FivePM is a modern, Streamlit-based cybersecurity tool designed to detect and visualize threat indicators across text and log files.
It combines regex-based IOC detection with GeoIP enrichment, ASN lookup, and interactive dashboards — built for threat hunters, DFIR analysts, and blue teams.
FivePM scans files and directories for a wide range of Indicators of Compromise (IOCs), including:
- Network Indicators: IPv4, IPv6, domains, URLs, email addresses
- Cryptocurrency: Bitcoin and Ethereum wallet addresses
- Malware Signatures: Mimikatz, Metasploit, Cobalt Strike, Empire, etc.
- Attack Techniques: Reverse shells, credential dumping, lateral movement
- Hashes & Encryption: MD5, SHA1, SHA256, AES/XOR/RC4 keys
- Obfuscation & Suspicious Behavior: Base64, certutil, encoded payloads
- Vulnerabilities: CVE identifiers and suspicious command usage
- Automatically downloads and manages GeoLite2-City and GeoLite2-ASN databases
- Maps suspicious IPs to countries, cities, and organizations (ASN)
- Displays interactive geo-maps using Plotly for visual threat localization
- Real-time, tabbed Streamlit dashboard:
- Indicators Overview: Count and classify IOCs by type
- GeoIP Visualization: Interactive world map of source IPs
- Detailed Findings: Per-file breakdown of indicators and context lines
- Statistics View: Top matches, unique entities, and indicator distributions
- Optimized for large datasets (sampling + summarization)
- Folder and file-based scanning
- Automatic database verification and recovery
- Export results to CSV for further analysis
- Python 3.9+
pippackage manager- Internet access for downloading GeoLite2 databases (first-time setup)
git clone https://github.com/dfirvault/FivePM.git
cd FivePM
pip install -r requirements.txtstreamlit run fivepm.pyOn first launch, FivePM will automatically download the required GeoLite2 databases (City + ASN).
- Launch the app with
streamlit run fivepm.py - Choose input method in the sidebar:
- Upload File — single log or text file
- Select Directory — recursively scan an entire folder
- Click Scan to begin analysis
- View results in the interactive dashboard
- Optionally, export summaries via the Export Results panel
| Category | Examples |
|---|---|
| Network Indicators | IPs, domains, URLs, emails |
| Hashes | MD5, SHA1, SHA256 |
| Malware & Tools | Mimikatz, Cobalt Strike, Metasploit, Empire |
| Credential Access | lsass.exe, procdump, sekurlsa::logonpasswords |
| Lateral Movement | PsExec, WinRM, WMIExec |
| Persistence | schtasks, registry run keys |
| Defense Evasion | AMSI bypass, UAC bypass, Process hollowing |
| Crypto & Encoding | AES/XOR/RC4 keys, Base64 strings |
| Vulnerabilities | CVE-XXXX-XXXX patterns |
FivePM automatically manages and validates GeoLite2 databases:
- City DB —
GeoLite2-City.mmdb - ASN DB —
GeoLite2-ASN.mmdb
If missing or corrupted, the tool will prompt you to download replacements.
| Library | Purpose |
|---|---|
| Streamlit | Web UI framework |
| GeoIP2 | IP geolocation |
| Plotly | Interactive visualizations |
| Pandas | Data manipulation |
| Requests | HTTP downloads |
| Logging | Event tracking and diagnostics |
Install all dependencies via:
pip install -r requirements.txtExample requirements.txt:
streamlit
geoip2
plotly
pandas
requests
- FivePM uses local scanning — your data never leaves your machine.
- The GeoLite2 databases are fetched directly from a public GitHub mirror.
- No cloud APIs or telemetry are used.
Jacob Wilson
Cybersecurity Investigator & Threat Researcher
📍 Australia
This project is licensed under the MIT License — see LICENSE for details.
Pull requests and feature suggestions are welcome!
Some planned features:
- 🔥 Integration with VirusTotal / AbuseIPDB lookups
- 🧮 Machine learning–based IOC clustering
- 🌐 Web dashboard deployment via Docker
💡 FivePM helps analysts rapidly detect, enrich, and visualize indicators of compromise — turning raw logs into actionable intelligence.