
Releases: rabbitstack/fibratus

v3.0.0

22 Apr 13:16


Release Notes

Explore the full changelog here.

New features

Direct/indirect syscall evasion scanners

Evasion scanners are designed to detect attempts by malware to bypass defenses by abusing direct or indirect syscall techniques.

Unprecedented performance and precision

Performance gains and improved precision in many areas spanning the rule engine, event processing and callstack symbolization.

Process token enrichment

Events are enriched with detailed information about process access tokens, such as integrity level and elevation type.

50+ curated detection rules

The system includes a new extended set of detection rules covering privilege escalation, defense evasion and execution tactics.

Console output colourization

Terminal output is enhanced with color-coded formatting to make different event types, parameters, or fields easier to distinguish at a glance.

Eventlog alerts in JSON format

Alerts can be emitted to the Windows Event Log in structured JSON format, making them easier to parse, forward, and integrate with external systems such as SIEMs or log pipelines.

Breaking changes

  • removal of ps.child.* filter fields. Migrate to ps.* fields instead
  • LoadImage and UnloadImage events renamed to LoadModule and UnloadModule
  • registry.value field semantics change. It now returns the value name. Use registry.data to obtain the value data

v2.4.0

20 May 17:23


Release Notes

New features

  • #370b43e: Enable callstack for VirtualAlloc events
  • #8e81077: Enable callstack for OpenProcess and OpenThread events
  • #efdd5e3: Introduce *.path filter fields
  • #9df026f: New intersects operator
  • #9a14aa9: New foreach function
  • #bdf9844: New CreateSymbolicLinkObject event type
  • #1f97cc2: Incorporate thread pool event telemetry
  • #47564c2: Expose thread pool filter fields
  • #a83dd8b: Add thread start address symbol and module filter fields
  • #3b8494e: Add additional callstack filter fields
  • #b0dabe0: Introduce match-all rule engine strategy
  • #19776aa: New isolate rule action

New rules

  • #122e4b1: Suspicious object symbolic link creation
  • #d87f913: LSASS memory dump via MiniDumpWriteDump
  • #328f7be: Potential ClickFix infection chain via Run window
  • #fd099e9: Executable file dropped by an unsigned service DLL
  • #f317da0: LSASS handle leak via Seclogon
  • #34c72bb: DLL loaded via LdrpKernel32 overwrite
  • #6659103: Suspicious access to the hosts file
  • #31fe23d: LSASS access from unsigned executable
  • #20f33d9: Suspicious Netsh Helper DLL execution
  • #aa2b51c: Potential shellcode execution via ETW logger thread
  • #9ef00e5: Suspicious execution via WMI from a Microsoft Office process
  • #a72f48f: LSASS process clone creation via reflection
  • #b99ea16: Potential process creation via shellcode
  • #1cf8151: Suspicious XSL script execution
  • #e624865: Suspicious HTML Application script execution
  • #2e056be: Suspicious print processor loaded
  • #070e642: Suspicious Vault client DLL load
  • #fadd559: Suspicious Microsoft Office add-in loaded
  • #8d82205: Potential port monitor or print processor persistence via registry modification
  • #03532e9: Microsoft Office file execution via WMI
  • #7df0828: Microsoft Office file execution via script interpreter
  • #bd0f9a0: Suspicious Windows Defender exclusions registry modification
  • #78c98cf: Windows Defender protection tampering via registry
  • #cca922a: DLL Side-Loading via Microsoft Office dropped file

Enhancements

  • #5fab88d: Bump golang.org/x/net from 0.21.0 to 0.38.0
  • #efc84b3: Symbolize thread start address
  • #c73c2c3: Append/remove module by base address
  • #913b71a: Speed up filter expression String methods
  • #21eb54b: Expand registry persistence keys list macro
  • #eab4790: Improve callstack decorator
  • #a84c1a1: Speed up symbol resolution
  • #ad606f0: substr function with optional argument
  • #4dabdf7: Limit YARA memory map scans
  • #ae6e263: Remove system registry provider session
  • #fc38e3e: Revamp and improve rule engine
  • #56b83a0: Speed up image file characteristics parsing
  • #48c0492: Better expvar insights for the Stackwalk decorator
  • #4473838: Improve Unsigned DLL injection via remote thread rule
  • #965c28e: Improve Credential discovery via VaultCmd tool rule
  • #3588421: New background and banner in MSI installer

Refactoring

  • #318f593: Store memory mappings per process
  • #43dad32: Introduce field arguments in the rule grammar
  • #4c5fd06: Move callstack into independent package

Bug fixes

  • #de9d99f: Invalid thread id for MapViewFile/UnmapViewFile events
  • #97e5764: Private allocation size computation
  • #0026453: Use iin operator in LSASS memory dump via Windows Error Reporting rule
  • #ea6f95c: Adjust rule YAML indentation in the fibratus rules create CLI
  • #5caa7da: Use process start time from event timestamp
  • #83c8046: Check if the process executable is not empty to make rules more resistant against false positives
  • #efeeafa: Lookup parent modules in the callstack symbolizer
  • #099900b: Correct the condition in Process spawned from macro-enabled Microsoft Office document rule
  • #33d4a67: Overwrite Key Control Block (KCB) handle
  • #933bd8a: Ensure event source is closed once
  • #01a80ff: Improve Hidden local account creation rule
  • #dac9381: Erratic driver identification
  • #1e951d5: Interpolation for arg-based filter fields
  • #de500a8: Add process executable exceptions for Potential process injection via tainted memory section rule
  • #a94d08a: Add expire sequence condition for the CreateThread event
  • #3b8bb5c: Check/initialize process state before out-of-order sequence evaluation
  • #3d1006a: Exclusion for OneDrive to tune false positives in Potential process hollowing rule
  • #a367399: Lookup live modules in symbolizer
  • #0a08b8c: Allow interpolation for filter fields with underscore symbol
  • #e37d1a6: Reduce Potential privilege escalation via phantom DLL hijacking rule false positives
  • #9f8d98c: Add CompatTelRunner.exe exclusion for Unusual process modified registry run key rule
  • #3355c0e: Rework Script interpreter host or untrusted process persistence rule for better resistance to false positives
  • #c490363: Rework callstack final user frame heuristics
  • #4dc6121: Use the correct form of the not operator in rules
  • #495fbb9: Spurious process executable override
  • #2b39cf4: Use ps.name field in Macro execution via script interpreter rule
  • #4b411be: General rule false positives reduction

Breaking changes

  • registry.key, image.name, and file.name now yield the base registry, image, or file name path. Use registry.path, image.path or file.path to obtain the full path
  • ps.ancestor indexed-field now always returns the ancestor process name for the given level. Use the foreach function in conjunction with the ps._ancestors pseudo field to evaluate other process attributes
  • ps.modules field has been removed. Use the foreach function in conjunction with the ps._modules pseudo field to evalu...

v2.3.0

09 Dec 12:32


Release Notes

New features

  • #3acb68b: Eventlog alert sender
  • #fb4eac8: Augment process events with process flags
  • #bfdceb7: Augment process state with creation flags
  • #2511296: Add process creation flags filter fields
  • #6957a63: Persist process creation flags to capture
  • #4d62566: Add image.is_dotnet filter field
  • #b600df7: Add teb parameter and thread.teb_address filter field
  • #67fffab: Add additional file filter fields
  • #c66f028: Revamped YARA scanner
  • #9d1aa6a: MSI code signing

New rules

  • #a158eca: AppDomain Manager injection via CLR search order hijacking
  • #be05bab: .NET assembly loaded by unmanaged process
  • #9219478: Potential injection via .NET debugging
  • #aef70db: Hidden local account creation
  • #227ace7: DLL loaded via a callback function
  • #40cfe0a: Process execution from a self-deleting binary
  • #48be943: Image load via NTFS transaction
  • #3cbc71f: DLL loaded via APC queue
  • #b664239: Hidden registry key creation
  • #cb070a1: Clear Eventlog

Enhancements

  • #747b5f2: Bump Go from 1.21 to 1.23
  • #53b5457: Bump saferwall/pe from 1.4.4 to 1.5.4
  • #cb89ca5: Bump www.velocidex.com/golang/go-ntfs to latest version
  • #2f33b81: Add alert identifier
  • #c161273: Route saferwall/pe log messages to logrus
  • #dd0a1a6: Surface missing labels in rules validation subcommand
  • #14ed9a2: Expose StringShort methods for process/event types
  • #7847552: Launch systray server manually
  • #c5c131c: Disable CLR metadata parsing

Refactoring

  • #1ef56d8: Rename entrypoint parameter and thread.entrypoint filter field to start_address and thread.start_address respectively
  • #b4fb489: Rename pe.ps.child.file.name filter field to ps.child.pe.file.name
  • #84f301d: Unify ETW event processing pipeline
  • #1cab108: Move template rendering to email sender
  • #015e7f0: Generate Eventlog message compiler input file
  • #2f66468: Create a common eventlog package

Bug fixes

  • #98dc366: Solidify environment variable parsing from PEB
  • #8d2f6de: Correct the usage of the not operator on bool fields
  • #095f0dc: Slice NTFS data buffer
  • #1c5bd11: Avoid parsing an empty PE byte buffer
  • #c78eb4b: Prevent loading malformed YAML configuration
  • #7ccfa70: Fix parsing of image file characteristics
  • #f7e8dc5: Skip reading hidden registry key value
  • #b69ade4: Release file only by file object
  • #a8dc8da: Panic redirection to logs

Breaking changes

  • YARA configuration settings were restructured as per the referenced commit, leading to the removal of some properties

v2.2.1

13 Sep 15:44


Release Notes

Enhancements

  • #60d965c: Bump github.com/sirupsen/logrus from 1.4.1 to 1.9.3
  • #f0b9a4f: Disable quoting for all values in the log messages
  • #f410e6a: Dump events in rule matches
  • #092923b: Show Fibratus version in logs
  • #7a25286: Improve Vulnerable or malicious driver dropped rule
  • #dee37b7: Introduce open_remote_thread rule macro
  • #ca70858: Reduce Potential SAM hive dumping false positives
  • #cdf7f5f: Reduce Unsigned DLL injection via remote thread false positives

Bug fixes

  • #3517665: Fix the path of the systray server binary
  • #f7608c5: Set systray server named pipe security descriptor
  • #dffe9b4: Disable alert senders in capture replay mode
  • #e9be320: Resolve indentation mess-up in Yara config and allow systray sender
  • #48c1dc5: Compose attachment text with alert title and text

v2.2.0

04 Sep 17:42
d16117f


Release Notes

New features

  • PE headers modification detection with pe.is_modified filter field
  • NTFS parser for reading file data via raw device access
  • New SetThreadContext event
  • Detection of vulnerable and malicious drivers via loldrivers dataset
  • Add the ability to control process handle table initialization
  • Rules validation CLI command and CI pipeline for automated rule validation
  • Rules listing CLI command
  • Kernel stack enrichment of process, file, thread, registry, and DLL events
  • Callstack filter fields
  • Introduce min-engine-version attribute in detection rules
  • Overhauled detection rule design and rule engine performance improvements
  • Permit disabling the rule engine via configuration flag
  • New Systray alert sender
  • Allow starting Fibratus in event forwarding mode
  • Rule template creation via CLI

New rules

  • Unusual file written or modified in Startup folder
  • Unusual process modified the registry run key
  • Network connection via startup folder executable or script
  • Suspicious persistence via registry modification
  • Suspicious Startup shell folder modification
  • Script interpreter host or untrusted process persistence
  • Suspicious Office template created
  • Potential Process Doppelganging
  • Vulnerable or malicious driver dropped
  • Vulnerable or malicious driver loaded
  • Potential process hollowing
  • Suspicious DLL loaded by LSASS
  • Process spawned via remote thread
  • Potential thread execution hijacking
  • Process injection via section mapping
  • DLL Side-Loading via a copied binary
  • Executable file creation from a macro-enabled Microsoft Office document
  • RID hijacking
  • Process spawned from macro-enabled Microsoft Office document
  • Thread context set from unbacked memory
  • Macro execution via script interpreters
  • Suspicious Microsoft Office embedded object
  • Unsigned DLL injection via remote thread
  • Suspicious port monitor loaded
  • Potential privilege escalation via phantom DLL hijacking
  • Remote thread creation into LSASS rule

Enhancements

  • Move registry persistence and startup shell folder key names to macro lists for improved readability
  • Lift configuration file obligation and rely on default values
  • Initialize default rules paths
  • Establish the textual format as a default logger formatting output
  • Improve inbound/outbound network rule macros
  • Bump Go toolchain version to 1.21.x
  • Bump golang.org/x/net package to 0.17.0
  • Upgrade deprecated Github workflow actions
  • More efficient event exclusion with event masks
  • Dynamic event enablement by inspecting the loaded rule set
  • Introduce system providers support to run specific providers in separate tracing sessions
  • Improve System Binary Proxy Execution via Rundll32 rule
  • Improve Regsvr32 scriptlet execution rule
  • Garbage-collect partials from rule indices
  • Migrate MSI package building to Wix 5.0.0
  • Upgrade deprecated actions in GHA workflows

Refactoring

  • Sunset hex parameter types in favor of a new Address type
  • Revamp trace controller and consumer infrastructure

Bug fixes

  • Add missing flag/enum parameter values in the kcap parameter constructor
  • Harden command line parsing and exe enrichment
  • Empty capture file and replay crashes
  • Revisit partial key computation

Breaking changes

  • Detection rules layout has changed from group-based to individual files. This will be the final and definitive rule description format. As a consequence, certain attributes have changed while other mandatory attributes were added. All old rules must be migrated to the new format.

v2.0.0

01 Sep 17:59
2268bda


Release Notes

New features

  • New VirtualAlloc and VirtualFree events
  • New MapViewFile and UnmapViewFile events and mapped-files state
  • New DuplicateHandle event
  • DNS telemetry via QueryDns and ReplyDns events
  • New RegCloseKey event
  • Image signature information exposed via parameters and image.signature.type/image.signature.level filter fields
  • Image format parameters and filter fields
  • Decorate non-open disposition CreateFile events with image format parameters
  • Macros for detecting loading of unsigned/untrusted modules
  • ps.sid filter field contains the raw SID value, e.g. S-1-5-18
  • Parse and append create_options parameter to CreateFile events
  • Certificate info and filter fields for LoadImage/UnloadImage events
  • Expand the pe filter field set and allow lazy value extraction
  • Support for expressions with bare boolean filter fields

Enhancements

  • Significant core refactoring to aim for a more sustainable codebase growth
  • Refactored many tests to embrace table-driven testing
  • Introduce a new set of parameter types such as flags, system status code, file path, address, etc.
  • Switch to golang.org/sys/windows package for the vast majority of API calls and structures
  • Use the syscall generator to produce stubs for the API calls not available through golang.org/sys/windows
  • Bump golangci-lint linters to version 1.52.2
  • Event consumer tests to verify the correctness of captured events
  • Trace controller tests to verify real-world tracing session management
  • Harden driver handle objects decoration of the file path parameters
  • Expand the size of the Ktype type to accommodate 2-byte event hook identifiers
  • Switch to the upstream saferwall/pe package for version resource parsing
  • Only allow a single instance of the Fibratus process to be run simultaneously

Configuration changes

  • Disable initial handle snapshot to reduce overall memory utilization
  • Added RegCloseKey to the list of ignored events
  • Removed the System process image from the list of ignored processes

Deprecation

  • Remove kstream.raw-event-parsing config flag as binary event parsing is the default option now
  • Nuke TDH event parsing functionality
  • Sunset Antimalware provider as we can tap into driver loading events via LoadImage events

Bug fixes

  • Resolution of success system codes should compare the range of information values
  • Use only the rule name in the filter field deprecation log message
  • Solved yara tests hanging issues

Breaking changes

  • Convert flags event parameters to uppercase strings
  • The sid parameter and the ps.sid filter fields contain the raw SID value instead of the username/domain tuple
  • Command line parameters and filter fields contain the original, unexpanded command line
  • The major kcap file format version is increased in this version. The side-effect is the inability to replay old capture files
  • operation parameter name in the CreateFile event is renamed to create_disposition
  • share_mask parameter contains the full permission name, e.g. READ|WRITE|DELETE
  • comm parameter name in process events is renamed to cmdline

v1.10.0

31 Mar 21:57
6ff3913


Release Notes

New features

  • filter language grammar for sequence rules and decommission of sequence policy types
  • bound fields and sequence aliases
  • file path manipulation filter functions
  • registry query value filter function
  • yara filter function. This opens up new possibilities in terms of combining behavior and signature-based detections
  • new detection tradecraft focused on credentials access tactic. Specifically, the following rules were implemented:
    • Suspicious password filter DLL registered
    • Potential credentials dumping or exfiltration via malicious password filter DLL
    • Suspicious access to Windows DPAPI Master Keys
    • Unusual access to Web Browser Credential stores
    • LSASS memory dump preparation via SilentProcessExit
    • LSASS memory dump via Windows Error Reporting
    • Suspicious access to Active Directory domain database
    • Unusual access to SSH keys
    • Sensitive access to Unattended Panther files
  • generic event parameter filter field. The kevt.arg filter field is able to extract any event parameter by its internal name. For example, kevt.arg[exe] would extract the process image executable path
  • filter fields deprecation strategy. Use fibratus list fields to check deprecated fields status
  • process.uuid filter field as a more robust alternative to process id fields, resistant to process id reuse

Enhancements

  • optimization of filter accessors to retain only accessors that are relevant to declared filter fields
  • sunsetting standard library PE parser in favor of saferwall/pe parser

Bug fixes

  • in/iin operators should operate on LHS/RHS values of slice type

Breaking changes

  • sequence policy types are no longer supported and should be migrated to sequence rules

v1.8.0

30 Nov 15:55
286afff


Release Notes

New features

  • driver load events
  • initial catalog of detection rules based on the MITRE ATT&CK framework
  • macro expansion in rules
  • beautiful HTML rule alert emails
  • allow enabling/disabling Audit API Calls and Antimalware Engine ETW providers
  • enrich handle events with driver image path for Driver object types
  • add ps.sibling.args filter field
  • field interpolation in alert title and text strings and the ability to use Markdown/HTML syntax
  • ~= operator for case-insensitive string comparisons in filters
  • is_minidump filter function for checking the signature of minidump files

Enhancements

  • Go 1.19 upgrade and migration of deprecated functions
  • bumped libyara to version 4.2
  • bumped Golang CI Lint toolchain
  • add content-type config flag for email alert sender
  • add labels and description attributes in rule groups
  • loading rule files from paths with glob expressions
  • optimize filter field accessors to prevent unnecessary traversing
  • lazy evaluation of binary expressions for and and or operators
  • decommission type/category selector in include/exclude rule policies
  • prevent executing rules in sequence policies if the incoming event is not eligible for evaluation
  • avoid adding duplicate tuples in sequence policies internal state
  • improve registry key formatting from native key names
  • limit the number of handles per process and per global handle snapshotter state
  • speed up UTF-16 string decoding. Kudos to @skeeto

Bug fixes

  • sequence expiration slice out of bounds
  • transition sequence state machine when the rule in include produces a match

Breaking changes

  • rule policies with the selector attribute will fail to load. As a workaround, remove the selector attribute and include it as a first condition in the rule.

v1.6.0

31 Aug 17:51
92ae744


Release Notes

New features

  • support for stateful runtime detections
  • file attributes/status parameters and field filters

Enhancements

  • raw ETW event parsing and a number of optimizations deliver 10x performance gains
  • trace controller is refactored to facilitate the addition of new event sources
  • not operator can negate complex paren expressions and functions
  • beautify filter error reporting and make it compatible with multiline filter expressions

Bug fixes

  • rule group selector should support OpenProcess and OpenThread events
  • cidr_contains function implementation should return a correct value if no subnets are matched
  • paren expression should be visited recursively
  • process command line normalization wouldn't correctly complete missing command lines for system processes
  • stack overflow when replaying captures with the process ancestor filters

Breaking changes

  • file and handle object parameters are represented in decimal instead of hex format if --kstream.raw-event-parsing=true
  • event exclusions by process name now require case-sensitive image names

v1.5.0

29 Apr 13:59
3fd25bf


Release Notes

New features

Enhancements

  • while introducing new event types, a significant refactoring took place to streamline the adoption of future event providers