
ProcFilter
An informational repo about hunting for adversaries in your IT environment.
ProcFilter: A Process Filtering System for Windows
ProcFilter is a process filtering system designed for Windows that includes built-in YARA integration. With YARA, rules can be enhanced using custom meta tags, allowing for a tailored response when matches occur.
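To make the meta-tag idea concrete, here is an added example (not ProcFilter's own code) that parses the `meta:` section of each YARA rule in a constructed ruleset and combines the tags of the rules that matched into a single response decision. The tag names `Block` and `Log` and the sample rules are assumptions for illustration; the tags a real deployment honours come from ProcFilter's documentation.

```python
import re

# Constructed sample ruleset; tag names Block/Log are assumed for this illustration.
SAMPLE_RULES = r'''
rule SuspiciousDropper
{
    meta:
        Block = true
        Log = true
    condition:
        true
}

rule ObserveOnly
{
    meta:
        Log = true
    condition:
        true
}
'''

RULE_RE = re.compile(r'rule\s+(\w+)[^{]*\{(.*?)\n\}', re.S)
META_RE = re.compile(r'meta:\s*(.*?)\n\s*(?:strings|condition):', re.S)
TAG_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)

def _coerce(raw):
    """Map a YARA meta literal to a Python value (bool, quoted string, or int)."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw) if raw.lstrip("-").isdigit() else raw

def parse_rule_actions(rule_text):
    """Return {rule_name: {meta_tag: value}} for each rule in the text."""
    actions = {}
    for name, body in RULE_RE.findall(rule_text):
        meta = META_RE.search(body)
        actions[name] = {k: _coerce(v) for k, v in TAG_RE.findall(meta.group(1))} if meta else {}
    return actions

def respond(matched_rules, actions):
    """Combine the meta tags of every matched rule into one response decision."""
    plan = {"block": False, "log": []}
    for name in matched_rules:
        tags = actions.get(name, {})
        plan["block"] = plan["block"] or bool(tags.get("Block"))
        if tags.get("Log"):
            plan["log"].append(name)
    return plan
```

A rule that only sets `Log` is recorded without blocking, while any matched rule carrying `Block = true` turns the whole decision into a block, which is the behaviour a host agent wants when several rules fire on one process.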
It operates as a Windows service
It operates as a Windows service and is integrated with Microsoft's ETW (Event Tracing for Windows) API, so match results are written to the Windows Event Log, where existing log collection can pick them up.
Installation, Activation, and Removal Process
Installation, activation, and removal can be performed dynamically without the need for a reboot. ProcFilter is designed for malware analysts, enabling them to create YARA signatures that safeguard their Windows environments against specific threats.
It does not include a large signature set
ProcFilter focuses on being lightweight, precise, and targeted rather than broad or all-encompassing. It is designed for use in controlled analysis environments where custom plugins can execute artifact-specific actions. It is built for easy adoption: its integration with Git and the Event Log reduces the need for additional tools or infrastructure to deploy rules or collect results.

ProcFilter is compatible with Windows 7 and later, as well as Windows Server 2008 and newer. Installers are available as x86 and x64 builds in both Release and Debug configurations. Note: unpatched Windows 7 systems require hotfix 3033929 to load the driver component.