Nedim Šabić
Hi, would you find it beneficial to add [Fibratus](https://www.fibratus.io) to the list of available tools? Fibratus is a tool for Windows kernel tracing and observability. It includes a powerful filter engine,...
Although the pattern is declared [here](https://github.com/sematext/logagent-js/blob/99adca779aa6a15ca492fb335fd8eb777c48fd7b/patterns.yml#L87), it seems that Logagent is not able to parse Go stack traces.
Since we're gathering imported symbols via [PE](https://github.com/rabbitstack/fibratus/tree/master/pkg/pe) parsing, we could compute the import hash, most commonly referred to as [imphash](https://www.mandiant.com/resources/tracking-malware-import-hashing). We could simply adapt the [pefile-go](https://github.com/omarghader/pefile-go/blob/b1abcb010d7d45cfcbe572dc15e315cf6f55c859/pe/pe.go#L542) imphash logic to an existing...
These functions would enable us to build filters that evaluate process relationships. The `ancestor_of` function returns the parent of the process that's executing the kernel event. For example, `ancestor_of('cmd.exe')` would...
The Windows API provides the `CryptQueryObject` function to obtain details about the certificate that signed the executable. We should invoke this function in the process/image interceptors and augment the corresponding events...
### Description

[ALPC](https://en.wikipedia.org/wiki/Local_Inter-Process_Communication) is the Windows internal messaging system. ALPC is frequently utilized by malware actors to inject shellcode into benign processes. If we could get visibility into ALPC...
### Description

In stringent security environments, it might be desirable to encrypt all the capture data including processes, handles, and, of course, kernel events. For this purpose, the `cap` configuration...
This can be accomplished by creating the event object via the `CreateEvent` API call. If it results in the `ERROR_ALREADY_EXISTS` error code, then we forbid spinning up a new instance. Otherwise,...
We should supervise the status of the `NT Kernel Logger` ETW session periodically. Some threat actors might sweep and end all running ETW sessions on the machine. If the NT...
### Description

It might be useful to automatically upload the capture file to an [S3](https://aws.amazon.com/s3/) bucket. For this purpose, the CLI should get an additional flag that would indicate whether...