fibratus
A modern tool for Windows kernel exploration and tracing with a focus on security
Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.6.2 to 1.12.0. Release notes Sourced from github.com/spf13/viper's releases. v1.12.0 This release makes YAML v3 and TOML v2 the default versions used for encoding. You can switch...
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.4.1 to 1.9.0. Release notes Sourced from github.com/sirupsen/logrus's releases. v1.9.0 No release notes provided. v1.8.1 No release notes provided. v1.8.0 Correct versioning number replacing v1.7.1 v1.7.1 Code...
Bumps [github.com/olivere/elastic/v7](https://github.com/olivere/elastic) from 7.0.20 to 7.0.32. Release notes Sourced from github.com/olivere/elastic/v7's releases. Release 7.0.32 Update dependencies Update CI to Go 1.17 and Go 1.18 Add tracer for OpenTelemetry Add max_analyzed_offset...
Bumps [github.com/Microsoft/go-winio](https://github.com/Microsoft/go-winio) from 0.4.14 to 0.5.2. Release notes Sourced from github.com/Microsoft/go-winio's releases. v0.5.2 What's Changed Allow guid package to be used on non-Windows GOOS targets by @dcormier in microsoft/go-winio#169 Fix...
Hi, When I read a file, I see duplicate file events (even though the seq numbers are different, the events are the same): ``` Seq: 1350561 Pid: 8632 Tid: 19508 Type: ReadFile CPU:...
Since we're gathering imported symbols via [PE](https://github.com/rabbitstack/fibratus/tree/master/pkg/pe) parsing, we could compute the import hash, most commonly referred to as [imphash](https://www.mandiant.com/resources/tracking-malware-import-hashing). We could simply adapt the [pefile-go](https://github.com/omarghader/pefile-go/blob/b1abcb010d7d45cfcbe572dc15e315cf6f55c859/pe/pe.go#L542) imphash logic to an existing...
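For reference, this is what the imphash computation described in the issue above amounts to. It is an added example, not code from fibratus or from pefile-go: the `Import` type and the constructed import table are assumptions standing in for whatever the project's PE parser actually yields. It follows the pefile convention (lowercase `module.function`, `.dll`/`.ocx`/`.sys` extension stripped, ordinal imports rendered as `ordN`, entries comma-joined in import-table order, MD5 over the result, empty string when there are no imports) but leaves out pefile's lookup of well-known ordinal names for `oleaut32` and `ws2_32`, so hashes for binaries that import by ordinal from those modules will differ from pefile's.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// Import is one entry of a PE import directory: the module it comes from and
// either the function name or, for imports by ordinal, the ordinal number.
// (Assumed shape; the real parser's type will differ.)
type Import struct {
	DLL     string
	Name    string // empty when the symbol is imported by ordinal
	Ordinal uint16
}

// Module extensions removed before hashing, per the pefile convention.
var strippedExt = map[string]bool{".dll": true, ".ocx": true, ".sys": true}

// imphashEntry renders a single import as "module.function": lowercased,
// extension stripped from the module, ordinal imports written as "ordN".
func imphashEntry(imp Import) string {
	mod := strings.ToLower(imp.DLL)
	if i := strings.LastIndex(mod, "."); i >= 0 && strippedExt[mod[i:]] {
		mod = mod[:i]
	}
	fn := strings.ToLower(imp.Name)
	if fn == "" {
		fn = fmt.Sprintf("ord%d", imp.Ordinal)
	}
	return mod + "." + fn
}

// Imphash returns the hex MD5 of the comma-joined import entries. Order is the
// import-table order, so two binaries with the same imports in a different
// order hash differently. An empty import table yields "" (as pefile does).
func Imphash(imports []Import) string {
	if len(imports) == 0 {
		return ""
	}
	entries := make([]string, 0, len(imports))
	for _, imp := range imports {
		entries = append(entries, imphashEntry(imp))
	}
	sum := md5.Sum([]byte(strings.Join(entries, ",")))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample import table, not taken from any real binary.
	sample := []Import{
		{DLL: "KERNEL32.dll", Name: "GetProcAddress"},
		{DLL: "KERNEL32.dll", Name: "LoadLibraryA"},
		{DLL: "WS2_32.dll", Ordinal: 23},
	}
	fmt.Println("imphash:", Imphash(sample))
}
```

Two practical caveats when using the value for hunting: imphash only makes sense for PE files with a static import table (packed or reflectively loaded payloads usually show a tiny, generic one), and because it hashes the order of imports, a recompiled sample with the same imports in a different order breaks the match.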
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.5 to 0.3.7. Commits 383b2e7 language: turn parsing panics into ErrSyntax 3115f89 language: use multiple runs in TestBestMatchAlloc 5c7c50e go.mod: upgrade to go 1.17 c2d28a6 number: match...
These functions would enable us to build filters that evaluate process relationships. The `ancestor_of` function returns the parent of the process that's executing the kernel event. For example, `ancestor_of('cmd.exe')` would...
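One way to back a filter function like the one proposed above is to walk the parent chain in a process snapshot. The following is an added example, not fibratus code: the `Proc`/`Snapshot` types, the method names and the constructed process tree are assumptions. The point worth showing is the edge case: parent PIDs are not stable identifiers on Windows (PIDs are reused after a process exits), so a naive walk can loop or attribute an event to the wrong lineage; the walk below stops at a missing parent or at any PID it has already visited.

```go
package main

import (
	"fmt"
	"strings"
)

// Proc is the subset of a process-snapshot entry needed to walk the tree.
// (Assumed shape, not the project's own type.)
type Proc struct {
	PID  uint32
	PPID uint32
	Name string
}

// Snapshot indexes processes by PID. In a real tracer this would be the
// kernel process snapshot maintained from process-start/stop events.
type Snapshot map[uint32]Proc

// Ancestors returns the parent chain of pid, nearest parent first. It stops
// when the parent is absent from the snapshot (e.g. already exited) or when a
// PID repeats, which guards against cycles introduced by PID reuse.
func (s Snapshot) Ancestors(pid uint32) []Proc {
	cur, ok := s[pid]
	if !ok {
		return nil
	}
	seen := map[uint32]bool{pid: true}
	var chain []Proc
	for {
		parent, found := s[cur.PPID]
		if !found || seen[parent.PID] {
			return chain
		}
		seen[parent.PID] = true
		chain = append(chain, parent)
		cur = parent
	}
}

// AncestorOf reports whether any ancestor of pid (the process itself
// excluded) has the given image name, compared case-insensitively since
// Windows image names are not case-sensitive. This is the predicate a filter
// such as ancestor_of('cmd.exe') would evaluate for the event's process.
func (s Snapshot) AncestorOf(pid uint32, name string) bool {
	for _, p := range s.Ancestors(pid) {
		if strings.EqualFold(p.Name, name) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample tree: System -> explorer.exe -> cmd.exe -> powershell.exe
	snap := Snapshot{
		4:    {PID: 4, PPID: 0, Name: "System"},
		1000: {PID: 1000, PPID: 4, Name: "explorer.exe"},
		2000: {PID: 2000, PPID: 1000, Name: "cmd.exe"},
		3000: {PID: 3000, PPID: 2000, Name: "powershell.exe"},
	}
	fmt.Println("powershell spawned under cmd.exe:", snap.AncestorOf(3000, "cmd.exe"))
	for _, p := range snap.Ancestors(3000) {
		fmt.Printf("  ancestor pid=%d name=%s\n", p.PID, p.Name)
	}
}
```

Note that a chain built this way only reflects the parent PID recorded at process creation; if the real parent has exited and its PID was handed to an unrelated process, the snapshot must have recorded the parent's exit (and dropped or tombstoned the entry) for the walk to stop rather than follow the impostor.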
The Windows API provides the `CryptQueryObject` function to obtain details about the certificate that signed the executable. We should invoke this function in the process/image interceptors and augment the corresponding events...
[ALPC](https://en.wikipedia.org/wiki/Local_Inter-Process_Communication) is the Windows internal messaging system. ALPC is frequently utilized by malware actors to inject shellcode into benign processes. If we could get visibility into ALPC...