[pull] master from rabbitstack:master #3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix the wrong indentation in the rule labels and provide the feedback to user after creating the rule file.
If we fail to obtain the process start time use the one from the event timestamp.
Foreach adds iteration capabilities to the rule language. The decision to keep the function implementation outside the functions package is deliberate. The function mostly operates with raw expressions, and if the function lived in the functions package, that would create a cyclic import, but also likely to unleash more painful side effects. For the sake of simplicity it is better to keep the function close to the parser and AST evaluation. Foreach accepts three required and multiple optional arguments. The first argument is the iterable value typically yielded by the pseudo field. The function recognizes process internal state collections such as modules, threads, memory mappings, or thread stack frames. Obviously, it is also possible to iterate over a simple string slice. The second argument represents the bound variable which is an item associated with every element in the slice. The bound variable is accessed in the third argument, the predicate. It is usually followed by the segment that denotes the accessed value. Unsurprisingly, the predicate is commonly a binary expression which can be formed of not/paren expressions, other functions, and so on. The predicate is executed on every item in the slice. If the predicate evaluates to true, the function also returns the true value. Lastly, foreach function can receive an optional list of fields from the outer context, i.e. outside predicate loop. Therefore, for the predicate to access the field not defined within the scope of the iterable, it must capture the field first. Note that the side effect of introducing the foreach function is observed in the form of deprecation of previous segment/paths fields. This trend will follow in subsequent pull requests, untangling and overly simplifying the accessor codebase.
To improve rules efficacy against false positives, we ensure the process has a valid state by checking the process executable path. In `Hidden registry key creation` rule, add the exception for the `lsass.exe` process.
The parser got the ability to produce field literals with optional arguments. New bare bound variable and segment bound variable literals are added for a cleaner and more accurate representation of bare bounded variables, bound segments and bound fields respectively.
Most functions now support bare and segment bound argument types.
Rework the value accessors to operate with the new field type that encapsulates the field argument. Additionally, bound segments are propagated to all accessors and currently used in the PE accessor to determine if the section entropy needs to be calculated.
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.33.0. - [Commits](golang/net@v0.21.0...v0.33.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 2 to 6. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](dawidd6/action-download-artifact@v2...v6) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
When the single address is symbolized and its backing module is not found in the current process modules, query the parent process modules.
Incorporate the new thread.start_address.symbol and thread.start_address.module fields to extract the symbol corresponding to the thread start address and its module respectively.
The new filter fields allow accessing the attributes of the last user/kernel space frame. Additionally, symbols/module filter fields are modified to accept the frame index and only retrieve the symbol/module name of the accessed frame. The callstack segments are added to access signature info of the iterated frame.
Keep the stack walk events indexed by stack id. The stack id is a tuple of pid,tid associated with the thread executing the code. For every unique stack id, the queue of pending events is maintained. When the corresponding stack walk event arrives, the oldest event is pulled from the queue and enriched with stack addresses.
Keep all resolved symbols in the map and always consult when symbolizing the frame.
The symbols are now heavily cached making the fast mode obsolete.
Make the rules validation first-class citizen of the pull request and master workflows.
Make the substr function accept the third argument as optional. If the third argument is not given, the string is sliced from the start index to its length.
If the suspicious section of view mapping already produced a rule match for the process, we don't keep running the scans for that process.
After exhaustive triaging, it was spotted that the system registry provider can miss stackwalk samples. This can have disastrous consequences such as wrongly attributing stack return addresses or accumulated events. To elegantly mitigate the problem, we enable the registry flags on the system logger and receive all events within the same session.
Refactor the rule engine code by moving it into a separate package and segregating the main building blocks into distinct source files. Along the way, shift the state machine states from expression names to simple integer indices representing sequence ids.
The match all rule engine strategy permits a single event to trigger multiple rules.
Identifies the execution via Windows script interpreter of the executable file written by the Microsoft Office process.
…tion Identifies the modification of the Windows Defender process, path, or IP address registry key exclusions by suspicious processes. Adversaries may alter the Windows Defender exclusions to bypass defenses.
Detects suspicious processes modifying Windows Defender configuration settings via registry to disable protection features.
Identifies Microsoft Office process creating a DLL or other variant of an executable object which is later loaded by a trusted binary. Adversaries may exploit this behavior by delivering malicious modules via Microsoft Office documents.
The condition on whether the Microsoft Office process is spawned by the script interpreter should be evaluated on the ps.name field.
Reduce false positives in various rules by adding exceptions for process executables or file paths.
Historically, Fibratus has been envisioned as a tool to exclusively interact with the NT Kernel Logger ETW provider. Since then, more providers have been integrated, some of them operating in userspace. Thus, the assumption that the provenance of all events is coming out the kernel is no longer valid. It is semantically more correct to represent all types, packages, and identifier in a generic way. The most prominent example is the `Kevent` structure being renamed to `Event`.
Most notable change is the refactoring of KstreamConfig to EventSourceConfig type along with other changes that trim the `k` prefix from types, identifiers or methods.
Move away from FNV hash-based filter indexing to two separate buckets - one for event types filters and one for category filters.
Unified security telemetry session serves as a container for the events published by all ETW providers except the core NT Kernel Logger provider. By enabling all providers inside the same session, we can preserve event ordering and save extra resources allocated for the ETW session buffers.
The new bitmask implementation is introduced to deal with event id bits testing.
…ble by the expression
Avoid unnecessary conversion to rune slice to alleviate the pressure on the heap allocator.
This provider is fundamentally employed to enrich the process state with additional attributes such as integrity level and token elevation info.
If the event arrives from the provider and the process state hasn't been populated with the expected module, we leverage the internal load image event to append the module.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.1)
Can you help keep this open source service alive? 💖 Please sponsor : )