fibratus Changelog

What's new in fibratus 2.0.0

Sep 2, 2023
  • New features:
      • New VirtualAlloc and VirtualFree events
      • New MapViewFile and UnmapViewFile events and mapped-files state
      • New DuplicateHandle event
      • DNS telemetry via QueryDns and ReplyDns events
      • New RegCloseKey event
      • Image signature information exposed via parameters and the image.signature.type/image.signature.level filter fields
      • Image format parameters and filter fields
      • Decorate non-open disposition CreateFile events with image format parameters
      • Macros for detecting the loading of unsigned/untrusted modules
      • The ps.sid filter field contains the raw SID value, e.g. S-1-5-18
      • Parse and append the create_options parameter to CreateFile events
      • Certificate info and filter fields for LoadImage/UnloadImage events
      • Expand the pe filter field set and allow lazy value extraction
      • Support for expressions with bare boolean filter fields
  • Enhancements:
      • Significant core refactoring to aim for more sustainable codebase growth
      • Refactored many tests to embrace table-driven testing
      • Introduce a new set of parameter types such as flags, system status code, file path, address, etc.
      • Switch to the golang.org/x/sys/windows package for the vast majority of API calls and structures
      • Use the syscall generator to produce stubs for the API calls not available through golang.org/x/sys/windows
      • Bump golangci-lint linters to version 1.52.2
      • Event consumer tests to verify the correctness of captured events
      • Trace controller tests to verify real-world tracing session management
      • Harden the decoration of file path parameters for driver handle objects
      • Expand the size of the Ktype type to accommodate 2-byte event hook identifiers
      • Switch to the upstream saferwall/pe package for version resource parsing
      • Only allow a single instance of the Fibratus process to run at a time
  • Configuration changes:
      • Disable the initial handle snapshot to reduce overall memory utilization
      • Added RegCloseKey to the list of ignored events
      • Removed the System process image from the list of ignored processes
  • Deprecation:
      • Remove the kstream.raw-event-parsing config flag, as binary event parsing is now the default
      • Nuke TDH event parsing functionality
      • Sunset the Antimalware provider, as driver loading is now observable via LoadImage events
  • Bug fixes:
      • Resolution of success system codes should compare the range of information values
      • Use only the rule name in the filter field deprecation log message
      • Fixed hanging yara tests
  • Breaking changes:
      • Convert flags event parameters to uppercase strings
      • The sid parameter and the ps.sid filter field contain the raw SID value instead of the username/domain tuple
      • Command line parameters and filter fields contain the original, unexpanded command line
      • The major kcap file format version is increased in this version. As a side-effect, old capture files can no longer be replayed
      • The operation parameter of the CreateFile event is renamed to create_disposition
      • The share_mask parameter contains the full permission name, e.g. READ|WRITE|DELETE
      • The comm parameter of process events is renamed to cmdline

New in fibratus 1.10.0 (Apr 1, 2023)

  • New features:
      • Filter language grammar for sequence rules and decommissioning of sequence policy types
      • Bound fields and sequence aliases
      • File path manipulation filter functions
      • Registry query value filter function
      • yara filter function. This opens up new possibilities in terms of combining behavior-based and signature-based detections
      • New detection tradecraft focused on the credential access tactic. Specifically, the following rules were implemented:
          • Suspicious password filter DLL registered
          • Potential credentials dumping or exfiltration via malicious password filter DLL
          • Suspicious access to Windows DPAPI Master Keys
          • Unusual access to Web Browser Credential stores
          • LSASS memory dump preparation via SilentProcessExit
          • LSASS memory dump via Windows Error Reporting
          • Suspicious access to Active Directory domain database
          • Unusual access to SSH keys
          • Sensitive access to Unattended Panther files
      • Generic event parameter filter field. The kevt.arg filter field can extract any event parameter by its internal name. For example, kevt.arg[exe] extracts the process image executable path
      • Filter fields deprecation strategy. Use fibratus list fields to check the status of deprecated fields
      • process.uuid filter field as a more robust alternative to process id fields, resistant to pid reuse
  • Enhancements:
      • Optimization of filter accessors to retain only the accessors relevant to the declared filter fields
      • Sunsetting the standard library PE parser in favor of the saferwall/pe parser
  • Bug fixes:
      • in/iin operators should operate on LHS/RHS values of slice type
  • Breaking changes:
      • Sequence policy types are no longer supported and should be migrated to sequence rules

New in fibratus 1.8.0 (Nov 30, 2022)

  • New features:
      • Driver load events
      • Initial catalog of detection rules based on the MITRE ATT&CK framework
      • Macro expansion in rules
      • Beautiful HTML rule alert emails
      • Allow enabling/disabling the Audit API Calls and Antimalware Engine ETW providers
      • Enrich handle events with the driver image path for Driver object types
      • Add ps.sibling.args filter field
      • Field interpolation in alert title and text strings and the ability to use Markdown/HTML syntax
      • ~= operator for case-insensitive string comparisons in filters
      • is_minidump filter function for checking the signature of minidump files
  • Enhancements:
      • Go 1.19 upgrade and migration of deprecated functions
      • Bumped libyara to version 4.2
      • Bumped Golang CI Lint toolchain
      • Add content-type config flag for the email alert sender
      • Add labels and description attributes in rule groups
      • Loading rule files from paths with glob expressions
      • Optimize filter field accessors to prevent unnecessary traversing
      • Lazy evaluation of binary expressions for the and and or operators
      • Decommission type/category selector in include/exclude rule policies
      • Prevent executing rules in sequence policies if the incoming event is not eligible for evaluation
      • Avoid adding duplicate tuples in sequence policies internal state
      • Improve registry key formatting from native key names
      • Limit the number of handles per process and in the global handle snapshotter state
      • Speed up UTF-16 string decoding. Kudos to @skeeto
  • Bug fixes:
      • Sequence expiration slice out of bounds
      • Transition the sequence state machine when the rule in include produces a match
  • Breaking changes:
      • Rule policies with the selector attribute will fail to load. As a workaround, remove the selector attribute and include it as the first condition in the rule.

New in fibratus 1.6.0 (Sep 1, 2022)

  • New features:
      • Support for stateful runtime detections
      • File attributes/status parameters and filter fields
  • Enhancements:
      • Raw ETW event parsing and a number of optimizations yield 10x performance gains
      • Trace controller is refactored to facilitate the addition of new event sources
      • The not operator can negate complex paren expressions and functions
      • Beautify filter error reporting and make it compatible with multiline filter expressions
  • Bug fixes:
      • Rule group selector should support OpenProcess and OpenThread events
      • The cidr_contains function implementation should return a correct value if no subnets are matched
      • Paren expressions should be visited recursively
      • Process command line normalization wouldn't correctly complete missing command lines for system processes
      • Stack overflow when replaying captures with the process ancestor filters
  • Breaking changes:
      • File and handle object parameters are represented in decimal instead of hex format if --kstream.raw-event-parsing=true
      • Event exclusions by process name now require case-sensitive image names

New in fibratus 1.5.0 (Apr 29, 2022)

  • New features:
      • New OpenProcess and OpenThread events
      • Eventlog output
      • HTTP output
      • String filter functions
      • ps.sibling.*, ps.domain, and ps.username filter fields
  • Enhancements:
      • While introducing the new event types, a significant refactoring took place to streamline the addition of future event providers

New in fibratus 1.4.2 (Dec 26, 2021)

  • New features:
      • Ability to inject YARA rule matches as event metadata tags
  • Bug fixes:
      • Filament frame buffer rendering issues in the Windows Console terminal
      • Crashes due to a race condition when finalizing the capture process

New in fibratus 1.4.1 (Sep 18, 2021)

  • PE resource field aliases
  • Push matched rule tags into event metadata
  • Bump Go to 1.17 for up to 5% performance gains

New in fibratus 1.4.0 (Aug 24, 2021)

  • New features:
      • Support for rules
      • Fuzzy matching operators
      • Process ancestry filtering
      • Ability to pass arguments to filaments
  • Enhancements:
      • Add exe parameter to CreateThread events
      • Add thread.pid filter field for matching the target thread's process id
      • Case-insensitive variants of the in, startswith, and endswith operators
      • Upgrade Go toolchain to 1.16
  • Bug fixes:
      • Inform about bad string escapes in filter compile error messages
      • Fix retrieving the executable path for system processes

New in fibratus 1.2.0 (Apr 27, 2021)

  • NEW FEATURES:
      • Filament for identifying an executable or script file remotely downloaded via a TeamViewer transfer session
      • Reverse DNS lookups
      • Function support in filters and initial cidr_contains and md5 functions
      • dip.names and sip.names filter fields
      • Unary not operator in filters
      • matches and imatches string matching operators
      • Make the use of fields possible in both LHS/RHS filter expressions
      • CI pipeline for automated builds/releases
      • Code linting via golangci
      • Full and slim MSI-based Windows installers
  • ENHANCEMENTS:
      • Introduce a new file.extension filter field
      • Documentation website tweaking
      • Make all string operators evaluable against lists
      • Tests refactoring
      • Satisfy all code linters
      • Upgrade to the latest go-yara package
      • Improvements in the handle interceptor when publishing deferred CreateHandle events
      • Reduce the pressure on the TdhGetPropertySize API call for static parameter types
      • Prettify fibratus version output
      • Modularize and improve signal handling
  • BUG FIXES:
      • Circumvent data races in the kcap reader/writer
      • Prevent data races in the AMQP connection
      • The yara scanner should allocate a new scanner for each run
      • Fix the RecvUDPv4 event type GUID
      • The handle interceptor should return the CloseHandle event when entering the deferred map