Sysmon-Like research tool for ETW
☆384Nov 15, 2022Updated 3 years ago
Alternatives and similar repositories for Sealighter
Users that are interested in Sealighter are comparing it to the libraries listed below
Sorting:
- Run Processes as PPL with ELAM☆177Mar 17, 2022Updated 3 years ago
- Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider☆197Dec 6, 2022Updated 3 years ago
- PoC memory injection detection agent based on ETW, for offensive and defensive research purposes☆299Apr 10, 2021Updated 4 years ago
- KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.☆753Dec 15, 2025Updated 2 months ago
- View ETW Provider manifest☆574Nov 1, 2024Updated last year
- Events from all manifest-based and mof-based ETW providers across Windows 10 versions☆329May 2, 2024Updated last year
- Enumerate various traits from Windows processes as an aid to threat hunting☆202Jan 13, 2022Updated 4 years ago
- ☆153Jul 31, 2022Updated 3 years ago
- ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detecti…☆319Mar 20, 2024Updated last year
- Event Tracing For Windows (ETW) Resources☆417Oct 30, 2025Updated 4 months ago
- Uses Threat-Intelligence ETW events to identify shellcode regions being hidden by fluctuating memory protections☆169May 17, 2023Updated 2 years ago
- Finding Truth in the Shadows☆123Jan 26, 2023Updated 3 years ago
- Enumerate and disable common sources of telemetry used by AV/EDR.☆819Mar 11, 2021Updated 4 years ago
- ☆181Apr 24, 2025Updated 10 months ago
- ☆825Jun 1, 2023Updated 2 years ago
- Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs☆807Mar 16, 2024Updated last year
- Walks the CFG bitmap to find previously executable but currently hidden shellcode regions☆133May 17, 2023Updated 2 years ago
- PoC Implementation of a fully dynamic call stack spoofer☆922Jul 20, 2024Updated last year
- Security product hook detection☆327Mar 30, 2021Updated 4 years ago
- A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)☆557Apr 8, 2025Updated 10 months ago
- A DTrace on Windows Reimplementation☆372Feb 3, 2026Updated 3 weeks ago
- Research on Windows Kernel Executive Callback Objects☆315Feb 22, 2020Updated 6 years ago
- The Definitive Guide To Process Cloning on Windows☆543Jan 3, 2024Updated 2 years ago
- Aims to identify sleeping beacons☆662Jan 25, 2026Updated last month
- Open-source EDR kernel-component for system monitoring and DLL injection☆33Nov 14, 2020Updated 5 years ago
- Process Monitor X v2☆648Jan 22, 2024Updated 2 years ago
- ☆1,787Aug 30, 2024Updated last year
- Document ETW providers☆272Mar 28, 2020Updated 5 years ago
- ☆252Jun 7, 2025Updated 8 months ago
- Detect strange memory regions and DLLs☆185Jan 20, 2022Updated 4 years ago
- A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.ht…☆676Dec 23, 2022Updated 3 years ago
- Monitors ETW for security relevant syscalls maintaining the set called by each unique process☆87May 17, 2023Updated 2 years ago
- Two new offensive techniques using Windows Fibers: PoisonFiber (The first remote enumeration & Fiber injection capability POC tool) Phan…☆283Sep 18, 2024Updated last year
- Enumerating and removing kernel callbacks using signed vulnerable drivers☆588Jan 24, 2023Updated 3 years ago
- ☆118Aug 7, 2022Updated 3 years ago
- Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel.☆242Sep 26, 2023Updated 2 years ago
- RpcView is a free tool to explore and decompile Microsoft RPC interfaces☆1,043Sep 24, 2023Updated 2 years ago
- A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!☆1,401Nov 22, 2023Updated 2 years ago
- proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC☆1,270May 1, 2024Updated last year