docs: Documentation for release 2.3.0

Author: rabbitstack

CONTRIBUTING.md

@@ -118,7 +118,7 @@ $ ./make
 
 ### Running For The First Time
 
-By default, Fibratus operates in rule engine mode. It loads the rule set from the `%PROGRAM FILES%\Fibratus\Rules` directory and sends security alerts to the [systray](/alerts/senders/systray) notification area. Optionally, it takes response actions when the rule is fired, such as killing the process.
+By default, Fibratus operates in rule engine mode. It loads the rule set from the `%PROGRAM FILES%\Fibratus\Rules` directory and sends security alerts to [Eventlog](/alerts/senders/eventlog). Optionally, it takes response actions when the rule is fired, such as killing the process.
 Alternatively, Fibratus can forward events to [output](/outputs/introduction) sinks, if it started in event forwarding mode.
 
 To start Fibratus in event forwarding mode run the next command from the root directory of this repo:
@@ -129,7 +129,6 @@ $ .\cmd\fibratus\fibratus.exe run --forward
 
 If you want to run Fibratus in rule engine mode, follow the next steps:
 
-- run the systray server or disable the systray alert sender in the configuration file. You can start the systray server by running the `.\cmd\fibratus\fibratus-systray.exe` binary.
 - modify the configuration file to set the location to the rule files. Go to the `filters` section, and specify the absolute path to the `Rules` and `Macros` directories of this repository.
   ```
   filters:
@@ -169,5 +168,3 @@ $ ./make.bat pkg
 ```
 
 The resulting MSI is placed in the `build\msi` directory.
-
-

README.md

@@ -34,17 +34,28 @@ Events can also be shipped to a wide array of [output sinks](https://www.fibratu
 
 In a nutshell, the Fibratus mantra is defined by the pillars of **realtime behavior detection**, **memory scanning**, and **forensics** capabilities.
 
+
+### Installation
+
+- Download the latest [MSI package](https://github.com/rabbitstack/fibratus/releases) and follow the [UI](https://www.fibratus.io/#/setup/installation) wizard or
+alternatively install via `msiexec` in silent mode
+
+```
+$ msiexec /i fibratus-2.3.0-amd64.msi /qn
+```
+
 ### Quick start
 
 ---
 
-- [Install](https://www.fibratus.io/#/setup/installation) Fibratus from the latest [MSI package](https://github.com/rabbitstack/fibratus/releases)
 - spin up a command line prompt
 - list credentials from the vault by using the `VaultCmd` tool
+
 ```
 $ VaultCmd.exe /listcreds:"Windows Credentials" /all
 ```
-- `Credential discovery via VaultCmd.exe` rule should trigger displaying the alert in the systray notification area
+
+`Credential discovery via VaultCmd.exe` rule should trigger and emit the alert to the [Eventlog](https://www.fibratus.io/#/alerts/senders/eventlog). Check the short demo [here](https://www.fibratus.io/#/alerts/senders/images/eventlog.gif).
 
 ### Documentation
 

docs/_coverpage.md

@@ -4,7 +4,7 @@
   <img src='logo.png'></img>
 </div>
 
-# fibratus <small>2.2.1</small>
+# fibratus <small>2.3.0</small>
 
 >  Adversary tradecraft detection, protection, and hunting
 

docs/_sidebar.md

@@ -54,6 +54,8 @@
   * [Alert Senders](alerts/senders.md)
     * <ion-icon name="mail-unread-outline"></ion-icon> [Mail](alerts/senders/mail.md)
     * <ion-icon name="logo-slack"></ion-icon> [Slack](alerts/senders/slack.md)
+    * <ion-icon name="chatbubble"></ion-icon> [Systray](alerts/senders/systray.md)
+    * <ion-icon name="server"></ion-icon> [Eventlog](alerts/senders/eventlog.md)
   * [Filament Alerting](alerts/filaments.md)
 * <ion-icon name="terminal-outline"></ion-icon> PE
   * [Portable Executable Introspection](/pe/introduction.md)

docs/alerts/introduction.md

@@ -4,6 +4,7 @@ Fibratus has the ability to generate security alerts when the detection or [YARA
 
 The alert has the following key components:
 
+- **id** the alert identifier represented as UUID.
 - **title** summarizes the purpose of the alert.
 - **text** is the message that further explains what this alert is about as well as actors involved.
 - **tags** contains a sequence of tags for categorizing the alerts.

docs/alerts/senders.md

@@ -5,4 +5,5 @@ You can send alert notifications to your team through email, Slack, or incident
 - [Mail](/alerts/senders/mail)
 - [Slack](/alerts/senders/mail)
 - [Systray](/alerts/senders/systray)
+- [Eventlog](/alerts/senders/eventlog)
 

docs/alerts/senders/eventlog.md

@@ -0,0 +1,24 @@
+# Eventlog
+
+The `eventlog` alert sender sends alerts to the [Windows Eventlog](https://sematext.com/glossary/what-is-windows-event-log/).
+
+<p align="center">
+  <img src="alerts/senders/images/eventlog.gif" style="border-radius: 4px; backdrop-filter: blur(15px) saturate(3); filter: drop-shadow(0 0 0.75rem rgba(30, 30, 30, 0.4));" />
+</p>
+
+### Configuration {docsify-ignore}
+
+The `eventlog` alert sender configuration is located in the `alertsenders.eventlog` section.
+
+#### enabled
+
+Indicates whether the `eventlog` alert sender is enabled.
+
+**default**: `true`
+
+#### verbose
+
+Enables/disables the verbose mode. In verbose mode, the full event context, including all parameters and the process information are included
+in the log message.
+
+**default**: `true`

docs/alerts/senders/images/eventlog.gif

@@ -10,7 +10,7 @@ The `systray` alert sender configuration is located in the `alertsenders.systray
 
 Indicates whether the `systray` alert sender is enabled.
 
-**default**: `true`
+**default**: `false`
 
 #### sound
 
@@ -23,4 +23,3 @@ Indicates if the associated sound is played when the balloon notification is sho
 Instructs not to display the balloon notification if the current user is in quiet time. During this time, most notifications should not be sent or shown. This lets a user become accustomed to a new computer system without those distractions. Quiet time also occurs for each user after an operating system upgrade or clean installation.
 
 **default**: `false`
-

docs/alerts/senders/systray.md

@@ -88,6 +88,16 @@ The following tables summarize available field names that can be used in filter
 | ps.uuid  | Unique process identifier resistant to repetition | `ps.uuid > 10000400`   |
 | ps.parent.uuid  | Unique parent process identifier resistant to repetition  | `ps.parent.uuid = 1843450000440`   |
 | ps.child.uuid  | Unique child process identifier resistant to repetition  | `ps.child.uuid > 20030000000`   |
+| ps.child.pe.file.name | Original file name of the child process executable supplied at compile-time | `ps.child.pe.file.name = 'NOTEPAD.EXE'` |
+| ps.child.is_wow64 | Indicates if the 32-bit child process is created in 64-bit Windows system | `ps.child.is_wow64` |
+| ps.child.is_packaged | Indicates if the child process is packaged with the MSIX technology | `ps.child.is_packaged` |
+| ps.child.is_protected | Indicates if the child process is a protected process | `ps.child.is_protected` |
+| ps.is_wow64 | Indicates if the process generating the event is a 32-bit child process is created in 64-bit Windows system | `ps.is_wow64` |
+| ps.is_packaged | Indicates if the process process generating the event is packaged with the MSIX technology | `ps.is_packaged` |
+| ps.is_protected | Indicates if the process generating the event is a protected process | `ps.is_protected` |
+| ps.parent.is_wow64 | Indicates if the parent process generating the event is a 32-bit process created in 64-bit Windows system | `ps.parent.is_wow64` |
+| ps.parent.is_packaged | Indicates if the parent process generating the event is packaged with the MSIX technology | `ps.parent.is_packaged` |
+| ps.parent.is_protected | Indicates if the parent process generating the event is a protected process | `ps.parent.is_protected` |
 
 
 ### Thread
@@ -100,11 +110,11 @@ The following tables summarize available field names that can be used in filter
 | thread.kstack.limit | Limit of the thread's kernel space stack | `thread.kstack.limit = 'a85d800000'`   |
 | thread.ustack.base | Base address of the thread's user space stack | `thread.ustack.base = '7ffe0000'`   |
 | thread.ustack.limit | Limit of the thread's user space stack | `thread.ustack.limit = '8ffe0000'`   |
-| thread.entrypoint | Starting address of the function to be executed by the thread | `thread.entrypoint = '7efe0000'`   |
+| thread.start_address | Start address of the function to be executed by the thread | `thread.start_address = '7efe0000'`   |
 | thread.access.mask | Thread access rights | `thread.access.mask = '0x1800'`   |
 | thread.access.mask.names | Thread access human-readable rights | `thread.access.mask.names in ('QUERY_LIMITED_INFORMATION')`   |
 | thread.access.status | Thread access status | `thread.access.status = 'Success'`   |
-
+| thread.teb_address | The base address of the thread environment block | `thread.teb_address = '8f30893000'`   |
 
 ### Callstack
 | Field Name  | Description | Example     |
@@ -140,6 +150,7 @@ The following tables summarize available field names that can be used in filter
 | image.is_dll | Indicates if the loaded image is a DLL | `image.is_dll` |
 | image.is_driver | Indicates if the loaded image is a driver | `image.is_driver` |
 | image.is_exec | Indicates if the loaded image is an executable | `image.is_exec` |
+| image.is_dotnet | Indicates if the loaded image is a .NET assembly | `image.is_dotnet` |
 
 ### File
 | Field Name  | Description | Example     |
@@ -162,7 +173,11 @@ The following tables summarize available field names that can be used in filter
 | file.is_driver_vulnerable | Indicates if the dropped driver is vulnerable | `file.is_driver_vulnerable` |
 | file.is_dll | Indicates if the created file is a DLL | `file.is_dll` |
 | file.is_driver | Indicates if the created file is a driver | `file.is_driver` |
-| file.is_exec | Indicates if the crated file is an executable | `file.is_exec` |
+| file.is_exec | Indicates if the created file is an executable | `file.is_exec` |
+| file.info_class | Identifies the file information class | `file.info_class = 'Allocation'` |
+| file.info.allocation_size | Represents the file allocation size set via `NtSetInformationFile` syscall | `file.info.allocation_size > 645400` |
+| file.info.eof_size | Represents the file EOF size set via `NtSetInformationFile` syscall | `file.info.eof_size > 1000` |
+| file.info.is_disposition_file_delete | Indicates if the file is deleted when its handle is closed | `file.info.is_disposition_file_delete = true` |
 
 
 ### Registry
@@ -254,4 +269,3 @@ The following tables summarize available field names that can be used in filter
 | pe.cert.before  | PE certificate enrollment date | `pe.cert.before contains '2024-02-01 00:05:42 +0000 UTC'`   |
 | pe.is_modified | Indicates if on-disk and in-memory PE headers differ | `pe.is_modified'`   |
 | pe.is_modified | Indicates if on-disk and in-memory PE headers differ | `pe.is_modified'`   |
-| pe.ps.child.file.name | Original file name of the child process executable supplied at compile-time | `pe.ps.child.file.name = 'NOTEPAD.EXE'` |