Malcore Playbook is a powerful framework for automating malware analysis, malware triaging, and analyst workflows using modular recipes and scripting. Designed for SOC analysts, threat hunters, and cybersecurity professionals, Malcore Playbook allows users to build chains to automate workflows, and extract actionable intelligence from suspicious files through a simple, flexible scripting language, and individual recipes.
It is advised to use the this method for installation:
pip install malcore-playbookThen you can easily update by running: pip install malcore-playbook --upgrade
You are also able to install manually like so:
git clone https://github.com/PenetrumLLC/Malcore-Playbook.git && \
cd Malcore-Playbook && \
python setup.py install && \
malcore-playbookusage: malcore-playbook --recipe RECIPE[,RECIPE,..] --filename FILE [--chain --script [SCRIPT]
--kwargs ARG1=VAL1[,ARG2=VAL2,...]]
optional arguments:
-h, --help show this help message and exit
required arguments:
-r RECIPE-NAME [RECIPE-NAME ...], --recipe RECIPE-NAME [RECIPE-NAME ...]
Recipes to execute one at a time, pass multiple using a comma seperated list
(eg, recipe1,recipe2,...)
-c, --chain Pass this to chain recipes together with a script, must pass the --script flag with this
--filename FILENAME, -f FILENAME, --file-to-analyze FILENAME
The filename that you want to process with the recipes. This is required for the recipes to work
chain related arguments:
--chain-script CHAIN-SCRIPT, -S CHAIN-SCRIPT, --script CHAIN-SCRIPT, -C CHAIN-SCRIPT
Pass either a filename or a raw chain script in order to execute the MalScript chain
recipe related arguments:
--list-remote, --list-remote-recipes, -lR
List all remote recipes that are available for download
--list-local, --list-local-recipes, -lL
List all local recipes that are available to execute
--download-remote RECIPE-NAME [RECIPE-NAME ...], --download-recipe RECIPE-NAME [RECIPE-NAME ...],
--download RECIPE-NAME [RECIPE-NAME ...], -D RECIPE-NAME [RECIPE-NAME ...]
Pass a remote recipe name to download it to your recipe folder
(pass 'all' to download all available recipes)
--recipe-updates ACTION
Check for recipe updates
--kwargs [KWARGS [KWARGS ...]]
Key and value pairs to pass to the recipe IE: arg1=var1,arg2=var2
misc arguments:
--force Force actions that would otherwise fail
--output OUTPUT-TYPE, -O OUTPUT-TYPE, --output-type OUTPUT-TYPE
Pass to control the type of output you want, default is JSON files stored in: C:\Users\saman\.mcpb
--hide Hide the banner
--version Show version numbers and exit
MalScript is a domain-specific scripting language (DSL) built specifically for the Malcore Playbook. This language is designed to automate malware analysis and file triaging workflows. By providing the ability to chain recipes and execute them conditionally, MalScript provides a powerful declarative automation to help automate reverse engineers and analysts. MalScript combines function and imperative elements to support rule-based execution, and data inspection on real-time analysis results.
Full language documentation can be found HERE
The help menu:
Executing a single recipe
Downloading recipes:
Executing a recipe chain and saving it to a text file: