Listen to this Post

Source:
GitHub – N0vaSky/NovaEDR-deploy
Fibratus – Windows Kernel Exploration Tool
Joshua Strickland, a Threat Hunter at Red Canary, has developed an open-source MDR/SOC solution using Fibratus for ETW-based threat detection. The setup includes real-time alerts sent to Discord, malware sandboxing for DFIR testing, and monitoring capabilities for personal and family systems.
You Should Know:
1. Key Components of the Setup
- Fibratus: A Windows kernel exploration tool that captures ETW events for threat detection.
- Discord Webhooks: Used for real-time alerting.
- Custom EDR Agent: Manages detection logic and malware analysis.
2. Setting Up Fibratus for ETW Event Collection
Install Fibratus on Windows:
choco install fibratus
Start Fibratus in CLI mode:
fibratus run
3. Configuring Discord Alerts
Use a Python script to forward alerts via Discord webhook:
import requests
import json
WEBHOOK_URL = "YOUR_DISCORD_WEBHOOK_URL"
def send_alert(message):
payload = {"content": message}
requests.post(WEBHOOK_URL, json=payload)
Example: Trigger on suspicious process creation
send_alert("🚨 Suspicious process detected: malware.exe")
4. Developing ETW-Based Detection Rules
Fibratus uses YAML-based rules. Example rule to detect `cmd.exe` spawning powershell.exe:
name: "Suspicious Command Line Execution" description: "Detects cmd.exe launching powershell.exe" condition: > ps.name == "cmd.exe" and ps.child.name == "powershell.exe" output: "Possible PowerShell downgrade attack detected!"
5. Monitoring Malware in a Sandbox
Use Cuckoo Sandbox or Any.Run for dynamic analysis. Automate submissions with:
curl -X POST -H "Authorization: Bearer API_KEY" -F "[email protected]" https://any.run/api/submit
6. DFIR Commands for Incident Response
- Windows Memory Dump:
dumpbin /ALL malware.exe > analysis.txt
- Linux-Based Forensic Analysis:
volatility -f memory.dump windows.pslist
- Network Traffic Inspection:
tshark -i eth0 -Y "http.request" -w traffic.pcap
What Undercode Say:
This open-source MDR/SOC solution demonstrates how security professionals can leverage Fibratus and ETW for real-time threat detection. By integrating Discord alerts and sandbox testing, Joshua has created a scalable, customizable defense mechanism. Future enhancements could include automated threat hunting with Sigma rules and integrating YARA for malware detection.
Prediction:
As open-source EDR solutions gain traction, expect more integrations with SIEM platforms like ELK or Splunk. Fibratus may evolve into a full-fledged XDR platform with cloud-based rule management.
Expected Output:
- A functional Fibratus-based EDR with Discord alerts.
- Custom ETW detection rules for TTPs.
- Automated malware analysis workflows.
- DFIR-ready command references for Windows & Linux.
References:
Reported By: Joshua T – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


