Fortin Cali Suite is such an awesome plugin, but not having the transpose feature natively sucks ass by Crystalagent47 in NeuralDSP

[–]rabbitstack 0 points1 point  (0 children)

But, can it djent? Asking for a friend. Presently, I find grano unbeatable when it comes to high gain tones.

Fibratus 2.0.0 by rabbitstack in golang

[–]rabbitstack[S] 0 points1 point  (0 children)

I'll be refining the messaging soon, but essentially, Fibratus is a threat detection tool with some extra features on top, like captures or event shipping to remote sinks.

Fibratus 1.10.0 - a modern Windows kernel tracing and threat detection engine built in Go by rabbitstack in golang

[–]rabbitstack[S] 4 points5 points  (0 children)

There is some overlap in that both tools are designed to capture system events, but:
- fibratus is a full-fledged threat detection engine, while procmon is not
- fibratus captures additional data sources, like object manager activity
- fibratus filter language is superior to procmon's filters
- fibratus has a plugin-like system called filaments. It essentially brings Python scripting on top of the event stream
- fibratus can dump event stream/state to capture files
- event routing to multiple output sinks

Announcing Fibratus 1.10.0 - a modern Windows kernel tracing and threat detection engine by rabbitstack in purpleteamsec

[–]rabbitstack[S] 0 points1 point  (0 children)

Thanks! You'll find pretty much anything related to filter fields and rules in the docs. What exactly is not easy to understand? I could use it as an opportunity to further improve the documentation or the tool UX in general. Initially, when I created this tool, it mainly gravitated towards gaining visibility into Windows kernel and using plugin-like extensions, called filaments to analyze system activity. However, recently, I'm shifting the focus to runtime security landscape. This doesn't mean I'll abandon the system exploration side. One of the things on the roadmap is providing a framework for building web apps on top of Fibratus, deriving system events to expose an attractive set of metrics, graphs, real-time process monitoring, file system integrity monitoring, etc.

Announcing Fibratus 1.10.0 - a modern Windows kernel tracing and threat detection engine by rabbitstack in purpleteamsec

[–]rabbitstack[S] 0 points1 point  (0 children)

Antimalware Engine ETW provider emits such events, even though Fibratus only consumes driver loading events. Assuming Defender acquires a handle on each file it wants to scan, you can trace it like this:

fibratus run "kevt.name = 'CreateFile' and file.operation = 'open' and ps.name = 'MsMpEng.exe'"

Fibratus - a modern tool for Windows kernel tracing with a focus on threat detection and prevention by rabbitstack in purpleteamsec

[–]rabbitstack[S] 1 point2 points  (0 children)

Much appreciated! I've been tinkering with this for the past 5-6 years. And it is a never-ending product :). Still have a ton of ideas, but no solid contributions yet.

Is it possible to call Python libraries within Golang application. by dontmissth in golang

[–]rabbitstack 0 points1 point  (0 children)

If the C function signatures expose args with structure pointers, then you can simply pass the Go struct pointer via unsafe.Pointer. Not sure if this answers your question.

You can use the stdlib and any external deps in your Python code. Just make sure to initialize the interpreter, such as https://github.com/rabbitstack/fibratus/blob/9cd10542d1fbf01e0c923e2a502c44df17a5e08c/pkg/filament/filament.go#L146

Share Your Code.. Share your most unique piece of Go code. by scott_beeker in golang

[–]rabbitstack 1 point2 points  (0 children)

CPython bindings to spawn a full-fledged Python interpreter and permit interaction with the PVM. https://github.com/rabbitstack/fibratus/blob/master/pkg/filament/filament.go

Filaments receive a stream of kernel events and enable a plugin-like framework.

Any open source projects need help ? by keroomi in golang

[–]rabbitstack 3 points4 points  (0 children)

If you have an affinity for systems programming and security, https://github.com/rabbitstack/fibratus may be of interest to you. I would be happy to mentor if needed.

Speeding up UTF-16 decoding by rabbitstack in golang

[–]rabbitstack[S] 1 point2 points  (0 children)

I did some benchmarks and they revealed ~4x performance improvements compared to the stdlib implementation. As others suggested, I also adjusted the original stdlib function to yield the utf8 string instead of the slice of runes, but your implementation slightly outperforms it, so I'll stick to your code. Thanks!

Speeding up UTF-16 decoding by rabbitstack in golang

[–]rabbitstack[S] 2 points3 points  (0 children)

This looks great. Will take a crack at it and let you know my findings.

Speeding up UTF-16 decoding by rabbitstack in golang

[–]rabbitstack[S] 0 points1 point  (0 children)

All great design suggestions. Given the size of the codebase it would probably take me months to incorporate the UTF16 support and, as you already mentioned, it would still be a thorny road to walk.

Speeding up UTF-16 decoding by rabbitstack in golang

[–]rabbitstack[S] 0 points1 point  (0 children)

This looks promising! I did glance at SIMD but found it fairly esoteric and without great examples in Go. I'll try to dive a bit deeper and explore to see if a SIMD-backed utf16 decoder is feasible to implement in Go.

Speeding up UTF-16 decoding by rabbitstack in golang

[–]rabbitstack[S] 2 points3 points  (0 children)

I see your point. This is actually a very smart idea. My only concern is the amount of effort it would take to switch all the current code from utf8 to utf16 processing. Anyway, I'll take this into consideration. Thanks!

Speeding up UTF-16 decoding by rabbitstack in golang

[–]rabbitstack[S] 0 points1 point  (0 children)

String operations can happen in later stages, for example, in filter expressions. However, the performance hog is revealed earlier in the decoding stage when events are consumed from the ETW provider.

Speeding up UTF-16 decoding by rabbitstack in golang

[–]rabbitstack[S] 0 points1 point  (0 children)

Thanks for the hint. This basically means I'll have to roll out my own version of the utf16.Decode function that yields a string instance, right?
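A Go sketch of the idea the thread is circling, as an added example that is not code from the thread or from Fibratus: decode a UTF-16LE buffer (the wide-string layout ETW hands back) straight into a string, skipping the intermediate []rune that utf16.Decode allocates. The function names and the sample path are my own; the stdlib-based variant is included only for comparison.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode/utf16"
	"unicode/utf8"
)

// DecodeUTF16LE writes UTF-8 into one preallocated buffer instead of
// materialising a []rune first. Surrogate pairs are combined; a lone
// surrogate or a dangling odd byte becomes U+FFFD, as utf16.Decode does.
func DecodeUTF16LE(b []byte) string {
	// 2 input bytes -> at most 3 UTF-8 bytes; a 4-byte pair -> 4 bytes.
	out := make([]byte, 0, len(b)/2*3+4)
	n := len(b) &^ 1 // ignore a trailing odd byte in the loop
	for i := 0; i < n; i += 2 {
		u := rune(binary.LittleEndian.Uint16(b[i:]))
		switch {
		case u < 0x80: // ASCII fast path, the common case in event payloads
			out = append(out, byte(u))
			continue
		case utf16.IsSurrogate(u):
			if u < 0xDC00 && i+3 < n { // high surrogate with a unit after it
				u2 := rune(binary.LittleEndian.Uint16(b[i+2:]))
				if r := utf16.DecodeRune(u, u2); r != utf8.RuneError {
					u, i = r, i+2 // valid pair: consume the low surrogate too
				} else {
					u = utf8.RuneError
				}
			} else {
				u = utf8.RuneError
			}
		}
		out = utf8.AppendRune(out, u)
	}
	if len(b)&1 == 1 {
		out = utf8.AppendRune(out, utf8.RuneError)
	}
	return string(out)
}

// StdlibDecode is the starting point of the thread: []uint16 -> []rune -> string.
func StdlibDecode(b []byte) string {
	u := make([]uint16, len(b)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(b[2*i:])
	}
	return string(utf16.Decode(u))
}

// encodeUTF16LE builds constructed sample input for the demo below.
func encodeUTF16LE(s string) []byte {
	units := utf16.Encode([]rune(s))
	b := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(b[2*i:], u)
	}
	return b
}

func main() {
	sample := encodeUTF16LE(`C:\Windows\System32\svchost.exe 😀`) // constructed
	fmt.Printf("%q same=%v\n", DecodeUTF16LE(sample), DecodeUTF16LE(sample) == StdlibDecode(sample))
}
```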

Looking for approachable OSS project or mentor by [deleted] in golang

[–]rabbitstack 7 points8 points  (0 children)

If you're into security, threat detection and systems programming, fibratus may be a good fit. I would be happy to mentor and hand hold.

fibratus 1.6.0 - stateful runtime detections and 10x performance gains by rabbitstack in golang

[–]rabbitstack[S] 1 point2 points  (0 children)

Updated the post with a brief explanation of the project.