whids

Open Source EDR for Windows

AGPL-3.0 License

Stars
1.1K
Committers
3


whids - v1.8.0-beta.8 Latest Release

Published by qjerome about 2 years ago

whids - v1.8.0-beta.7

Published by qjerome about 2 years ago

whids - v1.8.0-beta.6

Published by qjerome almost 3 years ago

Fixes

  • #90 v1.8.0 beta5 bug
  • #91 Correlate and enrich Microsoft-Windows-Kernel-File ETW logs
whids - v1.8.0 beta.5

Published by qjerome almost 3 years ago

Changes

  • Improved EDR event action handler
  • Improved file upload to the manager to reduce the memory impact of large uploads
  • Migration to sod v1.5
  • Changed the way users are managed
  • Changed the logic around user authentication
  • Added a way to create users from the manager's CLI
  • OpenAPI definition, auto-generated from the tests

Fixes

  • #87: Improve golang unit testing
  • #86: Fix golang unit tests
  • #85: Add API endpoint to manage IOCs spread on endpoints for detection
  • #84: Ability to config default actions on different criticality thresholds
  • #82: Action to produce short reports
  • #81: Change "Api-Key" Authentication header
  • #78: request feature - list closed report on a defined time period
  • #77: Missing query criticality parameter on get /endpoint call
  • #65: Archive reports
  • #66: Implement /endpoint/{UUID}/report/archive
  • #63: Make manager's data persistent
whids - WHIDS v1.8.0 beta.2

Published by qjerome about 3 years ago

Changes:

  • New way to store events
  • New way to search for events

Fixed issues:

  • #75 List endpoints by group / status in /endpoints
  • #74 Implement API endpoint to update endpoints fields
  • #73 List of ever loaded modules in report
  • #72 Track list of loaded modules
  • #71 EdrData section in events
  • #70 API endpoint /endpoint/artifacts
  • #69 Implement API endpoint used to stream events
  • #68 showkey parameter in /endpoints
  • #64 Change /alerts to /detections
  • #61 Integrate with ETW
  • #60 Add score /endpoints
  • #58 Date last alert in /endpoints
  • #57 Add group member to manager API endpoint structure
  • #56 Skip parameter in /logs /alerts
  • #55 Limit parameter in /logs /alerts
  • #54 Filter parameter in /rules API endpoint
whids - WHIDS v1.8.0 beta

Published by qjerome over 3 years ago

whids - v1.7.0

Published by qjerome over 3 years ago

  • New Administrative HTTP API with following features:
    • Manage endpoints (list, create, delete)
    • Get basic statistics about the manager
    • Execute commands on endpoints and get results
      • Can drop files prior to execution, to execute binaries/scripts not present on the endpoint. Dropped files are deleted once the command has run.
      • Can retrieve files (post command execution), to retrieve results of the command
    • Collect files from endpoints for forensic purposes
    • Contain / Uncontain endpoints by blocking all network traffic except communication with the manager.
    • Query endpoints logs
    • Query endpoints alerts
    • Pivot on a timestamp and retrieve logs/alerts around that time pivot
    • Access endpoint report
      • Scoring (relative to each environment) allowing endpoints to be sorted so that the ones behaving differently from the others stand out.
      • Alerts / TTPs observed on a given time frame
    • Manage rules (list, create, update, save, delete)
  • Integration with Sysmon v12 and v13
    • Integrate ClipboardData events
      • Puts the clipboard content inside the event, so that rules can be written on the content of the clipboard
    • Integrate ProcessTampering events
      • Enrich event with a diffing score between .text section on disk and in memory
  • Implemented certificate pinning on the client to enhance the security of the communication channel between endpoints and the management server
  • Log filtering capabilities, allowing one to collect contextual events. Log filtering is achieved by creating Gene filtering rules (c.f. Gene Documentation).
  • Configuration files in TOML format for better readability
  • Better protection of the installation directory
whids - WHIDS version 1.6.2

Published by qjerome almost 5 years ago

Integration with MISP

Fixed issues:

  • #9 (issue forwarding log from endpoint to manager)
  • #10 (Enrich candidate sysmon event with CurrentDirectory information)
whids - WHIDS version 1.6.1

Published by qjerome about 5 years ago

  • Fixed issue #7
  • Sysmon 10.41 + configuration files
whids - WHIDS version 1.6.0

Published by qjerome about 5 years ago

  • WHIDS is installed as a true Windows service
  • Reworked the installation script to allow several options
  • Created an optimized Sysmon configuration to run with WHIDS
  • Process integrity check is not performed until boot has finished
  • Removed DNS logging features by default (since Sysmon v10 has DNSQuery events)
  • Log message if process termination is not enabled
  • Sysmon service depends on WHIDS (so that no events are missed at boot)
  • Updated to the latest version of Gene (v1.6)
  • New registry dump mode to dump suspicious registry keys
  • Some random code refactoring
  • Sysmon events enrichment:
    • Ancestors in CreateProcess
    • Windows service names are resolved and put in the Services field of any applicable event
    • CommandLine in NetworkConnect
    • User and IntegrityLevel propagated to all applicable events (all except DriverLoad)
    • CreateRemoteThread and ProcessAccess enrichment with:
      • SourceIntegrityLevel
      • TargetIntegrityLevel
      • SourceUser
      • TargetUser
      • TargetParentProcessGuid
      • SourceServices
      • TargetServices
    • ...
whids - WHIDS Version 1.5.1beta

Published by qjerome over 5 years ago

Beta release for tests

whids - WHIDS version 1.5.0

Published by qjerome over 5 years ago

  • Much of the code was rewritten to make things more consistent:
    • WHIDS is no longer command line based, most of the options are configured via a configuration file
    • Some command line switches names have changed
  • WHIDS manager can now be used as a true management server:
    • Update clients' rules
    • Update clients' containers
    • Receive dumps (files, memory) from the clients
whids - WHIDS v1.4

Published by qjerome almost 6 years ago

WHIDS version 1.4

  • Dump hooks
    • dump file: dump as many relevant files as possible when an alert above threshold is raised
      • dump anything which is a file and that appears in Sysmon fields, depending on the event
      • can dump ADS
      • can dump scripts
      • can dump executables
    • dump memory: creates a full Microsoft minidump of a process that triggers an alert above threshold
  • Process integrity hook
    • Two fields are added to the Sysmon CreateProcess events: ProcessIntegrity and ParentProcessIntegrity. A value of -1 means process integrity could not be computed. Otherwise it is a float value in [0;100] measuring the degree of difference between the image loaded in memory and the image on disk. The higher the value, the more likely the process image has been modified.
  • Builtin alert forwarder
    • New command line utility whids-man, which collects the logs and is meant to be deployed on a remote machine (Windows, Linux, macOS ...)
      • HTTP / HTTPS are supported (HTTPS is preferred)
      • Built-in certificate and key generation (convenient for testing; use OpenSSL-generated certificates in production)
      • Client authentication via API key to forward the logs
      • Server authentication can be enforced on the client side via an authentication key
      • Alerts are dumped in a GZIP file automatically rotated when 100MB size is reached
    • New command line switch -forward to configure forwarding on the host side
      • if the manager is offline, alerts are stored in a local queue and uploaded when the manager comes back up
      • built-in queue file rotation
      • built-in cleaning of queued files if disk usage is too high
  • Install script has been updated
    • Protects the installation directory so that it is accessible / modifiable only by members of the Administrators group or the SYSTEM user
    • The scheduled task now starts whids-launcher.bat, located in the installation directory, instead of starting WHIDS directly. This makes it easier to modify the command line arguments.
  • Project tree has changed a bit; the main code has been moved to the tools directory
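The ProcessIntegrity field above (v1.4) and the ProcessTampering diffing score in v1.7.0 both rest on the same idea: compare the bytes of an executable section as loaded in memory with the same section on disk and express the difference as a percentage. The Go snippet below is an added illustration written for this page, not whids' own implementation; it assumes the two copies of the section have already been read into byte slices (the Windows-side reading is out of scope here), reports the score in the [0;100] range with -1 as the "not computable" sentinel, and additionally lists which 4 KiB pages differ, which separates a 5-byte inline hook from a fully replaced (hollowed) section. The sample section contents are constructed patterns, not real code. A production check also has to tolerate legitimate differences such as loader-applied relocation fixups, which a raw byte diff does not account for.

```go
package main

import (
	"bytes"
	"fmt"
)

// PageSize is the granularity at which differences are reported
// (4 KiB, the usual x86/x64 page size; an assumption for this example).
const PageSize = 4096

// IntegrityReport summarises how the in-memory copy of a section
// differs from the on-disk copy.
type IntegrityReport struct {
	Score         float64 // 0..100 percentage of differing bytes, -1 if not computable
	DiffBytes     int     // number of bytes that differ
	ModifiedPages []int   // indexes of PageSize-sized pages containing differences
}

// IntegrityScore compares two copies of a PE section (e.g. .text) and
// returns the percentage of bytes that differ. Score is -1 when the
// comparison is not possible (empty input or size mismatch), mirroring
// the sentinel used by the ProcessIntegrity field.
func IntegrityScore(disk, mem []byte) IntegrityReport {
	r := IntegrityReport{Score: -1}
	if len(disk) == 0 || len(disk) != len(mem) {
		return r
	}
	pages := (len(disk) + PageSize - 1) / PageSize
	for p := 0; p < pages; p++ {
		start := p * PageSize
		end := start + PageSize
		if end > len(disk) {
			end = len(disk)
		}
		// Fast path: identical pages are skipped without a byte-by-byte walk.
		if bytes.Equal(disk[start:end], mem[start:end]) {
			continue
		}
		r.ModifiedPages = append(r.ModifiedPages, p)
		for i := start; i < end; i++ {
			if disk[i] != mem[i] {
				r.DiffBytes++
			}
		}
	}
	r.Score = 100 * float64(r.DiffBytes) / float64(len(disk))
	return r
}

// sampleText builds a constructed 3-page ".text" section filled with a
// deterministic byte pattern (stand-in for real code, not a real binary).
func sampleText() []byte {
	buf := make([]byte, 3*PageSize)
	for i := range buf {
		buf[i] = byte(i * 7)
	}
	return buf
}

// inlineHook simulates an inline hook: the first 5 bytes of the section
// are overwritten with a relative JMP (opcode E9 + 4-byte displacement).
func inlineHook(text []byte) []byte {
	mem := append([]byte(nil), text...)
	copy(mem, []byte{0xE9, 0x11, 0x22, 0x33, 0x44})
	return mem
}

// hollowed simulates process hollowing: every byte of the section is
// replaced with unrelated content of the same size.
func hollowed(text []byte) []byte {
	mem := make([]byte, len(text))
	for i := range mem {
		mem[i] = byte(i*13 + 1) // never equal to i*7 mod 256 (parity differs)
	}
	return mem
}

func main() {
	disk := sampleText()
	cases := []struct {
		name string
		mem  []byte
	}{
		{"clean", disk},
		{"inline hook", inlineHook(disk)},
		{"hollowed", hollowed(disk)},
	}
	for _, c := range cases {
		r := IntegrityScore(disk, c.mem)
		fmt.Printf("%-12s score=%.3f diffBytes=%d pages=%v\n", c.name, r.Score, r.DiffBytes, r.ModifiedPages)
	}
}
```

Reading the output, the inline hook yields a score well below 1 with a single modified page, while the hollowed section scores 100 across all pages; a threshold on Score alone therefore catches hollowing but not small hooks, which is why the page list is worth keeping alongside the percentage.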
whids - WHIDS v1.3

Published by qjerome over 6 years ago

WHIDS v1.3

  • Event Hook introduction
    • Can modify the events before going through detection engine
    • Created hooks to work around the domain name resolution issue
    • Implemented hooks to enrich Sysmon events 1, 6 and 7 with the size of the PE image
    • Implemented several other hooks
  • Can run in service mode:
    • restart in case of failure
    • log alerts to compressed file and rotate file automatically
    • log messages to a file
  • Installation script
    • creates a scheduled task running at boot to start WHIDS
    • generates an uninstall script dropped in the install folder
  • A number of new command line arguments
    • -hooks: control event hook activation
    • -protect: basic protection against crypto-lockers (can be seen as a nice POC of event hooks)
    • -all: enable logging of all the events coming from the monitored channels; should not be used in production, it is intended for debugging purposes
    • ...
  • Some minor code refactoring
whids - WHIDS v1.2.1

Published by qjerome over 6 years ago

Updated with the latest version of Gene, nothing else crazy.

whids - WHIDS v1.2

Published by qjerome over 6 years ago

Changelog

  • Ability to log to Windows Application channel
  • Updated with the latest version of Gene so it benefits from its new features
    • "Match extracts" feature to match parts of event fields against containers (blacklist/whitelist)
  • New channel Alias to Microsoft-Windows-DNS-Client/Operational
  • Command line switch to enable DNS client logs (Microsoft-Windows-DNS-Client/Operational log channel)
whids - Version 1.1

Published by qjerome over 6 years ago

New features:

  • Can listen on several Event channels at the same time
  • Auto-update of the rules from the gene-rules GitHub repo
  • Compiled with the faster Gene engine
whids - WHIDS Version 1.01

Published by qjerome over 6 years ago

whids - WHIDS Version 1.0

Published by qjerome over 6 years ago