13. Obtain IOC Parameter Input (Domain and IP). |
| 2. | IOC Checker | Plaguards offers four parameters for analyzing Indicators of Compromise (IOCs): hash, ip, domain, and signature. To initiate a query, users select one of these parameters and provide a second argument as the IOC value to be checked. Plaguards then cross-references this value with public threat intelligence sources, including VirusTotal and Malware Bazaar, via API. The resulting JSON data is parsed into a structured Markdown format, which is then converted into a downloadable, viewable PDF report—delivering actionable insights in a professional, easy-to-read format. |
| 3. | Automated Reporting in PDF format. | Plaguards provides automated PDF reporting for both PowerShell deobfuscation results and IOC checker outcomes, all formatted in an easy-to-read template for clear and accessible insights. |
- VPN Server (Recommended for Production Server).
- Domain for HTTPS (Recommended for Production Server).
- Docker
- Docker Compose v2
- Python 3.x
- Port 8000
Note
(No manual installation needed – we’ll handle everything for you!)
- Clone this repository.
git clone https://github.com/Bread-Yolk/plaguards.git
cd plaguards- Configure your Virus Total API key.
Tip
For instructions on obtaining your API key, Click here.
nano Dockerfile# At Dockerfile
ENV VT_API_KEY="your_api_key_goes_here"- Run the setup script.
chmod 777 plaguards.sh
sudo ./plaguards.sh- By default, Plaguards dashboard will listen at port 8000.
- Clone this repository.
git clone https://github.com/Bread-Yolk/plaguards.git
cd plaguards- Set up a virtual environment.
python3 -m venv plaguards-venv
source plaguards-venv/bin/activate- Configure your Virus Total API key.
Tip
For instructions on obtaining your API key, Click here.
nano plaguards-cli.py# At plaguards-cli.py in line 583
VT_API_KEY = "your_api_key_goes_here"- Install required dependencies.
pip3 install -r requirements.txt
sudo apt-get update
sudo apt-get install -y pandoc texlive texlive-latex-extra texlive-xetex
sudo apt-get install -y texlive-fonts-extra
sudo apt-get install -y apt-utils
cp ./others/eisvogel.latex /usr/share/pandoc/data/templates/eisvogel.latex- Run Plaguards CLI.
sudo python3 plaguards-cli.py example.ps1Note
You can also use .txt files containing powershell payloads.
sudo python3 plaguards-cli.py obfuscated.txt| IOC Checker | PDF Report |
|---|---|
 |
 |
| Powershell Deobfuscation | PDF Report |
|---|---|
 |
 |