Fibratus
Adversary tradecraft detection, protection, and hunting

Get Started » • Docs • Rules • Filaments • Download • Discussions
Fibratus detects, protects against, and eradicates advanced adversary tradecraft by scrutinizing and asserting a wide spectrum of system events against a behavior-driven rule engine and a YARA memory scanner.
Events can also be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensic analysis. You can use filaments to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.
In a nutshell, the Fibratus mantra rests on three pillars: realtime behavior detection, memory scanning, and forensics capabilities.
Installation
- Download the latest MSI package and follow the UI wizard, or alternatively install via msiexec in silent mode:

```
$ msiexec /i fibratus-2.4.0-amd64.msi /qn
```
Quick start
1. Spin up a command line prompt.
2. List credentials from the vault by using the VaultCmd tool:

```
$ VaultCmd.exe /listcreds:"Windows Credentials" /all
```

The Credential discovery via VaultCmd tool rule should trigger and emit the alert to the Event Log. Check the short demo here.
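The quick start above is typed by hand; the following PowerShell script is an added example (not code from the Fibratus project or this README) that reproduces the trigger and then looks for the resulting alert. The page does not state which Windows log or provider Fibratus writes alerts to, so the script assumes the Application log with a provider named "Fibratus" and additionally matches the rule name in the event message, so it still finds the alert if that assumption is wrong.

```powershell
# Added example, not part of Fibratus. Assumptions (not stated on this page):
# alerts land in the Application log, provider/source name "Fibratus".
# The message filter on the rule name is the fallback if the provider differs.

$ruleName = 'Credential discovery via VaultCmd tool'
$start    = Get-Date

# Quick-start step 2: enumerate stored credentials with the built-in VaultCmd tool.
& "$env:SystemRoot\System32\VaultCmd.exe" /listcreds:"Windows Credentials" /all | Out-Null

# Give the rule engine a moment to evaluate the process event and emit the alert.
Start-Sleep -Seconds 5

# Only look at events written since we started, to avoid picking up older alerts.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $start } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'Fibratus' -or $_.Message -like "*$ruleName*" }

if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Id, Message | Format-List
} else {
    Write-Warning ("No alert for '{0}' found in the Application log since {1}. " -f $ruleName, $start) +
        'Check that the Fibratus service is running and that the eventlog alert sender is enabled.'
}
```

Run it from an elevated PowerShell session after installing Fibratus; `-ErrorAction SilentlyContinue` suppresses the "No events were found" error that `Get-WinEvent` raises when the time window is empty, so the warning branch handles that case explicitly.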
Documentation
To learn about and make full use of Fibratus capabilities, read the docs.
Rules
Detection rules live in the rules directory of this repository. The CLI provides a set of commands to explore the rule catalog, validate the rules, or create a new rule from the template.

To describe all rules in the catalog, use the fibratus rules list command. Pass the -s flag to show a summary of the rules by MITRE tactics and techniques.
Contributing
We love contributions. To start contributing to Fibratus, please read our contribution guidelines.
Code Signing Policy
Free code signing provided by SignPath.io, certificate by
SignPath Foundation. All releases are automatically signed.
Developed with ❤️ by Nedim Šabić Šabić
Tool Information
Author: rabbitstack
Project Added On: May 26, 2025
License: Open Source