v1.10.0
github-actions released this 31 Mar 21:57
Release Notes
New features
- filter language grammar for sequence rules and decommission of sequence policy types
- bound fields and sequence aliases
- file path manipulation filter functions
- registry query value filter function
- `yara` filter function. This opens up new possibilities for combining behavior-based and signature-based detections
- new detection tradecraft focused on the credential access tactic. Specifically, the following rules were implemented:
- Suspicious password filter DLL registered
- Potential credentials dumping or exfiltration via malicious password filter DLL
- Suspicious access to Windows DPAPI Master Keys
- Unusual access to Web Browser Credential stores
- LSASS memory dump preparation via SilentProcessExit
- LSASS memory dump via Windows Error Reporting
- Suspicious access to Active Directory domain database
- Unusual access to SSH keys
- Sensitive access to Unattended Panther files
- generic event parameter filter field. The `kevt.arg` filter field is able to extract any event parameter by its internal name. For example, `kevt.arg[exe]` would extract the process image executable path
- filter fields deprecation strategy. Use `fibratus list fields` to check the status of deprecated fields
- `process.uuid` filter field as a more robust alternative to process id fields, since it is resistant to process id reuse
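The following is an added illustration of why a reused process id defeats a pid-keyed sequence join and why an identifier built from the pid plus the process creation time (the idea behind `process.uuid`) does not suffer from it. It is example code written for this page, not Fibratus code: the event shape, the toy two-stage sequence (open lsass.exe, then write a file from the same process), the `maxspan` handling and the way the uuid is derived are all assumptions made for the illustration, and the sample events are constructed, not captured from a host.

```python
"""Added example: why correlating events on pid alone is fragile and how a
pid-plus-creation-time identifier (the idea behind process.uuid) fixes it.
Event shape, the toy sequence rule and the uuid derivation are assumptions
made for this illustration; none of it is Fibratus code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int                       # event timestamp (seconds)
    kind: str                     # open_process, create_file, ...
    pid: int
    ps_start: int                 # creation timestamp of the emitting process
    exe: str
    target: Optional[str] = None  # opened process name or created file path


def by_pid(ev: Event) -> str:
    """Naive identity: the pid alone. Windows recycles pids, so two unrelated
    processes can share this key within a short window."""
    return str(ev.pid)


def process_uuid(ev: Event) -> str:
    """Assumed analogue of a process uuid: pid combined with the creation time.
    A recycled pid yields a different key, so the join cannot cross lifetimes."""
    return f"{ev.pid}:{ev.ps_start}"


Match = Tuple[Event, Event]


def correlate(events: List[Event], key: Callable[[Event], str], maxspan: int) -> List[Match]:
    """Toy two-stage sequence: open_process on lsass.exe followed by create_file
    from the 'same' process within maxspan seconds. key() decides what 'same'
    means. The join deliberately does not consult terminate events, which is how
    a stateless pid-keyed join behaves (and what happens when the terminate
    event is lost or arrives late)."""
    pending: Dict[str, Event] = {}
    matches: List[Match] = []
    for ev in sorted(events, key=lambda e: e.ts):
        k = key(ev)
        if ev.kind == "open_process" and ev.target == "lsass.exe":
            pending[k] = ev
        elif ev.kind == "create_file" and k in pending:
            opened = pending.pop(k)
            if ev.ts - opened.ts <= maxspan:
                matches.append((opened, ev))
    return matches


# Constructed sample telemetry, not captured from a real host. pid 4242 is used
# first by a short-lived inspector that opens lsass.exe and then, after it has
# exited, by an unrelated editor that writes a text file. pid 5150 is a genuine
# dumper: it opens lsass.exe and writes a dump from the same process instance.
SAMPLE_EVENTS = [
    Event(100, "spawn_process", 4242, 100, r"C:\Tools\inspect.exe"),
    Event(101, "open_process", 4242, 100, r"C:\Tools\inspect.exe", "lsass.exe"),
    Event(102, "terminate_process", 4242, 100, r"C:\Tools\inspect.exe"),
    Event(130, "spawn_process", 4242, 130, r"C:\Windows\System32\notepad.exe"),
    Event(131, "create_file", 4242, 130, r"C:\Windows\System32\notepad.exe", r"C:\Users\bob\notes.txt"),
    Event(200, "spawn_process", 5150, 200, r"C:\Temp\dumper.exe"),
    Event(201, "open_process", 5150, 200, r"C:\Temp\dumper.exe", "lsass.exe"),
    Event(202, "create_file", 5150, 200, r"C:\Temp\dumper.exe", r"C:\Temp\lsass.dmp"),
]


def false_positives(matches: List[Match]) -> List[Match]:
    """A match is spurious when its two events come from different process instances."""
    return [(a, b) for a, b in matches if a.ps_start != b.ps_start]


if __name__ == "__main__":
    for name, key in (("pid", by_pid), ("uuid", process_uuid)):
        found = correlate(SAMPLE_EVENTS, key, maxspan=60)
        print(f"keyed by {name}: {len(found)} match(es), "
              f"{len(false_positives(found))} spurious")
        for opened, created in found:
            print(f"  {opened.exe} opened lsass.exe -> {created.exe} wrote {created.target}")
```

Keyed by pid, the inspector's open of lsass.exe is joined to the editor's unrelated file write because the recycled pid 4242 falls inside the 60-second window, producing a spurious alert next to the real one; keyed by the pid-plus-creation-time identifier, only the genuine dumper matches. The same reasoning applies to any field that joins on a bare pid, which is why `process.uuid` is the safer key for sequence rules.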
Enhancements
- optimization of filter accessors to retain only accessors that are relevant to declared filter fields
- sunsetting standard library PE parser in favor of saferwall/pe parser
Bug fixes
- `in`/`iin` operators should operate on LHS/RHS values of slice type
Breaking changes
- sequence policy types are no longer supported and should be migrated to sequence rules