
v2.3.0

Released by github-actions on 09 Dec 12:32

Release Notes

New features

  • #3acb68b: Eventlog alert sender
  • #fb4eac8: Augment process events with process flags
  • #bfdceb7: Augment process state with creation flags
  • #2511296: Add process creation flags filter fields
  • #6957a63: Persist process creation flags to capture
  • #4d62566: Add image.is_dotnet filter field
  • #b600df7: Add teb parameter and thread.teb_address filter field
  • #67fffab: Add additional file filter fields
  • #c66f028: Revamped YARA scanner
  • #9d1aa6a: MSI code signing

New rules

  • #a158eca: AppDomain Manager injection via CLR search order hijacking
  • #be05bab: .NET assembly loaded by unmanaged process
  • #9219478: Potential injection via .NET debugging
  • #aef70db: Hidden local account creation
  • #227ace7: DLL loaded via a callback function
  • #40cfe0a: Process execution from a self-deleting binary
  • #48be943: Image load via NTFS transaction
  • #3cbc71f: DLL loaded via APC queue
  • #b664239: Hidden registry key creation
  • #cb070a1: Clear Eventlog

Enhancements

  • #747b5f2: Bump Go from 1.21 to 1.23
  • #53b5457: Bump saferwall/pe from 1.4.4 to 1.5.4
  • #cb89ca5: Bump www.velocidex.com/golang/go-ntfs to latest version
  • #2f33b81: Add alert identifier
  • #c161273: Route saferwall/pe log messages to logrus
  • #dd0a1a6: Surface missing labels in rules validation subcommand
  • #14ed9a2: Expose StringShort methods for process/event types
  • #7847552: Launch systray server manually
  • #c5c131c: Disable CLR metadata parsing

Refactoring

  • #1ef56d8: Rename entrypoint parameter and thread.entrypoint filter field to start_address and thread.start_address respectively
  • #b4fb489: Rename pe.ps.child.file.name filter field to ps.child.pe.file.name
  • #84f301d: Unify ETW event processing pipeline
  • #1cab108: Move template rendering to email sender
  • #015e7f0: Generate Eventlog message compiler input file
  • #2f66468: Create a common eventlog package

Bug fixes

  • #98dc366: Solidify environment variable parsing from PEB
  • #8d2f6de: Correct the usage of the not operator on bool fields
  • #095f0dc: Slice NTFS data buffer
  • #1c5bd11: Avoid parsing an empty PE byte buffer
  • #c78eb4b: Prevent loading malformed YAML configuration
  • #7ccfa70: Fix parsing of image file characteristics
  • #f7e8dc5: Skip reading hidden registry key value
  • #b69ade4: Release file only by file object
  • #a8dc8da: Panic redirection to logs

Breaking changes

  • YARA configuration settings were restructured as per commit, which removed some configuration properties; existing YARA configuration must be reviewed and migrated before upgrading