Offensive Security Tool: Fibratus

Mar 11, 2022 | Tools

What is Fibratus?

Fibratus, by rabbitstack, is a tool for exploring and tracing the Windows kernel. It lets you trap system-wide events such as process life-cycle, file system I/O, registry modifications and network requests, among many other observability signals. In a nutshell, Fibratus gives you deep operational visibility into the Windows kernel and into the processes running on top of it.

Events can be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensic analysis. The filtering engine lets you drill down into the event stream.

You can use filaments to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.

Quick start

⦿ Observe Microsoft Outlook attachments being created on the file system

fibratus run file.operation = 'create' and file.name icontains '\\Content.Outlook\\'

⦿ Hunt remote thread creations

fibratus run kevt.name = 'CreateThread' and kevt.pid != thread.pid

⦿ Record network interactions to a capture file

fibratus capture kevt.category = 'net' -o conns.kcap

⦿ Replay events from the capture

fibratus replay net.dport in (443, 80) -k conns.kcap

⦿ Run the filament that watches file system changes

fibratus run -f watch_files

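The Quick start filters above all share one small grammar: a field, an operator (=, !=, icontains, in (...)) and a literal or another field, joined by and. As an added example that is not Fibratus's code or the author's, the Python below implements just that subset and runs each filter over a handful of constructed events, so you can see which events a given expression selects before pointing it at a live kernel; the flat event dicts, their values and the backslash-escape handling are assumptions of this illustration.

```python
import re
# Constructed sample events keyed by the Quick start field names; the flat dict
# layout is an assumption for this illustration, not Fibratus's own event format.
SAMPLE_EVENTS = [
    {"kevt.name": "CreateThread", "kevt.category": "thread", "kevt.pid": 4321, "thread.pid": 4321},
    {"kevt.name": "CreateThread", "kevt.category": "thread", "kevt.pid": 4321, "thread.pid": 8080},
    {"kevt.name": "CreateFile", "kevt.category": "file", "file.operation": "create",
     "file.name": r"C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\A1B2C3D4\invoice.docm"},
    {"kevt.name": "Send", "kevt.category": "net", "net.dport": 443},
    {"kevt.name": "Send", "kevt.category": "net", "net.dport": 8443},
]
# Tokens: quoted string, parens, comma, != or =, or a bare word / dotted field name.
TOKEN = re.compile(r"'[^']*'|\(|\)|,|!=|=|[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*")

def parse_filter(text):
    """Parse `field op value [and ...]` into (field, op, rhs) triples; ops: = != icontains in."""
    toks, conds, i = TOKEN.findall(text), [], 0
    while i < len(toks):
        field, op = toks[i], toks[i + 1]
        if op == "in":  # in ( v1, v2, ... ) -> list of raw value tokens
            close = toks.index(")", i + 3)
            rhs, i = [t for t in toks[i + 3:close] if t != ","], close + 1
        else:
            rhs, i = toks[i + 2], i + 3
        conds.append((field, op, rhs))
        if i < len(toks) and toks.pop(i) != "and":
            raise ValueError("conditions must be joined by 'and'")
    return conds

def _resolve(tok, event):
    # Quoted -> str (assumed: a doubled backslash escapes one); digits -> int; else a field reference.
    if tok.startswith("'"):
        return tok[1:-1].replace("\\\\", "\\")
    return int(tok) if tok.isdigit() else event.get(tok)

def matches(conds, event):
    for field, op, rhs in conds:
        lhs = event.get(field)
        if op == "in":
            ok = lhs in [_resolve(t, event) for t in rhs]
        elif op == "icontains":  # case-insensitive substring match
            ok = isinstance(lhs, str) and _resolve(rhs, event).lower() in lhs.lower()
        else:  # remaining operators are = and !=
            ok = (lhs == _resolve(rhs, event)) == (op == "=")
        if not ok: return False
    return True

def run_filter(text, events=SAMPLE_EVENTS):
    """Return the events a Quick start style filter expression selects."""
    return [e for e in events if matches(parse_filter(text), e)]
```
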
Features

  • Blazing fast
  • Collects a wide spectrum of kernel events – from process to network observability signals
  • Super powerful filtering engine
  • Running Python scriptlets on top of kernel event flow
  • Capturing event flux to kcap files and replaying anywhere
  • Transporting events to Elasticsearch, RabbitMQ or console sinks
  • Transforming kernel events
  • Scanning malicious processes and files with Yara
  • PE (Portable Executable) introspection

Documentation

The project documentation covers:

  • Setup
  • Events
  • Filters
  • Captures
  • Filaments
  • Outputs
  • Transformers
  • Alerts
  • PE (Portable Executable)
  • YARA
  • Troubleshooting