WHIDS
Open Windows EDR-oriented agent using Sysmon/ETW feeds with detection-driven artifact collection and MISP/Elastic export.
Why it is included
Rare fully open Windows-focused detection stack for labs and cost-conscious SOCs.
Best for
Windows-heavy estates already standardized on Sysmon where you want artifact capture on alert.
Strengths
- ETW/Sysmon native
- Artifact collection
- ATT&CK mapping
Limitations
- Windows-only; tune for volume; compare to commercial EDR
Good alternatives
Velociraptor · OSQuery on Windows · commercial EDR
Related tools
Security & Privacy
Velociraptor
Endpoint visibility and DFIR: Velociraptor Query Language (VQL), hunts, notebooks, and artifact packs across fleets.
Chainsaw
Rapidly search and hunt through Windows event logs (EVTX) using Sigma-like rules and built-in threat detections.
MISP
Threat intelligence sharing platform: IOCs, galaxies, taxonomies, sync between communities, and API automation.
Impacket
Python classes and scripts for low-level Windows network protocols (SMB, MSRPC, Kerberos, LDAP, etc.).
NetExec
Network post-exploitation Swiss Army knife for SMB/WinRM/LDAP/MSSQL/WMI—successor spirit to CrackMapExec.
evil-winrm
Ruby WinRM shell for pentesting: remote commands, file upload, Pass-the-Hash, and menu helpers.
