
A modern tool for Windows kernel exploration and tracing with a focus on security

Results 65 fibratus issues

### Description

In stringent security environments, it might be desirable to encrypt all the capture data including processes, handles, and, of course, kernel events. For this purpose, the `cap` configuration...

needs: docs
needs: config
scope: capture

This can be accomplished by creating the event object via the `CreateEvent` API call. If it results in `ERROR_ALREADY_EXISTS` error code then we forbid spinning up a new instance. Otherwise,...

scope: cli

We should supervise the status of the `NT Kernel Logger` ETW session periodically. Some threat actors might sweep and end all running ETW sessions on the machine. If the NT...

scope: events

### Description

It might be useful to automatically upload the capture file to the [S3](https://aws.amazon.com/s3/) bucket. For this purpose, the CLI should get an additional flag that would indicate whether...

needs: docs
needs: config
scope: capture

The command should launch the default editor and open the fibratus `.yml` configuration file.

needs: docs
scope: cli

This transformer should be in charge of encoding the event params by using the specific data encoding algorithm. Users should be able to choose between `hex`, `base64`, and maybe `asn1`...

needs: docs
needs: config
scope: transformers

### Description

Fibratus already knows how to parse the [PE](https://www.fibratus.io/#/pe/introduction) data and extract valuable insights from it. I've been peeking at [pe-sieve](https://github.com/hasherezade/pe-sieve), and I have a feeling it would be...

needs: docs
needs: config
scope: pe

These functions would cooperate with the [Yara](https://www.fibratus.io/#/yara/scanning) scanner to trigger rule execution within the filament. The functions should return which rules and strings were matched along with other useful information....

scope: filaments
needs: docs
scope: yara

I've only read the docs so far, but Fibratus looks great! I'm new to ETW, so am not sure if this is feasible, but I was wondering if it was...

scope: events

The `encrypt` transformer should encrypt event parameters with a specified crypto algorithm (e.g. AES). The original parameter value should get replaced with its respective hash string. Example config: ``` transformers:...

needs: docs
needs: config
scope: transformers