
v1.10.0

github-actions released this 31 Mar 21:57 · 264 commits to master since this release · commit 6ff3913

Release Notes

New features

  • filter language grammar for sequence rules; the sequence policy types are decommissioned
  • bound fields and sequence aliases
  • file path manipulation filter functions
  • registry query value filter function
  • yara filter function, which makes it possible to combine behavioral and signature-based detections in a single rule
  • new detection rules for the Credential Access tactic. Specifically, the following rules were implemented:
    • Suspicious password filter DLL registered
    • Potential credentials dumping or exfiltration via malicious password filter DLL
    • Suspicious access to Windows DPAPI Master Keys
    • Unusual access to Web Browser Credential stores
    • LSASS memory dump preparation via SilentProcessExit
    • LSASS memory dump via Windows Error Reporting
    • Suspicious access to Active Directory domain database
    • Unusual access to SSH keys
    • Sensitive access to Unattended Panther files
  • generic event parameter filter field. The kevt.arg filter field extracts any event parameter by its internal name; for example, kevt.arg[exe] extracts the process image executable path
  • filter field deprecation strategy. Run fibratus list fields to check the deprecation status of each field
  • process.uuid filter field as a more robust alternative to the process ID fields, since it is resistant to process ID reuse

Enhancements

  • optimization of filter accessors so that only the accessors relevant to the declared filter fields are retained
  • sunsetting of the standard library PE parser in favor of the saferwall/pe parser

Bug fixes

  • the in/iin operators now correctly operate on LHS/RHS values of slice type

Breaking changes

  • sequence policy types are no longer supported; existing policies of this type should be migrated to sequence rules