Fibratus

Fibratus is a tool for exploration and tracing of the Windows kernel. It is able to capture most of the Windows kernel activity.

Adversary tradecraft detection, protection, and hunting


Description


Fibratus detects, protects, and eradicates advanced adversary tradecraft by scrutinizing and asserting a wide spectrum of system events against a behavior-driven rule engine and YARA memory scanner.

Events can also be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensics analysis. You can use filaments to extend Fibratus with your own arsenal of tools and leverage the power of the Python ecosystem.


Capabilities


  • Realtime behavior detection
  • Memory scanning
  • Forensics capabilities

Installation


Download the latest MSI package and follow the UI wizard or install via msiexec in silent mode:

$ msiexec /i fibratus-2.3.0-amd64.msi /qn

Quick Start


  • Spin up a command line prompt
  • List credentials from the vault by using the VaultCmd tool
$ VaultCmd.exe /listcreds:"Windows Credentials" /all
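As an added illustration of the behavior-driven idea described above (asserting system events against rules) and of the detection the Quick Start command is meant to trigger, the following Python script is not code from Fibratus or its author. It asserts constructed process-creation events against a small rule set in a stand-alone matcher. The field names (evt.name, ps.pid, ps.name, ps.cmdline, ps.parent.name) are modelled on Fibratus filter fields, but the event schema, the rule shape and the sample events are assumptions made for this example; Fibratus's own rules are defined in its rule files, not in Python.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# An event is a flat mapping of field name -> value. Field names are modelled
# on Fibratus filter fields (ps.name, ps.cmdline, ...); this flat schema is an
# assumption for the example, not the Fibratus event schema.
Event = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """A behavior rule: a human-readable name plus a predicate over one event."""
    name: str
    condition: Callable[[Event], bool]


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans
    together and stripping the quotes (a simplified CommandLineToArgvW).
    Backslashes are left untouched so paths survive intact."""
    tokens: List[str] = []
    cur: List[str] = []
    quoted = False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def switches(cmdline: str) -> List[str]:
    """Return the lower-cased switch tokens of a command line with any ':value'
    suffix stripped, e.g. '/listcreds:"Windows Credentials"' -> '/listcreds'."""
    return [
        tok.split(":", 1)[0].lower()
        for tok in split_cmdline(cmdline)
        if tok.startswith("/") or tok.startswith("-")
    ]


def vaultcmd_listcreds(evt: Event) -> bool:
    """Matches the Quick Start command: VaultCmd.exe enumerating stored credentials.
    Matching on the parsed switch (not a raw substring) keeps 'VaultCmd.exe /list',
    which only lists vaults, from firing the rule."""
    return (
        evt.get("evt.name") == "CreateProcess"
        and str(evt.get("ps.name", "")).lower() == "vaultcmd.exe"
        and "/listcreds" in switches(str(evt.get("ps.cmdline", "")))
    )


RULES: List[Rule] = [
    Rule(name="Credential discovery via VaultCmd", condition=vaultcmd_listcreds),
]


def evaluate(events: List[Event], rules: List[Rule] = RULES) -> List[Dict[str, object]]:
    """Assert every event against every rule; return one alert per match."""
    alerts: List[Dict[str, object]] = []
    for evt in events:
        for rule in rules:
            if rule.condition(evt):
                alerts.append({
                    "rule": rule.name,
                    "ps.pid": evt.get("ps.pid"),
                    "ps.cmdline": evt.get("ps.cmdline"),
                    "ps.parent.name": evt.get("ps.parent.name"),
                })
    return alerts


# Constructed sample events (not captured telemetry): a benign process, a
# VaultCmd invocation that only lists vaults, and the Quick Start command.
SAMPLE_EVENTS: List[Event] = [
    {"evt.name": "CreateProcess", "ps.pid": 4120, "ps.name": "notepad.exe",
     "ps.cmdline": r"C:\Windows\System32\notepad.exe", "ps.parent.name": "explorer.exe"},
    {"evt.name": "CreateProcess", "ps.pid": 4388, "ps.name": "VaultCmd.exe",
     "ps.cmdline": "VaultCmd.exe /list", "ps.parent.name": "cmd.exe"},
    {"evt.name": "CreateProcess", "ps.pid": 4402, "ps.name": "VaultCmd.exe",
     "ps.cmdline": 'VaultCmd.exe /listcreds:"Windows Credentials" /all',
     "ps.parent.name": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints a single alert, for the process with pid 4402. The design point is that the rule inspects a parsed switch rather than a raw substring of the command line, so a quoted argument containing spaces, or a different VaultCmd switch, does not produce a false match.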

Documentation


To learn about and make full use of Fibratus capabilities, read the documentation.


Rules


Detection rules live in the rules directory of this repository. The CLI provides a set of commands to explore the rule catalog, validate the rules, or create a new rule from the template.


Contributing


We love contributions. To start contributing to Fibratus, please read our contribution guidelines.


Code Signing Policy


Free code signing provided by SignPath.io, certificate by SignPath Foundation. All releases are automatically signed.

Developed with ❤️ by Nedim Šabić Šabić. Logo designed with ❤️ by Karina Slizova.

Visit the Fibratus website