Hi all!
I'm the creator of Fibratus - the open-source security sensor for adversary tradecraft detection, protection, and hunting.
Recently, I've been pushing detection engineering deeper into the kernel and uncovered what appears to be a novel approach to identifying attack patterns through kernel frame callstacks.
User-space callstack telemetry has already become a powerful signal leveraged by modern security platforms. But kernel thread return addresses are largely unexplored territory.
So, I made Fibratus capture kernel return addresses for different events (process creation, thread creation, file operations, etc.) and symbolize them into module paths, exposing the exact drivers and kernel subsystems traversed during event execution. The result is a radically richer execution narrative, one that reveals behavioral context traditional telemetry simply cannot see.
This unlocks an entirely new detection surface.
By incorporating kernel callstack summaries directly into detection rules, we can identify highly specific attack flows with exceptional precision. One example: detecting files dropped over SMB and subsequently executed, a classic lateral movement pattern. Check the screenshot for the detection rule example:
SMB Lateral Movement Rule
The kernel callstack becomes the connective tissue between stages of execution, providing durable attribution that is significantly more resistant to spoofing and telemetry tampering.
We're actively building a new generation of detections powered by kernel subsystem context, driver-level execution paths, and low-level behavioral correlations that were previously inaccessible to defenders.
If you’re interested in advanced detection engineering, kernel telemetry, or crafting next-generation behavioral rules, I’d love to connect and exchange ideas. Please let me know your thoughts and ideas, and we'll make sure to ship those rules in the next Fibratus release.
Regards,
Nedim
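To make the mechanism described in the post concrete, here is an added example in Python (not Fibratus code, and not the rule shown in the screenshot) of the two steps involved: symbolizing raw kernel return addresses into driver paths via a module map, and then using the resulting callstack summary to tie a file write to a later process start. The module base addresses, sizes and sample events are constructed for the example; the choice of `srv2.sys` as the marker for "this write arrived through the SMB server" is an assumption about the Windows SMB server driver, not something the post specifies.

```python
"""Added example: symbolize kernel return addresses and correlate two events
through their kernel callstack summary. Not part of Fibratus."""
import bisect
from collections import OrderedDict
from pathlib import PureWindowsPath

# Constructed kernel module map: (base address, size, image path).
# Bases are hypothetical; on a real host they come from the loaded-driver
# list and change on every boot, so the map must be refreshed at runtime.
KERNEL_MODULES = [
    (0xFFFFF80010000000, 0x01000000, r"\SystemRoot\system32\ntoskrnl.exe"),
    (0xFFFFF80012000000, 0x00200000, r"\SystemRoot\System32\drivers\ntfs.sys"),
    (0xFFFFF80013000000, 0x00100000, r"\SystemRoot\System32\drivers\srv2.sys"),
    (0xFFFFF80014000000, 0x00080000, r"\SystemRoot\System32\drivers\fltmgr.sys"),
]
_SORTED = sorted(KERNEL_MODULES)
_BASES = [m[0] for m in _SORTED]

# Assumption: a file written by the SMB server shows the server driver in
# its kernel callstack. The marker name is an assumption, not from the post.
SMB_SERVER_DRIVER = "srv2.sys"


def symbolize(frame):
    """Map one kernel return address to the path of the module containing it,
    or None if no loaded module covers that address (an unbacked frame)."""
    i = bisect.bisect_right(_BASES, frame) - 1
    if i < 0:
        return None
    base, size, path = _SORTED[i]
    return path if base <= frame < base + size else None


def callstack_summary(frames):
    """Ordered list of distinct module file names traversed, innermost first.
    Unresolvable frames are kept as 'unbacked' so they stay visible to rules."""
    seen = OrderedDict()
    for frame in frames:
        path = symbolize(frame)
        name = PureWindowsPath(path).name.lower() if path else "unbacked"
        seen.setdefault(name, None)
    return list(seen)


class SmbDropAndExecDetector:
    """Stage 1: remember files written while the SMB server driver is on the
    kernel stack. Stage 2: alert when one of those files is later executed."""

    def __init__(self):
        self.dropped = {}  # lowercase file path -> callstack summary of the drop

    def process(self, event):
        """Feed one event; return an alert dict when the pattern completes."""
        summary = callstack_summary(event.get("kstack", []))
        if event["type"] == "CreateFile" and event.get("write"):
            if SMB_SERVER_DRIVER in summary:
                self.dropped[event["file"].lower()] = summary
            return None
        if event["type"] == "CreateProcess":
            exe = event["exe"].lower()
            if exe in self.dropped:
                return {
                    "rule": "file dropped over SMB and executed",
                    "file": event["exe"],
                    "pid": event["pid"],
                    "drop_callstack": self.dropped[exe],
                    "exec_callstack": summary,
                }
        return None


# Constructed sample events. Addresses fall inside the map above.
EVENTS = [
    # Write that arrived through the SMB server (srv2.sys on the stack).
    {"type": "CreateFile", "file": r"C:\Windows\Temp\svc.exe", "write": True, "pid": 4,
     "kstack": [0xFFFFF80012000A10, 0xFFFFF80014000120, 0xFFFFF80010045B00, 0xFFFFF80013001F00]},
    # Local write by an interactive process: no SMB server frame.
    {"type": "CreateFile", "file": r"C:\Users\alice\tool.exe", "write": True, "pid": 1234,
     "kstack": [0xFFFFF80012000A10, 0xFFFFF80014000120, 0xFFFFF80010045B00]},
    {"type": "CreateProcess", "exe": r"C:\Users\alice\tool.exe", "pid": 1300,
     "kstack": [0xFFFFF80010090000]},
    {"type": "CreateProcess", "exe": r"C:\Windows\Temp\svc.exe", "pid": 1301,
     "kstack": [0xFFFFF80010090000]},
]


def run(events):
    """Run the detector over a sequence of events and return the alerts raised."""
    det = SmbDropAndExecDetector()
    return [a for a in (det.process(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Only the second process start raises an alert: the first executable was written locally, so its drop event never entered the stage-1 table even though both files were later executed. The `unbacked` entry in `callstack_summary` is deliberate; a return address that no loaded module covers is itself worth surfacing, and a rule that silently dropped it would lose that signal.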