YAMAGoya: Open-Source Tool

Modern threats have evolved far beyond static malware files. Today’s adversaries rely on fileless malware, obfuscation, and memory-resident techniques that easily bypass traditional antivirus tools. To counter these stealthy behaviors, JPCERT/CC has released YAMAGoya, an open-source endpoint monitoring tool that combines Sigma and YARA rules for real-time detection.

YAMAGoya integrates Event Tracing for Windows (ETW) with in-memory scanning, enabling defenders to identify malicious activity whether it resides on disk or only in memory. The tool monitors file creation and deletion, process execution, registry updates, PowerShell and WMI activity, DLL loads, DNS queries, and network connections.

A major advantage of YAMAGoya is its driverless design. By avoiding kernel-level components, it reduces deployment complexity, compatibility issues, and operational risk. It supports both a graphical interface and command-line execution, making it suitable for manual investigations as well as automated pipelines.

YAMAGoya works with community-developed Sigma rules for Windows event patterns and YARA signatures for file and memory analysis. It also supports custom YAML rules that correlate multiple suspicious events. This allows organizations to define behavioral patterns such as coordinated file creation, process execution, DLL loading, and network communication occurring within a short time window. Even if a threat leaves no permanent footprint, its collective behavior can still be detected.
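To make the correlation idea concrete, here is an added example (not YAMAGoya's code, and not its rule schema) of the logic such a custom rule expresses: a set of event types that must all occur for the same process within a short time window. The event records, field names and rule format are constructed for illustration; a process that performs the same actions spread over an hour must not fire.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in an ETW-like shape (field names are assumptions).
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "type": "file_create", "pid": 4242, "detail": "stage.dll"},
    {"ts": "2024-01-01T10:00:02", "type": "process_start", "pid": 4242, "detail": "rundll32.exe"},
    {"ts": "2024-01-01T10:00:05", "type": "dll_load", "pid": 4242, "detail": "stage.dll"},
    {"ts": "2024-01-01T10:00:09", "type": "network_connect", "pid": 4242, "detail": "203.0.113.10:443"},
    # Same event types for a benign process, but spread over an hour: must not match.
    {"ts": "2024-01-01T10:05:00", "type": "file_create", "pid": 777, "detail": "report.docx"},
    {"ts": "2024-01-01T10:20:00", "type": "process_start", "pid": 777, "detail": "winword.exe"},
    {"ts": "2024-01-01T10:40:00", "type": "dll_load", "pid": 777, "detail": "mso.dll"},
    {"ts": "2024-01-01T10:59:00", "type": "network_connect", "pid": 777, "detail": "198.51.100.5:443"},
]

# Hypothetical correlation rule: every type in `requires` must be seen for one
# process (grouped by `pid`) within `window_seconds` of the first such event.
RULE = {
    "name": "staged-dll-with-outbound-connection",
    "group_by": "pid",
    "requires": {"file_create", "process_start", "dll_load", "network_connect"},
    "window_seconds": 30,
}


def correlate(events, rule):
    """Return one alert per group whose events cover every required type inside the window."""
    window = timedelta(seconds=rule["window_seconds"])
    required = rule["requires"]
    by_group = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] in required:
            by_group[ev[rule["group_by"]]].append((datetime.fromisoformat(ev["ts"]), ev["type"]))
    alerts = []
    for key, seq in by_group.items():
        # Slide the window over this group's time-ordered events; fire once on the first hit.
        for i, (start, _) in enumerate(seq):
            seen = {t for ts, t in seq[i:] if ts - start <= window}
            if required <= seen:
                alerts.append({"rule": rule["name"], rule["group_by"]: key, "window_start": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, RULE):
        print(alert)
```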

By leveraging shared Sigma and YARA rule sets, YAMAGoya gives defenders access to a constantly updated catalog of threat detection logic without relying on proprietary engines or vendor lock-in.

Why This Matters

The increase in fileless and memory-resident attacks makes traditional signature models insufficient. Hybrid detection approaches that combine behavioral monitoring with memory scanning are now essential. Community-driven rules provide rapid updates aligned with emerging threats. Real-time visibility supports regulatory and compliance requirements by ensuring complete activity logging.

Conclusion

YAMAGoya represents a practical shift in endpoint defense strategy. Its combination of live behavioral monitoring, memory scanning, and community-driven rule support offers organizations an effective way to detect sophisticated, evasive threats. As adversaries adopt more stealth-focused techniques, defenders require tools that deliver visibility, adaptability, and speed.

About COE Security

COE Security helps organizations across cloud services, software development, enterprise infrastructure, financial services, and managed IT environments secure their endpoints and meet regulatory obligations.

We support organizations by:

• Assessing threat exposure and selecting appropriate Sigma and YARA rules
• Deploying and configuring host monitoring across large environments
• Integrating custom detection rules and threat intelligence
• Setting up alerting, logging, and compliance-ready reporting
• Conducting threat hunting, incident response planning, and security audits

To stay updated and cyber safe, follow COE Security on LinkedIn.
