Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rabbitstack/fibratus
Adversary tradecraft detection, protection, and hunting
adversary blueteam edr etw golang instrumentation python security windows windows-kernel
Last synced: 2 days ago
- Host: GitHub
- URL: https://github.com/rabbitstack/fibratus
- Owner: rabbitstack
- License: other
- Created: 2016-03-25T11:28:46.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2024-10-27T16:19:12.000Z (about 2 months ago)
- Last Synced: 2024-10-29T15:34:27.515Z (about 1 month ago)
- Topics: adversary, blueteam, edr, etw, golang, instrumentation, python, security, windows, windows-kernel
- Language: Go
- Homepage: https://www.fibratus.io
- Size: 14 MB
- Stars: 2,209
- Watchers: 71
- Forks: 189
- Open Issues: 30
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE.MD
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
- awesome-ctf - Fibratus - Tool for exploration and tracing of the Windows kernel. (Forensics)
- go-awesome - Fibratus - Windows kernel exploit and tracking tool (Open source library / Security)
- awesome-hacking-lists - rabbitstack/fibratus - Adversary tradecraft detection, protection, and hunting (Go)
README
---
Fibratus
Adversary tradecraft detection, protection, and hunting
Get Started » Docs • Rules • Filaments • Download • Discussions
Fibratus detects, protects, and eradicates advanced adversary tradecraft by scrutinizing and asserting a wide spectrum of system events against a behavior-driven [rule engine](https://www.fibratus.io/#/filters/rules) and [YARA](https://www.fibratus.io/#/yara/introduction) memory scanner. Events can also be shipped to a wide array of [output sinks](https://www.fibratus.io/#/outputs/introduction) or dumped to [capture](https://www.fibratus.io/#/captures/introduction) files for local inspection and forensics analysis. You can use [filaments](https://www.fibratus.io/#/filaments/introduction) to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.

In a nutshell, the Fibratus mantra is defined by the pillars of **realtime behavior detection**, **memory scanning**, and **forensics** capabilities.
### Installation
- Download the latest [MSI package](https://github.com/rabbitstack/fibratus/releases) and follow the [UI](https://www.fibratus.io/#/setup/installation) wizard, or alternatively install via `msiexec` in silent mode:

```
$ msiexec /i fibratus-2.3.0-amd64.msi /qn
```

### Quick start
---
- spin up a command line prompt
- list credentials from the vault by using the `VaultCmd` tool:

```
$ VaultCmd.exe /listcreds:"Windows Credentials" /all
```

The `Credential discovery via VaultCmd.exe` rule should trigger and emit the alert to the [Eventlog](https://www.fibratus.io/#/alerts/senders/eventlog). Check the short demo [here](https://www.fibratus.io/alerts/senders/images/eventlog.gif).
### Documentation
To fully exploit and learn about Fibratus capabilities, read the [docs](https://www.fibratus.io).
### Rules
Detection rules live in the [`rules`](/rules) directory of this repository. The CLI provides a set of commands to explore the rule catalog, validate the rules, or [create a new rule](https://github.com/rabbitstack/fibratus/tree/master/rules#structure) from the template.

To describe all rules in the catalog, use the `fibratus rules list` command. It is possible to pass the `-s` flag to show a rules summary by MITRE tactics and techniques.

### Contributing
We love contributions. To start contributing to Fibratus, please read our [contribution guidelines](https://github.com/rabbitstack/fibratus/blob/master/CONTRIBUTING.md).
### Code Signing Policy
Free code signing provided by [SignPath.io], certificate by [SignPath Foundation]. All releases are automatically signed.

[SignPath.io]: https://signpath.io
[SignPath Foundation]: https://signpath.org

---
Developed with ❤️ by Nedim Šabić Šabić
Logo designed with ❤️ by Karina Slizova