
Releases: 0xrawsec/whids

WHIDS Version 1.5.1beta

14 May 20:55
Pre-release

Beta release for tests

WHIDS version 1.5.0

08 Apr 20:59
23ddbff
  • A bunch of code was rewritten to make things more consistent:
    • WHIDS is no longer command line based; most options are now configured via a configuration file
    • Some command line switch names have changed
  • WHIDS manager can now be used as a true management server:
    • Update clients' rules
    • Update clients' containers
    • Receive dumps (files, memory) from the clients

WHIDS v1.4

17 Jan 21:21

WHIDS version 1.4

  • Dump hooks
    • dump file: dump as many relevant files as possible when an alert above threshold is raised
      • dump anything which is a file and that appears in Sysmon fields, depending on the event
      • can dump ADS
      • can dump scripts
      • can dump executables
    • dump memory: creates a full Microsoft minidump of a process that triggers an alert above threshold
  • Process integrity hook
    • Two fields are added to the Sysmon CreateProcess events: ProcessIntegrity and ParentProcessIntegrity. If the value is -1, process integrity could not be computed. Otherwise it is a float value in [0;100] measuring the degree of similarity between the image loaded in memory and the image on disk. The higher the value, the more likely the process image has been modified.
  • Builtin alert forwarder
    • New command line utility whids-man, aimed at collecting the logs and meant to be deployed on a remote machine (Windows, Linux, macOS ...)
      • HTTP / HTTPS are supported (HTTPS is preferred)
      • Builtin cert and key generation (convenient for testing, but better to use OpenSSL for production)
      • Client authentication via API key to forward the logs
      • Server authentication can be enforced on the client side via an authentication key
      • Alerts are dumped in a GZIP file, automatically rotated when a size of 100MB is reached
    • New command line switch -forward to configure forwarding on the host side
      • if the manager is offline, alerts are stored in a local queue and uploaded when the manager comes up again
      • builtin queue file rotation
      • builtin cleaning of queued files if disk usage is too high
  • Install script has been updated
    • Restricts the installation directory so it is accessible / modifiable only by members of the Administrators group or the SYSTEM user
    • The scheduled task now starts whids-launcher.bat, located in the installation directory, instead of starting WHIDS directly. This makes it easier to modify the command line arguments.
  • The project tree has changed a bit: the main code has been moved to the tools directory
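The directory protection described in the install-script item above, as an added PowerShell example that is not WHIDS's own install script. The install path is an assumption, and the snippet must run from an elevated prompt.

```powershell
# Added example (not the WHIDS install script): restrict an install directory
# so that only BUILTIN\Administrators and NT AUTHORITY\SYSTEM have any access.
# $InstallDir is an assumed path; adjust it to the real installation folder.
$InstallDir = 'C:\Program Files\whids'

$acl = Get-Acl -LiteralPath $InstallDir

# Stop inheriting ACEs from the parent and discard the inherited ones; otherwise
# Users / Authenticated Users usually keep read (sometimes write) access.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs that were already present on the directory.
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

# Grant full control to the two allowed identities, inherited by files and subfolders.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
foreach ($id in $allowed) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $InstallDir -AclObject $acl

# Verify: any ACE granted to an identity outside the allowed set is a finding,
# since it would let a non-admin tamper with the agent binaries or launcher script.
$stray = (Get-Acl -LiteralPath $InstallDir).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($stray) {
    Write-Warning "Unexpected ACEs remain on $InstallDir"
    $stray | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
} else {
    Write-Output "ACL on $InstallDir is restricted to: $($allowed -join ', ')"
}
```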

WHIDS v1.3

28 Jun 21:17
3618668

WHIDS v1.3

  • Event hook introduction
    • Hooks can modify the events before they go through the detection engine
    • Created hooks to overcome the domain name resolution issue
    • Implemented hooks to enrich Sysmon events 1, 6 and 7 with the size of the PE image
    • Implemented several other hooks
  • Can run in service mode:
    • restarts in case of failure
    • logs alerts to a compressed file and rotates the file automatically
    • logs messages to a file
  • Installation script
    • creates a scheduled task running at boot to start WHIDS
    • generates an uninstall script dropped in the install folder
  • A number of new command line arguments
    • -hooks: control event hook activation
    • -protect: dummy protection against crypto-lockers (can be seen as a nice POC of event hooks)
    • -all: option to enable logging of all the events coming from the monitored channels; should not be used in production, it is meant for debugging purposes
    • ...
  • Some minor code refactoring

WHIDS v1.2.1

21 May 21:40

Updated with the latest version of Gene, nothing else crazy.

WHIDS v1.2

27 Mar 20:53

Changelog

  • Ability to log to the Windows Application channel
  • Updated with the latest version of gene so it benefits from its new features
    • "Match extracts" feature to match parts of event fields against containers (blacklist/whitelist)
  • New channel alias for Microsoft-Windows-DNS-Client/Operational
  • Command line switch to enable DNS client logs (Microsoft-Windows-DNS-Client/Operational log channel)

Version 1.1

23 Feb 18:03

New features:

  • Can listen on several event channels at the same time
  • Auto-updates the rules from the gene-rules GitHub repo
  • Compiled with the faster gene engine

WHIDS Version 1.01

06 Feb 22:20
v1.01

Can now listen on several channels

WHIDS Version 1.0

02 Feb 07:45
v1.0

README updated