Releases: 0xrawsec/whids
v1.8.0-beta.8
attempt at fixing #126
v1.8.0-beta.7
Endpoint configuration implemented in admin API
v1.8.0-beta.6
v1.8.0 beta.5
Changes
- Improved EDR event action handler
- Improved file upload to manager to reduce memory impact of big file upload
- migration to sod v1.5
- changed the way users are managed
- changed logic around user authentication
- added a way to create users from the manager's CLI
- auto-generating the OpenAPI definition from tests
- OpenAPI definition
Fixes
- #87: Improve golang unit testing
- #86: Fix golang unit tests
- #85: Add API endpoint to manage IOCs spread on endpoints for detection
- #84: Ability to config default actions on different criticality thresholds
- #82: Action to produce short reports
- #81: Change "Api-Key" Authentication header
- #78: request feature - list closed report on a defined time period
- #77: Missing query criticality parameter on get /endpoint call
- #65: Archive reports
- #66: Implement /endpoint/{UUID}/report/archive
- #63: Make manager's data persistent
WHIDS v1.8.0 beta.2
Changes:
- new way to store events
- new way to search for events
Fixed issues:
- #75 List endpoints by group / status in /endpoints
- #74 Implement API endpoint to update endpoints fields
- #73 List of ever loaded modules in report
- #72 Track list of loaded modules
- #71 EdrData section in events
- #70 API endpoint /endpoint/artifacts
- #69 Implement API endpoint used to stream events
- #68 showkey parameter in /endpoints
- #64 Change /alerts to /detections
- #61 Integrate with ETW
- #60 Add score /endpoints
- #58 Date last alert in /endpoints
- #57 Add group member to manager API endpoint structure
- #56 Skip parameter in /logs /alerts
- #55 Limit parameter in /logs /alerts
- #54 Filter parameter in /rules API endpoint
WHIDS v1.8.0 beta
Refactoring:
- hids package
- hook functions taking hids as first parameter to easily access config from hooks
- removed global variables shared between hooks and HIDS
- manager command handler moved from api package to hids to easily access hids config
Fixed issues:
- Implement actionable rules: #28
- Implement event count: #29
- Enrich events with signature information: #32
- Automatic canary folder management: #33
- Ability to configure audit policies from WHIDS config: #34
- Set File System Audit ACLs from config: #35
- Generate IR ready reports on detections: #36
- Dump process tree: #38
- Enrich event with Gene process scoring: #40
- Add Admin API to list and download artifacts dumped: #42
- Directory listing command: #44
- Implement hash command: #45
- Implement osquery command: #46
- Implement terminate command: #47
- Implement stat command: #48
- Implement walk command: #49
- Implement find command: #50
- Implement report command: #51
- Implement processes command: #52
- Implement drivers command: #53
v1.7.0
- New Administrative HTTP API with the following features:
  - Manage endpoints (list, create, delete)
  - Get basic statistics about the manager
  - Execute commands on endpoints and get results
    - Can drop files prior to execution, to execute binaries/scripts not present on the endpoint. Dropped files are deleted after the command has run.
    - Can retrieve files (post command execution), to retrieve the results of the command
  - Collect files from endpoints for forensic purposes
  - Contain / Uncontain endpoints by restricting any network traffic except communication to the manager.
  - Query endpoint logs
  - Query endpoint alerts
  - Pivot on a timestamp and retrieve logs/alerts around that time pivot
  - Access endpoint report
  - Scoring (relative to each environment) allowing one to sort endpoints and spot the ones behaving differently from the others.
  - Alerts / TTPs observed on a given time frame
  - Manage rules (list, create, update, save, delete)
- Integration with Sysmon v12 and v13
  - Integrate ClipboardData events
    - Put the content of the clipboard data inside the event to allow creating rules on the content of the clipboard
  - Integrate ProcessTampering events
    - Enrich event with a diffing score between the .text section on disk and in memory
- Implemented certificate pinning on the client to enhance the security of the communication channel between endpoints and the management server
- Log filtering capabilities, allowing one to collect contextual events. Log filtering is achieved by creating Gene filtering rules (cf. Gene Documentation).
- Configuration files in TOML format for better readability
- Better protection of the installation directory
WHIDS version 1.6.2
WHIDS version 1.6.1
- Fixed issue #7
- Sysmon 10.41 + configuration files
WHIDS version 1.6.0
- WHIDS is installed as a true Windows service
- Reworked the installation script to allow several options
- Created an optimized Sysmon configuration to run with WHIDS
- Process Integrity check not done before boot is finished
- Removed DNS logging features by default (since Sysmon v10 has DNSQuery events)
- Log message if process termination is not enabled
- Sysmon service depends on WHIDS (solution found not to miss events at boot)
- Updated to the latest version of Gene (v1.6)
- New registry dump mode to dump suspicious registries
- Some random code refactoring
- Sysmon events enrichment:
  - Ancestors in CreateProcess
  - Name of the Windows service is resolved and put in the Services field for any event
  - CommandLine in NetworkConnect
  - User and IntegrityLevel propagated to all applicable events (all except DriverLoad)
  - CreateRemoteThread and ProcessAccess enrichment with:
    - SourceIntegrityLevel
    - TargetIntegrityLevel
    - SourceUser
    - TargetUser
    - TargetParentProcessGuid
    - SourceServices
    - TargetServices
    - ...