Command Snippets in interACT Terminal: Investigators and response teams can customize, execute, and reuse predefined or custom command snippets from within the interACT terminal – streamlining repetitive response operations, improving accuracy, and saving time.
Responder now uses the native macOS ComputerName (retrieved via the system API) to identify assets during registration and check-ins. This replaces the previous use of the default hostname and aligns asset names with the titles shown in System Preferences and on the command line. If ComputerName is blank or cannot be retrieved, Responder falls back to LocalHost and then to the traditional hostname. This improves the accuracy of asset identity and reduces confusion when aligning deployments and reports.
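The fallback chain described above, as an added example that is not Responder's code: the scutil keys ComputerName and LocalHostName are assumed to be the macOS sources for the "ComputerName" and "LocalHost" values the notes mention, and the command runner is injectable so the chain can be exercised off macOS.

```python
import platform
import subprocess

# Added example (not Responder's code): reproduce the asset-name fallback chain
# ComputerName -> LocalHost(Name) -> traditional hostname from the release notes.

def run_cmd(argv):
    """Return a command's stripped stdout, or '' if it is missing, fails, or prints nothing."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    except (OSError, subprocess.SubprocessError):
        return ""
    return proc.stdout.strip() if proc.returncode == 0 else ""

def resolve_asset_name(run=run_cmd):
    """Walk the fallback chain; `run` is injectable so the logic can be tested without scutil."""
    for argv in (["scutil", "--get", "ComputerName"],   # user-facing name in System Preferences
                 ["scutil", "--get", "LocalHostName"],  # Bonjour/local name (assumed "LocalHost")
                 ["hostname"]):                         # traditional hostname
        name = run(argv)
        if name:
            return name
    # Last resort when even hostname(1) is unavailable: the kernel-reported node name.
    return platform.node()

if __name__ == "__main__":
    print(resolve_asset_name())
```

Running it on the macOS endpoint itself shows which name the asset will register under, which is useful when reconciling Console asset titles with what operators see locally.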
When fetching asset identities from LDAP, AIR now extracts the full device hostname from the dNSHostName attribute. This resolves prior misidentification caused by NetBIOS truncation and ensures domain-joined machines are accurately matched and managed within AIR.
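Why the dNSHostName attribute matters, as an added example that is not AIR's own matching code: the computer object below is constructed, and it relies only on the standard facts that a computer's sAMAccountName is its NetBIOS name plus a trailing "$" and that NetBIOS names are capped at 15 characters.

```python
# Added example (not AIR's code): show how a NetBIOS-truncated name fails to match a
# long hostname while the dNSHostName attribute matches it exactly.

NETBIOS_MAX = 15  # NetBIOS computer names are limited to 15 characters

def netbios_short_name(entry):
    """NetBIOS name from sAMAccountName, with the computer-account '$' suffix removed."""
    return entry.get("sAMAccountName", "").rstrip("$").lower()

def asset_fqdn(entry):
    """Prefer dNSHostName; fall back to the NetBIOS short name when the attribute is absent."""
    fqdn = (entry.get("dNSHostName") or "").strip().lower()
    return fqdn or netbios_short_name(entry)

def netbios_only_match(entry, reported_fqdn):
    """Pre-fix behaviour: compare the directory's NetBIOS name with the endpoint's short name."""
    endpoint_short = reported_fqdn.split(".")[0].lower()
    return netbios_short_name(entry) == endpoint_short

def fqdn_match(entry, reported_fqdn):
    """Fixed behaviour: compare full DNS names, which are not subject to the 15-char cap."""
    return asset_fqdn(entry) == reported_fqdn.strip().lower()

# Constructed sample: the hostname "fileserver-production1" is 22 characters, so its
# NetBIOS name (and thus sAMAccountName) is truncated to the first 15 characters.
SAMPLE_ENTRY = {
    "sAMAccountName": "FILESERVER-PROD$",
    "dNSHostName": "fileserver-production1.corp.example.com",
}
REPORTED_FQDN = "fileserver-production1.corp.example.com"

if __name__ == "__main__":
    assert len(netbios_short_name(SAMPLE_ENTRY)) == NETBIOS_MAX
    print("NetBIOS-only match:", netbios_only_match(SAMPLE_ENTRY, REPORTED_FQDN))  # False
    print("dNSHostName match: ", fqdn_match(SAMPLE_ENTRY, REPORTED_FQDN))          # True
```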
Tasks executed via the AIR Console now give analysts granular insight into execution durations. Within the task UI, analysts can view timing for task start, responder pickup, evidence collection, upload, and completion. This helps benchmark task latencies across environments and identify performance bottlenecks (e.g., endpoint slowness or network delay).
AIR's evidence timeline has been visually optimized by replacing full-text flag and finding type names with icons, severity markers, and tooltips. This allows analysts to review larger evidence datasets more efficiently without hindering access to detailed context through hover/tooltips or modals.
Each evidence item in the Investigation Hub now includes a clickable comment icon, allowing immediate access to any prior annotations or the creation of new investigation notes. This fosters collaborative triage, helps analysts recall context during escalation, and supports auditability during incident postmortem.
This release brings a powerful usability improvement to remote command execution in AIR. Analysts can now access, create, and share command snippets to standardize commonly executed interACT operations. Snippets can include metadata such as supported OS, placeholders, categories, and ownership tags.
Commands can be run directly from the terminal, copied to the clipboard, favorited, or saved as a new custom command. A full-featured Library UI allows editing, deletion, import/export via JSON, and tagging. Search, sort, and filter operations help streamline access to hundreds of command assets during critical investigations.
The maximum upload size for files pushed to endpoints via interACT has been increased from 200MB to 500MB. This expands interACT’s versatility for Investigation and Response use cases where analysts need to deploy larger diagnostic or investigatory tools.
The Audit Logs search bar now searches across all relevant data—not just the Type column—allowing for quicker incident review and traceability when auditing forensic activities or evaluating system usage during security investigations.
A built-in password generation feature is introduced within the User Management form. System administrators can now generate secure, random passwords for new user accounts, removing the need for third-party browser plugins, which are often restricted in high-security environments.
DRONE Hash-Based Detection Issues: DRONE analyzers no longer inappropriately use the "hash" in the rule’s metadata block as the object hash in findings. This improves the accuracy and integrity of reported object hashes. DRONE now prevents self-identification by excluding its own binaries from detections via database paths. This avoids noisy false positives in trusted environments.
Local SMB Authentication Fails: Fixed an issue where accessing SMB repositories via local user credentials failed due to domain name auto-append in Responder, causing authentication errors. Repository Explorer has also been updated for consistent login behavior using local account formats.
Disk Image Behavior Issues: Several bugs affecting Disk Image management were resolved, including broken filtering logic after creation, assets being miscategorized after LDAP sync, and the inability to re-select deleted disk image entries.
Responder Upload Failure Not Reported: Situations where evidence uploads failed during task execution weren't being reported correctly to the Console, causing lingering UI states. This is now resolved, ensuring failure causes are surfaced.
Finding Date Inconsistencies with Timezone Changes: Investigative findings and their detailed timestamps now reflect timezone offset changes consistently across summary and detail views.
NetBIOS Name Truncation via LDAP: Full hostnames can now be extracted through more reliable directory attributes to avoid classification as "unmanaged asset" in the UI.
interACT Failed Session Reconnects Due to Cache: Addressed a bug where stale cache entries left after server process restarts could prevent new interACT websocket connections.
Fixed IP allow list handling in endpoint isolation (now bidirectional): Addressed an issue during endpoint isolation where entries in the IP allow list were not respected for inbound communications. Allow list logic is now bidirectional, ensuring defined IPs are granted both inbound and outbound access through the isolation layer.
The analyzer continues to expand its recognition of potentially malicious or dual-use hacker tools. Tools frequently found in offensive security operations and red team engagements are being surfaced during investigations more reliably, providing immediate enrichment and analyst direction. New rules also include expanded capability for recognition of remote access management tools increasingly abused by threat actors.
Improvements in this release include advanced detection for high-risk malware and toolkits such as PromptLock (GPT-powered ransomware), CANONSTAGER launchers, and PlugX variants. Behavioral patterns such as double-extension masquerading, shortcut-based execution, TinyShell usage, and more aggressive base64 obfuscation are now detectable. Enhancements to recognition heuristics reduce false positives while broadening detection coverage across Windows, Linux, and Darwin targets.
The Sigma integration within DRONE reflects the latest pattern updates contributed by communities such as SigmaHQ and Hayabusa. These empower your team to detect adversary behavior within event logs and system audit trails using the latest detection logic, without needing to manage rule updates manually.