https://github.com/processust/etwmonitor

Windows notifier tool that detects suspicious connections by monitoring ETW event logs

# ETWMonitor

Windows notifier tool that detects suspicious connections by monitoring ETW event logs

Server dashboard screen:

(screenshot)

Crowdsec integration with IP address reputation:

(screenshot)

Suspicious loaded DLL by processes detection:

(screenshot)

## Changelog

Final version:

- Detection of suspicious DLLs loaded by processes

V 2.3:

- Crowdsec IP reputation integration (matches IP addresses seen in TCPIP logs)
- Alerts can be sent by email
- Statistics in the server dashboard rely on real data
- Fixed a bug that kept CPU usage above 90%

V 2.1:

- The client automatically updates its detection rules from an XML file on the server
- No recompilation required to create new rules

V 2.0:

- Client-server support
- Client agent launched at startup as a Windows service

V 1.1:

- Detect and notify WinRM connections

V 1.0:

- Detect and notify RDP, SMB and RPC connections


## What da fuck is this?

On Windows, ETW (Event Tracing for Windows) is a mechanism to trace and log events raised by user-mode applications and kernel-mode drivers.

ETWMonitor consumes these events in real time to detect suspicious network connections.


## Installation

- You can download the latest compiled version from the Release page

Also see the installation instructions here: INSTALLATION HOW TO.pdf


## Future improvements



No more improvements are planned for the moment.


## Maintainability

The desktop version is no longer maintained.

Only the client version will be maintained, so that it receives updates faster.

You can still port agent-version updates to the desktop version manually if needed.