docs: Documentation for release 2.3.0

rabbitstack · Dec 9, 2024 · e7573a4 · e7573a4
1 parent 9d1aa6a
commit e7573a4
Show file tree

Hide file tree

Showing 16 changed files with 106 additions and 250 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -118,7 +118,7 @@ $ ./make
 
 ### Running For The First Time
 
-By default, Fibratus operates in rule engine mode. It loads the rule set from the `%PROGRAM FILES%\Fibratus\Rules` directory and sends security alerts to the [systray](/alerts/senders/systray) notification area. Optionally, it takes response actions when the rule is fired, such as killing the process.
+By default, Fibratus operates in rule engine mode. It loads the rule set from the `%PROGRAM FILES%\Fibratus\Rules` directory and sends security alerts to [Eventlog](/alerts/senders/eventlog). Optionally, it takes response actions when the rule is fired, such as killing the process.
 Alternatively, Fibratus can forward events to [output](/outputs/introduction) sinks, if it started in event forwarding mode.
 
 To start Fibratus in event forwarding mode run the next command from the root directory of this repo:
@@ -129,7 +129,6 @@ $ .\cmd\fibratus\fibratus.exe run --forward
 
 If you want to run Fibratus in rule engine mode, follow the next steps:
 
-- run the systray server or disable the systray alert sender in the configuration file. You can start the systray server by running the `.\cmd\fibratus\fibratus-systray.exe` binary.
 - modify the configuration file to set the location to the rule files. Go to the `filters` section, and specify the absolute path to the `Rules` and `Macros` directories of this repository.
   ```
   filters:
@@ -169,5 +168,3 @@ $ ./make.bat pkg
 ```
 
 The resulting MSI is placed in the `build\msi` directory.
-
-
diff --git a/README.md b/README.md
@@ -34,17 +34,28 @@ Events can also be shipped to a wide array of [output sinks](https://www.fibratu
 
 In a nutshell, the Fibratus mantra is defined by the pillars of **realtime behavior detection**, **memory scanning**, and **forensics** capabilities.
 
+
+### Installation
+
+- Download the latest [MSI package](https://github.com/rabbitstack/fibratus/releases) and follow the [UI](https://www.fibratus.io/#/setup/installation) wizard or
+alternatively install via `msiexec` in silent mode
+
+```
+$ msiexec /i fibratus-2.3.0-amd64.msi /qn
+```
+
 ### Quick start
 
 ---
 
-- [Install](https://www.fibratus.io/#/setup/installation) Fibratus from the latest [MSI package](https://github.com/rabbitstack/fibratus/releases)
 - spin up a command line prompt
 - list credentials from the vault by using the `VaultCmd` tool
+
 ```
 $ VaultCmd.exe /listcreds:"Windows Credentials" /all
 ```
-- `Credential discovery via VaultCmd.exe` rule should trigger displaying the alert in the systray notification area
+
+`Credential discovery via VaultCmd.exe` rule should trigger and emit the alert to the [Eventlog](https://www.fibratus.io/#/alerts/senders/eventlog). Check the short demo [here](https://www.fibratus.io/#/alerts/senders/images/eventlog.gif).
 
 ### Documentation
 

diff --git a/docs/_coverpage.md b/docs/_coverpage.md
@@ -4,7 +4,7 @@
   <img src='logo.png'></img>
 </div>
 
-# fibratus <small>2.2.1</small>
+# fibratus <small>2.3.0</small>
 
 >  Adversary tradecraft detection, protection, and hunting
 

diff --git a/docs/_sidebar.md b/docs/_sidebar.md
@@ -54,6 +54,8 @@
   * [Alert Senders](alerts/senders.md)
     * <ion-icon name="mail-unread-outline"></ion-icon> [Mail](alerts/senders/mail.md)
     * <ion-icon name="logo-slack"></ion-icon> [Slack](alerts/senders/slack.md)
+    * <ion-icon name="chatbubble"></ion-icon> [Systray](alerts/senders/systray.md)
+    * <ion-icon name="server"></ion-icon> [Eventlog](alerts/senders/eventlog.md)
   * [Filament Alerting](alerts/filaments.md)
 * <ion-icon name="terminal-outline"></ion-icon> PE
   * [Portable Executable Introspection](/pe/introduction.md)

diff --git a/docs/alerts/introduction.md b/docs/alerts/introduction.md
@@ -4,6 +4,7 @@ Fibratus has the ability to generate security alerts when the detection or [YARA
 
 The alert has the following key components:
 
+- **id** the alert identifier represented as UUID.
 - **title** summarizes the purpose of the alert.
 - **text** is the message that further explains what this alert is about as well as actors involved.
 - **tags** contains a sequence of tags for categorizing the alerts.

diff --git a/docs/alerts/senders.md b/docs/alerts/senders.md
@@ -5,4 +5,5 @@ You can send alert notifications to your team through email, Slack, or incident
 - [Mail](/alerts/senders/mail)
 - [Slack](/alerts/senders/mail)
 - [Systray](/alerts/senders/systray)
+- [Eventlog](/alerts/senders/eventlog)
 
diff --git a/docs/alerts/senders/eventlog.md b/docs/alerts/senders/eventlog.md
@@ -0,0 +1,24 @@
+# Eventlog
+
+The `eventlog` alert sender sends alerts to the [Windows Eventlog](https://sematext.com/glossary/what-is-windows-event-log/).
+
+<p align="center">
+  <img src="alerts/senders/images/eventlog.gif" style="border-radius: 4px; backdrop-filter: blur(15px) saturate(3); filter: drop-shadow(0 0 0.75rem rgba(30, 30, 30, 0.4));" />
+</p>
+
+### Configuration {docsify-ignore}
+
+The `eventlog` alert sender configuration is located in the `alertsenders.eventlog` section.
+
+#### enabled
+
+Indicates whether the `eventlog` alert sender is enabled.
+
+**default**: `true`
+
+#### verbose
+
+Enables/disables the verbose mode. In verbose mode, the full event context, including all parameters and the process information are included
+in the log message.
+
+**default**: `true`
diff --git a/docs/alerts/senders/images/eventlog.gif b/docs/alerts/senders/images/eventlog.gif
diff --git a/docs/alerts/senders/systray.md b/docs/alerts/senders/systray.md
@@ -10,7 +10,7 @@ The `systray` alert sender configuration is located in the `alertsenders.systray
 
 Indicates whether the `systray` alert sender is enabled.
 
-**default**: `true`
+**default**: `false`
 
 #### sound
 
@@ -23,4 +23,3 @@ Indicates if the associated sound is played when the balloon notification is sho
 Instructs not to display the balloon notification if the current user is in quiet time. During this time, most notifications should not be sent or shown. This lets a user become accustomed to a new computer system without those distractions. Quiet time also occurs for each user after an operating system upgrade or clean installation.
 
 **default**: `false`
-
diff --git a/docs/filters/fields.md b/docs/filters/fields.md
@@ -88,6 +88,16 @@ The following tables summarize available field names that can be used in filter
 | ps.uuid  | Unique process identifier resistant to repetition | `ps.uuid > 10000400`   |
 | ps.parent.uuid  | Unique parent process identifier resistant to repetition  | `ps.parent.uuid = 1843450000440`   |
 | ps.child.uuid  | Unique child process identifier resistant to repetition  | `ps.child.uuid > 20030000000`   |
+| ps.child.pe.file.name | Original file name of the child process executable supplied at compile-time | `ps.child.pe.file.name = 'NOTEPAD.EXE'` |
+| ps.child.is_wow64 | Indicates if the 32-bit child process is created in 64-bit Windows system | `ps.child.is_wow64` |
+| ps.child.is_packaged | Indicates if the child process is packaged with the MSIX technology | `ps.child.is_packaged` |
+| ps.child.is_protected | Indicates if the child process is a protected process | `ps.child.is_protected` |
+| ps.is_wow64 | Indicates if the process generating the event is a 32-bit child process is created in 64-bit Windows system | `ps.is_wow64` |
+| ps.is_packaged | Indicates if the process process generating the event is packaged with the MSIX technology | `ps.is_packaged` |
+| ps.is_protected | Indicates if the process generating the event is a protected process | `ps.is_protected` |
+| ps.parent.is_wow64 | Indicates if the parent process generating the event is a 32-bit process created in 64-bit Windows system | `ps.parent.is_wow64` |
+| ps.parent.is_packaged | Indicates if the parent process generating the event is packaged with the MSIX technology | `ps.parent.is_packaged` |
+| ps.parent.is_protected | Indicates if the parent process generating the event is a protected process | `ps.parent.is_protected` |
 
 
 ### Thread
@@ -100,11 +110,11 @@ The following tables summarize available field names that can be used in filter
 | thread.kstack.limit | Limit of the thread's kernel space stack | `thread.kstack.limit = 'a85d800000'`   |
 | thread.ustack.base | Base address of the thread's user space stack | `thread.ustack.base = '7ffe0000'`   |
 | thread.ustack.limit | Limit of the thread's user space stack | `thread.ustack.limit = '8ffe0000'`   |
-| thread.entrypoint | Starting address of the function to be executed by the thread | `thread.entrypoint = '7efe0000'`   |
+| thread.start_address | Start address of the function to be executed by the thread | `thread.start_address = '7efe0000'`   |
 | thread.access.mask | Thread access rights | `thread.access.mask = '0x1800'`   |
 | thread.access.mask.names | Thread access human-readable rights | `thread.access.mask.names in ('QUERY_LIMITED_INFORMATION')`   |
 | thread.access.status | Thread access status | `thread.access.status = 'Success'`   |
-
+| thread.teb_address | The base address of the thread environment block | `thread.teb_address = '8f30893000'`   |
 
 ### Callstack
 | Field Name  | Description | Example     |
@@ -140,6 +150,7 @@ The following tables summarize available field names that can be used in filter
 | image.is_dll | Indicates if the loaded image is a DLL | `image.is_dll` |
 | image.is_driver | Indicates if the loaded image is a driver | `image.is_driver` |
 | image.is_exec | Indicates if the loaded image is an executable | `image.is_exec` |
+| image.is_dotnet | Indicates if the loaded image is a .NET assembly | `image.is_dotnet` |
 
 ### File
 | Field Name  | Description | Example     |
@@ -162,7 +173,11 @@ The following tables summarize available field names that can be used in filter
 | file.is_driver_vulnerable | Indicates if the dropped driver is vulnerable | `file.is_driver_vulnerable` |
 | file.is_dll | Indicates if the created file is a DLL | `file.is_dll` |
 | file.is_driver | Indicates if the created file is a driver | `file.is_driver` |
-| file.is_exec | Indicates if the crated file is an executable | `file.is_exec` |
+| file.is_exec | Indicates if the created file is an executable | `file.is_exec` |
+| file.info_class | Identifies the file information class | `file.info_class = 'Allocation'` |
+| file.info.allocation_size | Represents the file allocation size set via `NtSetInformationFile` syscall | `file.info.allocation_size > 645400` |
+| file.info.eof_size | Represents the file EOF size set via `NtSetInformationFile` syscall | `file.info.eof_size > 1000` |
+| file.info.is_disposition_file_delete | Indicates if the file is deleted when its handle is closed | `file.info.is_disposition_file_delete = true` |
 
 
 ### Registry
@@ -254,4 +269,3 @@ The following tables summarize available field names that can be used in filter
 | pe.cert.before  | PE certificate enrollment date | `pe.cert.before contains '2024-02-01 00:05:42 +0000 UTC'`   |
 | pe.is_modified | Indicates if on-disk and in-memory PE headers differ | `pe.is_modified'`   |
 | pe.is_modified | Indicates if on-disk and in-memory PE headers differ | `pe.is_modified'`   |
-| pe.ps.child.file.name | Original file name of the child process executable supplied at compile-time | `pe.ps.child.file.name = 'NOTEPAD.EXE'` |
diff --git a/docs/kevents/process.md b/docs/kevents/process.md
@@ -19,6 +19,7 @@ Process events are fired up as a stimulus to the process' life-cycle changes. Wh
 - `start_time` designates the instant when the process was started.
 - `domain` represents the domain name under which the process is started.
 - `username` represents the username that started the process.
+- `flags` represents process creation flags. Can be `WOW64`, `PROTECTED`, or `PACKAGED` to designate 32-bit process is created in 64-bit Windows system,  process is to be run as a protected process, or a process packaged with the **MSIX** technology respectively.
 
 #### OpenProcess
 

diff --git a/docs/kevents/thread.md b/docs/kevents/thread.md
@@ -14,7 +14,8 @@ Thread events are comprised of the following parameters:
 - `ustack_limit` is the limit of the thread's user space stack.
 - `kstack_base` is the base address of the thread's kernel space stack.
 - `kstack_limit` is the limit of the thread's kernel space stack.
-- `entrypoint` is the starting address of the function to be executed by the thread.
+- `start_address` is the start address of the function to be executed by the thread.
+- `teb` is the address of the Thread Environment Block (TEB).
 
 #### OpenThread
 

diff --git a/docs/setup/quick-start.md b/docs/setup/quick-start.md
@@ -1,14 +1,14 @@
 # Quick start
 
-By default, Fibratus operates in rule engine mode. It loads the rule set from the `%PROGRAM FILES%\Fibratus\Rules` directory and sends security alerts to the [systray](/alerts/senders/systray) notification area. Optionally, it takes response actions when the rule is fired, such as killing the process. To see Fibratus in action, we can trigger a rule by performing the following actions:
+By default, Fibratus operates in rule engine mode. It loads the rule set from the `%PROGRAM FILES%\Fibratus\Rules` directory and sends security alerts to [Eventlog](/alerts/senders/eventlog) or other configurable [sinks](/alerts/senders). Optionally, it takes response actions when the rule is fired, such as killing the process. To see Fibratus in action, we can trigger a rule by performing the following actions:
 
 - spin up a command line prompt
 - list credentials from the vault by using the `VaultCmd` tool
 ```
 $ VaultCmd.exe /listcreds:"Windows Credentials" /all
 ```
 
-- `Credential discovery via VaultCmd.exe` rule should trigger displaying the alert in the systray notification area
+- `Credential discovery via VaultCmd.exe` rule should trigger displaying the alert in the Eventlog `Application` channel.
 
 To learn more about detection rules, head to [rules](/filters/rules).
 

diff --git a/docs/yara/alerts.md b/docs/yara/alerts.md
@@ -1,109 +1,6 @@
 # Alerts
 
-Alert notifications are automatically sent via the sender specified by the `alert-via` option. The alert will contain any tag that was defined in the YARA rule. The following is an example of a YARA alert.
-
-```
-Possible malicious process, notepad.exe (8424), detected at 12 Oct 2020 18:33:58 CEST.
-
-Rule matches
-  Rule: FakeNotepad
-  Namespace: default
-  Meta: map[author:Usurper]
-  Tags: [notepad]
-
-Process information
-
-Name: notepad.exe
-PID: 8424
-PPID: 8424
-Comm: "C:\WINDOWS\system32\notepad.exe"
-Cwd: C:\Users\nedo\
-SID: ARCHRABBIT\nedo
-Session ID: 1
-
-Env:
-  ALLUSERSPROFILE: C:\ProgramData
-  APPDATA: C:\Users\nedo\AppData\Roaming
-  COMPUTERNAME: ARCHRABBIT
-  ComSpec: C:\WINDOWS\system32\cmd.exe
-  CommonProgramFiles: C:\Program Files\Common Files
-  CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
-  CommonProgramW6432: C:\Program Files\Common Files
-  DriverData: C:\Windows\System32\Drivers\DriverData
-  ERLANG_HOME: C:\Program Files\erl-23.0
-  FPS_BROWSER_APP_PROFILE_STRING: Internet Explorer
-  FPS_BROWSER_USER_PROFILE_STRING:  
-  SESSIONNAME: Console
-  SystemDrive: C:
-
-Threads:
-  ID: 888 IO prio: 2, Base prio: 8, Page prio: 5, Ustack base: f96af50000, Ustack limit: f96af3f000, Kstack base: ffff9982c4f1c000, Kstack limit: f96af3f000, Entrypoint: 7ff96cad3d60
-  ID: 7084 IO prio: 2, Base prio: 8, Page prio: 5, Ustack base: f96aed0000, Ustack limit: f96aebf000, Kstack base: ffff9982c45cd000, Kstack limit: f96aebf000, Entrypoint: 7ff7a0240110
-  ID: 7492 IO prio: 2, Base prio: 8, Page prio: 5, Ustack base: f96b280000, Ustack limit: f96b26f000, Kstack base: ffff9982c4fc1000, Kstack limit: f96b26f000, Entrypoint: 7ff96cad3d60
-  ID: 13496 IO prio: 2, Base prio: 8, Page prio: 5, Ustack base: f96afd0000, Ustack limit: f96afbf000, Kstack base: ffff9982c4518000, Kstack limit: f96afbf000, Entrypoint: 7ff96acdb0c0
-
-Modules:
-  Name: C:\Windows\System32\notepad.exe, Size: 204800, Checksum: 0, Base address: 7ff7a0220000, Default base address: 7ff7a0220000
-  Name: C:\Windows\System32\ntdll.dll, Size: 2031616, Checksum: 0, Base address: 7ff96caa0000, Default base address: 7ff96caa0000
-  Name: C:\Windows\System32\kernel32.dll, Size: 729088, Checksum: 0, Base address: 7ff96ab50000, Default base address: 7ff96ab50000
-  Name: C:\Program Files\AVG\Antivirus\aswhook.dll, Size: 73728, Checksum: 0, Base address: 7ff94baa0000, Default base address: 7ff94baa0000 Name: C:\Windows\System32\KernelBase.dll, Size: 2764800, Checksum: 0, Base address: 7ff969d00000, Default base address: 7ff969d00000
-  Name: C:\Windows\System32\gdi32.dll, Size: 155648, Checksum: 0, Base address: 7ff96c080000, Default base address: 7ff96c080000
-  Name: C:\Windows\System32\win32u.dll, Size: 135168, Checksum: 0, Base address: 7ff96ab20000, Default base address: 7ff96ab20000
-  Name: C:\Windows\System32\gdi32full.dll, Size: 1654784, Checksum: 0, Base address: 7ff96a880000, Default base address: 7ff96a880000
-  Name: C:\Windows\System32\msvcp_win.dll, Size: 647168, Checksum: 0, Base address: 7ff96a060000, Default base address: 7ff96a060000
-  Name: C:\Windows\System32\ucrtbase.dll, Size: 1024000, Checksum: 0, Base address: 7ff96aa20000, Default base address: 7ff96aa20000
-  Name: C:\Windows\System32\user32.dll, Size: 1654784, Checksum: 0, Base address: 7ff96b8b0000, Default base address: 7ff96b8b0000
-  Name: C:\Windows\System32\msvcrt.dll, Size: 647168, Checksum: 0, Base address: 7ff96c880000, Default base address: 7ff96c880000
-  Name: C:\Windows\System32\combase.dll, Size: 3366912, Checksum: 0, Base address: 7ff96ac40000, Default base address: 7ff96ac40000
-  Name: C:\Windows\System32\rpcrt4.dll, Size: 1179648, Checksum: 0, Base address: 7ff96bc60000, Default base address: 7ff96bc60000
-  Name: C:\Windows\System32\bcryptprimitives.dll, Size: 524288, Checksum: 0, Base address: 7ff969a30000, Default base address: 7ff969a30000 Name: C:\Windows\System32\SHCore.dll, Size: 692224, Checksum: 0, Base address: 7ff96b6b0000, Default base address: 7ff96b6b0000
-  Name: C:\Windows\System32\advapi32.dll, Size: 667648, Checksum: 0, Base address: 7ff96bbb0000, Default base address: 7ff96bbb0000
-  Name: C:\Windows\System32\sechost.dll, Size: 618496, Checksum: 0, Base address: 7ff96b610000, Default base address: 7ff96b610000
-
-Handles:
-  Num: 4 Type: Event, Name: , Object: 0x0, PID: 8424 Num: 12 Type: Event, Name: , Object: 0x0, PID: 8424
-  Num: 16 Type: WaitCompletionPacket, Name: , Object: 0x0, PID: 8424
-  Num: 20 Type: IoCompletion, Name: , Object: 0x0, PID: 8424
-  Num: 24 Type: TpWorkerFactory, Name: , Object: 0x0, PID: 8424
-  Num: 28 Type: IRTimer, Name: , Object: 0x0, PID: 8424
-  Num: 32 Type: WaitCompletionPacket, Name: , Object: 0x0, PID: 8424
-  Num: 36 Type: IRTimer, Name: , Object: 0x0, PID: 8424
-  Num: 40 Type: WaitCompletionPacket, Name: , Object: 0x0, PID: 8424
-  Num: 56 Type: Directory, Name: \KnownDlls, Object: 0x0, PID: 8424
-  Num: 60 Type: Event, Name: , Object: 0x0, PID: 8424 Num: 64 Type: Event, Name: , Object: 0x0, PID: 8424
-  Num: 80 Type: ALPC Port, Name: , Object: 0x0, PID: 8424 Num: 96 Type: Key, Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions, Object: 0x0, PID: 8424
-  Num: 108 Type: Key, Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, Object: 0x0, PID: 8424
-  Num: 112 Type: Mutant, Name: , Object: 0x0, PID: 8424
-  Num: 116 Type: Event, Name: , Object: 0x0, PID: 8424
-  Num: 120 Type: IoCompletion, Name: , Object: 0x0, PID: 8424
-  Num: 124 Type: WindowStation, Name: \Sessions\1\Windows\WindowStations\WinSta0, Object: 0x0, PID: 8424
-  Num: 128 Type: Desktop, Name: \Default, Object: 0x0, PID: 8424
-  Num: 132 Type: WindowStation, Name: \Sessions\1\Windows\WindowStations\WinSta0, Object: 0x0, PID: 8424
-  Num: 144 Type: Key, Name: HKEY_LOCAL_MACHINE, Object: 0x0, PID: 8424 Num: 152 Type: Event, Name: , Object: 0x0, PID: 8424 Num: 160 Type:
-
-Entrypoint: 20110
-Image base: 140000000
-Build date: 2028-08-09 02:09:05 +0000 UTC
-Number of symbols: 0
-Number of sections: 7
-Sections:
-  Name: .text, Size: 132608, Entropy: 0.000000, Md5:
-  Name: .rdata, Size: 35840, Entropy: 0.000000, Md5:
-  Name: .data, Size: 3072, Entropy: 0.000000, Md5:
-  Name: .pdata, Size: 4096, Entropy: 0.000000, Md5:
-  Name: .didat, Size: 512, Entropy: 0.000000, Md5:
-  Name: .rsrc, Size: 3072, Entropy: 0.000000, Md5:
-  Name: .reloc, Size: 1024, Entropy: 0.000000, Md5:
-Resources:
-  CompanyName: Microsoft Corporation
-  FileDescription: Notepad
-  FileVersion: 10.0.18362.693 (WinBuild.160101.0800)
-  InternalName: Notepad
-  LegalCopyright: © Microsoft Corporation. All rights reserved. 
-  OriginalFilename: NOTEPAD.EXE
-  ProductName: Microsoft® Windows® Operating System
-  ProductVersion: 10.0.18362.693
-```
+Alerts on rule matches are automatically sent via all active alert senders.
 
 ##  Event metadata {docsify-ignore}
 
@@ -140,4 +37,3 @@ The `yara.matches` tag contains the JSON array payload where each object represe
   }
 ]
 ```
-