v2.4.0 (Latest)

Released by @github-actions on 20 May at 17:23 · 27 commits to master since this release

Release Notes

New features

  • #370b43e: Enable callstack for VirtualAlloc events
  • #8e81077: Enable callstack for OpenProcess and OpenThread events
  • #efdd5e3: Introduce *.path filter fields
  • #9df026f: New intersects operator
  • #9a14aa9: New foreach function
  • #bdf9844: New CreateSymbolicLinkObject event type
  • #1f97cc2: Incorporate thread pool event telemetry
  • #47564c2: Expose thread pool filter fields
  • #a83dd8b: Add thread start address symbol and module filter fields
  • #3b8494e: Add additional callstack filter fields
  • #b0dabe0: Introduce match-all rule engine strategy
  • #19776aa: New isolate rule action

New rules

  • #122e4b1: Suspicious object symbolic link creation
  • #d87f913: LSASS memory dump via MiniDumpWriteDump
  • #328f7be: Potential ClickFix infection chain via Run window
  • #fd099e9: Executable file dropped by an unsigned service DLL
  • #f317da0: LSASS handle leak via Seclogon
  • #34c72bb: DLL loaded via LdrpKernel32 overwrite
  • #6659103: Suspicious access to the hosts file
  • #31fe23d: LSASS access from unsigned executable
  • #20f33d9: Suspicious Netsh Helper DLL execution
  • #aa2b51c: Potential shellcode execution via ETW logger thread
  • #9ef00e5: Suspicious execution via WMI from a Microsoft Office process
  • #a72f48f: LSASS process clone creation via reflection
  • #b99ea16: Potential process creation via shellcode
  • #1cf8151: Suspicious XSL script execution
  • #e624865: Suspicious HTML Application script execution
  • #2e056be: Suspicious print processor loaded
  • #070e642: Suspicious Vault client DLL load
  • #fadd559: Suspicious Microsoft Office add-in loaded
  • #8d82205: Potential port monitor or print processor persistence via registry modification
  • #03532e9: Microsoft Office file execution via WMI
  • #7df0828: Microsoft Office file execution via script interpreter
  • #bd0f9a0: Suspicious Windows Defender exclusions registry modification
  • #78c98cf: Windows Defender protection tampering via registry
  • #cca922a: DLL Side-Loading via Microsoft Office dropped file

Enhancements

  • #5fab88d: Bump golang.org/x/net from 0.21.0 to 0.38.0
  • #efc84b3: Symbolize thread start address
  • #c73c2c3: Append/remove module by base address
  • #913b71a: Speed up filter expression String methods
  • #21eb54b: Expand registry persistence keys list macro
  • #eab4790: Improve callstack decorator
  • #a84c1a1: Speed up symbol resolution
  • #ad606f0: substr function with optional argument
  • #4dabdf7: Limit YARA memory map scans
  • #ae6e263: Remove system registry provider session
  • #fc38e3e: Revamp and improve rule engine
  • #56b83a0: Speed up image file characteristics parsing
  • #48c0492: Better expvar insights for the Stackwalk decorator
  • #4473838: Improve Unsigned DLL injection via remote thread rule
  • #965c28e: Improve Credential discovery via VaultCmd tool rule
  • #3588421: New background and banner in MSI installer

Refactoring

  • #318f593: Store memory mappings per process
  • #43dad32: Introduce field arguments in the rule grammar
  • #4c5fd06: Move callstack into independent package

Bug fixes

  • #de9d99f: Invalid thread id for MapViewFile/UnmapViewFile events
  • #97e5764: Private allocation size computation
  • #0026453: Use iin operator in LSASS memory dump via Windows Error Reporting rule
  • #ea6f95c: Adjust rule YAML indentation in the fibratus rules create CLI
  • #5caa7da: Use process start time from event timestamp
  • #83c8046: Check that the process executable is not empty to make rules more resistant to false positives
  • #efeeafa: Lookup parent modules in the callstack symbolizer
  • #099900b: Correct the condition in Process spawned from macro-enabled Microsoft Office document rule
  • #33d4a67: Overwrite Key Control Block (KCB) handle
  • #933bd8a: Ensure event source is closed once
  • #01a80ff: Improve Hidden local account creation rule
  • #dac9381: Erratic driver identification
  • #1e951d5: Interpolation for arg-based filter fields
  • #de500a8: Add process executable exceptions for Potential process injection via tainted memory section rule
  • #a94d08a: Add expire sequence condition for the CreateThread event
  • #3b8bb5c: Check/initialize process state before out-of-order sequence evaluation
  • #3d1006a: Exclusion for OneDrive to tune false positives in Potential process hollowing rule
  • #a367399: Lookup live modules in symbolizer
  • #0a08b8c: Allow interpolation for filter fields with underscore symbol
  • #e37d1a6: Reduce Potential privilege escalation via phantom DLL hijacking rule false positives
  • #9f8d98c: Add CompatTelRunner.exe exclusion for Unusual process modified registry run key rule
  • #3355c0e: Rework Script interpreter host or untrusted process persistence rule for better resistance to false positives
  • #c490363: Rework callstack final user frame heuristics
  • #4dc6121: Use the correct form of the not operator in rules
  • #495fbb9: Spurious process executable override
  • #2b39cf4: Use ps.name field in Macro execution via script interpreter rule
  • #4b411be: General rule false positives reduction

Breaking changes

  • registry.key, image.name, and file.name now yield only the base name (the last path component) of the registry key, image, or file. Rules that compared these fields against a full path must switch to registry.path, image.path, or file.path, which carry the full path
  • The ps.ancestor indexed field now always returns the ancestor process name at the given level. To evaluate other attributes of an ancestor, use the foreach function over the ps._ancestors pseudo field
  • The ps.modules field has been removed. To evaluate module attributes, use the foreach function over the ps._modules pseudo field
  • The ps.pe.sections field has been removed. To evaluate section attributes, use the foreach function over the pe._sections pseudo field
  • The rarely used callstack indices (ustart, uend, kstart, kend) have been removed; rules that reference them must be updated
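As an illustration of the migration these breaking changes call for, the rule below is written in the filter syntax this release describes. It is an added example, not a rule from the project's repository. The field names image.path, image.name, ps._ancestors, ps._modules and pe._sections are taken from the notes above; the foreach(collection, $var, predicate) argument order, the $var.attribute access syntax, the attribute names behind the bound variable ($proc.name, $mod.path, $sec.name, $sec.entropy), the load_dll event macro, and the assumption that foreach is satisfied when any element matches are all assumptions to verify against the current Fibratus documentation before deploying anything like it. The sample paths are constructed.

```yaml
# Added illustration of the v2.4.0 field migration. Not a rule shipped with Fibratus.
# Assumptions (verify against the docs): foreach(collection, $var, predicate) argument
# order, $var.attribute syntax, the attribute names under the bound variable, the
# load_dll macro, and foreach being true when at least one element satisfies the predicate.
name: DLL loaded from a user-writable path by a Microsoft Office descendant (illustration)
version: 1.0.0
description: |
  Before 2.4.0 a rule could match image.name against a full path. image.name now
  carries only the base name, so the full-path match moves to image.path, and the
  base-name field is used only for the allow-list of benign runtime DLLs.
  ps.ancestor[n] now returns the ancestor name only, so name checks stay on the
  indexed field while other attributes go through foreach over ps._ancestors.
  ps.modules and ps.pe.sections are gone; per-module and per-section predicates
  go through foreach over the ps._modules and pe._sections pseudo fields.
condition: >
  load_dll
    and
  image.path imatches ('?:\\Users\\*\\AppData\\*.dll', '?:\\ProgramData\\*.dll')
    and
  image.name not in ('msvcp140.dll', 'vcruntime140.dll')
    and
  foreach(ps._ancestors, $proc, $proc.name in ('winword.exe', 'excel.exe', 'powerpnt.exe'))
    and
  foreach(ps._modules, $mod, $mod.path imatches '?:\\Users\\*\\AppData\\*.dll')
    and
  foreach(pe._sections, $sec, $sec.name = '.text' and $sec.entropy > 7.0)
```

The practical check when porting existing rules: grep the rule set for registry.key, image.name and file.name compared against anything containing a path separator, and for ps.ancestor, ps.modules, ps.pe.sections and the removed callstack indices; each hit is a candidate for one of the rewrites shown above.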