fibratus

Generally speaking, Event Tracking for Windows has the role of logging kernel data that system administrators can use to make a well informed decision on how to improve overall security. Fibratus is a tool designed especially for the collection of kernel-associated data and can capture all relevant activity, from process and thread creation and termination to file system I/O, network activity as well as DLL loading and unloading.

The idea behind the tool is to enable administrators to gather all system data responsible for the deep operational visibility into the Windows kernel along with the processes that run on top of it. All events captured can be dumped to capture files locally where administrators can further analyze the data.

The tool also packs a powerful filtering system that enables admins to take a closer look and find anything of interest blazing fast. The filters are supported in various places, including in the run command, replay command use when recovering the event flow or the capture command when dumping the event flow. While it may look intimidating at first, you should bear in mind that the tool comes with extensive documentation that explains the ins and outs of filters and other features.

Even though the command-line application is self-sufficient, the developer added filaments that can extend the functionality of the tool. Filaments are basically lightweight Python modules or scripts that act as extension points with endless possibilities. It is worth mentioning that these scripts always run on top of the kernel flux and therefore, can take into account all parameters, process state and other variables of the event.

Fibratus is a powerful program designed for system administrators who want to deep explore security events of the Windows kernel.