Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rabbitstack/fibratus

Adversary tradecraft detection, protection, and hunting
https://github.com/rabbitstack/fibratus

adversary blueteam edr etw golang instrumentation python security windows windows-kernel

Last synced: 2 days ago
JSON representation

Adversary tradecraft detection, protection, and hunting

Awesome Lists containing this project

README

        

---



Fibratus

Fibratus


Adversary tradecraft detection, protection, and hunting


Get Started »





Docs
  •  
Rules
  •  
Filaments
  •  
Download
  •  
Discussions

Fibratus detects, protects, and eradicates advanced adversary tradecraft by scrutinizing
and asserting a wide spectrum of system events against a behavior-driven [rule engine](https://www.fibratus.io/#/filters/rules) and [YARA](https://www.fibratus.io/#/yara/introduction) memory scanner.

Events can also be shipped to a wide array of [output sinks](https://www.fibratus.io/#/outputs/introduction) or dumped to [capture](https://www.fibratus.io/#/captures/introduction) files for local inspection and forensics analysis. You can use [filaments](https://www.fibratus.io/#/filaments/introduction) to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.

In a nutshell, the Fibratus mantra is defined by the pillars of **realtime behavior detection**, **memory scanning**, and **forensics** capabilities.

### Installation

- Download the latest [MSI package](https://github.com/rabbitstack/fibratus/releases) and follow the [UI](https://www.fibratus.io/#/setup/installation) wizard or
alternatively install via `msiexec` in silent mode

```
$ msiexec /i fibratus-2.3.0-amd64.msi /qn
```

### Quick start

---

- spin up a command line prompt
- list credentials from the vault by using the `VaultCmd` tool

```
$ VaultCmd.exe /listcreds:"Windows Credentials" /all
```

`Credential discovery via VaultCmd.exe` rule should trigger and emit the alert to the [Eventlog](https://www.fibratus.io/#/alerts/senders/eventlog). Check the short demo [here](https://www.fibratus.io/alerts/senders/images/eventlog.gif).

### Documentation

To fully exploit and learn about Fibratus capabilities, read the [docs](https://www.fibratus.io).

### Rules

Detection rules live in the [`rules`](/rules) directory of this repository. The CLI provides a set of
commands to explore the rule catalog, validate the rules, or [create a new rule](https://github.com/rabbitstack/fibratus/tree/master/rules#structure) from the template.

To describe all rules in the catalog, use the `fibratus rules list` command. It is possible to pass the
`-s` flag to show rules summary by MITRE tactics and techniques.

### Contributing

We love contributions. To start contributing to Fibratus, please read our [contribution guidelines](https://github.com/rabbitstack/fibratus/blob/master/CONTRIBUTING.md).

### Code Signing Policy

Free code signing provided by [SignPath.io], certificate by
[SignPath Foundation]. All releases are automatically signed.

[SignPath.io]: https://signpath.io
[SignPath Foundation]: https://signpath.org

---


Developed with ❤️ by Nedim Šabić Šabić



Logo designed with ❤️ by Karina Slizova