Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rabbitstack/fibratus
A modern tool for Windows kernel exploration and tracing with a focus on security
edr golang instrumentation python security windows windows-kernel
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/rabbitstack/fibratus
- Owner: rabbitstack
- License: other
- Created: 2016-03-25T11:28:46.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2024-03-26T18:09:18.000Z (3 months ago)
- Last Synced: 2024-03-26T23:44:29.890Z (3 months ago)
- Topics: edr, golang, instrumentation, python, security, windows, windows-kernel
- Language: Go
- Homepage: https://www.fibratus.io
- Size: 13.6 MB
- Stars: 2,065
- Watchers: 72
- Forks: 180
- Open Issues: 32
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE.MD
- Code of conduct: CODE_OF_CONDUCT.md
Lists
- awesome-pentest - Fibratus - Tool for exploration and tracing of the Windows kernel. (Windows Utilities / Web Exploitation Books)
- awesome-hacking-lists - fibratus - A modern tool for the Windows kernel exploration and tracing (Go (531))
- awesome-pentest - Fibratus - Tool for exploration and tracing of the Windows kernel (Awesome Penetration Testing ("https://github.com/Muhammd/Awesome-Pentest") / Tools)
- awesome-security - Fibratus - Fibratus is a tool for exploration and tracing of the Windows kernel. It is able to capture the most of the Windows kernel activity - process/thread creation and termination, file system I/O, registry, network activity, DLL loading/unloading and much more. Fibratus has a very simple CLI which encapsulates the machinery to start the kernel event stream collector, set kernel event filters or run the lightweight Python modules called filaments. (Network / Monitoring / Logging)
- awesome-ctf - Fibratus - Tool for exploration and tracing of the Windows kernel. (Forensics)
- awesome-incident-response - Fibratus - Tool for exploration and tracing of the Windows kernel. (IR Tools Collection / Windows Evidence Collection)
- awesome-honeypots - Fibratus - Tool for exploration and tracing of the Windows kernel. (Honeypots)
- awesome-malware-analysis - Fibratus - Tool for exploration (Debugging and Reverse Engineering / Other Resources)
- my-awesome-stars - fibratus
- awesome-reverse-engineering - **510** stars
- awesome-stars - fibratus
- awesome - fibratus - A modern tool for the Windows kernel exploration and tracing (Detector)
- go-awesome - Fibratus - Windows kernel exploitation and tracing tool (Open-source libraries / Security)
- paralax-awesome-honeypots - Fibratus - tool for exploration and tracing of the Windows kernel. (Honeypots)
- awesome-incident-response - Fibratus - tool for exploration and tracing of the Windows kernel (IR tools Collection / Windows Evidence Collection)
- paralax-awesome-malware-analysis - Fibratus - Tool for exploration (Debugging and Reverse Engineering / Other Resources)
- awesome-pentest-resource - Fibratus - Tool for exploration and tracing of the Windows kernel. (Windows Utilities / Web Exploitation Books)
- awesome-penetest - Fibratus - Tool for exploration and tracing of the Windows kernel. (Windows Utilities / Web Exploitation Books)
- awesome-pentest - Fibratus - Tool for exploration and tracing of the Windows kernel. (Tools / Windows Utilities)
- awesome-incident-response - Fibratus - Tool for exploration and tracing of the Windows kernel. (IR tools Collection / Windows Evidence Collection)
- awesome-malware-analysis- - Fibratus - Tool for exploration (Debugging and Reverse Engineering / Other Resources)
- awesome-pentest - Fibratus - Tool for exploration and tracing of the Windows kernel. (Windows Utilities / Penetration Testing Report Templates)
- awesome-pentest-listas - Fibratus - Tool for exploration and tracing of the Windows kernel. (Tools / Windows Utilities)
- awesome_security - Fibratus - Fibratus is a tool for exploration and tracing of the Windows kernel. It is able to capture the most of the Windows kernel activity - process/thread creation and termination, file system I/O, registry, network activity, DLL loading/unloading and much more. Fibratus has a very simple CLI which encapsulates the machinery to start the kernel event stream collector, set kernel event filters or run the lightweight Python modules called filaments. (Network / Monitoring / Logging)
- awesome-csirt - fibratus
- awesome-CTF - Fibratus - Tool for exploration and tracing of the Windows kernel (Forensics)
- paralax-awesome-pentest - Fibratus - Tool for exploration and tracing of the Windows kernel. (Tools / Windows Utilities)
- awesome-stars - rabbitstack/fibratus - A modern tool for Windows kernel exploration and tracing with a focus on security (windows)
- awesome-pentest-1 - Fibratus - Tool for exploration and tracing of the Windows kernel (Awesome Penetration Testing ("https://github.com/Muhammd/Awesome-Pentest") / Tools)
- -awesome-honeypots- - Fibratus - Tool for exploration and tracing of the Windows kernel. (Honeypots)
- go-awesome - Fibratus - Windows kernel exploit and tracking tool (Open source library / Security)
- awesome-hacking-lists - fibratus - Tool for exploration and tracing of the Windows kernel (Python)
- awesome-hacking-lists - rabbitstack/fibratus - A modern tool for Windows kernel exploration and tracing with a focus on security (Go)
- fucking-awesome-honeypots - Fibratus - Tool for exploration and tracing of the Windows kernel. (Honeypots)
- fucking-awesome-malware-analysis - Fibratus - Tool for exploration (Debugging and Reverse Engineering / Other Resources)
- venom - `Fibratus` - Tool for exploration and tracing of the Windows kernel. (Operating Systems / Windows)
- fucking-awesome-pentest - Fibratus - Tool for exploration and tracing of the Windows kernel. (Windows Utilities / Web Exploitation Books)
- fucking-awesome-incident-response - Fibratus - Tool for exploration and tracing of the Windows kernel. (IR Tools Collection / Windows Evidence Collection)
README
---
Fibratus
A modern tool for Windows kernel exploration and observability with a focus on security
### What is Fibratus?
Fibratus is a tool for exploration and tracing of the **Windows** kernel. It lets you trap system-wide [events](https://www.fibratus.io/#/kevents/anatomy) such as process life-cycle, file system I/O, registry modifications or network requests, among many other observability signals. In a nutshell, Fibratus gives you deep operational visibility into the Windows kernel and also into the processes running on top of it. It requires neither drivers nor third-party software.
Events can be shipped to a wide array of [output sinks](https://www.fibratus.io/#/outputs/introduction) or dumped to [capture](https://www.fibratus.io/#/captures/introduction) files for local inspection and forensic analysis. The powerful [filtering](https://www.fibratus.io/#/filters/introduction) engine permits drilling into the entrails of the event flux, and the [rules engine](https://www.fibratus.io/#/filters/rules) is capable of detecting stealthy adversary attacks and sophisticated threats.
You can use [filaments](https://www.fibratus.io/#/filaments/introduction) to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.
### Quick start
Check the [walkthrough](https://www.fibratus.io/#/filters/rules?id=loading-rules) on how to load and create detection rules.
- Observe Microsoft Outlook attachments being created on the file system
```
fibratus run file.operation = 'create' and file.name icontains '\\Content.Outlook\\'
```
- Hunt remote thread creations
```
fibratus run kevt.name = 'CreateThread' and kevt.pid != thread.pid
```
- Record network interactions to a capture file
```
fibratus capture kevt.category = 'net' -o conns.kcap
```
- Replay events from the capture
```
fibratus replay net.dport in (443, 80) -k conns.kcap
```
- Run the filament that watches file system changes
```
fibratus run -f watch_files
```
### Features
- :zap: blazing fast
- :satellite: collects a wide spectrum of kernel events - from process to network observability signals
- :mag: super powerful filtering and rule engine
- :snake: running Python scriptlets on top of kernel event flow
- :minidisc: capturing event flux to **kcap** files and replaying anywhere
- :rocket: transporting events to Elasticsearch, RabbitMQ or console sinks
- :scissors: transforming kernel events
- :dart: scanning malicious processes and files with Yara
- :file_folder: PE (Portable Executable) introspection
### [Documentation](https://www.fibratus.io)
---
### Setup
* [**Installation**](https://www.fibratus.io/#/setup/installation)
* [**Building from source**](https://www.fibratus.io/#/setup/installation?id=building-from-source)
* [**Running as standalone binary**](https://www.fibratus.io/#/setup/running?id=standalone-binary)
* [**Running as Windows Service**](https://www.fibratus.io/#/setup/running?id=windows-service)
* [**CLI**](https://www.fibratus.io/#/setup/running?id=cli)
* [**Configuration**](https://www.fibratus.io/#/setup/configuration)
### Events
* [**Anatomy of an event**](https://www.fibratus.io/#/kevents/anatomy)
* [**Process**](https://www.fibratus.io/#/kevents/process)
* [**Thread**](https://www.fibratus.io/#/kevents/thread)
* [**Image**](https://www.fibratus.io/#/kevents/image)
* [**File**](https://www.fibratus.io/#/kevents/file)
* [**Registry**](https://www.fibratus.io/#/kevents/registry)
* [**Network**](https://www.fibratus.io/#/kevents/network)
* [**Handle**](https://www.fibratus.io/#/kevents/handle)
### Filters and Rules
* [**Needle in the haystack**](https://www.fibratus.io/#/filters/introduction)
* [**Prefiltering**](https://www.fibratus.io/#/filters/prefiltering)
* [**Filtering**](https://www.fibratus.io/#/filters/filtering)
* [**Operators**](https://www.fibratus.io/#/filters/operators)
* [**Functions**](https://www.fibratus.io/#/filters/functions)
* [**Paths**](https://www.fibratus.io/#/filters/paths)
* [**Fields**](https://www.fibratus.io/#/filters/fields)
* [**Rules**](https://www.fibratus.io/#/filters/rules)
### Captures
* [**Immortalizing the event flux**](https://www.fibratus.io/#/captures/introduction)
* [**Capturing**](https://www.fibratus.io/#/captures/capturing)
* [**Replaying**](https://www.fibratus.io/#/captures/replaying)
### Filaments
* [**Python meets kernel events**](https://www.fibratus.io/#/filaments/introduction)
* [**Executing**](https://www.fibratus.io/#/filaments/executing)
* [**Internals**](https://www.fibratus.io/#/filaments/internals)
* [**Writing filaments**](https://www.fibratus.io/#/filaments/writing)
### Outputs
* [**Transporting kernel events**](https://www.fibratus.io/#/outputs/introduction)
* [**Console**](https://www.fibratus.io/#/outputs/console)
* [**Null**](https://www.fibratus.io/#/outputs/null)
* [**RabbitMQ**](https://www.fibratus.io/#/outputs/rabbitmq)
* [**Elasticsearch**](https://www.fibratus.io/#/outputs/elasticsearch)
* [**Eventlog**](https://www.fibratus.io/#/outputs/eventlog)
* [**HTTP**](https://www.fibratus.io/#/outputs/http)
### Transformers
* [**Parsing, enriching, transforming**](https://www.fibratus.io/#/transformers/introduction)
* [**Remove**](https://www.fibratus.io/#/transformers/remove)
* [**Rename**](https://www.fibratus.io/#/transformers/rename)
* [**Replace**](https://www.fibratus.io/#/transformers/replace)
* [**Tags**](https://www.fibratus.io/#/transformers/tags)
* [**Trim**](https://www.fibratus.io/#/transformers/trim)
### Alerts
* [**Watchdogging kernel events**](https://www.fibratus.io/#/alerts/introduction)
* [**Mail**](https://www.fibratus.io/#/alerts/senders/mail)
* [**Slack**](https://www.fibratus.io/#/alerts/senders/slack)
* [**Filament alerting**](https://www.fibratus.io/#/alerts/filaments)
### PE (Portable Executable)
* [**Portable Executable introspection**](https://www.fibratus.io/#/pe/introduction)
* [**Sections**](https://www.fibratus.io/#/pe/sections)
* [**Symbols**](https://www.fibratus.io/#/pe/symbols)
* [**Resources**](https://www.fibratus.io/#/pe/resources)
### YARA
* [**Pattern matching swiss knife**](https://www.fibratus.io/#/yara/introduction)
* [**Scanning processes**](https://www.fibratus.io/#/yara/scanning)
* [**Alerts**](https://www.fibratus.io/#/yara/alerts)
### Troubleshooting
* [**Logs**](https://www.fibratus.io/#/troubleshooting/logs)
* [**Stats**](https://www.fibratus.io/#/troubleshooting/stats)
* [**Profiling**](https://www.fibratus.io/#/troubleshooting/pprof)
---
Developed with ❤️ by Nedim Šabić Šabić
Logo designed with ❤️ by Karina Slizova