
Releases: rabbitstack/fibratus

v2.3.0

09 Dec 12:32

Release Notes

New features

  • #3acb68b: Eventlog alert sender
  • #fb4eac8: Augment process events with process flags
  • #bfdceb7: Augment process state with creation flags
  • #2511296: Add process creation flags filter fields
  • #6957a63: Persist process creation flags to capture
  • #4d62566: Add image.is_dotnet filter field
  • #b600df7: Add teb parameter and thread.teb_address filter field
  • #67fffab: Add additional file filter fields
  • #c66f028: Revamped YARA scanner
  • #9d1aa6a: MSI code signing

New rules

  • #a158eca: AppDomain Manager injection via CLR search order hijacking
  • #be05bab: .NET assembly loaded by unmanaged process
  • #9219478: Potential injection via .NET debugging
  • #aef70db: Hidden local account creation
  • #227ace7: DLL loaded via a callback function
  • #40cfe0a: Process execution from a self-deleting binary
  • #48be943: Image load via NTFS transaction
  • #3cbc71f: DLL loaded via APC queue
  • #b664239: Hidden registry key creation
  • #cb070a1: Clear Eventlog

Enhancements

  • #747b5f2: Bump Go from 1.21 to 1.23
  • #53b5457: Bump saferwall/pe from 1.4.4 to 1.5.4
  • #cb89ca5: Bump www.velocidex.com/golang/go-ntfs to latest version
  • #2f33b81: Add alert identifier
  • #c161273: Route saferwall/pe log messages to logrus
  • #dd0a1a6: Surface missing labels in rules validation subcommand
  • #14ed9a2: Expose StringShort methods for process/event types
  • #7847552: Launch systray server manually
  • #c5c131c: Disable CLR metadata parsing

Refactoring

  • #1ef56d8: Rename entrypoint parameter and thread.entrypoint filter field to start_address and thread.start_address respectively
  • #b4fb489: Rename pe.ps.child.file.name filter field to ps.child.pe.file.name
  • #84f301d: Unify ETW event processing pipeline
  • #1cab108: Move template rendering to email sender
  • #015e7f0: Generate Eventlog message compiler input file
  • #2f66468: Create a common eventlog package

Bug fixes

  • #98dc366: Solidify environment variable parsing from PEB
  • #8d2f6de: Correct the usage of the not operator on bool fields
  • #095f0dc: Slice NTFS data buffer
  • #1c5bd11: Avoid parsing an empty PE byte buffer
  • #c78eb4b: Prevent loading malformed YAML configuration
  • #7ccfa70: Fix parsing of image file characteristics
  • #f7e8dc5: Skip reading hidden registry key value
  • #b69ade4: Release file only by file object
  • #a8dc8da: Panic redirection to logs

Breaking changes

  • YARA configuration settings were restructured as per commit leading to removal of some properties

v2.2.1

13 Sep 15:44

Release Notes

Enhancements

  • #60d965c: Bump github.com/sirupsen/logrus from 1.4.1 to 1.9.3
  • #f0b9a4f: Disable quoting for all values in the log messages
  • #f410e6a: Dump events in rule matches
  • #092923b: Show Fibratus version in logs
  • #7a25286: Improve Vulnerable or malicious driver dropped rule
  • #dee37b7: Introduce open_remote_thread rule macro
  • #ca70858: Reduce Potential SAM hive dumping false positives
  • #cdf7f5f: Reduce Unsigned DLL injection via remote thread false positives

Bug fixes

  • #3517665: Fix the path of the systray server binary
  • #f7608c5: Set systray server named pipe security descriptor
  • #dffe9b4: Disable alert senders in capture replay mode
  • #e9be320: Resolve indentation mess-up in Yara config and allow systray sender
  • #48c1dc5: Compose attachment text with alert title and text

v2.2.0

04 Sep 17:42
d16117f

Release Notes

New features

  • PE headers modification detection with pe.is_modified filter field
  • NTFS parser for reading file data via raw device access
  • New SetThreadContext event
  • Detection of vulnerable and malicious drivers via loldrivers dataset
  • Add the ability to control process handle table initialization
  • Rules validation CLI command and CI pipeline for automated rule validation
  • Rules listing CLI command
  • Kernel stack enrichment of process, file, thread, registry, and DLL events
  • Callstack filter fields
  • Introduce min-engine-version attribute in detection rules
  • Overhauled detection rule design and rule engine performance improvements
  • Permit disabling the rule engine via configuration flag
  • New Systray alert sender
  • Allow starting Fibratus in event forwarding mode
  • Rule template creation via CLI

New rules

  • Unusual file written or modified in Startup folder
  • Unusual process modified the registry run key
  • Network connection via startup folder executable or script
  • Suspicious persistence via registry modification
  • Suspicious Startup shell folder modification
  • Script interpreter host or untrusted process persistence
  • Suspicious Office template created
  • Potential Process Doppelganging
  • Vulnerable or malicious driver dropped
  • Vulnerable or malicious driver loaded
  • Potential process hollowing
  • Suspicious DLL loaded by LSASS
  • Process spawned via remote thread
  • Potential thread execution hijacking
  • Process injection via section mapping
  • DLL Side-Loading via a copied binary
  • Executable file creation from a macro-enabled Microsoft Office document
  • RID hijacking
  • Process spawned from macro-enabled Microsoft Office document
  • Thread context set from unbacked memory
  • Macro execution via script interpreters
  • Suspicious Microsoft Office embedded object
  • Unsigned DLL injection via remote thread
  • Suspicious port monitor loaded
  • Potential privilege escalation via phantom DLL hijacking
  • Remote thread creation into LSASS rule

Enhancements

  • Move registry persistence and startup shell folder key names to macro lists for improved readability
  • Lift configuration file obligation and rely on default values
  • Initialize default rules paths
  • Establish the textual format as a default logger formatting output
  • Improve inbound/outbound network rule macros
  • Bump Go toolchain version to 1.21.x
  • Bump golang.org/x/net package to 0.17.0
  • Upgrade deprecated Github workflow actions
  • More efficient event exclusion with event masks
  • Dynamic event enablement by inspecting the loaded rule set
  • Introduce system providers support to run specific providers in separate tracing sessions
  • Improve System Binary Proxy Execution via Rundll32 rule
  • Improve Regsvr32 scriptlet execution rule
  • Garbage-collect partials from rule indices
  • Migrate MSI package building to Wix 5.0.0
  • Upgrade deprecated actions in GHA workflows

Refactoring

  • Sunset hex parameter types in favor of a new Address type
  • Revamp trace controller and consumer infrastructure

Bug fixes

  • Add missing flag/enum parameter values in the kcap parameter constructor
  • Harden command line parsing and exe enrichment
  • Empty capture file and replay crashes
  • Revisit partial key computation

Breaking changes

  • Detection rules layout has changed from group-based to individual files. This will be the final and definitive rule description format. As a consequence, certain attributes have changed while other mandatory attributes were added. All old rules must be migrated to the new format.

v2.0.0

01 Sep 17:59
2268bda

Release Notes

New features

  • New VirtualAlloc and VirtualFree events
  • New MapViewFile and UnmapViewFile events and mapped-files state
  • New DuplicateHandle event
  • DNS telemetry via QueryDns and ReplyDns events
  • New RegCloseKey event
  • Image signature information exposed via parameters and image.signature.type/image.signature.level filter fields
  • Image format parameters and filter fields
  • Decorate non-open disposition CreateFile events with image format parameters
  • Macros for detecting loading of unsigned/untrusted modules
  • ps.sid filter field contains the raw SID value, e.g. S-1-5-18
  • Parse and append create_options parameter to CreateFile events
  • Certificate info and filter fields for LoadImage/UnloadImage events
  • Expand the pe filter field set and allow lazy value extraction
  • Support for expressions with bare boolean filter fields

Enhancements

  • Significant core refactoring to enable more sustainable codebase growth
  • Refactored many tests to embrace table-driven testing
  • Introduce a new set of parameter types such as flags, system status code, file path, address, etc.
  • Switch to golang.org/sys/windows package for the vast majority of API calls and structures
  • Use the syscall generator to produce stubs for the API calls not available through golang.org/sys/windows
  • Bump golangci-lint linters to version 1.52.2
  • Event consumer tests to verify the correctness of captured events
  • Trace controller tests to verify real-world tracing session management
  • Harden driver handle objects decoration of the file path parameters
  • Expand the size of the Ktype type to accommodate 2-byte event hook identifiers
  • Switch to the upstream saferwall/pe package for version resource parsing
  • Only allow a single instance of the Fibratus process to be run simultaneously

Configuration changes

  • Disable initial handle snapshot to reduce overall memory utilization
  • Added RegCloseKey to the list of ignored events
  • Removed the System process image from the list of ignored processes

Deprecation

  • Remove kstream.raw-event-parsing config flag as binary event parsing is the default option now
  • Nuke TDH event parsing functionality
  • Sunset Antimalware provider as we can tap into driver loading events via LoadImage events

Bug fixes

  • Resolution of success system codes should compare the range of information values
  • Use only the rule name in the filter field deprecation log message
  • Solved yara tests hanging issues

Breaking changes

  • Convert flags event parameters to uppercase strings
  • The sid parameter and the ps.sid filter fields contain the raw SID value instead of the username/domain tuple
  • Command line parameters and filter fields contain the original, unexpanded command line
  • The major kcap file format version is increased in this version. The side-effect is the inability to replay old capture files
  • operation parameter name in the CreateFile event is renamed to create_disposition
  • share_mask parameter contains the full permission name, e.g. READ|WRITE|DELETE
  • comm parameter name in process events is renamed to cmdline

v1.10.0

31 Mar 21:57
6ff3913

Release Notes

New features

  • filter language grammar for sequence rules and decommission of sequence policy types
  • bound fields and sequence aliases
  • file path manipulation filter functions
  • registry query value filter function
  • yara filter function. This opens up new possibilities in terms of combining behavior and signature-based detections
  • new detection tradecraft focused on credentials access tactic. Specifically, the following rules were implemented:
    • Suspicious password filter DLL registered
    • Potential credentials dumping or exfiltration via malicious password filter DLL
    • Suspicious access to Windows DPAPI Master Keys
    • Unusual access to Web Browser Credential stores
    • LSASS memory dump preparation via SilentProcessExit
    • LSASS memory dump via Windows Error Reporting
    • Suspicious access to Active Directory domain database
    • Unusual access to SSH keys
    • Sensitive access to Unattended Panther files
  • generic event parameter filter field. The kevt.arg filter field is able to extract any event parameter by its internal name. For example, kevt.arg[exe] would extract the process image executable path
  • filter fields deprecation strategy. Use fibratus list fields to check deprecated fields status
  • process.uuid filter field as a more robust alternative to process id fields, resistant to process id repetition

Enhancements

  • optimization of filter accessors to retain only accessors that are relevant to declared filter fields
  • sunsetting standard library PE parser in favor of saferwall/pe parser

Bug fixes

  • in/iin operators should operate on LHS/RHS values of slice type

Breaking changes

  • sequence policy types are no longer supported and should be migrated to sequence rules

v1.8.0

30 Nov 15:55
286afff

Release Notes

New features

  • driver load events
  • initial catalog of detection rules based on the MITRE ATT&CK framework
  • macro expansion in rules
  • beautiful HTML rule alert emails
  • allow enabling/disabling Audit API Calls and Antimalware Engine ETW providers
  • enrich handle events with driver image path for Driver object types
  • add ps.sibling.args filter field
  • field interpolation in alert title and text strings and the ability to use Markdown/HTML syntax
  • ~= operator for case-insensitive string comparisons in filters
  • is_minidump filter function for checking the signature of minidump files

Enhancements

  • Go 1.19 upgrade and migration of deprecated functions
  • bumped libyara to version 4.2
  • bumped Golang CI Lint toolchain
  • add content-type config flag for email alert sender
  • add labels and description attributes in rule groups
  • loading rule files from paths with glob expressions
  • optimize filter field accessors to prevent unnecessary traversing
  • lazy evaluation of binary expressions for the and and or operators
  • decommission type/category selector in include/exclude rule policies
  • prevent executing rules in sequence policies if the incoming event is not eligible for evaluation
  • avoid adding duplicate tuples in sequence policies internal state
  • improve registry key formatting from native key names
  • limit the number of handles per proc and per global handle snapshotter state
  • speed up UTF-16 string decoding. Kudos to @skeeto

Bug fixes

  • sequence expiration slice out of bounds
  • transition sequence state machine when the rule in include produces a match

Breaking changes

  • rule policies with the selector attribute will fail to load. As a workaround, remove the selector attribute and include it as a first condition in the rule.

v1.6.0

31 Aug 17:51
92ae744

Release Notes

New features

  • support for stateful runtime detections
  • file attributes/status parameters and field filters

Enhancements

  • raw ETW event parsing and a number of optimizations yield 10x performance gains
  • trace controller is refactored to facilitate the addition of new event sources
  • not operator can negate complex paren expressions and functions
  • beautify filter error reporting and make it compatible with multiline filter expressions

Bug fixes

  • rule group selector should support OpenProcess and OpenThread events
  • cidr_contains function implementation should return a correct value if no subnets are matched
  • paren expression should be visited recursively
  • process command line normalization wouldn't correctly complete missing command lines for system processes
  • stack overflow when replaying captures with the process ancestor filters

Breaking changes

  • file and handle object parameters are represented in decimal instead of hex format if --kstream.raw-event-parsing=true
  • event exclusions by process name now require case-sensitive image names

v1.5.0

29 Apr 13:59
3fd25bf

Release Notes

New features

Enhancements

  • while introducing new event types, a significant refactoring took place to streamline the adoption of future event providers

v1.4.2

25 Dec 20:59
2fd5fd5

Release Notes

New features

  • ability to inject YARA rule matches as event metadata tags

Bug fixes

  • filament frame buffer rendering issues in Windows Console terminal
  • crashes due to race condition when finalizing the capture process

v1.4.1

18 Sep 10:56
cf1c419

Release Notes

Enhancements

  • PE resource field aliases
  • push matched rule tags into event metadata
  • bump Go to 1.17 for up to 5% performance gains