ETWMonitor
Windows notifier tool that detects RDP, SMB and RPC connections by monitoring ETW event logs
Windows notifier tool that detects suspicious connections by monitoring ETW event logs
Server dashboard screen (screenshot):
CrowdSec integration with IP address reputation (screenshot):
Detection of suspicious DLLs loaded by processes (screenshot):
Changelog
Final version:
- Detection of DLLs loaded by processes
V 2.3:
- CrowdSec IP reputation integration (matches IP addresses seen in TCPIP logs)
- Alerts can be sent by email
- Statistics in the server dashboard rely on real data
- Fix for a bug that kept CPU usage above 90%
V 2.1:
- The client automatically updates its detection rules from an XML file defined on the server
- No more compilation required to create new rules
V 2.0:
- Client-server support
- Client agent launched at startup as a Windows service
V 1.1:
- Detect and notify WinRM connections
V 1.0:
- Detect and notify RDP, SMB and RPC connections
What da fuck is this?
On Windows, ETW (Event Tracing for Windows) is a mechanism to trace and log events raised
by user-mode applications and kernel-mode drivers.
ETWMonitor consumes these events in real time to detect suspicious network connections (RDP, SMB, RPC and WinRM).
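As an added illustration (not ETWMonitor's own code; the project's real XML rule schema and event fields are not shown here, so the ones below are assumed), this Python sketch shows the detection flow the tool describes: rules for RDP/SMB/RPC/WinRM are loaded from an XML file, inbound connection records are matched against them, allowlisted admin hosts are skipped, and a hit on a bad-reputation IP list (standing in for the CrowdSec lookup) raises the alert severity.

```python
import xml.etree.ElementTree as ET

# Constructed rule file in a hypothetical schema (assumption: ETWMonitor's real XML format differs).
RULES_XML = """<rules>
  <rule name="RDP"   port="3389"><allow>10.0.0.5</allow></rule>
  <rule name="SMB"   port="445"/>
  <rule name="RPC"   port="135"/>
  <rule name="WinRM" port="5985"/>
  <rule name="WinRM" port="5986"/>
</rules>"""

# Constructed sample records, shaped like inbound TCP connection events from a TCPIP trace.
SAMPLE_EVENTS = [
    {"local_port": 3389, "remote_ip": "10.0.0.5"},      # allowlisted admin workstation
    {"local_port": 3389, "remote_ip": "203.0.113.7"},   # unexpected RDP source
    {"local_port": 445,  "remote_ip": "10.0.0.23"},     # SMB from an internal host
    {"local_port": 443,  "remote_ip": "198.51.100.2"},  # no rule covers HTTPS
    {"local_port": 5986, "remote_ip": "192.0.2.9"},     # WinRM over HTTPS
]


def load_rules(xml_text):
    """Return {local_port: (rule_name, allowlisted_ips)} from the rule file."""
    rules = {}
    for rule in ET.fromstring(xml_text).findall("rule"):
        port = int(rule.get("port"))
        allow = {a.text.strip() for a in rule.findall("allow") if a.text}
        rules[port] = (rule.get("name"), allow)
    return rules


def match_events(events, rules, bad_ips=frozenset()):
    """Apply the rules to connection records; return one alert dict per suspicious connection."""
    alerts = []
    for ev in events:
        hit = rules.get(ev["local_port"])
        if hit is None:
            continue                      # port not covered by any rule
        name, allow = hit
        if ev["remote_ip"] in allow:
            continue                      # expected source, no notification
        severity = "high" if ev["remote_ip"] in bad_ips else "medium"
        alerts.append({"rule": name, "port": ev["local_port"],
                       "remote_ip": ev["remote_ip"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in match_events(SAMPLE_EVENTS, load_rules(RULES_XML), {"203.0.113.7"}):
        print(alert)
```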
Installation
- You can download the latest compiled version from the Releases page
See also the installation instructions in INSTALLATION HOW TO.pdf
Future improvements
No more improvements are planned for the moment.
Maintainability
The desktop version is no longer maintained.
Only the client version will be maintained, so that updates can ship faster.
You can still port agent version updates to the desktop version manually if needed.