What's new in fibratus 2.0.0 (Sep 2, 2023)
- New features:
  - New VirtualAlloc and VirtualFree events
  - New MapViewFile and UnmapViewFile events and mapped-files state
  - New DuplicateHandle event
  - DNS telemetry via QueryDns and ReplyDns events
  - New RegCloseKey event
  - Image signature information exposed via parameters and the image.signature.type/image.signature.level filter fields
  - Image format parameters and filter fields
  - Decorate non-open disposition CreateFile events with image format parameters
  - Macros for detecting the loading of unsigned/untrusted modules
  - The ps.sid filter field contains the raw SID value, e.g. S-1-5-18
  - Parse and append the create_options parameter to CreateFile events
  - Certificate info and filter fields for LoadImage/UnloadImage events
  - Expand the pe filter field set and allow lazy value extraction
  - Support for expressions with bare boolean filter fields
- Enhancements:
  - Significant core refactoring to aim for more sustainable codebase growth
  - Refactored many tests to embrace table-driven testing
  - Introduce a new set of parameter types such as flags, system status code, file path, address, etc.
  - Switch to the golang.org/sys/windows package for the vast majority of API calls and structures
  - Use the syscall generator to produce stubs for the API calls not available through golang.org/sys/windows
  - Bump golangci-lint linters to version 1.52.2
  - Event consumer tests to verify the correctness of captured events
  - Trace controller tests to verify real-world tracing session management
  - Harden the decoration of file path parameters for driver handle objects
  - Expand the size of the Ktype type to accommodate 2-byte event hook identifiers
  - Switch to the upstream saferwall/pe package for version resource parsing
  - Only allow a single instance of the Fibratus process to run at a time
- Configuration changes:
  - Disable the initial handle snapshot to reduce overall memory utilization
  - Added RegCloseKey to the list of ignored events
  - Removed the System process image from the list of ignored processes
- Deprecation:
  - Remove the kstream.raw-event-parsing config flag, as binary event parsing is now the default option
  - Nuke TDH event parsing functionality
  - Sunset the Antimalware provider, as we can tap into driver loading events via LoadImage events
- Bug fixes:
  - Resolution of success system codes should compare the range of information values
  - Use only the rule name in the filter field deprecation log message
  - Solved yara tests hanging issues
- Breaking changes:
  - Convert flags event parameters to uppercase strings
  - The sid parameter and the ps.sid filter field contain the raw SID value instead of the username/domain tuple
  - Command line parameters and filter fields contain the original, unexpanded command line
  - The major kcap file format version is bumped in this release; as a side effect, old capture files can no longer be replayed
  - The operation parameter in the CreateFile event is renamed to create_disposition
  - The share_mask parameter contains the full permission name, e.g. READ|WRITE|DELETE
  - The comm parameter in process events is renamed to cmdline
New in fibratus 1.10.0 (Apr 1, 2023)
- New features:
  - filter language grammar for sequence rules, and decommissioning of sequence policy types
  - bound fields and sequence aliases
  - file path manipulation filter functions
  - registry query value filter function
  - yara filter function. This opens up new possibilities in terms of combining behavior- and signature-based detections
  - new detection tradecraft focused on the credential access tactic. Specifically, the following rules were implemented:
    - Suspicious password filter DLL registered
    - Potential credentials dumping or exfiltration via malicious password filter DLL
    - Suspicious access to Windows DPAPI Master Keys
    - Unusual access to Web Browser Credential stores
    - LSASS memory dump preparation via SilentProcessExit
    - LSASS memory dump via Windows Error Reporting
    - Suspicious access to Active Directory domain database
    - Unusual access to SSH keys
    - Sensitive access to Unattended Panther files
  - generic event parameter filter field. The kevt.arg filter field is able to extract any event parameter by its internal name. For example, kevt.arg[exe] would extract the process image executable path
  - filter field deprecation strategy. Use fibratus list fields to check the status of deprecated fields
  - process.uuid filter field as a more robust alternative to process id fields, as it is resistant to process id reuse
- Enhancements:
  - optimization of filter accessors to retain only accessors which are relevant to the declared filter fields
  - sunsetting the standard library PE parser in favor of the saferwall/pe parser
- Bug fixes:
  - in/iin operators should operate on LHS/RHS values of slice type
- Breaking changes:
  - sequence policy types are no longer supported and should be migrated to sequence rules
New in fibratus 1.8.0 (Nov 30, 2022)
- New features:
  - Driver load events
  - Initial catalog of detection rules based on the MITRE ATT&CK framework
  - Macro expansion in rules
  - Beautiful HTML rule alert emails
  - Allow enabling/disabling the Audit API Calls and Antimalware Engine ETW providers
  - Enrich handle events with the driver image path for Driver object types
  - Add the ps.sibling.args filter field
  - Field interpolation in alert title and text strings and the ability to use Markdown/HTML syntax
  - ~= operator for case-insensitive string comparisons in filters
  - is_minidump filter function for checking the signature of minidump files
- Enhancements:
  - Go 1.19 upgrade and migration of deprecated functions
  - Bumped libyara to version 4.2
  - Bumped the Golang CI Lint toolchain
  - Add the content-type config flag for the email alert sender
  - Add labels and description attributes in rule groups
  - Loading rule files from paths with glob expressions
  - Optimize filter field accessors to prevent unnecessary traversing
  - Lazy evaluation of binary expressions for the and and or operators
  - Decommission the type/category selector in include/exclude rule policies
  - Prevent executing rules in sequence policies if the incoming event is not eligible for evaluation
  - Avoid adding duplicate tuples to the sequence policies' internal state
  - Improve registry key formatting from native key names
  - Limit the number of handles per process and in the global handle snapshotter state
  - Speed up UTF-16 string decoding. Kudos to @skeeto
- Bug fixes:
  - Sequence expiration slice out of bounds
  - Transition the sequence state machine when the rule in the include policy produces a match
- Breaking changes:
  - Rule policies with the selector attribute will fail to load. As a workaround, remove the selector attribute and include it as the first condition in the rule.
New in fibratus 1.6.0 (Sep 1, 2022)
- New features:
  - Support for stateful runtime detections
  - File attributes/status parameters and filter fields
- Enhancements:
  - Raw ETW event parsing and a number of optimizations deliver 10x performance gains
  - The trace controller is refactored to facilitate the addition of new event sources
  - The not operator can negate complex paren expressions and functions
  - Beautify filter error reporting and make it compatible with multiline filter expressions
- Bug fixes:
  - Rule group selector should support OpenProcess and OpenThread events
  - The cidr_contains function implementation should return a correct value if no subnets are matched
  - Paren expressions should be visited recursively
  - Process command line normalization wouldn't correctly complete missing command lines for system processes
  - Stack overflow when replaying captures with the process ancestor filters
- Breaking changes:
  - File and handle object parameters are represented in decimal instead of hex format if --kstream.raw-event-parsing=true
  - Event exclusions by process name now require case-sensitive image names
New in fibratus 1.5.0 (Apr 29, 2022)
- New features:
  - new OpenProcess and OpenThread events
  - eventlog output
  - HTTP output
  - string filter functions
  - ps.sibling.*, ps.domain, and ps.username filter fields
- Enhancements:
  - while introducing new event types, a significant refactoring took place to streamline the addition of future event providers
New in fibratus 1.4.2 (Dec 26, 2021)
- New features:
  - ability to inject YARA rule matches as event metadata tags
- Bug fixes:
  - filament frame buffer rendering issues in the Windows Console terminal
  - crashes due to a race condition when finalizing the capture process
New in fibratus 1.4.1 (Sep 18, 2021)
- PE resource field aliases
- Push matched rule tags into event metadata
- Bump Go to 1.17 for up to 5% performance gains
New in fibratus 1.4.0 (Aug 24, 2021)
- New features:
  - Support for rules
  - Fuzzy matching operators
  - Process ancestry filtering
  - Ability to pass arguments to filaments
- Enhancements:
  - Add the exe parameter to CreateThread events
  - Add the thread.pid filter field for matching the target thread's process id
  - Case-insensitive variants of the in, startswith, and endswith operators
  - Upgrade the Go toolchain to 1.16
- Bug fixes:
  - Inform about bad string escapes in filter compile error messages
  - Fix retrieving the executable path for system processes
New in fibratus 1.2.0 (Apr 27, 2021)
- New features:
  - filament for identifying an executable or script file remotely downloaded via a TeamViewer transfer session
  - reverse DNS lookups
  - function support in filters and initial cidr_contains and md5 functions
  - dip.names and sip.names filter fields
  - unary not operator in filters
  - matches and imatches string matching operators
  - make the use of fields possible in both LHS/RHS filter expressions
  - CI pipeline for automated builds/releases
  - code linting via golangci
  - full and slim MSI-based Windows installers
- Enhancements:
  - introduce a new file.extension filter field
  - documentation website tweaking
  - make all string operators evaluable against lists
  - tests refactoring
  - satisfy all code linters
  - upgrade to the latest go-yara package
  - improvements in the handle interceptor when publishing deferred CreateHandle events
  - reduce the pressure on the TdhGetPropertySize API call for static parameter types
  - prettify fibratus version output
  - modularize and improve signal handling
- Bug fixes:
  - circumvent data races in the kcap reader/writer
  - prevent data races in the AMQP connection
  - the yara scanner should allocate a new scanner for each run
  - fix the RecvUDPv4 event type GUID
  - the handle interceptor should return the CloseHandle event when entering the deferred map