Fibratus
Fibratus is a tool for exploration and tracing of the Windows kernel. It can capture most Windows kernel activity: process/thread creation and termination, file system I/O, registry, network activity, DLL loading/unloading and much more. Fibratus has a very simple CLI which encapsulates the machinery to start the kernel event stream collector, set kernel event filters, or run lightweight Python modules called filaments.
Adversary tradecraft detection, protection, and hunting
Get Started » | Docs • Rules • Filaments • Download • Discussions
Fibratus detects and eradicates advanced attacker tradecraft by scrutinizing and asserting a wide spectrum of system events against a behavior-driven rule engine and YARA memory scanner.
Events can be routed to a wide range of output sinks or written to capture files for local inspection and forensic analysis. With filaments, you can extend Fibratus with your own tooling and tap into the full power of the Python ecosystem.
In a nutshell, the Fibratus mantra is built on three pillars: real-time behavior detection, memory scanning, and forensics.
Installation and Quick start
For installation and quick start instructions, go here.
Contributing
We love contributions. To start contributing to Fibratus, please read our contribution guidelines.
Code Signing Policy
Free code signing provided by SignPath.io, certificate by SignPath Foundation. All releases are automatically signed.
Developed with ❤️ by Nedim Šabić Šabić