{"id":13875901,"url":"https://github.com/SitinCloud/Owlyshield","last_synced_at":"2025-07-16T10:32:23.922Z","repository":{"id":41840905,"uuid":"415018696","full_name":"SitinCloud/Owlyshield","owner":"SitinCloud","description":"Owlyshield is an EDR framework designed to safeguard vulnerable applications from potential exploitation (C\u0026C, exfiltration and impact).","archived":false,"fork":false,"pushed_at":"2024-07-15T15:28:52.000Z","size":74893,"stargazers_count":381,"open_issues_count":8,"forks_count":25,"subscribers_count":15,"default_branch":"main","last_synced_at":"2024-08-07T06:05:44.346Z","etag":null,"topics":["antivirus","behavior-analysis","command-and-control","cybersecurity","edr","exfiltration","impact","machine-learning","malware","malware-analysis","malware-research","ransomware","threat-hunting"],"latest_commit_sha":null,"homepage":"https://www.sitincloud.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"eupl-1.2","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SitinCloud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-10-08T14:30:16.000Z","updated_at":"2024-07-25T07:43:59.000Z","dependencies_parsed_at":"2024-01-13T19:52:47.236Z","dependency_job_id":null,"html_url":"https://github.com/SitinCloud/Owlyshield","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SitinCloud%2FOwlyshield","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SitinCloud%2FOwlyshield/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sitin
Cloud%2FOwlyshield/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SitinCloud%2FOwlyshield/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SitinCloud","download_url":"https://codeload.github.com/SitinCloud/Owlyshield/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226122303,"owners_count":17576920,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus","behavior-analysis","command-and-control","cybersecurity","edr","exfiltration","impact","machine-learning","malware","malware-analysis","malware-research","ransomware","threat-hunting"],"created_at":"2024-08-06T06:00:49.245Z","updated_at":"2024-11-24T03:31:31.709Z","avatar_url":"https://github.com/SitinCloud.png","language":"Rust","funding_links":[],"categories":["Rust","threat-hunting"],"sub_categories":[],"readme":"\u003cdiv id=\"top\"\u003e\u003c/div\u003e\n\nTranslations (obsolete):\n\n- Chinese: / 中文: \u003ca href=./translations/README_CN.md\u003eREADME_CN\u003c/a\u003e\n- Español: \u003ca href=./translations/README_ES.md\u003eREADME_ES\u003c/a\u003e\n- Français: \u003ca href=./translations/README_FR.md\u003eREADME_FR\u003c/a\u003e\n  \u003cbr /\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"https://github.com/SitinCloud/Owlyshield\"\u003e\n    \u003cimg src=\"./resources/logo_transparent.png\" alt=\"Logo\" width=\"150\" height=\"150\"\u003e\n  \u003c/a\u003e\n\n\u003ch2 align=\"center\"\u003eOwlyshield\u003c/h2\u003e\n  \u003cp align=\"center\"\u003e\n\t  An EDR framework 
written in Rust\n  \u003c/p\u003e\n  \u003cp align=\"center\"\u003e\n\t\u003cimg src=\"https://github.com/SitinCloud/Owlyshield/actions/workflows/rust-build.yml/badge.svg\"\u003e\n\t\u003cimg src=\"https://img.shields.io/github/license/SitinCloud/Owlyshield\"\u003e\n  \u003c/p\u003e\n\n  \u003cp align=\"center\"\u003e\n    :test_tube: \u003ca href=\"https://github.com/SitinCloud/malwares-ml\"\u003eAccess training data\u003c/a\u003e\n    ·\n    :book: \u003ca href=\"http://docs.sitincloud.com\"\u003eRead the Documentation\u003c/a\u003e\n    ·\n    :speech_balloon: \u003ca href=\"https://github.com/SitinCloud/Owlyshield/issues\"\u003eRequest Feature\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n## :fast_forward: TL;DR\n\nOwlyshield is an open-source EDR (Endpoint Detection and Response) solution for Linux and Windows servers. It analyzes how processes use files to detect intrusions through vulnerability exploitation, with a particular focus on detecting Command and Control, exfiltration and impact tactics. The project is developed by [SitinCloud](https://www.sitincloud.com), a French company.\n\nThe main idea behind Owlyshield is to learn the normal behavior of applications (essentially trees of processes) and use this knowledge to identify weak signals of an attack through the use of novelty detection.\n\n## :question: An EDR Framework...\n\nOwlyshield's extensibility is a key feature that sets it apart from other EDR solutions. As a framework, you can add new algorithms for malware detection, UEBA (User and Entity Behavior Analytics), and novelty detection. You can also use Owlyshield to record and replay file activities for training machine learning models, as we do with our autoencoder feature.\n\nOwlyshield provides powerful and efficient endpoint detection and response capabilities for Linux, Windows, and IoT devices. 
Its unique focus on file activities makes it highly effective at detecting fileless malware and C\u0026C beacons that may go unnoticed by other EDR solutions.\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n\n## :ballot_box_with_check: ...that comes with pre-built features\n\nAlthough Owlyshield is a framework designed to be customized and extended, it also comes with pre-built, powerful features that are immediately usable:\n\n- [x] Advanced novelty detection with autoencoders (commercial version),\n- [x] Ransomware protection in real-time on Windows using XGBoost,\n- [ ] Novelty detection with embedded training on both Linux (+IoT) and Windows,\n- [ ] Auto-configuration of SELinux to automatically protect exposed applications.\n\n\n\u003cp align=\"center\"\u003e\n\t\u003cimg src=\"./resources/pca_3d.gif\" alt=\"Gif Demo Owlyshield\" style=\"align:center; width: 75%\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n\n## :see_no_evil: Real-Life Examples\n\nOwlyshield provides a powerful solution for detecting and responding to threats in real time. Here are three real-life examples of how Owlyshield protected our customers:\n\n- An attacker exploited a critical CVE in an ESXi server to deploy a payload. Owlyshield detected weak signals of the attack on the ESXi server by analyzing the file activities and identifying unusual behavior in the ESXi process family, indicating the presence of a malicious process.\n- A web application built with JHipster had a hidden URL that could be used to dump the JVM memory, but the infrastructure team was not aware of this vulnerability. Owlyshield was able to detect that it was exploited by analyzing the file system for unusual activity related to creating the dump file.\n- A large and expensive ERP system was accessed by teams of consultants from different countries. 
One of them, with admin rights, began to slowly corrupt specific files in the ERP system. The attacker used this tactic to make the corruption look like a series of bugs or glitches rather than a deliberate attack.\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n\n## :arrow_forward: 2-minute install\n\nInstallation instructions for Owlyshield can be found in the Releases section of the project's GitHub repository. For usage instructions, please refer to the project's Wiki or see the Contributing section if you prefer to build Owlyshield yourself.\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n\n## :money_mouth_face: Business\n\n### :arrow_upper_right: Free vs Pro editions\n\nThe Pro Edition (commercial edition) includes the following features:\n\n- Integration with Wazuh,\n- Nice local interfaces for end users,\n- Scheduled tasks to automatically update the application.\n\nWithin the scope of free version usage, we will do our best to help you find a solution for any issues you may\nencounter. 
However, we prioritize support for subscribers to our commercial version and value-added resellers.\n\n### :moneybag: Business model\n\nWhile our products and services can be purchased directly from us (feel free\nto [contact us](mailto:opensource@sitincloud.com) for a quotation that meets your needs), we believe that it is best for\nour products to be distributed to end customers indirectly.\n\nPlease [contact us](mailto:opensource@sitincloud.com) if you:\n\n- Want to become a distribution partner or use our products as an MSSP – we are open to such partnerships.\n- Want to integrate Owlyshield as part of your own EDR/XDR system – we will be happy to provide the best proposal for\n  the appropriate level of professional services to do so.\n- Need to protect your critical enterprise servers against crafted attacks or progressive wipers – we can introduce you\n  to our brand-new novelty detection engine based on encoder AI tools (Owlyshield Enterprise Edition).\n- Have any questions or would like a presentation of our products.\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n\n## :mechanical_arm: Contributing\n\nWe offer free access to the Owlyshield Pro Edition to our contributors.\n\nIf you discover an undetected ransomware sample, please open an issue with the tag \"undetected\" to help us improve the AI\nengine and understand the new techniques used to avoid detection.\n\nIf you have suggestions on how to improve Owlyshield, you can fork the repository and create\na [pull request](https://github.com/SitinCloud/Owlyshield/compare) or simply open\nan [issue](https://github.com/SitinCloud/Owlyshield/issues/new) with the tag \"enhancement\".\n\nDon't forget to give the project a :star:! Thank you for your contributions.\n\nTo contribute:\n\n1. Fork the project.\n2. Create a feature branch: `git checkout -b feature/AmazingFeature`.\n3. Commit your changes: `git commit -m 'Add some AmazingFeature'`.\n4. 
Push to the branch: `git push origin feature/AmazingFeature`.\n5. Open a pull request.\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n\n## :book: License\n\nDistributed under the EUPL v1.2 license. See `LICENSE.txt` for more information.\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n\n## :love_letter: Contact\n\nDamien LESCOS - [@DamienLescos](https://twitter.com/DamienLescos)\n\n- [opensource@sitincloud.com](mailto:opensource@sitincloud.com)\n\nProject Link: [https://github.com/SitinCloud/Owlyshield/](https://github.com/SitinCloud/Owlyshield/)\n\nCompany Link: [SitinCloud](https://www.sitincloud.com)\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n\n## :pray: Acknowledgments\n\n* [RansomWatch](https://github.com/RafWu/RansomWatch)\n* [Behavioural machine activity for benign and malicious Win7 64-bit executables](https://research.cardiff.ac.uk/converis/portal/detail/Dataset/50524986?auxfun=\u0026lang=en_GB)\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSitinCloud%2FOwlyshield","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSitinCloud%2FOwlyshield","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSitinCloud%2FOwlyshield/lists"}