Fibratus relies on Windows ETW API to collect the raw information emitted from the operating system’s kernel. The kernel stream collector (kstreamc) deals with the basic decoding of the ETW data by installing the callback interface on the kernel event stream. Each of the kernel events is routed from the collector to a chain of parsers. Before hitting the parsers, the event queries the thread registry to get the process associated with the occurrence of the kernel event.

Changelog v1.8

New features

  • driver load events Read more
  • initial catalog of detection rules based on the MITRE ATT&CK framework Read more
  • macro expansion in rules Read more
  • beautiful HTML rule alert emails Read more
  • allow enabling/disabling Audit API Calls and Antimalware Engine ETW providers
  • enrich handle events with driver image path for Driver object types
  • add ps.sibling.args filter field
  • field interpolation in alert title and text strings and the ability to use Markdown/HTML syntax Read more
  • ~= operator for case-insensitive string comparisons in filters
  • is_minidump filter function for checking the signature of minidump files Read more

Enhancements

  • Go 1.19 upgrade and migration of deprecated functions
  • bumped libyara to version 4.2
  • bumped Golang CI Lint toolchain
  • add content-type config flag for email alert sender
  • add labels and description attributes in rule groups
  • loading rule files from paths with glob expressions
  • optimize filter field accessors to prevent unnecessary traversing
  • lazy evaluation of binary expressions for and and or operators
  • decommission type/category selector in include/exclude rule policies
  • prevent executing rules in sequence policies if the incoming event is not eligible for evaluation
  • avoid adding duplicate tuples in sequence policies internal state
  • improve registry key formatting from native key names
  • limit the number of handles per proc and per global handle snapshotter state
  • speed up UTF-16 string decoding. Kudos to @skeeto

Bug fixes

  • sequence expiration slice out of bounds
  • transition sequence state machine when the rule in include produces a match

Breaking changes

  • rule policies with the selector attribute will fail to load. As a workaround, remove the selector attribute and include it as a first condition in the rule.