A modern tool for the Windows kernel exploration and tracing

Overview

Fibratus


A modern tool for the Windows kernel exploration and observability

What is Fibratus?

Fibratus is a tool for exploration and tracing of the Windows kernel. It lets you trap system-wide events such as process life-cycle, file system I/O, registry modifications or network requests, among many other observability signals. In a nutshell, Fibratus gives you deep operational visibility into the Windows kernel as well as into the processes running on top of it.

Events can be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensic analysis. The powerful filtering engine lets you drill into the innards of the event flow.

You can use filaments to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.

Features

  • blazing fast
  • 📡 collects a wide spectrum of kernel events - from process to network observability signals
  • 🔍 super powerful filtering engine
  • 🐍 running Python scriptlets on top of kernel event flow
  • 💽 capturing event flux to kcap files and replaying anywhere
  • 🚀 transporting events to Elasticsearch, RabbitMQ or console sinks
  • ✂️ transforming kernel events
  • 🐞 scanning malicious processes and files with Yara
  • 📁 PE (Portable Executable) introspection

Documentation


Setup

Events

Filters

Captures

Filaments

Outputs

Transformers

Alerts

PE (Portable Executable)

YARA

Troubleshooting


Developed with ❤️ by Nedim Šabić Šabić

Logo designed with ❤️ by Karina Slizova

Issues
  • how can i make it run?

    how can i make it run?

    Hello, after a lot of effort it's not running and I am exhausted. I have some questions that you may be able to help me with. 1- Is it possible to run it on Windows 2008 or 2012? 2- The portable version is not working on Windows 8.1 and I have lots of errors, so what should I do? 3- Should I turn off Windows or any related security product? 4- pip installing is not working; here is the error screenshot. 5- Do we need to change the Windows environment, like using test mode? 6- Can you make the program run as a service?

    Please make a video tutorial on installing it, or publish a virtual machine with the program installed.

    type: help wanted 
    opened by jjjan 32
  • Nuitka compiler error

    Nuitka compiler error

    When compiling with Nuitka I get an error (what should I do?). Thanks for the reply:

    E:\Python27\libs/libpython27.a(dmmes01026.o):(.idata$7+0x0): undefined reference to `_head_C__build27_cpython_PCBuild_libpython27_a'

    E:\Python27\libs/libpython27.a(dmmes00712.o):(.idata$7+0x0): undefined reference to `_head_C__build27_cpython_PCBuild_libpython27_a'

    E:\Python27\libs/libpython27.a(dmmes00245.o):(.idata$7+0x0): undefined reference to `_head_C__build27_cpython_PCBuild_libpython27_a'

    E:\Python27\libs/libpython27.a(dmmes00236.o):(.idata$7+0x0): undefined reference to `_head_C__build27_cpython_PCBuild_libpython27_a'

    E:\Python27\libs/libpython27.a(dmmes00648.o):(.idata$7+0x0): undefined reference to `_head_C__build27_cpython_PCBuild_libpython27_a'

    E:\Python27\libs/libpython27.a(dmmes00343.o):(.idata$7+0x0): more undefined references to `_head_C__build27_cpython_PCBuild_libpython27_a' follow

    collect2: ld returned 1 exit status

    g++: unrecognized option '-static-libstdc++'

    type: help wanted 
    opened by fuuddanni 16
  • Why there‘s no output?

    Why there‘s no output?

    I'm using Windows 10, Python34. I think I have strictly followed the installation steps, but it always stops without result output and any error info, as the following picture:


    By the way, I don't think the pyyaml warning has an impact on my problem, because using pyyaml==1.1.0 resolves the warning but there is still no output.

    type: bug 
    opened by Nimunru 11
  • Logging to elasticsearch errors using standalone installer

    Logging to elasticsearch errors using standalone installer

    Hi,

    Awesome tool, good work.

    I'm getting the error below while using the standalone installer and attempting to log network connections to elasticsearch.

    The command I used was fibratus run --filters Send Recv Connect Disconnect Reconnect

    Looking for suggestions. Thanks

    Traceback (most recent call last):
      File "kstream\kstreamc.pyx", line 324, in kstreamc.KEventStreamCollector._process_kevent (kstream\kstreamc.cpp:3341)
      File "fibratus\entrypoint.py", line 373, in _on_next_kevent
      File "fibratus\entrypoint.py", line 424, in _aggregate
      File "fibratus\output\aggregator.py", line 49, in aggregate
      File "fibratus\output\elasticsearch.py", line 56, in emit
    fibratus.errors.InvalidPayloadError: invalid payload for bulk indexing. list expected but <class 'dict'> found
    None
    Traceback (most recent call last):
      File "kstream\kstreamc.pyx", line 324, in kstreamc.KEventStreamCollector._process_kevent (kstream\kstreamc.cpp:3341)
      File "fibratus\entrypoint.py", line 373, in _on_next_kevent
      File "fibratus\entrypoint.py", line 424, in _aggregate
      File "fibratus\output\aggregator.py", line 49, in aggregate
      File "fibratus\output\elasticsearch.py", line 56, in emit
    fibratus.errors.InvalidPayloadError: invalid payload for bulk indexing. list expected but <class 'dict'> found
    None
    Traceback (most recent call last):
      File "kstream\kstreamc.pyx", line 324, in kstreamc.KEventStreamCollector._process_kevent (kstream\kstreamc.cpp:3341)
      File "fibratus\entrypoint.py", line 373, in _on_next_kevent
      File "fibratus\entrypoint.py", line 424, in _aggregate
      File "fibratus\output\aggregator.py", line 49, in aggregate
      File "fibratus\output\elasticsearch.py", line 56, in emit
    fibratus.errors.InvalidPayloadError: invalid payload for bulk indexing. list expected but <class 'dict'> found
    None
    
    
    type: help wanted 
    opened by DynaMc 10
  • Issue with connection.py in multiprocess module

    Issue with connection.py in multiprocess module

    Hi !

    I've installed everything to make Fibratus work in a 64-bit Windows 7 environment with Python 3.4.

    Anyway, when I try "fibratus run" I get the following error, for which I've found zero documentation:

    ImportError : Cannot import name 'WAIT_ABANDONED_0' (from the _winapi lib)

    Do you have an idea about how to solve that issue?

    Thanks a lot for your work !

    type: wontfix 
    opened by zorga 7
  • Subscribing other ETW events

    Subscribing other ETW events

    Hi @rabbitstack

    Is it possible to subscribe other ETW events via Fibratus?


    For example, I would like to subscribe to DNS client events, whose provider GUID is {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}. Does Fibratus support that today, or does it need to be implemented to support other event types?

    Thanks.

    scope: kevents 
    opened by yusufozturk 5
  • How I know which process execute the file operation?

    How I know which process execute the file operation?

    I'm new to Fibratus. I can get event data when using cmd to execute the "fibratus run > C:/1.txt" command. But the file events look like "303340 2021-09-28 17:18:20.9101198 +0800 CST - 0 . (4294967295) - ReadFile (file_name➜ C:\pagefile.sys, file_object➜ fffffa80028cb4a0, io_size➜ 16384, irp➜ fffffa80034b7a80, offset➜ 442601472, type➜ file)". I cannot relate this file event to the originating process. So what should I do?

    opened by AliefBIT 5
  • Avoid backslash line continuation, |=, simplify with or

    Avoid backslash line continuation, |=, simplify with or

    A space to the right of a backslash would break your script, yet it is invisible to the reader. |= shortens long lines and executes faster. The or keyword will gracefully deal with other falsey values such as: [], {}, 0, False, etc.

    opened by cclauss 5
  • Spec file not building a working executable

    Spec file not building a working executable

    Hello,

    I was able to run pyinstaller using the spec file to generate an executable. However, when I try to run the executable, only the help and version options work appropriately. When I try to run with any other options, the execution ends without displaying any output or error on the screen. I also tried building with the debug flag; the output is still not helpful.

    Please let me know if you know about the issue or any fix that you can recommend.

    Environment: Windows 7, VS 2015, Python 3.4.

    type: help wanted 
    opened by padcoder 4
  • Error when using registry_persistence_detection filament

    Error when using registry_persistence_detection filament

    When I use the registry_persistence_detection filament, I get the following error message: "ERROR: Fibratus: Unexpected filament error 'DotD' object has no attribute 'key'"

    This occurs when I execute a sample of Spora Ransomware: the program executes and writes a registry key, but Fibratus throws this error.

    type: bug 
    opened by dreadlocked 4
  • skips images in fibratus.yml do not work

    skips images in fibratus.yml do not work

    I put explorer.exe under skips images in fibratus.yml. When I start fibratus, I can see the output like "Fibratus: Adding skips for images ['explorer.exe',...]". However, from the traces, there are still lots of events generated by explorer.exe.

    type: bug 
    opened by jialongzhang 4
  • chore(deps): bump github.com/sirupsen/logrus from 1.4.1 to 1.9.0

    chore(deps): bump github.com/sirupsen/logrus from 1.4.1 to 1.9.0

    Bumps github.com/sirupsen/logrus from 1.4.1 to 1.9.0.

    Release notes

    Sourced from github.com/sirupsen/logrus's releases.

    v1.9.0

    No release notes provided.

    v1.8.1

    No release notes provided.

    v1.8.0

    Correct versioning number replacing v1.7.1

    v1.7.1

    Code quality:

    • use go 1.15 in travis
    • use magefile as task runner

    Fixes:

    • small fixes about new go 1.13 error formatting system
    • Fix for long time race condition with mutating data hooks

    Features:

    • build support for zos

    Add new BufferPool and LogFunction APIs

    • a new buffer pool management API has been added
    • a set of <LogLevel>Fn() functions have been added
    • the dependency toward a windows terminal library has been removed

    Release v1.6.0

    v1.5.0

    This new release introduces:

    • Ability to DisableHTMLEscape when using the JSON formatter: sirupsen/logrus#524
    • Support/fixes for go 1.14
    • Many many bugfixes

    v1.4.2

    No release notes provided.

    Changelog

    Sourced from github.com/sirupsen/logrus's changelog.

    1.8.1

    Code quality:

    • move magefile in its own subdir/submodule to remove magefile dependency on logrus consumer
    • improve timestamp format documentation

    Fixes:

    • fix race condition on logger hooks

    1.8.0

    Correct versioning number replacing v1.7.1.

    1.7.1

    Beware this release has introduced a new public API and its semver is therefore incorrect.

    Code quality:

    • use go 1.15 in travis
    • use magefile as task runner

    Fixes:

    • small fixes about new go 1.13 error formatting system
    • Fix for long time race condition with mutating data hooks

    Features:

    • build support for zos

    1.7.0

    Fixes:

    • the dependency toward a windows terminal library has been removed

    Features:

    • a new buffer pool management API has been added
    • a set of <LogLevel>Fn() functions have been added

    1.6.0

    Fixes:

    • end of line cleanup
    • revert the entry concurrency bug fix which leads to deadlock under some circumstances
    • update dependency on go-windows-terminal-sequences to fix a crash with go 1.14

    Features:

    • add an option to the TextFormatter to completely disable fields quoting

    1.5.0

    Code quality:

    • add golangci linter run on travis

    Fixes:

    ... (truncated)

    Commits
    • f8bf765 Merge pull request #1343 from sirupsen/dbd-upd-dep
    • ebc9029 update dependencies
    • 56c843c Merge pull request #1337 from izhakmo/fix-cve
    • 41b4ee6 update gopkg.in/yaml.v3 to v3.0.1
    • f98ed3e Merge pull request #1333 from nathanejohnson/bumpxsys
    • 2b8f60a bump version of golangci-lint
    • 0db10ef bump version of golang.org/x/sys dependency
    • 85981c0 Merge pull request #1263 from rubensayshi/fix-race
    • 79c5ab6 Merge pull request #1283 from sirupsen/dbd-log-doc
    • 5f8c666 Improve Log methods documentation
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    deps 
    opened by dependabot[bot] 0
  • chore(deps): bump github.com/spf13/viper from 1.6.2 to 1.12.0

    chore(deps): bump github.com/spf13/viper from 1.6.2 to 1.12.0

    Bumps github.com/spf13/viper from 1.6.2 to 1.12.0.

    Release notes

    Sourced from github.com/spf13/viper's releases.

    v1.12.0

    This release makes YAML v3 and TOML v2 the default versions used for encoding.

    You can switch back to the old versions by adding viper_yaml2 and viper_toml1 to the build tags.

    Please note that YAML v2 and TOML v1 are considered deprecated from this release and may be removed in a future release.

    Please provide feedback in discussions and report bugs on the issue tracker. Thanks!

    Full Changelog: https://github.com/spf13/viper/compare/v1.11.0...v1.12.0

    v1.11.0

    ... (truncated)

    Commits
    • 4322cf2 feat: make toml2 the default
    • 8d02999 feat: make yaml3 the default
    • 7c35aa9 chore(deps): update yaml3
    • 433821f feat: add etcd3 support to remote
    • 2080d43 chore: update crypt
    • da55858 chore: fix Error log calls in mergeMaps
    • f50ce90 Add in MustBindEnv.
    • 3b836e5 build(deps): bump github.com/subosito/gotenv from 1.2.0 to 1.3.0
    • 5d65186 build(deps): bump github.com/pelletier/go-toml/v2 from 2.0.0 to 2.0.1
    • 9f85518 build(deps): bump github.com/spf13/cast from 1.4.1 to 1.5.0
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    deps 
    opened by dependabot[bot] 0
  • chore(deps): bump github.com/olivere/elastic/v7 from 7.0.20 to 7.0.32

    chore(deps): bump github.com/olivere/elastic/v7 from 7.0.20 to 7.0.32

    Bumps github.com/olivere/elastic/v7 from 7.0.20 to 7.0.32.

    Release notes

    Sourced from github.com/olivere/elastic/v7's releases.

    Release 7.0.32

    • Update dependencies
    • Update CI to Go 1.17 and Go 1.18
    • Add tracer for OpenTelemetry
    • Add max_analyzed_offset to highlighter (#1591)
    • Fix all missing fields reported by strict decoder
    • Deprecate all methods reported as being deprecated
    • Make SeqNoAndPrimaryTerm the preferred function (#1593)
    • Update to ES 7.17.1
    • Fix PIT Search Recipe NewPointInTime Call (#1577)
    • Fix data stream timestamp field (#1570)

    See the 7.0.32 milestone and the changelog: https://github.com/olivere/elastic/compare/v7.0.31...v7.0.32

    Release 7.0.31

    • Redact URL in tracing transports (both OpenCensus as well as OpenTracing) (#1459)
    • Allow multiple inner hits in CollapseBuilder (#1553)
    • Add tests for Cluster Reroute API (#1560)
    • Add IntervalQueryRuleFuzzy (#1564)
    • Fix IntervalQueryRulePrefix (#1566)

    See the 7.0.31 milestone and the changelog: https://github.com/olivere/elastic/compare/v7.0.30...v7.0.31

    Release 7.0.30

    • Redact password from URL in logging (#1559)
    • Add Rank Feature Query (#1428)
    • Removed unsupported fields from Sampler aggregation (#1251)
    • Update Nodes Stats API to latest API (#1535)
    • Add max_docs parameter to DeleteByQuery API (#1537)
    • Fix prefix query with case insensitive setting (#1546)

    Full Changelog: https://github.com/olivere/elastic/compare/v7.0.29...v7.0.30

    Release 7.0.29

    • GeoBoundingBoxQuery now updated to latest release. It now e.g. supports Geo hashes and WKT (#1530).
    • Add support for XPack Rollup API (#1531)

    See here for details.

    Release 7.0.28

    This release fixes a number of bugs and adds some features added in recent versions.

    • Add runtime fields/mappings #1527
    • Allow Point In Time API without keep alive #1524

    See the 7.0.28 milestone for details.

    Release 7.0.25

    This release fixes a number of bugs and adds some features added in recent versions.

    ... (truncated)

    Commits
    • acdec24 Release 7.0.32
    • 69ec2cd Increase health check timeout on tests
    • 414af00 Increase sniffer timeout in tests
    • 7bcdab4 Skip flaky tests on Go 1.18
    • dd99ab5 Update recipes and add tracing by OpenTelemetry
    • 4d9e00c Update dependencies
    • 4ba3d45 Fix typo
    • e5be2e0 Update to latest two Go versions
    • 751f1dc Fix deprecations and missing fields
    • fa42b0c Add max_analyzed_offset to highlighter
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    deps 
    opened by dependabot[bot] 0
  • chore(deps): bump github.com/Microsoft/go-winio from 0.4.14 to 0.5.2

    chore(deps): bump github.com/Microsoft/go-winio from 0.4.14 to 0.5.2

    Bumps github.com/Microsoft/go-winio from 0.4.14 to 0.5.2.

    Release notes

    Sourced from github.com/Microsoft/go-winio's releases.

    v0.5.2

    Full Changelog: https://github.com/microsoft/go-winio/compare/v0.5.1...v0.5.2

    v0.5.1

    Full Changelog: https://github.com/microsoft/go-winio/compare/v0.5.0...v0.5.1

    v0.5.0

    • Added GetFileStandardInfo which returns information from the GetFileInformationByHandleEx syscall with FileStandardInfo specified.

    v0.4.20

    Full Changelog: https://github.com/microsoft/go-winio/compare/v0.4.19...v0.4.20

    v0.4.19

    • Temporarily reverted implementation of GetFileStandardInfo which returns information from the GetFileInformationByHandleEx syscall with FileStandardInfo specified to address moby/moby#42307

    v0.4.18

    • Added SeSecurityPrivilege constant.

    v0.4.17

    • Added build constraints to Windows specific files.
    • Fixed error handling for GetFileSystemType.
    • pkg/etw now supports setting a provider group ID.
    • Switched from os/exec to golang.org/x/sys/execabs for launching processes. This removes a generally unintended affect where the current directory would be searched for the binary to be launched.
    • Added GetFileStandardInfo which returns information from the GetFileInformationByHandleEx syscall with FileStandardInfo specified.

    v0.4.16

    • Added new bindings, functions, and exported all of the flags in the vhd package. This is to facilitate finer grained control in managing vhds.

    v0.4.15

    ... (truncated)

    Commits
    • dfd7da8 Merge pull request #231 from helsaawy/he/close
    • 0aa6c0a HvsockConn shutdown, and .IsClosed() function
    • 7689f4c Merge pull request #220 from ambarve/encode_functions
    • 7de02db Fix 'OpenVirtualDiskParameters' BOOL fields (#226)
    • 184126a backuptar: Export tar header parsing functions
    • 01a3671 Merge pull request #227 from bitgestalt/use_stdlib_errors
    • 568b5c2 Merge pull request #225 from bitgestalt/fix_test_empty_name
    • c4cf81c Replace github.com/pkg/errors with stdlib errors
    • 05c1e88 Fix TestLookupEmptyNameFails
    • 60c1574 Merge pull request #169 from dcormier/dc/guid
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    deps 
    opened by dependabot[bot] 0
  • Compute PE imphash

    Compute PE imphash

    Since we're gathering imported symbols via PE parsing, we could compute the import hash, most commonly referred to as imphash.

    We could simply adapt the pefile-go imphash logic to the existing code in fibratus by creating a new pkg/pe/imphash.go source file.

    It would be valuable to provide a config flag by which users could control the imphash calculation. Capture file marshaling logic needs adjustments in order to support the new Imphash field in PE metadata. Similarly, we should register a new filter field to allow building filter expressions such as pe.imphash = '2c26ec4a570a502ed3e8484295581989'.

    needs: docs needs: filters scope: pe 
    opened by rabbitstack 0
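The import-hash computation the issue above describes, written out as an added example. This is illustrative code for this page, not Fibratus's pkg/pe code nor pefile-go's; the Import type, the function names, and the sample import table are assumptions made for the example. It follows the common imphash convention (lower-cased DLL name with a .dll/.ocx/.sys suffix stripped, lower-cased function name or "ordN" for ordinal imports, entries joined with commas in import-table order, MD5 of the result) and goes slightly beyond the issue by handling ordinal-only imports, the empty-import-table edge case, and loading an on-disk PE's imports with the standard library.

```go
// Added example: computing a PE import hash (imphash) from parsed imports.
// Not Fibratus project code; the types and names below are assumptions.
package main

import (
	"crypto/md5"
	"debug/pe"
	"encoding/hex"
	"fmt"
	"strings"
)

// Import is one entry of a PE import table (assumed shape for this example).
type Import struct {
	DLL     string // e.g. "KERNEL32.dll"
	Name    string // function name; empty when imported by ordinal
	Ordinal uint16 // used only when Name is empty
}

// normalizeDLL lower-cases a library name and drops a .dll/.ocx/.sys suffix.
// Other suffixes (e.g. .exe) are kept, matching the usual imphash rules.
func normalizeDLL(dll string) string {
	d := strings.ToLower(dll)
	for _, ext := range []string{".dll", ".ocx", ".sys"} {
		if strings.HasSuffix(d, ext) {
			return strings.TrimSuffix(d, ext)
		}
	}
	return d
}

// ImphashString builds the comma-joined "dll.func" list that gets hashed.
// Import order matters: the same imports in a different order hash differently.
func ImphashString(imports []Import) string {
	parts := make([]string, 0, len(imports))
	for _, imp := range imports {
		fn := strings.ToLower(imp.Name)
		if fn == "" {
			fn = fmt.Sprintf("ord%d", imp.Ordinal) // ordinal-only import
		}
		parts = append(parts, normalizeDLL(imp.DLL)+"."+fn)
	}
	return strings.Join(parts, ",")
}

// Imphash returns the hex MD5 of the normalized import list, or "" when the
// PE has no imports, since hashing an empty list carries no information.
func Imphash(imports []Import) string {
	if len(imports) == 0 {
		return ""
	}
	sum := md5.Sum([]byte(ImphashString(imports)))
	return hex.EncodeToString(sum[:])
}

// ImportsFromFile reads the import table of an on-disk PE with debug/pe, which
// reports each symbol as "Func:DLL.dll". Note that debug/pe does not expose
// ordinal-only imports, so they will be absent from the result.
func ImportsFromFile(path string) ([]Import, error) {
	f, err := pe.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	syms, err := f.ImportedSymbols()
	if err != nil {
		return nil, err
	}
	imports := make([]Import, 0, len(syms))
	for _, s := range syms {
		i := strings.Index(s, ":")
		if i < 0 {
			continue
		}
		imports = append(imports, Import{DLL: s[i+1:], Name: s[:i]})
	}
	return imports, nil
}

// sampleImports is a constructed import table, not taken from any real binary.
var sampleImports = []Import{
	{DLL: "KERNEL32.dll", Name: "CreateFileW"},
	{DLL: "KERNEL32.dll", Name: "WriteFile"},
	{DLL: "ADVAPI32.dll", Name: "RegSetValueExW"},
	{DLL: "ws2_32.dll", Ordinal: 23}, // ordinal-only import
}

func main() {
	fmt.Println(ImphashString(sampleImports))
	fmt.Println("pe.imphash =", Imphash(sampleImports))
}
```

A filter such as pe.imphash = '...' would compare the string returned by Imphash; because the hash depends on import order and on the exact normalization rules, a value computed with a different convention (for instance one that keeps DLL suffixes) will not match hashes published by other tooling.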
  • Not enough Kparams are reported for some kernel events

    Not enough Kparams are reported for some kernel events

    Hi,

    When I read a file, I see duplicate file events (even though the seq numbers are different, the events are the same):

    Seq: 1350561
    Pid: 8632
    Tid: 19508
    Type: ReadFile
    CPU: 11
    Name: ReadFile
    Category: file
    Description: Reads data from the file or I/O device
    Host: DESKTOP-751NEI0,
    Timestamp: 2021-11-13 14:41:29.7629507 +0100 CET,
    Kparams: file_name➜ C:\test\yusufpapurcu.txt, file_object➜ ffffbb8962e90e90, io_size➜ 4096, irp➜ ffffbb896124ab78, offset➜ 0, type➜ file,
    Metadata: ,
    
    Pid:  8632
    Ppid: 8620
    Name: powershell.exe
    Comm: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    Exe:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Cwd:  C:\Users\Yusuf-I9\
    SID:  DESKTOP-751NEI0\Yusuf-I9
    Args: []
    Session ID: 1
    
    Seq: 1350563
    Pid: 8632
    Tid: 19508
    Type: ReadFile
    CPU: 11
    Name: ReadFile
    Category: file
    Description: Reads data from the file or I/O device
    Host: DESKTOP-751NEI0,
    Timestamp: 2021-11-13 14:41:29.7631256 +0100 CET,
    Kparams: file_name➜ C:\test\yusufpapurcu.txt, file_object➜ ffffbb8962e90e90, io_size➜ 4096, irp➜ ffffbb896124ab78, offset➜ 0, type➜ file,
    Metadata: ,
    
    Pid:  8632
    Ppid: 8620
    Name: powershell.exe
    Comm: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    Exe:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Cwd:  C:\Users\Yusuf-I9\
    SID:  DESKTOP-751NEI0\Yusuf-I9
    Args: []
    Session ID: 1
    

    Probably they are not duplicates and they have some more details that maybe we don't see here? Because if you look at these audit events in the Event Log, it gives you more details like "ReadAttributes", "ReadEA", "READ_CONTROL" etc.

    So I believe the first event was reading the ACL of the file, and the second one was reading the content of the file. But since there is no detail about the ACL etc., we see them as duplicate events. If we can see that the first event was actually reading the ACL of the file, we can skip that one to reduce the number of events.

    I hope I was able to explain it well :) Sorry if I wrote it in a difficult way.

    Thanks in advance.

    type: enhancement scope: kevents 
    opened by yusufozturk 16
Releases(v1.5.0)
  • v1.5.0(Apr 29, 2022)

  • v1.4.2(Dec 25, 2021)

  • v1.4.1(Sep 18, 2021)

  • v1.4.0(Aug 24, 2021)

    Release Notes

    Enhancements

    • add exe parameter to CreateThread events
    • add thread.pid filter field for matching the target thread's process id
    • case-insensitive variants of in, startswith, and endswith operators
    • upgrade Go toolchain to 1.16

    Bug fixes

    • inform about bad string escape in filter compile error messages
    • fix retrieving executable path for system processes
    fibratus-1.4.0-amd64.msi(17.43 MB)
    fibratus-1.4.0-slim-amd64.msi(5.81 MB)
  • v1.2.0(Apr 27, 2021)

    Release Notes

    New features

    • filament for identifying an executable or script file remotely downloaded via a TeamViewer transfer session
    • reverse DNS lookups
    • function support in filters and initial cidr_contains and md5 functions
    • dip.names and sip.names filter fields
    • unary not operator in filters
    • matches and imatches string matching operators
    • make the use of fields possible in both LHS/RHS filter expressions
    • full and slim MSI-based Windows installers

    Enhancements

    • introduce a new file.extension filter field
    • documentation website tweaking
    • make all string operators evaluable against lists
    • tests refactoring
    • satisfy all code linters
    • upgrade to the latest go-yara package
    • improvements in the handle interceptor when publishing deferred CreateHandle events
    • reduce the pressure on the TdhGetPropertySize API call for static parameter types
    • prettify fibratus version output
    • modularize and improve signal handling

    Bug fixes

    • circumvent data races in kcap reader/writer
    • prevent data races in the AMQP connection
    • yara scanner should allocate a new scanner for each run
    • fix RecvUDPv4 event type GUID
    • the handle interceptor should return the CloseHandle event when entering the deferred map
    fibratus-1.2.0-amd64.msi(17.41 MB)
    fibratus-1.2.0-slim-amd64.msi(5.89 MB)
  • 1.0.0(Dec 2, 2020)

  • v0.7.2(Jul 22, 2017)

  • v0.7.1(Apr 17, 2017)

  • v0.7.0(Mar 24, 2017)

  • v0.6.1(Mar 4, 2017)

    • support for RenameFile and SetFileInformation kernel events
    • pid and file_object fields in file system events
    • filament processing in thread context
    • several bug fixes
  • v0.6.0(Jan 22, 2017)

    • high performance GIL-free kernel event stream collector
    • image meta registry provides PE (Portable Executable) headers, sections, imports, file information, etc
    • streaming kernel events to multiple output sinks
    • switched to logbook for detailed startup logging info
  • v0.4.1(Nov 5, 2016)

  • v0.4.0(Nov 1, 2016)

    • per-pid process spying support (--pid command line flag)
    • excluding processes from the trace through the configuration file
    • ElasticSearch output adapter
    • performance improvements on the kernel stream collector
  • v0.3.0(Oct 1, 2016)

  • v0.2.3(Aug 20, 2016)

  • v0.2.0(Aug 20, 2016)

    • in process filament execution
    • streaming kernel events via output adapters (SMTP, AMQP)
    • writing to console using the standard Windows API
    • asciiart package
    • fixed landscape style violations and code smells
    • shipping new filaments
    • resolve filaments directory from environment variable
    • check for the kernel event filters when calling the process method on filament
    • initialize the kernel event params when hive or key does not satisfy the condition in RegSetValue or RegQueryValue
    • yaml configuration file parser
    • changed setup.py to install kstreamc to site-packages
    • --no-enum-handles to disable the system handles enumeration on startup
    • migrated from coveralls to codecov
    • added more unit tests
    • improved code coverage
    • code refactoring and comments
    • new logo
  • v0.1.0(May 28, 2016)

Owner
Nedim Šabić²