{"id":13450143,"url":"https://github.com/rabbitstack/fibratus","last_synced_at":"2025-05-13T21:11:42.673Z","repository":{"id":38706732,"uuid":"54714794","full_name":"rabbitstack/fibratus","owner":"rabbitstack","description":"Adversary tradecraft detection, protection, and hunting ","archived":false,"fork":false,"pushed_at":"2025-05-06T19:16:46.000Z","size":17264,"stargazers_count":2330,"open_issues_count":30,"forks_count":198,"subscribers_count":69,"default_branch":"master","last_synced_at":"2025-05-08T17:25:30.421Z","etag":null,"topics":["adversary","blueteam","edr","etw","golang","instrumentation","mitre","python","security","windows","windows-kernel"],"latest_commit_sha":null,"homepage":"https://www.fibratus.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rabbitstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.MD","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["rabbitstack"]}},"created_at":"2016-03-25T11:28:46.000Z","updated_at":"2025-05-07T06:20:19.000Z","dependencies_parsed_at":"2023-11-06T10:49:34.850Z","dependency_job_id":"63d88ec4-d5d3-41e3-bf83-3c01f5963be7","html_url":"https://github.com/rabbitstack/fibratus","commit_stats":{"total_commits":944,"total_committers":10,"mean_commits":94.4,"dds":0.4661016949152542,"last_synced_commit":"e05823d6523f45d5909675f9156ed68bc3f0f182"},"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabbitstack%2Ffibratus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabbitstack%2Ffibratus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabbitstack%2Ffibratus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabbitstack%2Ffibratus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rabbitstack","download_url":"https://codeload.github.com/rabbitstack/fibratus/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253865470,"owners_count":21975926,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adversary","blueteam","edr","etw","golang","instrumentation","mitre","python","security","windows","windows-kernel"],"created_at":"2024-07-31T07:00:31.441Z","updated_at":"2025-05-13T21:11:42.585Z","avatar_url":"https://github.com/rabbitstack.png","language":"Go","readme":"---\n\n\u003cp align=\"center\" \u003e\n  \u003ca href=\"https://www.fibratus.io\" \u003e\n    \u003cimg src=\"logo.png\" alt=\"Fibratus\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003ch2 align=\"center\"\u003eFibratus\u003c/h2\u003e\n\n\u003cp align=\"center\"\u003e\n  Adversary tradecraft detection, protection, and hunting\n  \u003cbr\u003e\n  \u003ca href=\"https://www.fibratus.io/#/setup/installation\"\u003e\u003cstrong\u003eGet Started »\u003c/strong\u003e\u003c/a\u003e\n  \u003cbr\u003e\n  \u003cbr\u003e\n  \u003cstrong\u003e\n    \u003ca href=\"https://www.fibratus.io\"\u003eDocs\u003c/a\u003e\n    \u0026nbsp;\u0026nbsp;\u0026bull;\u0026nbsp;\u0026nbsp;\n    \u003ca href=\"https://github.com/rabbitstack/fibratus/tree/master/rules\"\u003eRules\u003c/a\u003e\n    \u0026nbsp;\u0026nbsp;\u0026bull;\u0026nbsp;\u0026nbsp;\n    \u003ca href=\"https://github.com/rabbitstack/fibratus/tree/master/filaments\"\u003eFilaments\u003c/a\u003e\n    \u0026nbsp;\u0026nbsp;\u0026bull;\u0026nbsp;\u0026nbsp;\n    \u003ca href=\"https://github.com/rabbitstack/fibratus/releases\"\u003eDownload\u003c/a\u003e\n    \u0026nbsp;\u0026nbsp;\u0026bull;\u0026nbsp;\u0026nbsp;\n    \u003ca href=\"https://github.com/rabbitstack/fibratus/discussions\"\u003eDiscussions\u003c/a\u003e\n  \u003c/strong\u003e\n\u003c/p\u003e\n\nFibratus detects, protects, and eradicates advanced adversary tradecraft by scrutinizing\nand asserting a wide spectrum of system events against a behavior-driven [rule engine](https://www.fibratus.io/#/filters/rules) and [YARA](https://www.fibratus.io/#/yara/introduction) memory scanner.\n\nEvents can also be shipped to a wide array of [output sinks](https://www.fibratus.io/#/outputs/introduction) or dumped to [capture](https://www.fibratus.io/#/captures/introduction) files for local inspection and forensics analysis. You can use [filaments](https://www.fibratus.io/#/filaments/introduction) to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem. \n\nIn a nutshell, the Fibratus mantra is defined by the pillars of **realtime behavior detection**, **memory scanning**, and **forensics** capabilities.\n\n\n### Installation\n\n- Download the latest [MSI package](https://github.com/rabbitstack/fibratus/releases) and follow the [UI](https://www.fibratus.io/#/setup/installation) wizard or\nalternatively install via `msiexec` in silent mode\n\n```\n$ msiexec /i fibratus-2.3.0-amd64.msi /qn\n```\n\n### Quick start\n\n---\n\n- spin up a command line prompt\n- list credentials from the vault by using the `VaultCmd` tool\n\n```\n$ VaultCmd.exe /listcreds:\"Windows Credentials\" /all\n```\n\n`Credential discovery via VaultCmd.exe` rule should trigger and emit the alert to the [Eventlog](https://www.fibratus.io/#/alerts/senders/eventlog). Check the short demo [here](https://www.fibratus.io/alerts/senders/images/eventlog.gif).\n\n### Documentation\n\nTo fully exploit and learn about Fibratus capabilities, read the [docs](https://www.fibratus.io).\n\n### Rules\n\nDetection rules live in the [`rules`](/rules) directory of this repository. The CLI provides a set of\ncommands to explore the rule catalog, validate the rules, or [create a new rule](https://github.com/rabbitstack/fibratus/tree/master/rules#structure) from the template.\n\nTo describe all rules in the catalog, use the `fibratus rules list` command. It is possible to pass the\n`-s` flag to show rules summary by MITRE tactics and techniques.\n\n### Contributing\n\nWe love contributions. To start contributing to Fibratus, please read our [contribution guidelines](https://github.com/rabbitstack/fibratus/blob/master/CONTRIBUTING.md).\n\n### Code Signing Policy\n\nFree code signing provided by [SignPath.io], certificate by\n[SignPath Foundation]. All releases are automatically signed.\n\n[SignPath.io]: https://signpath.io\n[SignPath Foundation]: https://signpath.org\n\n---\n\n\u003cp align=\"center\"\u003e\n  Developed with ❤️ by \u003cstrong\u003eNedim Šabić Šabić\u003c/strong\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  Logo designed with ❤️ by \u003cstrong\u003e\u003ca name=\"logo\" target=\"_blank\" href=\"https://github.com/karinkasweet/\"\u003eKarina Slizova\u003c/a\u003e\u003c/strong\u003e\n\u003c/p\u003e\n","funding_links":["https://github.com/sponsors/rabbitstack"],"categories":["Detector","开源类库","IR Tools Collection","Debugging and Reverse Engineering","Network","Forensics","Go","Open source library","Go (531)","Python","Uncategorized","Windows Utilities","windows","Tools","Honeypots","Operating Systems","\u003ca id=\"b478e9a9a324c963da11437d18f04998\"\u003e\u003c/a\u003e工具","Awesome Penetration Testing (\"https://github.com/Muhammd/Awesome-Pentest\")","IR tools Collection"],"sub_categories":["安全","Windows Evidence Collection","Other Resources","Monitoring / Logging","Security","Uncategorized","Web Exploitation Books","Windows Utilities","Windows","\u003ca id=\"c3cda3278305549f4c21df25cbf638a4\"\u003e\u003c/a\u003e内核\u0026\u0026驱动","Penetration Testing Report Templates","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frabbitstack%2Ffibratus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frabbitstack%2Ffibratus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frabbitstack%2Ffibratus/lists"}