
rabbitstack/fibratus

Adversary tradecraft detection, protection, and hunting


Top Related Projects

User interface for recording and managing ETW traces

A repository for using windows event forwarding for incident detection and response

Quick Overview

Fibratus is an open-source tool for Windows kernel exploration and tracing. It allows users to capture, analyze, and monitor various Windows kernel events, providing insights into system behavior, security incidents, and performance issues. Fibratus offers a powerful command-line interface and a Python API for advanced customization and integration.

Pros

  • Comprehensive kernel event tracing capabilities
  • Extensible architecture with support for custom filters and output formats
  • Lightweight and efficient, with minimal performance impact on the system
  • Active development and community support

Cons

  • Limited to Windows operating systems
  • Requires administrative privileges to run
  • Steep learning curve for advanced usage and customization
  • Documentation could be more extensive for some features

Code Examples

  1. Basic event capture using the command-line interface:

    fibratus run --filters "process.name = 'chrome.exe'"

This command captures events related to the Chrome browser process.

  2. Using the Python API to create a custom filter:

    from fibratus.filament import Filament

    class CustomFilter(Filament):
        def on_init(self):
            # Restrict the event stream to explorer.exe events coming from one thread.
            self.set_filter("process.name = 'explorer.exe' and thread.id = 1234")

        def on_event(self, event):
            # Called for every event that passes the filter above.
            print(f"Event: {event.name}, PID: {event.process.pid}")

This example creates a custom filter for events related to the Explorer process with a specific thread ID.

  3. Outputting events to a file in JSON format:

    fibratus run --output file://C:\output.json --format json

This command captures events and writes them to a JSON file.
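The filter expressions used in the examples above (a dotted field, an equality test, and conjunctions with "and") can be evaluated against JSON event records such as the ones the file output produces. The following Python block is an added example written for this page, not code from Fibratus: it implements a minimal evaluator for that expression shape (it also accepts "!=" and "or", which the examples above do not use) and runs it over constructed JSON-lines events. The event layout ("process.name", "process.pid", "thread.id") and the sample records are assumptions for illustration, not Fibratus's actual output schema.

```python
import json
import re
from typing import Any, Callable, Dict, List, Tuple

# Constructed JSON-lines events shaped after the fields used in the filter
# examples above; this is not real Fibratus output.
SAMPLE_JSON_LINES = """
{"name": "CreateProcess", "process": {"name": "chrome.exe", "pid": 4242}, "thread": {"id": 1}}
{"name": "CreateFile", "process": {"name": "explorer.exe", "pid": 1000}, "thread": {"id": 1234}}
{"name": "CreateFile", "process": {"name": "explorer.exe", "pid": 1000}, "thread": {"id": 77}}
{"name": "CreateThread", "process": {"name": "notepad.exe", "pid": 5150}, "thread": {"id": 9}}
"""

# One comparison: dotted field, = or !=, then a 'quoted string' or an integer.
_COMPARISON = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*(=|!=)\s*(?:'([^']*)'|(\d+))\s*$")

Comparison = Tuple[str, str, Any]


def lookup(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field such as process.name against a nested dict; None if absent."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_comparison(text: str) -> Comparison:
    match = _COMPARISON.match(text)
    if match is None:
        raise ValueError(f"unsupported comparison: {text!r}")
    field, op, str_value, int_value = match.groups()
    value: Any = str_value if str_value is not None else int(int_value)
    return field, op, value


def _holds(event: Dict[str, Any], comparison: Comparison) -> bool:
    field, op, expected = comparison
    actual = lookup(event, field)
    if isinstance(actual, str) and isinstance(expected, str):
        # Image names are case-insensitive on Windows, so compare them that way.
        equal = actual.lower() == expected.lower()
    else:
        equal = actual == expected
    return equal if op == "=" else not equal


def compile_filter(expression: str) -> Callable[[Dict[str, Any]], bool]:
    """Build a predicate from comparisons joined by 'and' / 'or'.

    'and' binds tighter than 'or'. Parentheses are not supported, and the
    keywords must not appear inside quoted values (enough for the examples above).
    """
    disjuncts: List[List[Comparison]] = [
        [parse_comparison(term) for term in re.split(r"\s+and\s+", clause)]
        for clause in re.split(r"\s+or\s+", expression.strip())
    ]

    def predicate(event: Dict[str, Any]) -> bool:
        return any(all(_holds(event, c) for c in conj) for conj in disjuncts)

    return predicate


def filter_events(expression: str, json_lines: str) -> List[Dict[str, Any]]:
    """Parse JSON-lines events and keep those matching the filter expression."""
    predicate = compile_filter(expression)
    events = [json.loads(line) for line in json_lines.splitlines() if line.strip()]
    return [event for event in events if predicate(event)]


if __name__ == "__main__":
    for expr in ("process.name = 'chrome.exe'",
                 "process.name = 'explorer.exe' and thread.id = 1234"):
        hits = filter_events(expr, SAMPLE_JSON_LINES)
        print(f"{expr!r}: {[e['name'] for e in hits]}")
```

Running the block prints the matching event names for the two filters from the examples above; the first keeps only the chrome.exe event, the second only the explorer.exe event from thread 1234. The case-insensitive string comparison matters in practice: a filter on 'notepad.exe' should not miss a process recorded as NOTEPAD.EXE.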

Getting Started

  1. Install Fibratus using pip:

    pip install fibratus

  2. Run Fibratus with administrative privileges:

    fibratus run

  3. Apply filters to capture specific events:

    fibratus run --filters "process.name = 'notepad.exe'"

  4. Explore more advanced features and customization options in the official documentation.

Competitor Comparisons

User interface for recording and managing ETW traces

Pros of UIforETW

  • User-friendly graphical interface for ETW tracing
  • Integrates well with Windows Performance Analyzer (WPA)
  • Supports a wide range of ETW providers and customizable tracing options

Cons of UIforETW

  • Limited to Windows operating systems
  • Requires more system resources due to its GUI nature
  • Less suitable for automated or scripted tracing scenarios

Code Comparison

UIforETW (C++):

    void CUIforETWDlg::OnBnClickedStarttracing()
    {
        // Button handler: start tracing on a worker thread, then refresh the dialog controls.
        StartTracingThread();
        UpdateEnabling();
    }

Fibratus (Python):

    def start_capture():
        # Open a kernel capture handle, start capturing, and let the context manager
        # release the handle; then refresh the UI.
        with KcapHandle() as handle:
            handle.start_capture()
        update_ui()

Key Differences

  • UIforETW focuses on GUI-based ETW tracing, while Fibratus is a command-line tool for kernel event capturing
  • UIforETW is Windows-specific, whereas Fibratus aims for cross-platform compatibility
  • Fibratus offers more programmatic control and integration possibilities due to its Python codebase
  • UIforETW provides better visualization and analysis tools through its integration with WPA

The two tools serve different use cases and audiences: UIforETW suits Windows developers and performance analysts, while Fibratus caters to security researchers and system administrators who want a lightweight, scriptable solution.

A repository for using windows event forwarding for incident detection and response

Pros of Windows Event Forwarding

  • Focused on Windows event forwarding and collection
  • Provides comprehensive documentation and deployment guides
  • Integrates well with existing Windows infrastructure

Cons of Windows Event Forwarding

  • Limited to Windows event logs only
  • Requires more complex setup and configuration
  • Less flexible for custom event types or non-Windows systems

Code Comparison

Windows Event Forwarding (WEF configuration example):

    <Subscription>
      <SubscriptionId>Security</SubscriptionId>
      <SubscriptionType>SourceInitiated</SubscriptionType>
      <ContentFormat>RenderedText</ContentFormat>
      <Heartbeat>86400</Heartbeat>
      <Query>
        <![CDATA[
          <QueryList>
            <Query Id="0">
              <Select Path="Security">*</Select>
            </Query>
          </QueryList>
        ]]>
      </Query>
    </Subscription>

Fibratus (Python code example):

    from fibratus.handle import HandleInfo
    from fibratus.kevent import KEvent
    from fibratus.apidefs.process import PROCESS_QUERY_INFORMATION

    # kfilter is assumed to be supplied by the filament runtime rather than imported;
    # it registers the decorated function as a kernel event filter callback.
    @kfilter
    def process_open_handle(ketype, kevent, **kwargs):
        # Report every file handle opened by any process.
        if ketype == 'CreateHandle' and kevent.handle_info.type == HandleInfo.FILE:
            print(f"Process {kevent.process.name} opened file: {kevent.handle_info.name}")

While Windows Event Forwarding focuses on collecting and forwarding Windows event logs, Fibratus provides a more flexible and programmable approach to Windows kernel monitoring. Fibratus allows for custom filtering and handling of various system events, making it more suitable for advanced monitoring and analysis scenarios.
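To make the comparison concrete on the WEF side, the following Python block, added here and not taken from either project, parses a subscription of the shape shown above and reports what each Select clause collects. A bare "*" forwards every record in the channel, which is what the example subscription does. The second subscription, narrowed to two event IDs, is a constructed variant for illustration; the event IDs and the XPath form are assumptions, not content from the WEF repository.

```python
import xml.etree.ElementTree as ET
from typing import Any, Dict

# Constructed subscription with the same shape as the WEF example above.
BROAD_SUBSCRIPTION = """<Subscription>
  <SubscriptionId>Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <ContentFormat>RenderedText</ContentFormat>
  <Heartbeat>86400</Heartbeat>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Security">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
</Subscription>"""

# Constructed variant: same subscription, but the Select is narrowed to two
# event IDs (logon and process creation) instead of the whole channel.
NARROW_SUBSCRIPTION = BROAD_SUBSCRIPTION.replace(
    '<Select Path="Security">*</Select>',
    '<Select Path="Security">*[System[(EventID=4624 or EventID=4688)]]</Select>',
)


def summarize_subscription(xml_text: str) -> Dict[str, Any]:
    """Parse a WEF subscription and report what each Select clause collects."""
    root = ET.fromstring(xml_text)
    # The <Query> element carries the QueryList as CDATA text, so parse it again.
    query_text = (root.findtext("Query") or "").strip()
    query_list = ET.fromstring(query_text)
    selects = [
        {"path": sel.get("Path"), "xpath": (sel.text or "").strip()}
        for sel in query_list.iter("Select")
    ]
    return {
        "id": root.findtext("SubscriptionId"),
        "type": root.findtext("SubscriptionType"),
        "format": root.findtext("ContentFormat"),
        "heartbeat": int(root.findtext("Heartbeat") or 0),
        "selects": selects,
        # A Select whose XPath is just "*" forwards every record in that channel.
        "wildcard_selects": sum(1 for s in selects if s["xpath"] == "*"),
    }


if __name__ == "__main__":
    for label, text in (("broad", BROAD_SUBSCRIPTION), ("narrow", NARROW_SUBSCRIPTION)):
        summary = summarize_subscription(text)
        print(label, summary["type"], summary["selects"], "wildcards:", summary["wildcard_selects"])
```

The wildcard count is the number a collector administrator cares about: a subscription with a wildcard Select on the Security channel forwards everything, so volume and collector load are set by the source hosts, whereas a narrowed XPath bounds what is forwarded before it leaves the source.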


README

Fibratus

Adversary tradecraft detection, protection, and hunting

Fibratus detects, protects, and eradicates advanced adversary tradecraft by scrutinizing and asserting a wide spectrum of system events against a behavior-driven rule engine and YARA memory scanner.

Events can also be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensics analysis. You can use filaments to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.

In a nutshell, the Fibratus mantra is defined by the pillars of realtime behavior detection, memory scanning, and forensics capabilities.

Installation

  • Download the latest MSI package and follow the UI wizard, or alternatively install via msiexec in silent mode:

    $ msiexec /i fibratus-2.3.0-amd64.msi /qn

Quick start

  • spin up a command line prompt
  • list credentials from the vault by using the VaultCmd tool:

    $ VaultCmd.exe /listcreds:"Windows Credentials" /all

The "Credential discovery via VaultCmd.exe" rule should trigger and emit the alert to the Event Log. Check the short demo here.

Documentation

To learn about the full range of Fibratus capabilities, read the docs.

Rules

Detection rules live in the rules directory of this repository. The CLI provides a set of commands to explore the rule catalog, validate the rules, or create a new rule from the template.

To list all rules in the catalog, use the fibratus rules list command. Pass the -s flag to show a summary of the rules grouped by MITRE tactics and techniques.

Contributing

We love contributions. To start contributing to Fibratus, please read our contribution guidelines.

Code Signing Policy

Free code signing provided by SignPath.io, certificate by SignPath Foundation. All releases are automatically signed.


Developed with ❤️ by Nedim Šabić Šabić

Logo designed with ❤️ by Karina Slizova