Releases: rabbitstack/fibratus
v2.3.0
Release Notes
New features
- #3acb68b: Eventlog alert sender
- #fb4eac8: Augment process events with process flags
- #bfdceb7: Augment process state with creation flags
- #2511296: Add process creation flags filter fields
- #6957a63: Persist process creation flags to capture
- #4d62566: Add `image.is_dotnet` filter field
- #b600df7: Add `teb` parameter and `thread.teb_address` filter field
- #67fffab: Add additional file filter fields
- #c66f028: Revamped YARA scanner
- #9d1aa6a: MSI code signing
New rules
- #a158eca: AppDomain Manager injection via CLR search order hijacking
- #be05bab: .NET assembly loaded by unmanaged process
- #9219478: Potential injection via .NET debugging
- #aef70db: Hidden local account creation
- #227ace7: DLL loaded via a callback function
- #40cfe0a: Process execution from a self-deleting binary
- #48be943: Image load via NTFS transaction
- #3cbc71f: DLL loaded via APC queue
- #b664239: Hidden registry key creation
- #cb070a1: Clear Eventlog
Enhancements
- #747b5f2: Bump `Go` from 1.21 to 1.23
- #53b5457: Bump `saferwall/pe` from 1.4.4 to 1.5.4
- #cb89ca5: Bump `www.velocidex.com/golang/go-ntfs` to latest version
- #2f33b81: Add alert identifier
- #c161273: Route `saferwall/pe` log messages to `logrus`
- #dd0a1a6: Surface missing labels in rules validation subcommand
- #14ed9a2: Expose `StringShort` methods for process/event types
- #7847552: Launch systray server manually
- #c5c131c: Disable CLR metadata parsing
Refactoring
- #1ef56d8: Rename `entrypoint` parameter and `thread.entrypoint` filter field to `start_address` and `thread.start_address` respectively
- #b4fb489: Rename `pe.ps.child.file.name` filter field to `ps.child.pe.file.name`
- #84f301d: Unify ETW event processing pipeline
- #1cab108: Move template rendering to email sender
- #015e7f0: Generate Eventlog message compiler input file
- #2f66468: Create a common eventlog package
Bug fixes
- #98dc366: Solidify environment variable parsing from PEB
- #8d2f6de: Correct the usage of the `not` operator on bool fields
- #095f0dc: Slice NTFS data buffer
- #1c5bd11: Avoid parsing an empty PE byte buffer
- #c78eb4b: Prevent loading malformed YAML configuration
- #7ccfa70: Fix parsing of image file characteristics
- #f7e8dc5: Skip reading hidden registry key value
- #b69ade4: Release file only by file object
- #a8dc8da: Panic redirection to logs
Breaking changes
- YARA configuration settings were restructured as per commit leading to removal of some properties
v2.2.1
Release Notes
Enhancements
- #60d965c: Bump `github.com/sirupsen/logrus` from 1.4.1 to 1.9.3
- #f0b9a4f: Disable quoting for all values in the log messages
- #f410e6a: Dump events in rule matches
- #092923b: Show Fibratus version in logs
- #7a25286: Improve `Vulnerable or malicious driver dropped` rule
- #dee37b7: Introduce `open_remote_thread` rule macro
- #ca70858: Reduce `Potential SAM hive dumping` false positives
- #cdf7f5f: Reduce `Unsigned DLL injection via remote thread` false positives
Bug fixes
- #3517665: Fix the path of the systray server binary
- #f7608c5: Set systray server named pipe security descriptor
- #dffe9b4: Disable alert senders in capture replay mode
- #e9be320: Resolve indentation mess-up in Yara config and allow systray sender
- #48c1dc5: Compose attachment text with alert title and text
v2.2.0
Release Notes
New features
- PE headers modification detection with `pe.is_modified` filter field
- NTFS parser for reading file data via raw device access
- New `SetThreadContext` event
- Detection of vulnerable and malicious drivers via loldrivers dataset
- Add the ability to control process handle table initialization
- Rules validation CLI command and CI pipeline for automated rule validation
- Rules listing CLI command
- Kernel stack enrichment of process, file, thread, registry, and DLL events
- Callstack filter fields
- Introduce `min-engine-version` attribute in detection rules
- Overhauled detection rule design and rule engine performance improvements
- Permit disabling the rule engine via configuration flag
- New `Systray` alert sender
- Allow starting Fibratus in event forwarding mode
- Rule template creation via CLI
New rules
- Unusual file written or modified in Startup folder
- Unusual process modified the registry run key
- Network connection via startup folder executable or script
- Suspicious persistence via registry modification
- Suspicious Startup shell folder modification
- Script interpreter host or untrusted process persistence
- Suspicious Office template created
- Potential Process Doppelganging
- Vulnerable or malicious driver dropped
- Vulnerable or malicious driver loaded
- Potential process hollowing
- Suspicious DLL loaded by LSASS
- Process spawned via remote thread
- Potential thread execution hijacking
- Process injection via section mapping
- DLL Side-Loading via a copied binary
- Executable file creation from a macro-enabled Microsoft Office document
- RID hijacking
- Process spawned from macro-enabled Microsoft Office document
- Thread context set from unbacked memory
- Macro execution via script interpreters
- Suspicious Microsoft Office embedded object
- Unsigned DLL injection via remote thread
- Suspicious port monitor loaded
- Potential privilege escalation via phantom DLL hijacking
- Remote thread creation into LSASS rule
Enhancements
- Move registry persistence and startup shell folder key names to macro lists for improved readability
- Lift configuration file obligation and rely on default values
- Initialize default rules paths
- Establish the textual format as a default logger formatting output
- Improve inbound/outbound network rule macros
- Bump `Go` toolchain version to 1.21.x
- Bump `golang.org/x/net` package to 0.17.0
- Upgrade deprecated Github workflow actions
- More efficient event exclusion with event masks
- Dynamic event enablement by inspecting the loaded rule set
- Introduce system providers support to run specific providers in separate tracing sessions
- Improve `System Binary Proxy Execution via Rundll32` rule
- Improve `Regsvr32 scriptlet execution` rule
- Garbage-collect partials from rule indices
- Migrate MSI package building to `Wix` 5.0.0
- Upgrade deprecated actions in GHA workflows
Refactoring
- Sunset hex parameter types in favor of a new `Address` type
- Revamp trace controller and consumer infrastructure
Bug fixes
- Add missing flag/enum parameter values in the `kcap` parameter constructor
- Harden command line parsing and exe enrichment
- Empty capture file and replay crashes
- Revisit partial key computation
Breaking changes
- Detection rules layout has changed from group-based to individual files. This will be the final and definitive rule description format. As a consequence, certain attributes have changed while other mandatory attributes were added. All old rules must be migrated to the new format.
v2.0.0
Release Notes
New features
- New `VirtualAlloc` and `VirtualFree` events
- New `MapViewFile` and `UnmapViewFile` events and mapped-files state
- New `DuplicateHandle` event
- DNS telemetry via `QueryDns` and `ReplyDns` events
- New `RegCloseKey` event
- Image signature information exposed via parameters and `image.signature.type`/`image.signature.level` filter fields
- Image format parameters and filter fields
- Decorate non-open disposition `CreateFile` events with image format parameters
- Macros for detecting loading of unsigned/untrusted modules
- `ps.sid` filter field contains the raw SID value, e.g. `S-1-5-18`
- Parse and append `create_options` parameter to `CreateFile` events
- Certificate info and filter fields for `LoadImage`/`UnloadImage` events
- Expand `pe` filter field set and allow lazy value extraction
- Support for expressions with bare boolean filter fields
Enhancements
- Significant core refactoring to aim for a more sustainable codebase growth
- Refactored many tests to embrace table-driven testing
- Introduce a new set of parameter types such as flags, system status code, file path, address, etc.
- Switch to `golang.org/sys/windows` package for the vast majority of API calls and structures
- Use the syscall generator to produce stubs for the API calls not available through `golang.org/sys/windows`
- Bump `golangci-lint` linters to version 1.52.2
- Event consumer tests to verify the correctness of captured events
- Trace controller tests to verify real-world tracing session management
- Harden driver handle objects decoration of the file path parameters
- Expand the size of the `Ktype` type to accommodate 2-byte event hook identifiers
- Switch to the upstream `saferwall/pe` package for version resource parsing
- Only allow a single instance of the Fibratus process to be run simultaneously
Configuration changes
- Disable initial handle snapshot to reduce overall memory utilization
- Added `RegCloseKey` to the list of ignored events
- Removed the `System` process image from the list of ignored processes
Deprecation
- Remove `kstream.raw-event-parsing` config flag as binary event parsing is the default option now
- Nuke TDH event parsing functionality
- Sunset Antimalware provider as we can tap into driver loading events via `LoadImage` events
Bug fixes
- Resolution of success system codes should compare the range of information values
- Use only the rule name in the filter field deprecation log message
- Solved `yara` tests hanging issues
Breaking changes
- Convert flags event parameters to uppercase strings
- The `sid` parameter and the `ps.sid` filter fields contain the raw SID value instead of the username/domain tuple
- Command line parameters and filter fields contain the original, unexpanded command line
- The major kcap file format version is increased in this version. The side-effect is the inability to replay old capture files
- `operation` parameter name in the `CreateFile` event is renamed to `create_disposition`
- `share_mask` parameter contains the full permission name, e.g. `READ|WRITE|DELETE`
- `comm` parameter name in process events is renamed to `cmdline`
v1.10.0
Release Notes
New features
- filter language grammar for sequence rules and decommission of sequence policy types
- bound fields and sequence aliases
- file path manipulation filter functions
- registry query value filter function
- `yara` filter function. This opens up new possibilities in terms of combining behavior and signature-based detections
- new detection tradecraft focused on credentials access tactic. Specifically, the following rules were implemented:
  - Suspicious password filter DLL registered
  - Potential credentials dumping or exfiltration via malicious password filter DLL
  - Suspicious access to Windows DPAPI Master Keys
  - Unusual access to Web Browser Credential stores
  - LSASS memory dump preparation via SilentProcessExit
  - LSASS memory dump via Windows Error Reporting
  - Suspicious access to Active Directory domain database
  - Unusual access to SSH keys
  - Sensitive access to Unattended Panther files
- generic event parameter filter field. The `kevt.arg` filter field is able to extract any event parameter by its internal name. For example, `kevt.arg[exe]` would extract the process image executable path
- filter fields deprecation strategy. Use `fibratus list fields` to check deprecated fields status
- `process.uuid` filter field as a more robust alternative to process id fields that is resistant to repetition
Enhancements
- optimization of filter accessors to retain only accessors that are relevant to declared filter fields
- sunsetting standard library PE parser in favor of saferwall/pe parser
Bug fixes
- `in`/`iin` operators should operate on LHS/RHS values of slice type
Breaking changes
- sequence policy types are no longer supported and should be migrated to sequence rules
v1.8.0
Release Notes
New features
- driver load events
- initial catalog of detection rules based on the MITRE ATT&CK framework
- macro expansion in rules
- beautiful HTML rule alert emails
- allow enabling/disabling Audit API Calls and Antimalware Engine ETW providers
- enrich handle events with driver image path for `Driver` object types
- add `ps.sibling.args` filter field
- field interpolation in alert title and text strings and the ability to use Markdown/HTML syntax
- `~=` operator for case-insensitive string comparisons in filters
- `is_minidump` filter function for checking the signature of `minidump` files
Enhancements
- Go 1.19 upgrade and migration of deprecated functions
- bumped `libyara` to version 4.2
- bumped Golang CI Lint toolchain
- add `content-type` config flag for email alert sender
- add `labels` and `description` attributes in rule groups
- loading rule files from paths with glob expressions
- optimize filter field accessors to prevent unnecessary traversing
- lazy evaluation of binary expressions for `and` and `or` operators
- decommission type/category selector in `include`/`exclude` rule policies
- prevent executing rules in sequence policies if the incoming event is not eligible for evaluation
- avoid adding duplicate tuples in sequence policies internal state
- improve registry key formatting from native key names
- limit the number of handles per proc and per global handle snapshotter state
- speed up UTF-16 string decoding. Kudos to @skeeto
Bug fixes
- sequence expiration slice out of bounds
- transition sequence state machine when the rule in `include` produces a match
Breaking changes
- rule policies with the `selector` attribute will fail to load. As a workaround, remove the selector attribute and include it as a first condition in the rule.
v1.6.0
Release Notes
New features
- support for stateful runtime detections
- file attributes/status parameters and field filters
Enhancements
- raw ETW event parsing and a number of optimizations leverage 10x performance gains
- trace controller is refactored to facilitate the addition of new event sources
- `not` operator can negate complex paren expressions and functions
- beautify filter error reporting and make it compatible with multiline filter expressions
Bug fixes
- rule group selector should support `OpenProcess` and `OpenThread` events
- `cidr_contains` function implementation should return a correct value if no subnets are matched
- paren expression should be visited recursively
- process command line normalization wouldn't correctly complete missing command lines for system processes
- stack overflow when replaying captures with the process ancestor filters
Breaking changes
- file and handle object parameters are represented in decimal instead of hex format if `--kstream.raw-event-parsing=true`
- event exclusions by process name now require case-sensitive image names
v1.5.0
Release Notes
New features
- new `OpenProcess` and `OpenThread` events
- eventlog output
- HTTP output
- string filter functions
- `ps.sibling.*`, `ps.domain`, and `ps.username` filter fields
Enhancements
- while introducing new event types, a significant refactoring took place to streamline the adoption of future event providers