rabbitstack/fibratus
Fibratus

Adversary tradecraft detection, protection, and hunting
Get Started »

Docs   •  Rules   •  Filaments   •  Download   •  Discussions

Fibratus detects, protects, and eradicates advanced adversary tradecraft by scrutinizing and asserting a wide spectrum of system events against a behavior-driven rule engine and YARA memory scanner.

Events can also be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensics analysis. You can use filaments to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.

In a nutshell, the Fibratus mantra is defined by the pillars of realtime behavior detection, memory scanning, and forensics capabilities.

Installation

  • Download the latest MSI package and follow the UI wizard, or alternatively install via msiexec in silent mode:
$ msiexec /i fibratus-2.4.0-amd64.msi /qn

Quick start


  • spin up a command line prompt
  • list credentials from the vault by using the VaultCmd tool:
$ VaultCmd.exe /listcreds:"Windows Credentials" /all

The "Credential discovery via VaultCmd tool" rule should trigger and emit the alert to the Eventlog. Check the short demo here.
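The quick start above exercises a rule that fires on a VaultCmd credential listing. The following Python is an added illustration of the kind of assertion such a rule makes over a stream of process events; it is not Fibratus code and does not use the Fibratus rule or filament API. The event field names, the sample events, the rule name and the MITRE T1555.004 mapping are this example's own assumptions.

```python
"""Minimal illustration of the check a behaviour-driven rule engine asserts
on process events for the VaultCmd credential-listing pattern.
Added example, not Fibratus code. Event dicts use this example's own field
names (type, pid, image, cmdline), not Fibratus field names."""

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    cmdline: str
    technique: str


# MITRE ATT&CK mapping assumed for this example
# (Credentials from Password Stores: Windows Credential Manager).
VAULTCMD_TECHNIQUE = "T1555.004"


def _basename(path: str) -> str:
    """Return the file-name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_vaultcmd_credential_listing(event: dict) -> bool:
    """True when a process-creation event runs VaultCmd.exe with /listcreds.
    Matching on the image name plus a case-insensitive command-line
    substring mirrors what a detection rule typically asserts."""
    if event.get("type") != "CreateProcess":
        return False
    if _basename(event.get("image", "")) != "vaultcmd.exe":
        return False
    return "/listcreds" in event.get("cmdline", "").lower()


def evaluate(events: Iterable[dict]) -> list[Alert]:
    """Run the rule over an event stream and collect the resulting alerts."""
    alerts = []
    for ev in events:
        if is_vaultcmd_credential_listing(ev):
            alerts.append(Alert(
                rule="Credential discovery via VaultCmd tool",
                pid=ev["pid"],
                image=ev["image"],
                cmdline=ev["cmdline"],
                technique=VAULTCMD_TECHNIQUE,
            ))
    return alerts


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # the quick-start command: should trigger
    {"type": "CreateProcess", "pid": 4120,
     "image": r"C:\Windows\System32\VaultCmd.exe",
     "cmdline": r'VaultCmd.exe /listcreds:"Windows Credentials" /all'},
    # /list only enumerates vault names, not credentials: no alert
    {"type": "CreateProcess", "pid": 4121,
     "image": r"C:\Windows\System32\VaultCmd.exe",
     "cmdline": "VaultCmd.exe /list"},
    # keyword present but a different image: no alert
    {"type": "CreateProcess", "pid": 4122,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo /listcreds"},
    # right image and arguments but not a process-creation event: no alert
    {"type": "CreateFile", "pid": 4120,
     "image": r"C:\Windows\System32\VaultCmd.exe",
     "cmdline": r'VaultCmd.exe /listcreds:"Windows Credentials" /all'},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.rule}: pid={alert.pid} {alert.cmdline}")
```

Running the script yields exactly one alert, for pid 4120. A production rule would usually also cover a renamed copy of the binary (for example by checking PE metadata rather than only the file name) and would emit the alert to a sink such as the Eventlog, as the Fibratus rule in the quick start does.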

Documentation

To fully exploit and learn about Fibratus capabilities, read the docs.

Rules

Detection rules live in the rules directory of this repository. The CLI provides a set of commands to explore the rule catalog, validate the rules, or create a new rule from the template.

To describe all rules in the catalog, use the fibratus rules list command. It is possible to pass the -s flag to show a summary of the rules grouped by MITRE tactics and techniques.

Contributing

We love contributions. To start contributing to Fibratus, please read our contribution guidelines.

Code Signing Policy

Free code signing provided by SignPath.io, certificate by SignPath Foundation. All releases are automatically signed.


Developed with ❤️ by Nedim Šabić Šabić
