11. History
The following were added in 3.1.0 (February 10, 2022):
- New Features:
Added ability to keyword search all artifact metadata within a host.
- OS Configuration:
Expanded OS Configuration artifacts to have a group and be scored.
Collect more settings, such as RDP configuration.
Flag if the EventLog or Windows Defender service is disabled.
Flag if the EventLog or Windows Defender service is enabled but not running.
Provide more context about why OS Configuration settings are important.
- Improved Program Run Performance:
Changed the UI so that specific run times are not shown on top.
Run times are shown at the bottom and paged.
When a “Program Run” is marked as suspicious or bad, only the first and last times will show up in the “mini-timeline”.
Improved User Login performance by decreasing memory requirements in pipelines.
Added ability to select multiple items and score or export them.
Collect the PowerShell console history file and the Windows User Access Logging (UAL) database.
Added ability to add a logo to the HTML report.
Added an Offline Mode that suppresses the warning otherwise shown each time the Internet cannot be reached.
Added the ability to display times in a timezone other than the local one or UTC.
New evaluation dashboard with a list of options.
- Bug Fixes:
Reduced amount of WMI database processing to improve performance.
Encrypted archives are only flagged as suspicious if they are less than 3 months old (to reduce false positives).
Fixed false positives associated with Swedish OS Account names.
Various other minor bug fixes
NOTE: For quality assurance, this release will upload a subset of anonymized artifact metadata to a server to help identify and fix false positives. The data is sanitized and not stored in any way to associate it with where it came from.
The following were added in 3.0.2 (Nov 30, 2021):
- New Features:
Collect WofCompressedData files using native APIs.
Added creation time and file sizes to various UIs.
- Bug Fixes:
Fixed a ransomware note bug that could flag the wrong file when another file had the same name.
The following were added in 3.0.1 (Nov 10, 2021):
- New Features:
Flag ransomware notes based on known names and heuristics.
Flag commands that delete Volume Shadow Copies or disable Windows backup and recovery.
Added ability to filter OS Accounts based on their actions on the system.
Detect and mark WOF compressed files (content is still not collected).
Added an option in the UI to collect only file hashes instead of file content.
- Bug Fixes:
Fixed issues with collection from IPv6 hosts
Fixed Google Object upload bug
Fixed a bug that prevented Yara rule files from being opened.
Fixed issue when deleting multiple hosts.
Various other minor bug fixes
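The 3.0.1 entry above adds flagging of commands that delete Volume Shadow Copies or disable Windows backup and recovery. As an added illustration of what such a check looks like (this is example code written for this page, not the tool's own detection logic), the Python below runs a small rule set over constructed program-run records and returns the ones it would flag. The rule names, the record format and the sample command lines are all assumptions; the commands themselves (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no, WMI Win32_ShadowCopy deletion) are the well-known pre-encryption steps ransomware takes.

```python
import re

# Each rule is (tag, regex). Regexes run over the normalized (lower-cased,
# whitespace-collapsed) command line, so chained commands such as
# "cmd /c vssadmin delete shadows /all & wmic shadowcopy delete" hit every
# applicable rule. The tag names are an assumption for this example.
RULES = [
    ("vss_delete",              r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    # shrinking shadow storage is a common trick to force shadow copy eviction
    ("vss_resize",              r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b"),
    ("wmic_shadow_delete",      r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("wbadmin_delete",          r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup|backup)\b"),
    ("bcdedit_recovery_off",    r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+(?:no|off)\b"),
    ("bcdedit_ignore_failures", r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    # PowerShell / WMI route: enumerate Win32_ShadowCopy and delete each one
    ("ps_shadowcopy_delete",    r"win32_shadowcopy\b.*\b(?:delete|remove-ciminstance|remove-wmiobject)\b"),
]
COMPILED = [(tag, re.compile(pattern)) for tag, pattern in RULES]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case and spacing tricks don't evade rules."""
    return " ".join(cmdline.split()).lower()


def flag_backup_tampering(cmdline: str) -> list[str]:
    """Return the tags of every rule the command line matches (empty if benign)."""
    norm = normalize(cmdline)
    return [tag for tag, rx in COMPILED if rx.search(norm)]


def scan_program_runs(records: list[dict]) -> list[dict]:
    """Return copies of the records that match at least one rule, with a 'tags' field added."""
    flagged = []
    for rec in records:
        tags = flag_backup_tampering(rec["cmd"])
        if tags:
            flagged.append({**rec, "tags": tags})
    return flagged


# Constructed sample "program run" records (not real data): two benign admin
# commands followed by a typical pre-encryption sequence.
SAMPLE_PROGRAM_RUNS = [
    {"time": "2021-11-02T03:14:07Z", "user": "acme\\svc-backup",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" list shadows'},
    {"time": "2021-11-02T03:14:09Z", "user": "acme\\svc-backup",
     "cmd": r"wbadmin start backup -backupTarget:E: -include:C:"},
    {"time": "2021-11-02T03:21:40Z", "user": "acme\\jdoe",
     "cmd": r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & wmic shadowcopy delete"},
    {"time": "2021-11-02T03:21:41Z", "user": "acme\\jdoe",
     "cmd": r"bcdedit /set {default} recoveryenabled No"},
    {"time": "2021-11-02T03:21:42Z", "user": "acme\\jdoe",
     "cmd": r"wbadmin DELETE CATALOG -quiet"},
    {"time": "2021-11-02T03:21:45Z", "user": "acme\\jdoe",
     "cmd": r'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
]


if __name__ == "__main__":
    for rec in scan_program_runs(SAMPLE_PROGRAM_RUNS):
        print(f'{rec["time"]} {rec["user"]:18} {",".join(rec["tags"]):28} {rec["cmd"]}')
```

Because every rule requires the specific destructive verb (delete, resize, recoveryenabled no), routine administration such as listing shadow copies or starting a backup is not flagged. Seeing several of these tags from one account within a minute or two, as in the constructed sample, is the pattern worth treating as a ransomware precursor rather than any single command in isolation.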
The following were added in 3.0.0 (Sept 13, 2021):
- New Feature:
The backend database was replaced with SQLite and PostgreSQL, using the same schema as Autopsy. This results in better stability.
Added ability to delete incidents.
Added ability to soft delete hosts. They are not shown in the UI, but the actual data is still retained. This will be improved.
All collected data must now be part of an Incident.
The collection tool's JSON schema changed and is not compatible with v2 output.
Renamed Session to Host.
Added host name to the top of each panel (user request)
Users are reported as local or domain accounts.
- Team Changes:
More extensive REST APIs exist because clients now connect to the REST API instead of directly to the database.
Clients must use a Server Key to connect to the REST API.
- Bug Fixes:
Fixed issue where a process would be collected twice.
No longer create an inferred user from a failed login for an account that didn't exist.
The following were added in 2.14.5 (June 4, 2021):
- Fixes:
Fixed parsing error with WMI Databases
Updated URL to download evaluation data
The following were added in 2.14.4 (Apr 15, 2021):
- New Feature:
Collect Exchange files from wwwroot for WebShell detection
Distribute NSA-based Yara rules to detect web shells related to recent Exchange compromises
Added keyboard shortcuts for scoring items.
Added --skip_file_contents and --skip_source_file_contents command line arguments to collect only MD5 hashes and not file content.
- Fixes:
Do not flag inferred accounts when there are no local logins. Inferred accounts come from event logs.
Support PsExec 2.3 and above
Fixed a bug that prevented the Server from stopping when it was run as a Windows service.
The following were added in 2.14.3 (Mar 1, 2021):
- New Feature:
Temporary S3 Session Tokens can be used.
- Fixes:
Better handling of corrupt compressed JSON files.
Better UI feedback while encrypted JSON files are being checked.
Fixed bug that incorrectly reported local login as remote
Fixed bugs with parsing some startup items
Fixed bug with WMI Action heuristics
Fixed a bug that showed the WMI database in the timeline.
The collection tool uses a different output folder when run from SysWOW64 (e.g. when launched via an EDR).
The following were added in 2.14.2 (Jan 25, 2021):
- New Features
DLLs of running processes are collected
Files can be rescanned by new Yara rules and bad lists after initial collection
Updated Volatility for Windows 10 19041 Profile
- Fixes
Improved event log parsing performance
Fixed bug that prevented S3 uploads on large JSON files
Allow new version of PsExec (2.3) to be used.
Fix UI refresh issues over RDP
Fixed memory issue with large encrypted JSONs
The following were added in 2.14.1 (Oct 28, 2020):
- New Features:
S3 Test button uses configured proxy
Collection tool can use proxy for S3 using configuration file
Added CSV and JSONL incident-level reporting
- Bug Fixes:
Changed JMX to not listen for remote connections and to require TLS.
Fixed bug with Team options panel
Fixed HTML incident-level reporting
The following were added to 2.14.0 (Oct 7, 2020):
- New Features:
Collection Tool output can now be encrypted using AES
Collection Tool output is now compressed when saved to local file
Collection Tool output can be uploaded to S3 bucket
Yara rules are applied to memory images using Volatility
The Event Log Id is displayed in the UI
Session files are no longer deleted after they are imported
When evaluating, a session can be automatically created with evaluation data.
- Bug Fixes:
Faster processing of systems with a large number of user accounts and logins.
Fixed UI rendering issues from font scaling
Partial files are collected when read errors occur (most often occurs with event logs that use NTFS compression)