docs: Docs changes for 2.4.0

Author: rabbitstack

docs/_coverpage.md

@@ -4,7 +4,7 @@
   <img src='logo.png' height="800px" width="800px"></img>
 </div>
 
-# fibratus <small>2.3.0</small>
+# fibratus <small>2.4.0</small>
 
 >  Adversary tradecraft detection, protection, and hunting
 

docs/_sidebar.md

@@ -14,14 +14,15 @@
   * [Registry](kevents/registry.md)
   * [Network](kevents/network.md)
   * [Handle](kevents/handle.md)
+  * [Object](kevents/object.md)
   * [Driver](kevents/driver.md)
   * [Memory](kevents/mem.md)
 * <ion-icon name="filter-outline"></ion-icon> Filters and Rules
   * [Needle In The Haystack](filters/introduction.md)
   * [Prefiltering](filters/prefiltering.md)
   * [Filtering](filters/filtering.md)
   * [Operators](filters/operators.md)
-  * [Paths](filters/paths.md)
+  * [Iterators](filters/iterators.md)
   * [Functions](filters/functions.md)
   * [Rules](filters/rules.md)
   * [Fields](filters/fields.md)

docs/filters/fields.md

@@ -115,6 +115,31 @@ The following tables summarize available field names that can be used in filter
 | thread.access.mask.names | Thread access human-readable rights | `thread.access.mask.names in ('QUERY_LIMITED_INFORMATION')`   |
 | thread.access.status | Thread access status | `thread.access.status = 'Success'`   |
 | thread.teb_address | The base address of the thread environment block | `thread.teb_address = '8f30893000'`   |
+| thread.start_address.symbol | Thread start address symbol | `thread.start_address.symbol = 'LoadImage'`   |
+| thread.start_address.module | Thread start address module | `thread.start_address.module endswith 'kernel32.dll'`   |
+
+
+### Threadpool
+
+| Field Name  | Description | Example     |
+| :---        |    :----   |          :---: |
+| threadpool.id     | Thread pool identifier | `threadpool.id = '20f5fc02440'`   |
+| threadpool.task.id     | Thread pool task identifier | `threadpool.task.id = '20f7ecd21f8'`   |
+| threadpool.callback.address     | Thread pool callback address | `threadpool.callback.address = '7ff868739ed0'` |
+| threadpool.callback.symbol     | Thread pool callback address symbol | `threadpool.callback.symbol = 'RtlDestroyQueryDebugBuffer'`   |
+| threadpool.callback.module     | Thread pool callback address module | `threadpool.callback.module contains 'ntdll.dll'`   |
+| threadpool.callback.context     | Thread pool callback context address | `threadpool.callback.context = '1df41e07bd0'`   |
+| threadpool.callback.context.rip     | Thread pool callback thread context instruction pointer | `threadpool.callback.context.rip = '1df42ffc1f8'`   |
+| threadpool.callback.context.rip.symbol     | Thread pool callback thread context instruction pointer symbol | `threadpool.callback.context.rip.symbol = 'VirtualProtect'`   |
+| threadpool.callback.context.rip.module     | Thread pool callback thread context instruction pointer module | `threadpool.callback.context.rip.module contains 'ntdll.dll'`   |
+| threadpool.subprocess_tag     | Thread pool service identifier | `threadpool.subprocess_tag = '10d'`   |
+| threadpool.timer.duetime     | Thread pool timer due time | `threadpool.timer.duetime > 10`   |
+| threadpool.timer.subqueue     | Thread pool timer subqueue address | `threadpool.timer.subqueue = '1db401703e8'`   |
+| threadpool.timer.address     | Thread pool timer address | `threadpool.timer.address = '3e8'`   |
+| threadpool.timer.period     | Thread pool timer period | `threadpool.timer.period = 0`   |
+| threadpool.timer.window     | Thread pool timer tolerate period | `threadpool.timer.window = 0`   |
+| threadpool.timer.is_absolute     | Indicates if the thread pool timer is absolute or relative | `threadpool.timer.is_absolute = true`   |
+
 
 ### Callstack
 | Field Name  | Description | Example     |
@@ -128,12 +153,23 @@ The following tables summarize available field names that can be used in filter
 | thread.callstack.callsite_leading_assembly    | Callsite leading assembly instructions | `thread.callstack.callsite_leading_assembly in ('mov r10,rcx', 'syscall')` |
 | thread.callstack.callsite_trailing_assembly    | Callsite trailing assembly instructions | `thread.callstack.callsite_trailing_assembly in ('add esp, 0xab')` |
 | thread.callstack.is_unbacked    | Indicates if the callstack contains unbacked regions | `thread.callstack.is_unbacked` |
-
+| thread.callstack.addresses    | List of all callstack return addresses | `thread.callstack.addresses in ('7ffb5c1d0396')` |
+| thread.callstack.final_user_module.name  | The final user module name | `thread.callstack.final_user_module.name != 'ntdll.dll'` |
+| thread.callstack.final_user_module.path  | The final user module path | `thread.callstack.final_user_module.path imatches '?:\\Windows\\System32\\ntdll.dll'` |
+| thread.callstack.final_user_symbol.name  | The final user symbol name | `thread.callstack.final_user_symbol.name imatches 'CreateProcess*'` |
+| thread.callstack.final_kernel_module.name  | The final kernel module name | `thread.callstack.final_kernel_module.name = 'FLTMGR.SYS'` |
+| thread.callstack.final_kernel_module.path  | The final kernel module path | `thread.callstack.final_kernel_module.path imatches '?:\\WINDOWS\\System32\\drivers\\FLTMGR.SYS'` |
+| thread.callstack.final_kernel_symbol.name  | The final kernel symbol name | `thread.callstack.final_kernel_symbol.name = 'FltGetStreamContext'` |
+| thread.callstack.final_user_module.signature.is_signed  | Indicates if the final user module is signed | `thread.callstack.final_user_module.signature.is_signed = true` |
+| thread.callstack.final_user_module.signature.is_trusted   | Indicates if the final user module signature is trusted | `thread.callstack.final_user_module.signature.is_trusted = true` |
+| thread.callstack.final_user_module.signature.cert.issuer  | The final user module signature certificate issuer | `thread.callstack.final_user_module.signature.cert.issuer imatches '*Microsoft Corporation*'` |
+| thread.callstack.final_user_module.signature.cert.subject  |  The final user module signature certificate subject | `thread.callstack.final_user_module.signature.cert.subject imatches '*Microsoft Windows*'` |
 
 ### Image
 | Field Name  | Description | Example     |
 | :---        |    :----   |          :---: |
-| image.name     | Full image path | `image.name = 'C:\\Windows\\System32\\advapi32.dll'`   |
+| image.path     | Full image path | `image.name = 'C:\\Windows\\System32\\advapi32.dll'`   |
+| image.name     | Image name | `image.name = 'advapi32.dll'`   |
 | image.base.address  | Base address of the process in which the image is loaded | `image.base.address = 'a65d800000'`   |
 | image.checksum  | Image checksum | `image.checksum = 746424`   |
 | image.size  | Image size | `image.size > 1024`   |
@@ -156,7 +192,8 @@ The following tables summarize available field names that can be used in filter
 | Field Name  | Description | Example     |
 | :---        |    :----   |          :---: |
 | file.object     | File object address in the kernel space | `file.object = 18446738026482168384`   |
-| file.name       | Full file name | `file.name = 'C:\\Windows\\Sytem32\\regedit.exe'`   |
+| file.path       | Full file path | `file.name = 'C:\\Windows\\Sytem32\\regedit.exe'`   |
+| file.name       | File name | `file.name = 'regedit.exe'`   |
 | file.operation  | Operation performed on the file or I/O device | `file.operation = 'OPEN'`   |
 | file.share.mask | File share mask | `file.share.mask = 'READ'`   |
 | file.io.size    | I/O read/write size | `file.io.size > 512`   |
@@ -183,7 +220,8 @@ The following tables summarize available field names that can be used in filter
 ### Registry
 | Field Name  | Description | Example     |
 | :---        |    :----   |          :---: |
-| registry.key.name   | Fully qualified key name | `registry.key.name = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services'`   |
+| registry.path   | Fully qualified registry path | `registry.path = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services'`   |
+| registry.key.name   | Base registry key name | `registry.key.name = 'Services'`   |
 | registry.key.handle | Registry key object address | `registry.key.handle = 'FFFFB905D60C2268'`   |
 | registry.value      | Registry value content | `registry.value = '%SystemRoot%\\system32'`   |
 | registry.value.type | Registry value type | `registry.value.type = 'REG_SZ'`   |

docs/filters/functions.md

@@ -237,7 +237,7 @@ Additionally, some functions may return a collection of values. Function names a
     ```
     - `string`: Input string
     - `start`: Substring start index
-    - `end`: Substring end index
+    - `end`: Substring end index (optional)
     - `return` a substring contained within start and end indices
 
 - **Examples**
@@ -246,6 +246,7 @@ Additionally, some functions may return a collection of values. Function names a
 
     ```
     substr(file.name, indexof(file.name, '\\'), indexof(file.name, '\\Hard')) = '\\Device'
+    substr(file.name, indexof(file.name, 'system32')) = 'system32\\user32.dll'
     ```
 
 #### entropy

docs/filters/iterators.md

@@ -0,0 +1,193 @@
+# Iterators
+
+`foreach` idiom adds iteration capabilities to the rule language. Under the hood, `foreach` is implemented as a function that accepts three required and multiple optional arguments. The first argument is the `iterable` value typically yielded by the pseudo field. 
+
+The function recognizes process internal state collections such as modules, threads, memory mappings, or thread stack frames. Obviously, it is also possible to iterate over simple string slices. The second argument represents the `bound variable` which is an item associated with every element in the slice. The bound variable is accessed in the third argument, the `predicate`. It is usually followed by the `segment` that denotes the accessed value. Unsurprisingly, the predicate is commonly a binary expression that can be formed of `not/paren` expressions, other functions, and so on. The predicate is executed on every item in the slice. If the predicate evaluates to true, the function also returns the true value.
+
+Lastly, foreach function can receive an optional `list of fields` from the outer context, i.e. outside predicate loop. Therefore, for the predicate to access the field not defined within the scope of the iterable, it must capture the field first.
+
+Some examples of the `foreach` usage:
+
+- Traverses process modules and return true if the module path matches the pattern
+
+```
+foreach(ps._modules, $mod, $mod.path imatches '?:\\Windows\\System32\\us?r32.dll')
+```
+
+- For each process ancestor, check if the ancestor is `services.exe` and the current process is protected. In this example, the `ps.is_protected` field is captured before its usage in the predicate
+
+```
+foreach(ps._ancestors, $proc, $proc.name = 'services.exe' and ps.is_protected, ps.is_protected)
+```
+
+## Process iterators {docsify-ignore}
+
+The `ps.ancestor` returns all ancestor names of the process generating the event. Alternatively, the filter field can accept an argument. In case of the `ps.ancestor` field, the argument indicates the ancestor level. Given the process tree below and assuming the current process generating the event is `cmd.exe`, the field with an optional level argument yields the values as follows:
+
+```
+├───wininit.exe
+│   └───services.exe
+│       └───svchost.exe
+│           └───dllhost.exe
+│               ├───cmd.exe
+│               └───winword.exe
+```
+
+- `ps.ancestor[1]` returns `dllhost.exe`
+- `ps.ancestor[3]` returns `services.exe`
+- `ps.ancestor[4]` returns `wininit.exe`
+
+If the argument is omitted, the slice with all ancestor names is returned. The `ps.ancestor` field can only yield a single process attribute - process name. To build complex conditions involving different process attribute, we can use the `foreach` construct. The bound variable associated with the `ps._ancestors` pseudo field can have the any of the segments:
+
+| Segment Name  | Description |
+| :---        |    :----    |
+|`pid` | Process identifier |
+|`name` | Process name |
+|`args` | Process command line arguments as a list of strings |
+|`cmdline` | Process command line argument as a raw string |
+|`cwd`  | Process current working directory |
+|`exe` | Process image path |
+|`sid` | Process SID (security identifier) |
+|`sessionid` | Process session identifier |
+|`username` | User name associated with the process security context |
+|`domain`  | Domain associated with the process security context |
+
+Examples
+
+- Check if the ancestor has one of the particular process identifiers and the pid belongs to the `services.exe` process
+
+```
+foreach(ps._ancestors, $proc, $proc.pid in (2034, 343) and $proc.name = 'services.exe')
+```
+
+- Check if the ancestor starts with the specific security identifier and the pid belongs to the `svchost.exe` process
+
+```
+foreach(ps._ancestors, $proc, $proc.sid imatches `S-1-5*` and $proc.name = 'svchost.exe')
+```
+
+
+### Modules {docsify-ignore}
+
+The `ps._modules` pseudo field returns the process modules iterable. Available module segments are:
+
+
+| Segment Name  | Description |
+| :---        |    :----    |
+|`address` | Base address of the process in which the module is loaded|
+|`checksum` | Module checksum |
+|`size` | Module size in terms of allocated virtual address space |
+|`name` | Module name |
+|`path`  | Full module path |
+
+Examples
+
+- Check the virtual memory space size of the specific module
+
+```
+foreach(ps._modules, $mod, $mod.size >= 212354 and $mod.name imatches '*winhttp.dll')
+```
+
+### Threads {docsify-ignore}
+
+The `ps._threads` pseudo field yields all of the process running threads. Available thread segments are:
+
+
+| Segment Name  | Description |
+| :---        |    :----    |
+|`tid` | Thread identifier |
+|`start_address` | The address of the function executed by the thread |
+|`user_stack_base` | The base address of the thread userspace stack |
+|`user_stack_limit` | The address denoting the thread userspace stack limit  |
+|`kernel_stack_base`  | The base address of the thread kernel stack |
+|`kernel_stack_limit`  | he address denoting the thread kernel stack limit |
+
+### Memory mappings {docsify-ignore}
+
+Process memory mappings (also known as sections) can be accessed via the `ps._mmaps` pseudo field. Available memory mappings segments are:
+
+| Segment Name  | Description |
+| :---        |    :----    |
+|`address` | Address where the section is mapped within the process address space |
+|`type` | The type of the memory mapping. For example, `DATA`. |
+|`size` | Size in bytes of the memory mapping |
+|`protection` | Protection attributes of the mapped memory section |
+|`path`  | If the memory mapping is backed by a physical file, indicates the path of the file |
+
+### Environment variables {docsify-ignore}
+
+You can access process environment variables by providing the name of the environment variable. Alternatively, you can provide the prefix.
+
+```
+ps.envs['MOZ_CRASHREPORTER'] = 'C:\\Program Files\\Firefox'
+```
+
+Or, supplying the prefix
+
+```
+ps.envs['MOZ_CRASH'] = 'C:\\Program Files\\Firefox'
+```
+
+It is also possible to retrieve all environment variables as a list of colon separated key/value pairs. Example using the `foreach` idiom:
+
+```
+foreach(ps.envs, $env, substr($env, 0, indexof($env, ':')) = 'OS')
+```
+
+## Portable Executable iterators {docsify-ignore}
+
+[Portable Executable](/pe/introduction) introspection allows for utilizing the PE metadata in filters. See other [fields](filters/fields?id=pe) that can be used to narrow down events by PE data.
+
+### Sections {docsify-ignore}
+
+The `pe._sections` pseudo field yields all of the executable image PE sections. Available section segments are:
+
+| Segment Name  | Description |
+| :---        |    :----    |
+|`name` | Section name. For example, `.debug$` |
+|`size` | Section size in bytes |
+|`entropy` | Section entropy |
+|`md5` | Section MD5 hash |
+
+### Resources {docsify-ignore}
+
+PE [resources](/pe/resources) can be accessed by the resource name. Alternatively, it is possible to obtain all the resources as a list separated by the colon delimiter:
+
+```
+pe.resources iin ('FileDescription:Notepad')
+```
+
+
+## Callstack {docsify-ignore}
+
+[Stack enrichment](/kevents/anatomy?id=callstack) attaches call frames that can be accessed by the `thread._callstack` pseudo field. Available callstsack segments are:
+
+| Segment Name  | Description |
+| :---        |    :----    |
+|`address` | Symbol address |
+|`offset` | Symbol offset |
+|`symbol` | Symbol name |
+|`module` | Module name containing the frame |
+|`allocation_size` | Private allocation size |
+|`protection` | Frame protection mask |
+|`is_unbacked` | Indicates if the frame is unbacked |
+|`callsite_leading_assembly` | Callsite leading assembly instructions |
+|`callsite_trailing_assembly` | Callsite trailing assembly instructions|
+|`module.signature.is_signed` | Indicates if the frame module is signed |
+|`module.signature.is_trusted` | Indicates if the frame module signature is trusted |
+|`module.signature.cert.subject` | Frame module signature certificate subject |
+|`module.signature.cert.issuer` | Frame module signature certificate issuer |
+
+Examples:
+
+- Determine if the frame protection is RWX (Read-Write-Execute)
+
+```
+foreach(thread._callstack, $frame, $frame.protection = 'RWX')
+```
+
+- Determine if the frame trailing assembly contain the `syscall` instruction and the frame resides in the floating memory region
+
+```
+foreach(thread._callstack, $frame, $frame.callsite_trailing_assembly matches '*mov r10, rcx|mov eax, 0x*|syscall*' and $frame.module = 'unbacked')
+```

docs/filters/operators.md

@@ -118,6 +118,19 @@ String operators are applied to string field types or string literals.
 
    ```
    fibratus run ps.name endswith '.exe'
+    ```
+
+### intersects, iintersects
+
+`intersects` operator and its case-insensitive `iintersects` variant operate on string slices. If all elements in the RHS slice are present in the slice given by LHS, the operator evaluates to `true`. Otherwise, it evaluates to `false`.
+
+- **Example**
+
+   Filter events where the originating process command line arguments contain both `DcomLaunch` and `LSM` arguments
+
+   ```
+   fibratus run ps.args intersects ('DcomLaunch', 'LSM')
+   ```
 
 ### matches, imatches