Fibratus

Fibratus is a tool for exploration and tracing of the Windows kernel. It lets you trap system-wide events such as process life-cycle, file system I/O, registry modifications or network requests among many other observability signals. In a nutshell, Fibratus allows for gaining deep operational visibility into the Windows kernel but also processes running on top of it.

Events can be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensics analysis. The powerful filtering engine permits drilling into the event flux entrails.

You can use filaments to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.

Features

• ⚡ blazing fast
• 📡 collects a wide spectrum of kernel events – from process to network observability signals
• 🔍 the super powerful filtering engine
• 🐍 running Python scriptlets on top of kernel event flow
• 💽 capturing event flux to kcap files and replaying anywhere
• 🚀 transporting events to Elasticsearch, RabbitMQ or console sinks
• ✂️ transforming kernel events
• 🐞 scanning malicious processes and files with Yara
• 📁 PE (Portable Executable) introspection

Filtering

Fibratus supports basic filtering capabilities on kernel event names. To capture the specified kernel events, use fibratus run --filters command. For example, fibratus run --filters CreateProcess Send would capture the events related to process creation and data sending over network sockets. For a full list of the kernel, events see the table below.

New features

• New VirtualAlloc and VirtualFree events. Read more
• New MapViewFile and UnmapViewFile events and mapped-files state. Read more
• New DuplicateHandle event Read more
• DNS telemetry via QueryDns and ReplyDns events Read more
• New RegCloseKey event
• Image signature information exposed via parameters and image.signature.type/image.signature.level filter fields Read more
• Image format parameters and filter fields
• Decorate non-open disposition CreateFile events with image format parameters
• Macros for detecting loading of unsigned/untrusted modules
• ps.sid filter field contains the raw SID value, e.g. S-1-5-18
• Parse and append create_options parameter to CreateFile events
• Certificate info and filter fields for LoadImage/UnloadImage events
• Expand pe filter field set and allow lazily value extraction Read more
• Support for expressions with bare boolean filter fields

Enhancements

• Significant core refactoring to aim for a more sustainable codebase growth
• Refactored many tests to embrace table-driven testing
• Introduce a new set of parameter types such as flags, system status code, file path, address, etc.
• Switch to golang.org/sys/windows package for the vast majority of API calls and structures
• Use the syscall generator to produce stubs for the API calls not available through golang.org/sys/windows
• Bump golangci-lint linters to version 1.52.2
• Event consumer tests to verify the correctness of captured events
• Trace controller tests to verify real-world tracing session management
• Harden driver handle objects decoration of the file path parameters
• Expand the size of the Ktype type to accommodate 2-bytes event hook identifiers
• Switch to the upstream saferwall/pe package for version resource parsing
• Only allow a single instance of the Fibratus process to be run simultaneously

Configuration changes

• Disable initial handle snapshot to reduce overall memory utilization
• Added RegCloseKey to the list of ignored events
• Removed the System process image from the list of ignored processes

Deprecation

• Remove kstream.raw-event-parsing config flag as binary event parsing is the default option now
• Nuke TDH event parsing functionality
• Sunset Antimalware provider as we can tap into driver loading events via LoadImage events

Bug fixes

• Resolution of success system codes should compare the range of information values
• Use only the rule name in the filter field deprecation log message
• Solved yara tests hanging issues

Breaking changes

• Convert flags event parameters to uppercase strings
• The sid parameter and the ps.sid filter fields contain the raw SID value instead of the username/domain tuple
• Command line parameters and filter fields contain the original, unexpanded command line
• The major kcap file format version is increased in this version. The side-effect is the inability to replay old capture files
• operation parameter name in the CreateFile event is renamed to create_disposition
• share_mask parameter contains the full permission name, e.g. READ|WRITE|DELETE
• comm parameter name in process events is renamed to cmdline

Download & Usage

Copyright 2015/2016 by Nedim Sabic (RabbitStack)

Source: https://github.com/rabbitstack/