Fibratus Versions

A modern tool for Windows kernel exploration and tracing with a focus on security

v2.0.0

8 months ago

Release Notes

New features

  • New VirtualAlloc and VirtualFree events
  • New MapViewFile and UnmapViewFile events and mapped-files state
  • New DuplicateHandle event
  • DNS telemetry via QueryDns and ReplyDns events
  • New RegCloseKey event
  • Image signature information exposed via parameters and the image.signature.type/image.signature.level filter fields
  • Image format parameters and filter fields
  • Decorate non-open disposition CreateFile events with image format parameters
  • Macros for detecting loading of unsigned/untrusted modules
  • ps.sid filter field contains the raw SID value, e.g. S-1-5-18
  • Parse and append create_options parameter to CreateFile events
  • Certificate info and filter fields for LoadImage/UnloadImage events
  • Expand the pe filter field set and allow lazy value extraction
  • Support for expressions with bare boolean filter fields

Enhancements

  • Significant core refactoring aimed at more sustainable codebase growth
  • Refactored many tests to embrace table-driven testing
  • Introduce a new set of parameter types such as flags, system status code, file path, address, etc.
  • Switch to golang.org/sys/windows package for the vast majority of API calls and structures
  • Use the syscall generator to produce stubs for the API calls not available through golang.org/sys/windows
  • Bump golangci-lint linters to version 1.52.2
  • Event consumer tests to verify the correctness of captured events
  • Trace controller tests to verify real-world tracing session management
  • Harden the decoration of file path parameters for driver handle objects
  • Expand the size of the Ktype type to accommodate 2-byte event hook identifiers
  • Switch to the upstream saferwall/pe package for version resource parsing
  • Only allow a single instance of the Fibratus process to run at a time

Configuration changes

  • Disable initial handle snapshot to reduce overall memory utilization
  • Added RegCloseKey to the list of ignored events
  • Removed the System process image from the list of ignored processes

Deprecation

  • Remove kstream.raw-event-parsing config flag as binary event parsing is the default option now
  • Nuke TDH event parsing functionality
  • Sunset Antimalware provider as we can tap into driver loading events via LoadImage events

Bug fixes

  • Resolution of success system codes should compare the range of information values
  • Use only the rule name in the filter field deprecation log message
  • Fixed hanging YARA tests

Breaking changes

  • Convert flags event parameters to uppercase strings
  • The sid parameter and the ps.sid filter field contain the raw SID value instead of the username/domain tuple
  • Command line parameters and filter fields contain the original, unexpanded command line
  • The major kcap file format version is increased in this version. The side-effect is the inability to replay old capture files
  • operation parameter name in the CreateFile event is renamed to create_disposition
  • share_mask parameter contains the full permission name, e.g. READ|WRITE|DELETE
  • comm parameter name in process events is renamed to cmdline

v1.10.0

1 year ago

Release Notes

New features

  • filter language grammar for sequence rules and decommission of sequence policy types
  • bound fields and sequence aliases
  • file path manipulation filter functions
  • registry query value filter function
  • yara filter function. This opens up new possibilities in terms of combining behavior-based and signature-based detections
  • new detection tradecraft focused on credentials access tactic. Specifically, the following rules were implemented:
    • Suspicious password filter DLL registered
    • Potential credentials dumping or exfiltration via malicious password filter DLL
    • Suspicious access to Windows DPAPI Master Keys
    • Unusual access to Web Browser Credential stores
    • LSASS memory dump preparation via SilentProcessExit
    • LSASS memory dump via Windows Error Reporting
    • Suspicious access to Active Directory domain database
    • Unusual access to SSH keys
    • Sensitive access to Unattended Panther files
  • generic event parameter filter field. The kevt.arg filter field is able to extract any event parameter by its internal name. For example, kevt.arg[exe] would extract the process image executable path
  • filter fields deprecation strategy. Use fibratus list fields to check deprecated fields status
  • process.uuid filter field as a more robust alternative to process id fields, since it is resistant to PID reuse

Enhancements

  • optimization of filter accessors to retain only accessors that are relevant to declared filter fields
  • sunsetting standard library PE parser in favor of saferwall/pe parser

Bug fixes

  • in/iin operators should operate on LHS/RHS values of slice type

Breaking changes

  • sequence policy types are no longer supported and should be migrated to sequence rules

v1.8.0

1 year ago

Release Notes

New features

  • driver load events
  • initial catalog of detection rules based on the MITRE ATT&CK framework
  • macro expansion in rules
  • beautiful HTML rule alert emails
  • allow enabling/disabling Audit API Calls and Antimalware Engine ETW providers
  • enrich handle events with driver image path for Driver object types
  • add ps.sibling.args filter field
  • field interpolation in alert title and text strings and the ability to use Markdown/HTML syntax
  • ~= operator for case-insensitive string comparisons in filters
  • is_minidump filter function for checking the signature of minidump files

Enhancements

  • Go 1.19 upgrade and migration of deprecated functions
  • bumped libyara to version 4.2
  • bumped Golang CI Lint toolchain
  • add content-type config flag for email alert sender
  • add labels and description attributes in rule groups
  • loading rule files from paths with glob expressions
  • optimize filter field accessors to prevent unnecessary traversing
  • lazy evaluation of binary expressions for the and/or operators
  • decommission type/category selector in include/exclude rule policies
  • prevent executing rules in sequence policies if the incoming event is not eligible for evaluation
  • avoid adding duplicate tuples in sequence policies internal state
  • improve registry key formatting from native key names
  • limit the number of handles per process and in the global handle snapshotter state
  • speed up UTF-16 string decoding. Kudos to @skeeto

Bug fixes

  • sequence expiration slice out of bounds
  • transition sequence state machine when the rule in include produces a match

Breaking changes

  • rule policies with the selector attribute will fail to load. As a workaround, remove the selector attribute and include it as a first condition in the rule.

v1.6.0

1 year ago

Release Notes

New features

  • support for stateful runtime detections
  • file attributes/status parameters and filter fields

Enhancements

  • raw ETW event parsing and a number of optimizations yield 10x performance gains
  • trace controller is refactored to facilitate the addition of new event sources
  • the not operator can negate complex parenthesized expressions and functions
  • beautify filter error reporting and make it compatible with multiline filter expressions

Bug fixes

  • rule group selector should support OpenProcess and OpenThread events
  • cidr_contains function implementation should return a correct value if no subnets are matched
  • paren expression should be visited recursively
  • process command line normalization wouldn't correctly complete missing command lines for system processes
  • stack overflow when replaying captures with the process ancestor filters

Breaking changes

  • file and handle object parameters are represented in decimal instead of hex format if --kstream.raw-event-parsing=true
  • event exclusions by process name now require case-sensitive image names

v1.5.0

2 years ago

Release Notes

Enhancements

  • while introducing new event types, a significant refactoring took place to streamline the adoption of future event providers

v1.4.2

2 years ago

Release Notes

New features

  • ability to inject YARA rule matches as event metadata tags

Bug fixes

  • filament frame buffer rendering issues in Windows Console terminal
  • crashes due to race condition when finalizing the capture process

v1.4.1

2 years ago

Release Notes

Enhancements

  • PE resource field aliases
  • push matched rule tags into event metadata
  • bump Go to 1.17 for up to 5% performance gains

v1.4.0

2 years ago

Release Notes

Enhancements

  • add exe parameter to CreateThread events
  • add thread.pid filter field for matching the target thread's process id
  • case-insensitive variants of in, startswith, and endswith operators
  • upgrade Go toolchain to 1.16

Bug fixes

  • inform about bad string escape in filter compile error messages
  • fix retrieving executable path for system processes

v1.2.0

3 years ago

Release Notes

New features

  • filament for identifying an executable or script file remotely downloaded via a TeamViewer transfer session
  • reverse DNS lookups
  • function support in filters and initial cidr_contains and md5 functions
  • dip.names and sip.names filter fields
  • unary not operator in filters
  • matches and imatches string matching operators
  • make the use of fields possible in both LHS/RHS filter expressions
  • full and slim MSI-based Windows installers

Enhancements

  • introduce a new file.extension filter field
  • documentation website tweaking
  • make all string operators evaluable against lists
  • tests refactoring
  • satisfy all code linters
  • upgrade to the latest go-yara package
  • improvements in the handle interceptor when publishing deferred CreateHandle events
  • reduce the pressure on the TdhGetPropertySize API call for static parameter types
  • prettify fibratus version output
  • modularize and improve signal handling

Bug fixes

  • circumvent data races in kcap reader/writer
  • prevent data races in the AMQP connection
  • yara scanner should allocate a new scanner for each run
  • fix RecvUDPv4 event type GUID
  • the handle interceptor should return the CloseHandle event when entering the deferred map

1.0.0

3 years ago

The new generation Fibratus tool release!