v1.17.0

What's Changed

• linux udevd: replace file-size based detection with YARA rules by @tstromberg in #380
• new detection: recently downloaded files which have been packed by @tstromberg in #381
• active systemd units: populate more in-the-wild examples by @tstromberg in #382
• new detection: suspicious systemd units by @tstromberg in #383

.. and loads of false positive-reduction PR's.

New Contributors

• @egibs made their first contribution in #372

Full Changelog: v1.16.0...v1.17.0

v1.16.0

What's Changed

• fpr: MHLink, k3d, BlueFin, query tuning by @tstromberg in #364
• mark command-events & execdir-events as 'extra' due to high CPU usage by @tstromberg in #365
• fpr: Fedora Silverblue, MHLinkServer, Elastic, ptyxis, Zed by @tstromberg in #366
• fpr: Universal Blue and a little bit of everything else by @tstromberg in #367
• Massive false-positive reduction, particularly for uBlue by @tstromberg in #368
• fpr: Rule toning for podman, pip, zed, java, ssh, and more by @tstromberg in #369

Full Changelog: v1.15.0...v1.16.0

v1.15.0

What's Changed

• Rename current_time column to now_ts to avoid Kolide import issue by @tstromberg in #346
• Set a time limit of 8s for query output by @tstromberg in #347
• fpr: elastic, rapid7, zwift by @tstromberg in #348
• fpr: snap, mutedeck, idea, Chrome exts by @tstromberg in #349
• pin to shas and upgrade actions workflows and osquery client by @jedsalazar in #350
• fpr: PSI, Arduino, BitDefender, Keybase, Cody, Elastic, Firefox by @tstromberg in #351
• massive fpr: Rapid7, Elastic, everything by @tstromberg in #352
• Add TTP details from https://www.sentinelone.com/blog/backdoor-activa… by @tstromberg in #353
• fpr: Elastic Defend, gcloud, Warp, etc by @tstromberg in #354
• fpr: Elastic, IR, Velociraptor, BitDefender, incus, Adguard by @tstromberg in #355
• Ignore taint code 4096 (out-of-tree driver) by @tstromberg in #356
• fpr: Incus, Firefox, mbim, networkd, incus by @tstromberg in #357
• fpr: Docker Desktop, code-oss, incus, geoclue, etc by @tstromberg in #358
• fpr: snapd, cups, ubuntu, etc by @tstromberg in #359
• Allow Kandji to do weird things with expect by @tstromberg in #361
• Performance tuning, mark some Linux queries as 'extra' by @tstromberg in #362
• Add Harden Runner audit configs by @jedsalazar in #360
• FPR: Docker, Yubikey, Aerospace, WhatsApp, nuclei, etc. by @tstromberg in #363

Full Changelog: v1.14.1...v1.15.0

v1.14.1

What's Changed

• recently downloaded go-crypt: Fix YARA error by @tstromberg in #345

Full Changelog: v1.14.0...v1.14.1

v1.14.0

What's Changed

• fpr: syncthing, sourcegraph, phantombuster, iterm, cody, stickers, wolfi sdk, nuclei, gobuster by @tstromberg in #343
• Simplify makefile, reduce config targets to 4 by @tstromberg in #344

Full Changelog: v1.13.0...v1.14.0

v1.13.0

What's Changed

• Optimize YARA process queries by deduping paths by @tstromberg in #334
• make: Add combined-detection.conf & osqtool versioning by @tstromberg in #339
• Add Macdown as an exception to minimal-socket-client-macos by @jedsalazar in #340
• Upgrade osqtool to v1.4.1 by @tstromberg in #341
• fpr: rootlesskit, sshd, Fedora, Oracle Linux by @tstromberg in #331
• fpr: aws, java, arch, cody, google, wireshark, etc by @tstromberg in #332
• fpr: dbeaver, AwesomeScreenshot, Hyper, etc by @tstromberg in #333
• fpr: ThingsWidgetExtension by @tstromberg in #335
• fpr: Capture One, Grammarly, Mullvad, etc by @tstromberg in #336
• exotic events linux: optimize query for reduced system CPU by @tstromberg in #337
• fpr: A little bit of everything by @tstromberg in #338
• fpr: Elastic Defend, Rapid7 InsightIDR & others by @tstromberg in #342

New Contributors

• @jedsalazar made their first contribution in #340

Full Changelog: v1.12.2...v1.13.0

v1.12.2

What's Changed

Reduced false positives:

• fpr: Kolide, qemu, bash, monday, macOS by @tstromberg in #327
• fpr: osquery release spam by @tstromberg in #328
• fpr: mtr, vscode, cpptools, cron, firefox by @tstromberg in #329
• fpr: Electron, Github by @tstromberg in #330

Full Changelog: v1.12.1...v1.12.2

v1.12.1

What's Changed

• fpr: Monday, Splunk, Gnome, Git, Grammarly, etc by @tstromberg in #324
• fpr: containerd, hyper, Docker, Chromium, spotify, busycal by @tstromberg in #325
• makefile: Extend timeouts for YARA queries by @tstromberg in #326

Full Changelog: v1.12.0...v1.12.1

v1.12.0

What's Changed

• Add 14 new YARA based checks by @tstromberg in #314
• new detector: Unexpected talker events by @tstromberg in #309
• new detector: hidden cwd events by @tstromberg in #311
• Add detector for listening from an unusual location by @tstromberg in #321
• unexpected chrome extension: Check for 'management' permission by @tstromberg in #291
• new detector: unexpected process extension linux by @tstromberg in #293
• macOS sysutils: add csrutil, ditto, unzip, whoami, system_profiler by @tstromberg in #294
• netutil calls: add nscurl by @tstromberg in #295
• Improve unexpected-chmod-exec-event performance by @tstromberg in #303
• Detect vulnerable versions of Acrobat Reader by @tstromberg in #305
• Improve base64/crontab detection by @tstromberg in #306
• Add primitive name-based detection for possible InfoStealers by @tstromberg in #304
• More checks for unusual process names inspired by Earth Lusca by @tstromberg in #308
• split detection pack into subpacks by @tstromberg in #315
• Address issues which kept some Linux alerts from firing by @tstromberg in #319
• Loads of false positives and other bugs addressed.

Full Changelog: v1.11.0...v1.12.0

v1.11.0

What's Changed

• New detectors based on JokerSpy research by @tstromberg in #286
• New detectors: excessive Google Drive exports by @tstromberg in #269
• Improve detection for bpfdoor and similar backdoors. by @tstromberg in #262
• Query tuning for Geacon detection and reduced CPU usage by @tstromberg in #264
• incident_response: Improve macOS coverage by @tstromberg in #258
• Collect recent file events by @tstromberg in #259
• hidden home config: Add ~/.config/.* to search criteria by @tstromberg in #273
• minimal socket client: speed query up by @tstromberg in #276
• The usual mess of false-positive reductions.

Full Changelog: v1.10.0...v1.11.0