Awesome
<p align="center" > <a href="https://www.fibratus.io" > <img src="logo.png" alt="Fibratus"> </a> </p> <h2 align="center">Fibratus</h2> <p align="center"> A modern tool for Windows kernel exploration and observability with a focus on security <br> <a href="https://www.fibratus.io/#/setup/installation"><strong>Get Started »</strong></a> <br> <br> <strong> <a href="https://www.fibratus.io">Docs</a> • <a href="https://github.com/rabbitstack/fibratus/tree/master/filaments">Filaments</a> • <a href="https://github.com/rabbitstack/fibratus/releases">Download</a> • <a href="https://github.com/rabbitstack/fibratus/discussions">Discussions</a> </strong> </p>
What is Fibratus?
Fibratus is a tool for exploration and tracing of the Windows kernel. It lets you trap system-wide events such as process life-cycle, file system I/O, registry modifications or network requests among many other observability signals. In a nutshell, Fibratus allows for gaining deep operational visibility into the Windows kernel but also processes running on top of it. It requires no drivers nor third-party software.
Events can be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensics analysis. The powerful filtering engine permits drilling into the event flux entrails and the rules engine is capable of detecting stealthy adversary attacks and sophisticated threats.
You can use filaments to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem
Quick start
Check the walkthrough on how to load and create detection rules.
- Observe Microsoft Outlook attachments creating on the file system
fibratus run file.operation = 'create' and file.name icontains '\\Content.Outlook\\'
- Hunt remote thread creations
fibratus run kevt.name = 'CreateThread' and kevt.pid != thread.pid
- Record network interactions to the capture file
fibratus capture kevt.category = 'net' -o conns.kcap
- Replay events from the capture
fibratus replay net.dport in (443, 80) -k conns.kcap
- Run the filament for watching file system changes
fibratus run -f watch_files
Features
- :zap: blazing fast
- :satellite: collects a wide spectrum of kernel events - from process to network observability signals
- :mag: super powerful filtering and rule engine
- :snake: running Python scriptlets on top of kernel event flow
- :minidisc: capturing event flux to kcap files and replaying anywhere
- :rocket: transporting events to Elasticsearch, RabbitMQ or console sinks
- :scissors: transforming kernel events
- :dart: scanning malicious processes and files with Yara
- :file_folder: PE (Portable Executable) introspection
Documentation
Setup
- Installation
- Building from source
- Running as standalone binary
- Running as Windows Service
- CLI
- Configuration
Events
Filters and Rules
Captures
Filaments
Outputs
Transformers
Alerts
PE (Portable Executable)
YARA
Troubleshooting
<p align="center"> Developed with ❤️ by <strong>Nedim Šabić Šabić</strong> </p> <p align="center"> Logo designed with ❤️ by <strong><a name="logo" target="_blank" href="https://github.com/karinkasweet/">Karina Slizova</a></strong> </p>