Releases: rabbitstack/fibratus

v2.2.1

13 Sep 15:44

Release Notes

Enhancements

  • #60d965c: Bump github.com/sirupsen/logrus from 1.4.1 to 1.9.3
  • #f0b9a4f: Disables quoting for all values in the log messages
  • #f410e6a: Dump events in rule matches
  • #092923b: Show Fibratus version in logs
  • #7a25286: Improve Vulnerable or malicious driver dropped rule
  • #dee37b7: Introduce open_remote_thread rule macro
  • #ca70858: Reduce Potential SAM hive dumping false positives
  • #cdf7f5f: Reduce Unsigned DLL injection via remote thread false positives

Bug fixes

  • #3517665: Fix the path of the systray server binary
  • #f7608c5: Set systray server named pipe security descriptor
  • #dffe9b4: Disable alert senders in capture replay mode
  • #e9be320: Resolve indentation mess-up in Yara config and allow systray sender
  • #48c1dc5: Compose attachment text with alert title and text

v2.2.0

04 Sep 17:42
d16117f

Release Notes

New features

  • PE headers modification detection with pe.is_modified filter field
  • NTFS parser for reading file data via raw device access
  • New SetThreadContext event
  • Detection of vulnerable and malicious drivers via loldrivers dataset
  • Add the ability to control process handle table initialization
  • Rules validation CLI command and CI pipeline for automated rule validation
  • Rules listing CLI command
  • Kernel stack enrichment of process, file, thread, registry, and DLL events
  • Callstack filter fields
  • Introduce min-engine-version attribute in detection rules
  • Overhauled detection rule design and rule engine performance improvements
  • Permit disabling the rule engine via configuration flag
  • New Systray alert sender
  • Allow starting Fibratus in event forwarding mode
  • Rule template creation via CLI

New rules

  • Unusual file written or modified in Startup folder
  • Unusual process modified the registry run key
  • Network connection via startup folder executable or script
  • Suspicious persistence via registry modification
  • Suspicious Startup shell folder modification
  • Script interpreter host or untrusted process persistence
  • Suspicious Office template created
  • Potential Process Doppelganging
  • Vulnerable or malicious driver dropped
  • Vulnerable or malicious driver loaded
  • Potential process hollowing
  • Suspicious DLL loaded by LSASS
  • Process spawned via remote thread
  • Potential thread execution hijacking
  • Process injection via section mapping
  • DLL Side-Loading via a copied binary
  • Executable file creation from a macro-enabled Microsoft Office document
  • RID hijacking
  • Process spawned from macro-enabled Microsoft Office document
  • Thread context set from unbacked memory
  • Macro execution via script interpreters
  • Suspicious Microsoft Office embedded object
  • Unsigned DLL injection via remote thread
  • Suspicious port monitor loaded
  • Potential privilege escalation via phantom DLL hijacking
  • Remote thread creation into LSASS

Enhancements

  • Move registry persistence and startup shell folder key names to macro lists for improved readability
  • Lift configuration file obligation and rely on default values
  • Initialize default rules paths
  • Establish the textual format as a default logger formatting output
  • Improve inbound/outbound network rule macros
  • Bump Go toolchain version to 1.21.x
  • Bump golang.org/x/net package to 0.17.0
  • Upgrade deprecated Github workflow actions
  • More efficient event exclusion with event masks
  • Dynamic event enablement by inspecting the loaded rule set
  • Introduce system providers support to run specific providers in separate tracing sessions
  • Improve System Binary Proxy Execution via Rundll32 rule
  • Improve Regsvr32 scriptlet execution rule
  • Garbage-collect partials from rule indices
  • Migrate MSI package building to Wix 5.0.0
  • Upgrade deprecated actions in GHA workflows

Refactoring

  • Sunset hex parameter types in favor of a new Address type
  • Revamp trace controller and consumer infrastructure

Bug fixes

  • Add missing flag/enum parameter values in the kcap parameter constructor
  • Harden command line parsing and exe enrichment
  • Empty capture file and replay crashes
  • Revisit partial key computation

Breaking changes

  • The detection rules layout has changed from group-based to individual files. This will be the final and definitive rule description format. As a consequence, certain attributes have changed while other mandatory attributes were added. All old rules must be migrated to the new format.

v2.0.0

01 Sep 17:59
2268bda

Release Notes

New features

  • New VirtualAlloc and VirtualFree events
  • New MapViewFile and UnmapViewFile events and mapped-files state
  • New DuplicateHandle event
  • DNS telemetry via QueryDns and ReplyDns events
  • New RegCloseKey event
  • Image signature information exposed via parameters and the image.signature.type/image.signature.level filter fields
  • Image format parameters and filter fields
  • Decorate non-open disposition CreateFile events with image format parameters
  • Macros for detecting loading of unsigned/untrusted modules
  • ps.sid filter field contains the raw SID value, e.g. S-1-5-18
  • Parse and append create_options parameter to CreateFile events
  • Certificate info and filter fields for LoadImage/UnloadImage events
  • Expand the pe filter field set and allow lazy value extraction
  • Support for expressions with bare boolean filter fields

Enhancements

  • Significant core refactoring to aim for a more sustainable codebase growth
  • Refactored many tests to embrace table-driven testing
  • Introduce a new set of parameter types such as flags, system status code, file path, address, etc.
  • Switch to golang.org/sys/windows package for the vast majority of API calls and structures
  • Use the syscall generator to produce stubs for the API calls not available through golang.org/sys/windows
  • Bump golangci-lint linters to version 1.52.2
  • Event consumer tests to verify the correctness of captured events
  • Trace controller tests to verify real-world tracing session management
  • Harden the decoration of file path parameters for driver handle objects
  • Expand the size of the Ktype type to accommodate 2-byte event hook identifiers
  • Switch to the upstream saferwall/pe package for version resource parsing
  • Only allow a single instance of the Fibratus process to be run simultaneously

Configuration changes

  • Disable initial handle snapshot to reduce overall memory utilization
  • Added RegCloseKey to the list of ignored events
  • Removed the System process image from the list of ignored processes

Deprecation

  • Remove kstream.raw-event-parsing config flag as binary event parsing is the default option now
  • Nuke TDH event parsing functionality
  • Sunset Antimalware provider as we can tap into driver loading events via LoadImage events

Bug fixes

  • Resolution of success system codes should compare the range of information values
  • Use only the rule name in the filter field deprecation log message
  • Solved yara tests hanging issues

Breaking changes

  • Convert flags event parameters to uppercase strings
  • The sid parameter and the ps.sid filter fields contain the raw SID value instead of the username/domain tuple
  • Command line parameters and filter fields contain the original, unexpanded command line
  • The major kcap file format version is increased in this version. The side-effect is the inability to replay old capture files
  • operation parameter name in the CreateFile event is renamed to create_disposition
  • share_mask parameter contains the full permission name, e.g. READ|WRITE|DELETE
  • comm parameter name in process events is renamed to cmdline

v1.10.0

31 Mar 21:57
6ff3913

Release Notes

New features

  • filter language grammar for sequence rules and decommissioning of sequence policy types
  • bound fields and sequence aliases
  • file path manipulation filter functions
  • registry query value filter function
  • yara filter function. This opens up new possibilities in terms of combining behavior-based and signature-based detections
  • new detection tradecraft focused on credentials access tactic. Specifically, the following rules were implemented:
    • Suspicious password filter DLL registered
    • Potential credentials dumping or exfiltration via malicious password filter DLL
    • Suspicious access to Windows DPAPI Master Keys
    • Unusual access to Web Browser Credential stores
    • LSASS memory dump preparation via SilentProcessExit
    • LSASS memory dump via Windows Error Reporting
    • Suspicious access to Active Directory domain database
    • Unusual access to SSH keys
    • Sensitive access to Unattended Panther files
  • generic event parameter filter field. The kevt.arg filter field is able to extract any event parameter by its internal name. For example, kevt.arg[exe] would extract the process image executable path
  • filter fields deprecation strategy. Use fibratus list fields to check deprecated fields status
  • process.uuid filter field as a more robust alternative to process id fields that is resistant to repetition

Enhancements

  • optimization of filter accessors to retain only accessors that are relevant to declared filter fields
  • sunsetting standard library PE parser in favor of saferwall/pe parser

Bug fixes

  • in/iin operators should operate on LHS/RHS values of slice type

Breaking changes

  • sequence policy types are no longer supported and should be migrated to sequence rules

v1.8.0

30 Nov 15:55
286afff

Release Notes

New features

  • driver load events
  • initial catalog of detection rules based on the MITRE ATT&CK framework
  • macro expansion in rules
  • beautiful HTML rule alert emails
  • allow enabling/disabling Audit API Calls and Antimalware Engine ETW providers
  • enrich handle events with driver image path for Driver object types
  • add ps.sibling.args filter field
  • field interpolation in alert title and text strings and the ability to use Markdown/HTML syntax
  • ~= operator for case-insensitive string comparisons in filters
  • is_minidump filter function for checking the signature of minidump files

Enhancements

  • Go 1.19 upgrade and migration of deprecated functions
  • bumped libyara to version 4.2
  • bumped Golang CI Lint toolchain
  • add content-type config flag for email alert sender
  • add labels and description attributes in rule groups
  • loading rule files from paths with glob expressions
  • optimize filter field accessors to prevent unnecessary traversing
  • lazy evaluation of binary expressions for the and/or operators
  • decommission type/category selector in include/exclude rule policies
  • prevent executing rules in sequence policies if the incoming event is not eligible for evaluation
  • avoid adding duplicate tuples in sequence policies internal state
  • improve registry key formatting from native key names
  • limit the number of handles per proc and per global handle snapshotter state
  • speed up UTF-16 string decoding. Kudos to @skeeto

Bug fixes

  • sequence expiration slice out of bounds
  • transition sequence state machine when the rule in include produces a match

Breaking changes

  • rule policies with the selector attribute will fail to load. As a workaround, remove the selector attribute and include it as a first condition in the rule.

v1.6.0

31 Aug 17:51
92ae744

Release Notes

New features

  • support for stateful runtime detections
  • file attributes/status parameters and field filters

Enhancements

  • raw ETW event parsing and a number of optimizations yield 10x performance gains
  • trace controller is refactored to facilitate the addition of new event sources
  • not operator can negate complex paren expressions and functions
  • beautify filter error reporting and make it compatible with multiline filter expressions

Bug fixes

  • rule group selector should support OpenProcess and OpenThread events
  • cidr_contains function implementation should return a correct value if no subnets are matched
  • paren expression should be visited recursively
  • process command line normalization wouldn't correctly complete missing command lines for system processes
  • stack overflow when replaying captures with the process ancestor filters

Breaking changes

  • file and handle object parameters are represented in decimal instead of hex format if --kstream.raw-event-parsing=true
  • event exclusions by process name now require case-sensitive image names

v1.5.0

29 Apr 13:59
3fd25bf

Release Notes

New features

Enhancements

  • while introducing new event types, a significant refactoring took place to streamline the adoption of future event providers

v1.4.2

25 Dec 20:59
2fd5fd5

Release Notes

New features

  • ability to inject YARA rule matches as event metadata tags

Bug fixes

  • filament frame buffer rendering issues in Windows Console terminal
  • crashes due to race condition when finalizing the capture process

v1.4.1

18 Sep 10:56
cf1c419

Release Notes

Enhancements

  • PE resource field aliases
  • push matched rule tags into event metadata
  • bump Go to 1.17 for up to 5% performance gains

v1.4.0

24 Aug 12:02
4e32448

Release Notes

New features

Enhancements

  • add exe parameter to CreateThread events
  • add thread.pid filter field for matching the target thread's process id
  • case-insensitive variants of in, startswith, and endswith operators
  • upgrade Go toolchain to 1.16

Bug fixes

  • inform about bad string escape in filter compile error messages
  • fix retrieving executable path for system processes