Cyber Triage 3.6 is Available


The 3.6 release is out, and it includes many of the features that customers have requested.

The new features fall under the following themes:

  • Process view was redesigned:
    • Includes artifacts from the Program Run view so that you can see current and past processes at the same time.
    • New search and grouping interface to make it easier to focus on certain types of processes.
    • Added a tree interface to allow users to navigate by hierarchy.
    • The Execution History tab on the bottom was removed, and the Process tab now shows all past processes.
    • Added a process tree diagram to the bottom process tab.
    • Changed how scoring is applied: each process instance now gets its own score. This will cause higher counts when a false positive happens, but it gives more control.
    • Processes now record whether they were running with elevated privileges.
  • OS Accounts:
    • Accounts are now created for “non-existent” users, which are derived from failed logons.
    • Merged the concept of an “inferred” account with “unknown”. These are accounts for which a reference is found in a log, but no matching entry was found in the registry, etc.
    • Updated the filters in the “Account” view.
    • Accounts are scored as suspicious if they were recently created and have admin privileges.
  • User Logons:
    • Parse more 4648 events for outbound logon details.
    • Collect log files (but do not parse them) from 3rd party remote logon applications. They are shown as “Source Files” in the Collection Details panel.
    • The bottom inbound logon panel will now show the country of the remote host.
  • OS Configuration:
    • Record log maximum sizes and rotation policy to detect if an attacker made them small to reduce evidence.
    • Record the Windows PE (MiniNT) registry setting.
  • Add Host Options:
    • Added the ability to import a local drive, which can be used when an image is locally mounted (for example, if it was encrypted with BitLocker).
  • Triggered Tasks:
    • Services are now created based on event log data that shows a service was installed.
    • Services that were recently created are scored as suspicious.
    • The PsExec service is scored as suspicious.
  • Downloads:
    • Collect downloaded files from the Temp folder based on the existence of a Zone.Identifier ADS.
    • Collect the content of more downloaded file types (LNK, ISO, etc.) if created within the past 6 months.
    • Recently downloaded ISO and LNK files are scored as suspicious.
  • Search:
    • The panel was updated to make its capabilities more obvious. Same functionality.
  • New Reports:
    • Export all files scored as bad as a ZIP file.
    • Export all file hashes as a text file.
    • Export all IP addresses as a text file.
  • Collection Details:
    • Files that were searched for but not found are now listed.
    • BitLocker detection is shown.
  • IP Addresses:
    • Mark IPs as suspicious if they are frequently used by attackers for data exfiltration (such as Mega).
    • Updated the Dynamic DNS provider list.
  • Other:
    • The Host Information panel will now show what drives the host had mounted.
    • The Sources tab will show the payload for Windows Events.
    • New evaluation panel with reduced options that allows users to import their own system.
    • Updated the event log parser to use EVTX for disk images and logical file imports (https://github.com/omerbenamram/evtx).
  • Bug Fixes: Many bug fixes are included, but notable ones from customer support issues include:
    • Very large NTFS folders are now detected and alerted on, rather than exhausting memory.
    • Logical folder ingest works with long folder names.
  • Hash of ZIP:
    • SHA-256: 8ddb62c4961f6fc7600aaa114a31f013487b421aced725f814eb6eef7094dccc
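The Downloads items above rely on the Zone.Identifier alternate data stream that Windows attaches to files saved from the Internet. The following is an added example (not Cyber Triage code) showing how such a stream is parsed and how a simple triage rule modelled on those notes could flag recent ISO/LNK downloads; the ADS text, the 6-month window and the extension list are constructed assumptions.

```python
"""Parse Zone.Identifier ADS contents and apply a triage rule for recent
ISO/LNK downloads. Added example, not Cyber Triage code; the sample ADS
text and thresholds below are constructed for illustration."""
import os
from dataclasses import dataclass
from typing import Optional

SUSPICIOUS_EXTENSIONS = {".iso", ".lnk"}  # assumption: mirrors the release note
RECENT_WINDOW_DAYS = 183                  # "past 6 months", approximated


@dataclass
class ZoneInfo:
    zone_id: int                 # 0 Local, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(text: str) -> Optional[ZoneInfo]:
    """Parse the INI-style [ZoneTransfer] block stored in <file>:Zone.Identifier.
    Returns None when there is no ZoneTransfer section or no numeric ZoneId."""
    in_section = False
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    if not values.get("zoneid", "").isdigit():
        return None
    return ZoneInfo(int(values["zoneid"]), values.get("referrerurl"), values.get("hosturl"))


def score_download(name: str, ads_text: Optional[str], age_days: float) -> str:
    """'suspicious' for a recently created ISO/LNK marked Internet/Restricted,
    'downloaded' for any other file carrying such a mark, 'none' otherwise."""
    info = parse_zone_identifier(ads_text) if ads_text else None
    if info is None or info.zone_id < 3:
        return "none"
    ext = os.path.splitext(name)[1].lower()
    if ext in SUSPICIOUS_EXTENSIONS and age_days <= RECENT_WINDOW_DAYS:
        return "suspicious"
    return "downloaded"


# Constructed sample of the stream as Windows writes it (CRLF line endings).
SAMPLE_ADS = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
              "HostUrl=https://example.test/invoice.iso\r\n")
```

On a live Windows host the stream itself is read by opening the path `name + ":Zone.Identifier"`; on an image it is the `$DATA` attribute of that name in the MFT record.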

You can read about a few of the new features on the blog.

Or, attend our release webinar on Feb 28 at 1PM Eastern. You can register for that here.

You can download the latest from here: