Fibratus is a real-time endpoint security tool that detects, protects against, and hunts advanced adversary tradecraft by monitoring system behavior and memory.
Adversary tradecraft detection, protection, and hunting
Fibratus is used by security professionals and incident responders to detect malicious activity on Windows endpoints through behavior-driven rules and memory scanning. It enables real-time intrusion detection, forensic analysis, and proactive hunting of adversary techniques by capturing and analyzing system events and memory artifacts.
Fibratus requires Windows to operate and elevated privileges to monitor system events and memory. Users should regularly update detection rules and use filaments to tailor the tool to their environment. Releases are automatically code-signed, which enhances the trustworthiness and integrity of the binaries.
Download the latest MSI package from the releases page
Run the MSI installer and follow the UI wizard
Alternatively, install silently with the command: msiexec /i fibratus-2.4.0-amd64.msi /qn
VaultCmd.exe /listcreds:"Windows Credentials" /all
Lists credentials stored in the Windows vault; running it triggers the detection rules for credential discovery
fibratus rules list
Lists all detection rules available in the rule catalog
fibratus rules list -s
Shows a summary of detection rules categorized by MITRE tactics and techniques