# Recent releases for whids

Source feed: http://open-source-security-software.net/project/whids/releases.atom (generated 2024-06-24T03:35:59+00:00 by python-feedgen)

## whids v1.0 (2018-02-02T07:45:50+00:00)

## whids v1.01 (2018-02-06T22:20:02+00:00)

## whids v1.1 (2018-02-08T19:38:30+00:00)

New features:

* Listen on several channels at a time
* Auto-update the rules from the gene-rules GitHub repo

## whids v1.2 (2018-03-27T20:53:40+00:00)

Changelog:

* Ability to log to the Windows Application channel
* Updated with the latest version of Gene so it benefits from its new features
* "Match extracts" feature to match parts of event fields against containers (blacklist/whitelist)
* New channel alias to Microsoft-Windows-DNS-Client/Operational
* Command line switch to enable DNS client logs (Microsoft-Windows-DNS-Client/Operational log channel)

## whids v1.2.1 (2018-05-21T21:40:31+00:00)

Updated with the latest version of Gene, nothing else crazy.

## whids untagged-aac2183bf02799dd14b7: WHIDS v1.3 (2018-06-28T21:17:12+00:00)

* **Event Hook** introduction
  * Can modify the events before they go through the detection engine
  * Created hooks to overcome the domain name resolution issue
  * Implemented hooks to enrich Sysmon events 1, 6 and 7 with the size of the PE image
  * Implemented several other hooks
* Can run in **service mode**:
  * restart in case of failure
  * log alerts to a compressed file and rotate the file automatically
  * log messages to a file
* Installation script
  * creates a scheduled task running at boot to start Whids
  * generates an uninstall script dropped in the install folder
* A number of new command line arguments
  * **-hooks**: control event hook activation
  * **-protect**: dummy protection against crypto-locker (can be seen as a nice POC of event hooks)
  * **-all**: option to enable logging of **all** the events coming from the monitored channels; should not be used in production, it is more for debugging purposes
  * ...
* Some minor code refactoring

## whids v1.4: WHIDS version 1.4 (2019-01-17T21:21:58+00:00)

* Dump hooks
  * dump file: dump as many relevant files as possible when an alert above threshold is raised
    * dump anything which is a file and that appears in Sysmon fields, depending on the event
    * can dump ADS
    * can dump scripts
    * can dump executables
  * dump memory: creates an **MS full minidump** of a process that triggers an alert above threshold
* Process integrity hook
  * Two fields are added to the Sysmon **CreateProcess** events: **ProcessIntegrity** and **ParentProcessIntegrity**. If the value is **-1** it means process integrity could not be computed. Otherwise it is a float value in **[0;100]** measuring the degree of similarity between the image loaded in memory and the image on disk. The **higher** the value is, the more likely the process image **has been modified**.
* Builtin alert forwarder
  * New command line utility **whids-man** aiming at collecting the logs and being deployed on a remote machine (**windows, linux, macos ...**)
  * HTTP / HTTPS are supported (HTTPS is preferred)
  * Builtin cert and key generation (convenient for testing but better with OpenSSL for prod)
  * Client authentication via API key to forward the logs
  * Server authentication can be enforced on the client side via authentication key
  * Alerts are dumped in a GZIP file automatically rotated when **100MB** size is reached
  * New command line switch **-forward** to configure forwarding on the Host side
    * if the manager is offline, we store the alerts in a local queue and upload them when the manager comes up again
    * builtin queue file rotation
    * builtin queued files cleaning if disk space usage is too high
* Install script has been updated
  * Protects the installation directory so that it is accessible / modifiable only by users that are members of the Administrators group or the SYSTEM user
  * The scheduled task now starts **whids-launcher.bat**, located in the installation directory, instead of starting WHIDS directly. This way it is easier to modify the command line arguments.
* Project tree has changed a bit, **main** code has been moved to the **tools** directory

## whids v1.5.0 (2019-04-08T20:59:31+00:00)

* A bunch of code rewritten to make things more consistent:
  * WHIDS is no longer command line based, most of the options are configured via a configuration file
  * Some command line switch names have changed
* WHIDS manager can now be used as a **true management server**:
  * Update clients' rules
  * Update clients' containers
  * Receive dumps (files, memory) from the clients

## whids v1.5.1beta (2019-05-14T20:55:46+00:00)

Beta release for tests

## whids v1.6.0 (2019-08-21T21:48:42+00:00)

- **WHIDS** is installed as a true **Windows service**
- Reworked the installation script to allow several options
- Created an **optimized Sysmon configuration** to run with WHIDS
- **Process Integrity** check not done before boot is finished
- Removed DNS logging features by default (since Sysmon v10 has DNSQuery events)
- Log a message if process termination is not enabled
- **Sysmon service** depends on WHIDS (solution found not to miss events at boot)
- Updated to the latest version of **Gene (v1.6)**
- New **registry** dump mode to dump suspicious registries
- Some random code refactoring
- Sysmon events enrichment:
  - *Ancestors* in **CreateProcess**
  - Name of the **windows services** is resolved and put in the *Services* field for **any event**
  - *CommandLine* in **NetworkConnect**
  - *User* and *IntegrityLevel* propagated to all applicable events (all except DriverLoad)
  - **CreateRemoteThread** and **ProcessAccess** enrichment with:
    * *SourceIntegrityLevel*
    * *TargetIntegrityLevel*
    * *SourceUser*
    * *TargetUser*
    * *TargetParentProcessGuid*
    * *SourceServices*
    * *TargetServices*
  - ...

## whids v1.6.1 (2019-10-02T16:14:03+00:00)

* Fixed issue #7
* Sysmon 10.41 + configuration files

## whids v1.6.2 (2019-10-21T11:38:33+00:00)

Integration with MISP

## whids v1.7.0 (2021-03-01T21:24:44+00:00)

- New Administrative HTTP API with the following features:
  - Manage endpoints (list, create, delete)
  - Get basic statistics about the manager
  - Execute commands on endpoints and get results
    * Can drop files prior to execution, to execute binaries/scripts not present on the endpoint. Dropped files are deleted after the command was run.
    * Can retrieve files (post command execution), to retrieve the results of the command
  - Collect files from endpoints for forensic purposes
  - Contain / Uncontain endpoints by restricting any network traffic except communication to the manager.
  - Query endpoint logs
  - Query endpoint alerts
  - Pivot on a timestamp and retrieve logs/alerts around that time pivot
  - Access endpoint report
    * Scoring (**relative to each environment**) allowing to sort endpoints and spot the ones behaving differently from the others.
    * Alerts / TTPs observed on a given time frame
  - Manage rules (list, create, update, save, delete)
- Integration with Sysmon v12 and v13
  - Integrate ClipboardData events
    * Put the content of the clipboard data inside the event to allow creating rules on the content of the clipboard
  - Integrate ProcessTampering events
    * Enrich the event with a diffing score between the .text section on disk and in memory
- Implemented certificate pinning on the client to enhance the security of the communication channel between endpoints and the management server
- Log filtering capabilities, allowing one to collect contextual events. Log filtering is achieved by creating Gene filtering rules (c.f. [Gene Documentation](https://github.com/0xrawsec/gene)).
- Configuration files in TOML format for better readability
- Better protection of the installation directory

## whids v1.8.0-beta (2021-06-22T21:59:08+00:00)

## whids v1.8.0-beta.2 (2021-08-24T20:53:40+00:00)

Changes:

- new way to store events
- new way to search for events

Fixed issues:

- #75 List endpoints by group / status in /endpoints
- #74 Implement API endpoint to update endpoints fields
- #73 List of ever loaded modules in report
- #72 Track list of loaded modules
- #71 EdrData section in events
- #70 API endpoint /endpoint/artifacts
- #69 Implement API endpoint used to stream events
- #68 showkey parameter in /endpoints
- #64 Change /alerts to /detections
- #61 Integrate with ETW
- #60 Add score to /endpoints
- #58 Date of last alert in /endpoints
- #57 Add group member to manager API endpoint structure
- #56 Skip parameter in /logs /alerts
- #55 Limit parameter in /logs /alerts
- #54 Filter parameter in /rules API endpoint

## whids v1.8.0.beta.5 (2021-12-07T21:25:35+00:00)

### Changes

- Improved EDR event action handler
- Improved file upload to manager to reduce the memory impact of big file uploads
- migration to sod v1.4
- changed the way users are managed
- changed logic around user authentication
- added a way to create users from the manager's CLI
- auto-generating OpenAPI definition from tests
- OpenAPI definition

### Fixes

- #87: Improve golang unit testing
- #86: Fix golang unit tests
- #85: Add API endpoint to manage IOCs spread on endpoints for detection
- #84: Ability to configure default actions on different criticality thresholds
- #82: Action to produce short reports
- #81: Change "Api-Key" Authentication header
- #78: request feature - list closed reports on a defined time period
- #77: Missing query criticality parameter on get /endpoint call
- #65: Archive reports
- #66: Implement /endpoint/{UUID}/report/archive
- #63: Make manager's data persistent

## whids v1.8.0-beta.5 (2021-12-07T21:25:35+00:00)

### Changes

- Improved EDR event action handler
- Improved file upload to manager to reduce the memory impact of big file uploads
- migration to sod v1.5
- changed the way users are managed
- changed logic around user authentication
- added a way to create users from the manager's CLI
- auto-generating OpenAPI definition from tests
- OpenAPI definition

### Fixes

- #87: Improve golang unit testing
- #86: Fix golang unit tests
- #85: Add API endpoint to manage IOCs spread on endpoints for detection
- #84: Ability to configure default actions on different criticality thresholds
- #82: Action to produce short reports
- #81: Change "Api-Key" Authentication header
- #78: request feature - list closed reports on a defined time period
- #77: Missing query criticality parameter on get /endpoint call
- #65: Archive reports
- #66: Implement /endpoint/{UUID}/report/archive
- #63: Make manager's data persistent

## whids v1.8.0-beta.6 (2021-12-10T14:57:59+00:00)

### Fixes

- #90 v1.8.0 beta5 bug
- #91 Correlate and enrich Microsoft-Windows-Kernel-File ETW logs

## whids v1.8.0-beta.7 (2022-08-03T12:33:11+00:00)

## whids v1.8.0-beta.8 (2022-08-08T16:38:56+00:00)