Translations (obsolete):
An EDR framework written in Rust
🧪 Access training data · 📖 Read the Documentation · 💬 Request Feature
Owlyshield is an open-source EDR (Endpoint Detection and Response) solution for Linux and Windows servers. It analyzes how processes use files to detect intrusions through vulnerability exploitation, with a particular focus on detecting Command and Control, exfiltration and impact tactics. The project is developed by SitinCloud, a French company.
The main idea behind Owlyshield is to learn the normal behavior of applications (essentially trees of processes) and use this knowledge to identify weak signals of an attack through the use of novelty detection.
Owlyshield's extensibility is a key feature that sets it apart from other EDR solutions. As a framework you can add new algorithms for malware detection, UEBA (User and Entity Behavior Analytics), and novelty detection. You can also use Owlyshield to record and replay file activities for training machine learning models, as we do with our autoencoder feature.
Owlyshield provides powerful and efficient endpoint detection and response capabilities for Linux, Windows, and IoT devices. Its unique focus on file activities makes it highly effective at detecting fileless malware and C&C beacons that may go unnoticed by other EDR solutions.
Although Owlyshield is a framework designed to be customized and extended, it also comes with pre-built, powerful features that are immediately usable :
- Advanced novelty detection with autoencoders (commercial version),
- Ransomware protection in real-time on Windows using XGBoost,
- Novelty detection with embedded training on both Linux (+IoT) and Windows,
- Auto-configuration of SELinux to automatically protect exposed applications.
Owlyshield provides a powerful solution for detecting and responding to threats in real-time. Here are three real-life examples of how Owlyshield protected our customers:
- An attacker exploited a critical CVE in an ESXi server to deploy a payload. Owlyshield detected weak signals of the attack on the ESXi server by analyzing the file activities and identifying unusual behavior in the ESXi process family, indicating the presence of a malicious process.
- A web application built with JHipster had a hidden URL that could be used to dump the JVM memory, but the infrastructure team was not aware of this vulnerability. Owlyshield was able to detect it was exploited by analyzing the file system for unusual activity related to creating the dump file,
- A large and expensive ERP system was accessed by teams of consultants from different countries. One of them, with admin rights, began to slowly corrupt specific files in the ERP system. The attacker used this tactic to make the corruption look like a series of bugs or glitches rather than a deliberate attack.
Installation instructions for Owlyshield can be found in the Releases section of the project's GitHub repository. For usage instructions, please refer to the project's Wiki or see the Contributing section if you prefer to build Owlyshield yourself.
The Pro Edition (commercial edition) includes the following features:
- Integration with Wazuh,
- Nice local interfaces for end users,
- Scheduled tasks to automatically update the application.
Within the scope of free version usage, we will do our best to help you find a solution for any issues you may encounter. However, we prioritize support for subscribers to our commercial version and valued added resellers.
While our products and services can be purchased directly from us (feel free to contact us for a quotation that meets your needs), we believe that it is best for our products to be distributed to end customers indirectly.
Please contact us if you:
- Want to become a distribution partner or use our products as an MSSP – we are open to such partnerships.
- Want to integrate Owlyshield as part of your own EDR/XDR system – we will be happy to provide the best proposal for the appropriate level of professional services to do so.
- Need to protect your critical enterprise servers against crafted attacks or progressive wipers – we can introduce you to our brand-new novelty detection engine based on encoders AI tools (Owlyshield Enterprise Edition).
- Have any questions or would like a presentation of our products.
We offer free access to the Owlyshield Pro Edition to our contributors.
If you discover an undetected ransomware, please open an issue with the tag "undetected" to help us improve the AI engine and understand the new techniques used to avoid detection.
If you have suggestions on how to improve Owlyshield, you can fork the repository and create a pull request or simply open an issue with the tag "enhancement".
Don't forget to give the project a ⭐! Thank you for your contributions.
To contribute:
- Fork the project.
- Create a feature branch:
git checkout -b feature/AmazingFeature
. - Commit your changes:
git commit -m 'Add some AmazingFeature'
. - Push to the branch:
git push origin feature/AmazingFeature
. - Open a pull request.
Distributed under the EUPL v1.2 license. See LICENSE.txt
for more information.
Damien LESCOS - @DamienLescos
Project Link: https://github.com/SitinCloud/Owlyshield/
Company Link: SitinCloud