fibratus

A modern tool for Windows kernel exploration and tracing with a focus on security

Results 65 fibratus issues

### Description Presently, the Yara scanner acts on process creation and image loading events to initiate the scan. For the former event types, the memory scan is performed on the...

scope: yara
scope: alertsenders
scope: config

Bumps [github.com/Microsoft/go-winio](https://github.com/Microsoft/go-winio) from 0.4.14 to 0.6.2. Release notes Sourced from github.com/Microsoft/go-winio's releases. v0.6.2 What's Changed [etw] Add String() functions, JSON field option by @​helsaawy in microsoft/go-winio#285 enable dependency updates by...

deps

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0. Commits c48da13 http2: fix TestServerContinuationFlood flakes 762b58d http2: fix tipos in comment ba87210 http2: close connections when receiving too many headers ebc8168 all: fix...

deps

The systray component is an independent process that permits interaction with the notification area, mainly for sending balloon alerts when the rules are triggered. In the future, the use cases...

Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.6.2 to 1.19.0. Release notes Sourced from github.com/spf13/viper's releases. v1.19.0 What's Changed Bug Fixes 🐛 fix!: hide struct binding behind a feature flag by @​sagikazarmark in spf13/viper#1720...

deps

Hello @rabbitstack, Scanning over the doc, I was not able to find if we can output the events to a JSON file. I see that we have a console sink,...

### What is the purpose of this PR / why it is needed? The process state marshaller stores the new `IsWow64`, `IsPackaged`, and `IsProtected` fields into the binary blob. ###...

scope: kcap

### What is the purpose of this PR / why it is needed? Identifies creation of a process on behalf of the CLR debugging facility which may be indicative of...

rules

### What is the purpose of this PR / why it is needed? Identifies the creation of a hidden local account. Adversaries can create hidden accounts by appending the dollar...

rules

### What is the purpose of this PR / why it is needed? Fixes spurious conditions when querying process protection attributes. ### What type of change does this PR introduce?...