{"id":22647444,"url":"https://github.com/processust/etwmonitor","last_synced_at":"2025-04-12T02:12:45.505Z","repository":{"id":62269957,"uuid":"559254609","full_name":"ProcessusT/ETWMonitor","owner":"ProcessusT","description":"Windows notifier tool that detects suspicious connections by monitoring ETW event logs","archived":false,"fork":false,"pushed_at":"2022-12-08T15:19:51.000Z","size":159432,"stargazers_count":117,"open_issues_count":0,"forks_count":11,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-12T02:12:35.152Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ProcessusT.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-10-29T14:42:23.000Z","updated_at":"2024-12-22T09:22:51.000Z","dependencies_parsed_at":"2023-01-25T14:15:53.933Z","dependency_job_id":null,"html_url":"https://github.com/ProcessusT/ETWMonitor","commit_stats":null,"previous_names":["processust/etwmonitor"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProcessusT%2FETWMonitor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProcessusT%2FETWMonitor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProcessusT%2FETWMonitor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProcessusT%2FETWMonitor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ProcessusT","download_url":"https://codeload.github.com/ProcessusT/ETWMonitor/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248505926,"owners_count":21115354,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-09T07:33:37.641Z","updated_at":"2025-04-12T02:12:45.477Z","avatar_url":"https://github.com/ProcessusT.png","language":"PHP","readme":"# ETWMonitor\n\n\u003cdiv align=\"center\"\u003e\n  \u003cbr\u003e\n  \u003ca href=\"https://twitter.com/intent/follow?screen_name=ProcessusT\" title=\"Follow\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/ProcessusT?label=ProcessusT\u0026style=social\"\u003e\u003c/a\u003e\n  \u003cbr\u003e\n  \u003cbr\u003e\n\u003c/div\u003e\n\n\n\u003cdiv align=\"center\"\u003e\n\u003ch2\u003eWindows notifier tool that detects suspicious connections by monitoring ETW event logs\u003c/h2\u003e\u003cbr /\u003e\n\u003cbr /\u003e\n\u003cbr\u003e\n  Server dashboard screen :\u003cbr /\u003e\u003cbr /\u003e\n\u003cimg src=\"https://github.com/Processus-Thief/ETWMonitor/raw/main/assets/ETWMonitor_server.PNG\" width=\"80%;\"\u003e\n\u003cbr /\u003e\u003cbr /\u003e\nCrowdsec integration with IP address reputation :\u003cbr /\u003e\u003cbr /\u003e\n\u003cimg src=\"https://github.com/Processus-Thief/ETWMonitor/raw/main/assets/ETWMonitor_server2.PNG\" width=\"80%;\"\u003e\n\u003cbr /\u003e\u003cbr /\u003e\nSuspicious loaded DLL by processes detection :\u003cbr /\u003e\u003cbr /\u003e\n\u003cimg src=\"https://raw.githubusercontent.com/Processus-Thief/ETWMonitor/main/assets/mimikatz_detection.PNG\" width=\"80%;\"\u003e\n\u003cbr /\u003e\n\u003c/div\u003e\n\u003cbr\u003e\n\n\n## Changelog\n\u003cbr /\u003e\nFinal version :\u003cbr /\u003e\n- Loaded DLL by processes detections\u003cbr /\u003e\n\u003cbr /\u003e\nV 2.3 :\u003cbr /\u003e\n- Crowdsec IP reputation integration (match ip in TCPIP logs)\u003cbr /\u003e\n- Alerts can be sent by email\u003cbr /\u003e\n- Statistics in server dashboard rely on real data\u003cbr /\u003e\n- Correction of bug that keeps CPU usage over 90%\u003cbr /\u003e\n\u003cbr /\u003e\nV 2.1 :\u003cbr /\u003e\n- Client updates detection rules defined in a server XML file automatically\u003cbr /\u003e\n- No more compilation required for new rules creation\u003cbr /\u003e\n\u003cbr /\u003e\nV 2.0 :\u003cbr /\u003e\n- Client-server support\u003cbr /\u003e\n- Client agent launched on startup as Windows service\u003cbr /\u003e\n\u003cbr /\u003e\nV 1.1 :\u003cbr /\u003e\n- Detect and notify WinRM connections\u003cbr /\u003e\n\u003cbr /\u003e\nV 1.0 :\u003cbr /\u003e\n- Detect and notify RDP, SMB and RPC connections\u003cbr /\u003e\n\n\u003cbr /\u003e\u003cbr /\u003e\n\n## What da fuck is this ?\n\u003cbr /\u003e\nOn Windows, ETW (for Event Tracing for Windows) is a mechanism to trace and log events that are raised\u003cbr /\u003e\nby user-mode applications and kernel-mode drivers.\u003cbr /\u003e\nETWMonitor monitors events in real time to detect suspicious network connections.\u003cbr /\u003e\n\u003cbr /\u003e\n\u003cbr /\u003e\n\n## Installation\n\u003cbr\u003e\n- You can download latest compiled version from \u003ca href=\"https://github.com/Processus-Thief/ETWMonitor/releases\"\u003eRelease page\u003c/a\u003e\u003cbr /\u003e\nAlso see installation instructions here : \u003ca href=\"https://github.com/Processus-Thief/ETWMonitor/blob/main/ETW%20Monitor%20-%20How%20to%20install%20client-server%20version.pdf\"\u003eINSTALLATION HOW TO.pdf\u003c/a\u003e\n\u003cbr\u003e\u003cbr\u003e\n\u003cbr\u003e\n    \n## Future improvements\n\n\u003cbr /\u003e\nNo more improvements are planned for the moment.\n\u003cbr /\u003e\u003cbr /\u003e\n\n## Maintainability\n\u003cbr /\u003e\nDesktop version is no longer maintained.\u003cbr /\u003e\nOnly client-version will be maintained to get faster updates.\u003cbr /\u003e\nYou can still add Agent version updates to Desktop version manually if needed.\u003cbr /\u003e\n\u003cbr /\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprocessust%2Fetwmonitor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprocessust%2Fetwmonitor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprocessust%2Fetwmonitor/lists"}