I built Saeros because I was frustrated with the current state of Active Directory security in secure/air-gapped environments.
As of today, solutions that detect live threats such as DCSync, Golden Tickets, or Kerberoasting require heavy agents that pipe gigabytes of logs to the cloud (Splunk, CrowdStrike, SentinelOne) or sync your AD to Azure (Defender for Identity). Other alternatives such as OSSEC, Wazuh or Elastic require heavy setup and are very time consuming. Chainsaw and Hayabusa do not support live detections.
For critical infrastructure or disconnected networks, that isn't an option.
What it does: Saeros is a single-binary agent written in C# that runs on domain controllers. It subscribes to Event Tracing for Windows (ETW), matches them against Sigma rules in real-time, and outputs alerts locally through a powerful console.
Key Takeaways:
- User-Mode Only: This does NOT use kernel drivers. It cannot BSOD your domain controller. - Performance Critical: The agent consumes minimal resources while handling tens of thousands events per second. - Read-Only: It does not attempt to block or terminate processes. - Air-Gap Native: It requires zero internet connection.
The code source is located here: https://github.com/Saeros-Security/Saeros. I released this under the AGPL-3.0 license so security teams can audit the code and verify that it only listens and never talks to the outside world.
I’m looking for your feedbacks.
Thanks!