docs: 2.2.0 docs (#298)

README.md

@@ -9,14 +9,16 @@
 <h2 align="center">Fibratus</h2>
 
 <p align="center">
-  A modern tool for Windows kernel exploration and observability with a focus on security
+  Adversary tradecraft detection, protection, and hunting
   <br>
   <a href="https://www.fibratus.io/#/setup/installation"><strong>Get Started »</strong></a>
   <br>
   <br>
   <strong>
     <a href="https://www.fibratus.io">Docs</a>
     &nbsp;&nbsp;&bull;&nbsp;&nbsp;
+    <a href="https://github.com/rabbitstack/fibratus/tree/master/rules">Rules</a>
+    &nbsp;&nbsp;&bull;&nbsp;&nbsp;
     <a href="https://github.com/rabbitstack/fibratus/tree/master/filaments">Filaments</a>
     &nbsp;&nbsp;&bull;&nbsp;&nbsp;
     <a href="https://github.com/rabbitstack/fibratus/releases">Download</a>
@@ -27,150 +29,28 @@
 
 ### What is Fibratus?
 
-Fibratus is a tool for exploration and tracing of the **Windows** kernel. It lets you trap system-wide [events](https://www.fibratus.io/#/kevents/anatomy) such as process life-cycle, file system I/O, registry modifications or network requests among many other observability signals. In a nutshell, Fibratus allows for gaining deep operational visibility into the Windows kernel but also processes running on top of it. It requires no drivers nor third-party software.
+Fibratus detects, protects, and erradicates advanced adversary tradecraft by scrutinizing
+and asserting a wide spectrum of system events against a behaviour-driven [rule engine](https://www.fibratus.io/#/filters/rules) and [YARA](https://www.fibratus.io/#/yara/introduction) memory scanner.
 
-Events can be shipped to a wide array of [output sinks](https://www.fibratus.io/#/outputs/introduction) or dumped to [capture](https://www.fibratus.io/#/captures/introduction) files for local inspection and forensics analysis. The powerful [filtering](https://www.fibratus.io/#/filters/introduction) engine permits drilling into the event flux entrails and the [rules engine](https://www.fibratus.io/#/filters/rules) is capable of detecting stealthy adversary attacks and sophisticated threats.
+Events can also be shipped to a wide array of [output sinks](https://www.fibratus.io/#/outputs/introduction) or dumped to [capture](https://www.fibratus.io/#/captures/introduction) files for local inspection and forensics analysis. You can use [filaments](https://www.fibratus.io/#/filaments/introduction) to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem. 
 
-You can use [filaments](https://www.fibratus.io/#/filaments/introduction) to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem
+In a nuthsell, Fibratus mantra is defined by the pillars of **realtime behaviour detection**, **memory scanning**, and **forensics** capabilities.
 
 ### Quick start
 
-Check the [walkthrough](https://www.fibratus.io/#/filters/rules?id=loading-rules) on how to load and create detection rules.
-
-- Observe Microsoft Outlook attachments creating on the file system
-
-```
-fibratus run file.operation = 'create' and file.name icontains '\\Content.Outlook\\'
-```
-
-- Hunt remote thread creations
-
-```
-fibratus run kevt.name = 'CreateThread' and kevt.pid != thread.pid
-```
-
-- Record network interactions to the capture file
-
-```
-fibratus capture kevt.category = 'net' -o conns.kcap
-```
-
-- Replay events from the capture
-
-```
-fibratus replay net.dport in (443, 80) -k conns.kcap
-```
-
-- Run the filament for watching file system changes
+---
 
+- [Install](https://www.fibratus.io/#/setup/installation) Fibratus from the latest [MSI package](https://github.com/rabbitstack/fibratus/releases)
+- spin up a command line prompt
+- list credentials from the vault by using the `VaultCmd` tool
 ```
-fibratus run -f watch_files
+$ VaultCmd.exe /listcreds:"Windows Credentials" /all
 ```
+- `Credential discovery via VaultCmd.exe` rule should trigger displaying the alert in the systray notification area
 
-### Features
-
-- :zap: blazing fast
-- :satellite: collects a wide spectrum of kernel events - from process to network observability signals
-- :mag: super powerful filtering and rule engine
-- :snake: running Python scriptlets on top of kernel event flow
-- :minidisc: capturing event flux to **kcap** files and replaying anywhere
-- :rocket: transporting events to Elasticsearch, RabbitMQ or console sinks
-- :scissors: transforming kernel events
-- :dart: scanning malicious processes and files with Yara
-- :file_folder: PE (Portable Executable) introspection
-
-### [Documentation](https://www.fibratus.io)
----
-
-### Setup
-
-* [**Installation**](https://www.fibratus.io/#/setup/installation)
-* [**Building from source**](https://www.fibratus.io/#/setup/installation?id=building-from-source)
-* [**Running as standalone binary**](https://www.fibratus.io/#/setup/running?id=standalone-binary)
-* [**Running as Windows Service**](https://www.fibratus.io/#/setup/running?id=windows-service)
-* [**CLI**](https://www.fibratus.io/#/setup/running?id=cli)
-* [**Configuration**](https://www.fibratus.io/#/setup/configuration)
-
-### Events
-
-* [**Anatomy of an event**](https://www.fibratus.io/#/kevents/anatomy)
-* [**Process**](https://www.fibratus.io/#/kevents/process)
-* [**Thread**](https://www.fibratus.io/#/kevents/thread)
-* [**Image**](https://www.fibratus.io/#/kevents/image)
-* [**File**](https://www.fibratus.io/#/kevents/file)
-* [**Registry**](https://www.fibratus.io/#/kevents/registry)
-* [**Network**](https://www.fibratus.io/#/kevents/network)
-* [**Handle**](https://www.fibratus.io/#/kevents/handle)
-
-### Filters and Rules
-
-* [**Needle in the haystack**](https://www.fibratus.io/#/filters/introduction)
-* [**Prefiltering**](https://www.fibratus.io/#/filters/prefiltering)
-* [**Filtering**](https://www.fibratus.io/#/filters/filtering)
-* [**Operators**](https://www.fibratus.io/#/filters/operators)
-* [**Functions**](https://www.fibratus.io/#/filters/functions)
-* [**Paths**](https://www.fibratus.io/#/filters/paths)
-* [**Fields**](https://www.fibratus.io/#/filters/fields)
-* [**Rules**](https://www.fibratus.io/#/filters/rules)
-
-### Captures
-
-* [**Immortalizing the event flux**](https://www.fibratus.io/#/captures/introduction)
-* [**Capturing**](https://www.fibratus.io/#/captures/capturing)
-* [**Replaying**](https://www.fibratus.io/#/captures/replaying)
-
-### Filaments
-
-* [**Python meets kernel events**](https://www.fibratus.io/#/filaments/introduction)
-* [**Executing**](https://www.fibratus.io/#/filaments/executing)
-* [**Internals**](https://www.fibratus.io/#/filaments/internals)
-* [**Writing filaments**](https://www.fibratus.io/#/filaments/writing)
-
-### Outputs
-
-* [**Transporting kernel events**](https://www.fibratus.io/#/outputs/introduction)
-* [**Console**](https://www.fibratus.io/#/outputs/console)
-* [**Null**](https://www.fibratus.io/#/outputs/null)
-* [**RabbitMQ**](https://www.fibratus.io/#/outputs/rabbitmq)
-* [**Elasticsearch**](https://www.fibratus.io/#/outputs/elasticsearch)
-* [**Eventlog**](https://www.fibratus.io/#/outputs/eventlog)
-* [**HTTP**](https://www.fibratus.io/#/outputs/http)
-
-
-### Transformers
-
-* [**Parsing, enriching, transforming**](https://www.fibratus.io/#/transformers/introduction)
-* [**Remove**](https://www.fibratus.io/#/transformers/remove)
-* [**Rename**](https://www.fibratus.io/#/transformers/rename)
-* [**Replace**](https://www.fibratus.io/#/transformers/replace)
-* [**Tags**](https://www.fibratus.io/#/transformers/tags)
-* [**Trim**](https://www.fibratus.io/#/transformers/trim)
-
-### Alerts
-
-* [**Watchdogging kernel events**](https://www.fibratus.io/#/alerts/introduction)
-* [**Mail**](https://www.fibratus.io/#/alerts/senders/mail)
-* [**Slack**](https://www.fibratus.io/#/alerts/senders/slack)
-* [**Filament alerting**](https://www.fibratus.io/#/alerts/filaments)
-
-### PE (Portable Executable)
-
-* [**Portable Executable introspection**](https://www.fibratus.io/#/pe/introduction)
-* [**Sections**](https://www.fibratus.io/#/pe/sections)
-* [**Symbols**](https://www.fibratus.io/#/pe/symbols)
-* [**Resources**](https://www.fibratus.io/#/pe/resources)
-
-### YARA
-
-* [**Pattern matching swiss knife**](https://www.fibratus.io/#/yara/introduction)
-* [**Scanning processes**](https://www.fibratus.io/#/yara/scanning)
-* [**Alerts**](https://www.fibratus.io/#/yara/alerts)
-
-### Troubleshooting
+### Documentation
 
-* [**Logs**](https://www.fibratus.io/#/troubleshooting/logs)
-* [**Stats**](https://www.fibratus.io/#/troubleshooting/stats)
-* [**Profiling**](https://www.fibratus.io/#/troubleshooting/pprof)
+To fully exploit and learn about Fibratus capabilities, read the [docs](https://www.fibratus.io).
 
 ---
 

docs/_coverpage.md

@@ -4,14 +4,13 @@
   <img src='logo.png'></img>
 </div>
 
-# fibratus <small>2.0.0</small>
+# fibratus <small>2.2.0</small>
 
-> A modern tool for Windows kernel exploration and observability with a focus on security
-
-- <ion-icon class="fast-icon" name="flash"></ion-icon> Fast
-- <ion-icon class="extensible-icon" name="cube"></ion-icon> Extensible
-- <ion-icon class="comprehensive-icon" name="magnet"></ion-icon> Comprehensive
+>  Adversary tradecraft detection, protection, and hunting
 
+- <ion-icon class="fast-icon" name="flash"></ion-icon> Runtime behaviour detection
+- <ion-icon class="comprehensive-icon" name="magnet"></ion-icon> Forensics capabilities
+- <ion-icon class="extensible-icon" name="cube"></ion-icon> Memory scanning
 
 <a href="https://github.com/rabbitstack/fibratus/releases" target="_blank" rel="noopener"><ion-icon name="download"></ion-icon> Download</a>
 <a href="#/setup/installation"><ion-icon name="rocket"></ion-icon> Get Started</a>

docs/_sidebar.md

@@ -2,8 +2,9 @@
   * [What is Fibratus?](overview/what-is-fibratus.md)
 * <ion-icon name="rocket-outline"></ion-icon> Setup
   * [Installation](setup/installation.md)
-  * [Running](setup/running.md)
+  * [Quick Start](setup/quick-start.md)
   * [Configuration](setup/configuration.md)
+  * [CLI](setup/cli.md)
 * <ion-icon name="apps-outline"></ion-icon> Events
   * [Anatomy Of An Event](kevents/anatomy.md)
   * [Process](kevents/process.md)
@@ -22,8 +23,8 @@
   * [Operators](filters/operators.md)
   * [Paths](filters/paths.md)
   * [Functions](filters/functions.md)
-  * [Fields](filters/fields.md)
   * [Rules](filters/rules.md)
+  * [Fields](filters/fields.md)
 * <ion-icon name="server-outline"></ion-icon> Captures
   * [Immortalizing The Event Flux](captures/introduction.md)
   * [Capturing](captures/capturing.md)
@@ -34,7 +35,7 @@
   * [Internals](filaments/internals.md)
   * [Writing Filaments](filaments/writing.md)
 * <ion-icon name="send-outline"></ion-icon> Outputs
-  * [Transporting Kernel Events](outputs/introduction.md)
+  * [Transporting Events](outputs/introduction.md)
   * [Console](outputs/console.md)
   * [Null](outputs/null.md)
   * [RabbitMQ](outputs/rabbitmq.md)
@@ -49,7 +50,7 @@
   * <ion-icon name="pricetags-outline"></ion-icon> [Tags](transformers/tags.md)
   * <ion-icon name="cut-outline"></ion-icon> [Trim](transformers/trim.md)
 * <ion-icon name="locate-outline"></ion-icon> Alerts
-  * [Watchdogging Kernel Events](alerts/introduction.md)
+  * [Firing Alerts](alerts/introduction.md)
   * [Alert Senders](alerts/senders.md)
     * <ion-icon name="mail-unread-outline"></ion-icon> [Mail](alerts/senders/mail.md)
     * <ion-icon name="logo-slack"></ion-icon> [Slack](alerts/senders/slack.md)

docs/alerts/introduction.md

@@ -1,6 +1,6 @@
-# Watchdogging Kernel Events
+# Firing Alerts
 
-Fibratus has the ability to generate alerts when an unexpected flow is detected in the system. Some alerts are generated out of the box, for example, when the [YARA scanner](/yara/scanning) yields rule matches. Other alerts are emitted directly from [filaments](/alerts/filaments) when the conditions are met.
+Fibratus has the ability to generate security alerts when the detection or [YARA](/yara/scanning) rule matches. Additionally, alerts can be emitted directly from [filaments](/alerts/filaments).
 
 The alert has the following key components:
 

docs/alerts/senders.md

@@ -4,3 +4,5 @@ You can send alert notifications to your team through email, Slack, or incident
 
 - [Mail](/alerts/senders/mail)
 - [Slack](/alerts/senders/mail)
+- [Systray](/alerts/senders/systray)
+

docs/alerts/senders/systray.md

@@ -0,0 +1,26 @@
+# Systray
+
+The `systray` alert sender sends alerts to the systray notification area. 
+
+### Configuration {docsify-ignore}
+
+The `systray` alert sender configuration is located in the `alertsenders.systray` section.
+
+#### enabled
+
+Indicates whether the `systray` alert sender is enabled.
+
+**default**: `true`
+
+#### sound
+
+Indicates if the associated sound is played when the balloon notification is shown.
+
+**default**: `true`
+
+#### quiet-mode
+
+Instructs not to display the balloon notification if the current user is in quiet time. During this time, most notifications should not be sent or shown. This lets a user become accustomed to a new computer system without those distractions. Quiet time also occurs for each user after an operating system upgrade or clean installation.
+
+**default**: `false`
+

docs/filters/fields.md

@@ -15,8 +15,8 @@ The following tables summarize available field names that can be used in filter
 | Field Name  | Description | Example     |
 | :---        |    :----   |          :---: |
 | kevt.seq      | Monotonic event sequence number       | `kevt.seq > 666`   |
-| kevt.pid      | Process identifier generating the kernel event       | `kevt.pid = 6`   |
-| kevt.tid      | Thread identifier generating the kernel event       | `kevt.tid = 1024`   |
+| kevt.pid      | Process identifier generating the event       | `kevt.pid = 6`   |
+| kevt.tid      | Thread identifier generating the event       | `kevt.tid = 1024`   |
 | kevt.cpu      | Logical processor core where the event was generated       | `kevt.cpu = 2`   |
 | kevt.name      | Symbolical event name       | `kevt.name = 'CreateThread'`   |
 | kevt.category      | Category to which the event pertains      | `kevt.category = 'registry'`   |
@@ -41,8 +41,8 @@ The following tables summarize available field names that can be used in filter
 ### Process
 | Field Name  | Description | Example     |
 | :---        |    :----   |          :---: |
-| ps.pid         | Process identifier generating the kernel event. Alias for `kevt.pid` | `ps.pid = 1024`   |
-| ps.ppid         | Parent process identifier of the process generating the kernel event | `ps.ppid = 25`   |
+| ps.pid         | Process identifier generating the event. Alias for `kevt.pid` | `ps.pid = 1024`   |
+| ps.ppid         | Parent process identifier of the process generating the event | `ps.ppid = 25`   |
 | ps.name         | Process (image) path name that generates an event | `ps.name = 'cmd.exe'`   |
 | ps.cmdline      | Process command line | `ps.cmdline contains '/E c:\\ads\\file.txt:regfile.reg'`   |
 | ps.exe          | Full name of the process' executable | `ps.exe = 'C:\\Windows\\system32\\cmd.exe'`   |
@@ -106,6 +106,20 @@ The following tables summarize available field names that can be used in filter
 | thread.access.status | Thread access status | `thread.access.status = 'Success'`   |
 
 
+### Callstack
+| Field Name  | Description | Example     |
+| :---        |    :----   |          :---: |
+| thread.callstack.summary     | Callstack summary showing involved modules | `thread.callstack.summary contains 'ntdll.dll\|KERNELBASE.dll'` |
+| thread.callstack.detail      | Detailed information of each stack frame | `thread.callstack.detail contains 'KERNELBASE.dll!CreateProcessW'` |
+| thread.callstack.modules     | List of modules comprising the callstack | `thread.callstack.modules in ('C:\WINDOWS\System32\KERNELBASE.dll')` |
+| thread.callstack.symbols     | List of symbols comprising the callstack | `thread.callstack.symbols in ('ntdll.dll!NtCreateProcess')` |
+| thread.callstack.allocation_sizes | Allocation sizes of private pages | `thread.callstack.allocation_sizes > 10000` |
+| thread.callstack.protections    | Page protections masks of each frame | `thread.callstack.protections in ('RWX', 'WX')'` |
+| thread.callstack.callsite_leading_assembly    | Callsite leading assembly instructions | `thread.callstack.callsite_leading_assembly in ('mov r10,rcx', 'syscall')` |
+| thread.callstack.callsite_trailing_assembly    | Callsite trailing assembly instructions | `thread.callstack.callsite_trailing_assembly in ('add esp, 0xab')` |
+| thread.callstack.is_unbacked    | Indicates if the callstack contains unbacked regions | `thread.callstack.is_unbacked` |
+
+
 ### Image
 | Field Name  | Description | Example     |
 | :---        |    :----   |          :---: |
@@ -121,7 +135,11 @@ The following tables summarize available field names that can be used in filter
 | image.cert.issuer  | Image certificate CA | `image.cert.issuer contains 'US, Washington, Redmond, Microsoft Windows Production PCA 2011`   |
 | image.cert.after  | Image certificate expiration date | `image.cert.after contains '2024-02-01 00:05:42 +0000 UTC'`   |
 | image.cert.before  | Image certificate enrollment date | `image.cert.before contains '2024-02-01 00:05:42 +0000 UTC'`   |
-
+| image.is_driver_malicious  | Indicates if the loaded driver is malicious | `image.is_driver_malicious`  |
+| image.is_driver_vulnerable | Indicates if the loaded driver is vulnerable | `image.is_driver_vulnerable` |
+| image.is_dll | Indicates if the loaded image is a DLL | `image.is_dll` |
+| image.is_driver | Indicates if the loaded image is a driver | `image.is_driver` |
+| image.is_exec | Indicates if the loaded image is an executable | `image.is_exec` |
 
 ### File
 | Field Name  | Description | Example     |
@@ -139,6 +157,12 @@ The following tables summarize available field names that can be used in filter
 | file.view.base | Base address of the mapped/unmapped section view | `file.view.base = '25d42170000'`   |
 | file.view.size | Size of the mapped/unmapped section view | `file.view.size > 1024`   |
 | file.view.type | Type of the mapped/unmapped section view | `file.view.type = 'IMAGE'`   |
+| file.view.protection | Protection rights of the section view | `file.view.protection = 'READONLY'` |
+| file.is_driver_malicious  | Indicates if the dropped driver is malicious | `file.is_driver_malicious`  |
+| file.is_driver_vulnerable | Indicates if the dropped driver is vulnerable | `file.is_driver_vulnerable` |
+| file.is_dll | Indicates if the created file is a DLL | `file.is_dll` |
+| file.is_driver | Indicates if the created file is a driver | `file.is_driver` |
+| file.is_exec | Indicates if the crated file is an executable | `file.is_exec` |
 
 
 ### Registry
@@ -164,6 +188,7 @@ The following tables summarize available field names that can be used in filter
 | net.dip.names | List of destination IP address domain names | `net.dip.names in ('github.com.')` |
 | net.sip.names | List of source IP address domain names | `net.sip.names in ('github.com.')` |
 
+
 ### Handle
 | Field Name  | Description | Example     |
 | :---        |    :----   |          :---: |
@@ -172,6 +197,7 @@ The following tables summarize available field names that can be used in filter
 | handle.name   | Handle name | `handle.name = '\\Device\\NamedPipe\\chrome.12644.28.105826381'`   |
 | handle.type   | Handle type | `handle.type = 'Mutant'`   |
 
+
 ### Memory
 | Field Name  | Description | Example     |
 | :---        |    :----   |          :---: |
@@ -226,3 +252,6 @@ The following tables summarize available field names that can be used in filter
 | pe.cert.issuer  | PE certificate CA | `pe.cert.issuer contains 'US, Washington, Redmond, Microsoft Windows Production PCA 2011'`   |
 | pe.cert.after  | PE certificate expiration date | `pe.cert.after contains '2024-02-01 00:05:42 +0000 UTC'`   |
 | pe.cert.before  | PE certificate enrollment date | `pe.cert.before contains '2024-02-01 00:05:42 +0000 UTC'`   |
+| pe.is_modified | Indicates if on-disk and in-memory PE headers differ | `pe.is_modified'`   |
+| pe.is_modified | Indicates if on-disk and in-memory PE headers differ | `pe.is_modified'`   |
+| pe.ps.child.file.name | Original file name of the child process executable supplied at compile-time | `pe.ps.child.file.name = 'NOTEPAD.EXE'` |