MBot Posted October 23, 2020

v1.4.0 (2020-10-23)

This capa release includes changes to the rule parsing, enhanced feature extraction, various bug fixes, and improved capa scripts. Everyone should benefit from the improved functionality and performance. The community helped to add 69 new rules. We appreciate everyone who opened issues, provided feedback, and contributed code and rules. A special shout out to the following new project contributors: @mwilliams31 @yt0ng

@dzbeck added Malware Behavior Catalog (MBC) and ATT&CK mappings for 86 rules.

Due to an issue with our CI build configuration, please download standalone binaries from the v1.4.1 release here.

Check out the readme here on GitHub. Report issues on our issue tracker and contribute new rules at capa-rules.

New features

- script that demonstrates bulk processing @williballenthin #307
- main: render MBC table @mr-tz #332
- ida backend: improve detection of APIs called via two or more chained thunks @mike-hunhoff #340
- viv backend: improve detection of APIs called via two or more chained thunks @mr-tz #341
- features: extract APIs called via jmp instruction @mr-tz #337

New rules

- clear the Windows event log @mike-hunhoff
- crash the Windows event logging service @mike-hunhoff
- packed with kkrunchy @re-fox
- packed with nspack @re-fox
- packed with pebundle @re-fox
- packed with pelocknt @re-fox
- packed with peshield @re-fox
- packed with petite @re-fox
- packed with rlpack @re-fox
- packed with upack @re-fox
- packed with y0da crypter @re-fox
- compiled with rust @re-fox
- compute adler32 checksum @mwilliams31
- encrypt-data-using-hc-128 @recvfrom
- manipulate console @williballenthin
- references logon banner @re-fox
- terminate process via fastfail @re-fox
- delete volume shadow copies @mr-tz
- authenticate HMAC @mr-tz
- compiled from EPL @williballenthin
- compiled with Go @williballenthin
- create Restart Manager session @mike-hunhoff
- decode data using Base64 via WinAPI @mike-hunhoff
- empty recycle bin quietly @mwilliams31
- enumerate network shares @mike-hunhoff
- hook routines via microsoft detours @williballenthin
- hooked by API Override @williballenthin
- impersonate user @mike-hunhoff
- the @williballenthin packer detection package, thanks to Hexacorn for the data, see https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
  - packed with CCG
  - packed with Crunch
  - packed with Dragon Armor
  - packed with enigma
  - packed with Epack
  - packed with MaskPE
  - packed with MEW
  - packed with Mpress
  - packed with Neolite
  - packed with PECompact
  - packed with Pepack
  - packed with Perplex
  - packed with ProCrypt
  - packed with RPCrypt
  - packed with SeauSFX
  - packed with Shrinker
  - packed with Simple Pack
  - packed with StarForce
  - packed with SVKP
  - packed with Themida
  - packed with TSULoader
  - packed with VProtect
  - packed with WWPACK
  - rebuilt by ImpRec
  - packaged as a Pintool
  - packaged as a CreateInstall installer
  - packaged as a WinZip self-extracting archive
- reference 114DNS DNS server @williballenthin
- reference AliDNS DNS server @williballenthin
- reference Cloudflare DNS server @williballenthin
- reference Comodo Secure DNS server @williballenthin
- reference Google Public DNS server @williballenthin
- reference Hurricane Electric DNS server @williballenthin
- reference kornet DNS server @williballenthin
- reference L3 DNS server @williballenthin
- reference OpenDNS DNS server @williballenthin
- reference Quad9 DNS server @williballenthin
- reference Verisign DNS server @williballenthin
- run as service @mike-hunhoff
- schedule task via ITaskService @mike-hunhoff
- references DNS over HTTPS endpoints @yt0ng

Bug fixes

- ida plugin: fix tree-view exception @mike-hunhoff #315
- ida plugin: fix feature count @mike-hunhoff
- main: fix reported total rule count @williballenthin #325
- features: fix handling of API names with multiple periods @mike-hunhoff #329
- ida backend: find all byte sequences instead of only first @mike-hunhoff #335
- features: display 0 value @mr-tz #338
- ida backend: extract ordinal and name imports @mr-tz #343
- show-features: improvements and support within IDA @mr-tz #342
- main: sanity check MBC rendering @williballenthin
- main: handle sample path that contains non-ASCII characters @mr-tz #328

Changes

- rules: use yaml.CLoader for better performance @williballenthin #306
- rules: parse descriptions for statements @mr-tz #312

Raw diffs

- capa v1.3.0...v1.4.0
- capa-rules v1.3.0...v1.4.0

Standalone binaries

Due to an issue with our CI build configuration, please download standalone binaries from the v1.4.1 release here.