Building an Open-Source MDR/SOC Solution with Fibratus and ETW Detection

Listen to this Post

Featured Image

Source:

GitHub – N0vaSky/NovaEDR-deploy
Fibratus – Windows Kernel Exploration Tool

Joshua Strickland, a Threat Hunter at Red Canary, has developed an open-source MDR/SOC solution using Fibratus for ETW-based threat detection. The setup includes real-time alerts sent to Discord, malware sandboxing for DFIR testing, and monitoring capabilities for personal and family systems.

You Should Know:

1. Key Components of the Setup

  • Fibratus: A Windows kernel exploration tool that captures ETW events for threat detection.
  • Discord Webhooks: Used for real-time alerting.
  • Custom EDR Agent: Manages detection logic and malware analysis.

2. Setting Up Fibratus for ETW Event Collection

Install Fibratus on Windows:

choco install fibratus

Start Fibratus in CLI mode:

fibratus run

3. Configuring Discord Alerts

Use a Python script to forward alerts via Discord webhook:

import requests
import json

WEBHOOK_URL = "YOUR_DISCORD_WEBHOOK_URL"

def send_alert(message):
payload = {"content": message}
requests.post(WEBHOOK_URL, json=payload)

Example: Trigger on suspicious process creation
send_alert("🚨 Suspicious process detected: malware.exe")

4. Developing ETW-Based Detection Rules

Fibratus uses YAML-based rules. Example rule to detect `cmd.exe` spawning powershell.exe:

name: "Suspicious Command Line Execution"
description: "Detects cmd.exe launching powershell.exe"
condition: >
ps.name == "cmd.exe" and 
ps.child.name == "powershell.exe"
output: "Possible PowerShell downgrade attack detected!"

5. Monitoring Malware in a Sandbox

Use Cuckoo Sandbox or Any.Run for dynamic analysis. Automate submissions with:

curl -X POST -H "Authorization: Bearer API_KEY" -F "[email protected]" https://any.run/api/submit

6. DFIR Commands for Incident Response

  • Windows Memory Dump:
    dumpbin /ALL malware.exe > analysis.txt
    
  • Linux-Based Forensic Analysis:
    volatility -f memory.dump windows.pslist
    
  • Network Traffic Inspection:
    tshark -i eth0 -Y "http.request" -w traffic.pcap
    

What Undercode Say:

This open-source MDR/SOC solution demonstrates how security professionals can leverage Fibratus and ETW for real-time threat detection. By integrating Discord alerts and sandbox testing, Joshua has created a scalable, customizable defense mechanism. Future enhancements could include automated threat hunting with Sigma rules and integrating YARA for malware detection.

Prediction:

As open-source EDR solutions gain traction, expect more integrations with SIEM platforms like ELK or Splunk. Fibratus may evolve into a full-fledged XDR platform with cloud-based rule management.

Expected Output:

  • A functional Fibratus-based EDR with Discord alerts.
  • Custom ETW detection rules for TTPs.
  • Automated malware analysis workflows.
  • DFIR-ready command references for Windows & Linux.

References:

Reported By: Joshua T – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram