MBot Posted September 15, 2021

We are excited to announce version 3.0!

capa 3.0:
- adds support for ELF files targeting Linux thanks to Intezer
- adds new features to specify OS, CPU architecture, and file format
- fixes a few bugs that may have led to false negatives (missed capabilities) in older versions
- adds 80 new rules, including 36 describing techniques for Linux

A huge thanks to everyone who submitted issues, provided feedback, and contributed code and rules. Special acknowledgement to @Adir-Shemesh and @TcM1911 of Intezer for contributing the code to enable ELF support.

Also, welcome first time contributors:
- @jaredscottwilson
- @cdong1012
- @jlepore-fe

New Features
- all: add support for ELF files #700 @Adir-Shemesh @TcM1911
- rule format: add feature format: for file format, like format: pe #723 @williballenthin
- rule format: add feature arch: for architecture, like arch: amd64 #723 @williballenthin
- rule format: add feature os: for operating system, like os: windows #723 @williballenthin
- rule format: add feature substring: for verbatim strings with leading/trailing wildcards #737 @williballenthin
- scripts: add profile-memory.py for profiling memory usage #736 @williballenthin
- main: add light weight ELF file feature extractor to detect file limitations #770 @mr-tz

Breaking Changes
- rules using format, arch, os, or substring features cannot be used by capa versions prior to v3
- legacy term arch (i.e., "x32") is now called bitness @williballenthin
- freeze format gains new section for "global" features #759 @williballenthin

New Rules (80)
- collection/webcam/capture-webcam-image @johnk3r
- nursery/list-drag-and-drop-files michael.hunhoff@fireeye.com
- nursery/monitor-clipboard-content michael.hunhoff@fireeye.com
- nursery/monitor-local-ipv4-address-changes michael.hunhoff@fireeye.com
- nursery/load-windows-common-language-runtime michael.hunhoff@fireeye.com
- nursery/resize-volume-shadow-copy-storage michael.hunhoff@fireeye.com
- nursery/add-user-account-group michael.hunhoff@fireeye.com
- nursery/add-user-account-to-group michael.hunhoff@fireeye.com
- nursery/add-user-account michael.hunhoff@fireeye.com
- nursery/change-user-account-password michael.hunhoff@fireeye.com
- nursery/delete-user-account-from-group michael.hunhoff@fireeye.com
- nursery/delete-user-account-group michael.hunhoff@fireeye.com
- nursery/delete-user-account michael.hunhoff@fireeye.com
- nursery/list-domain-servers michael.hunhoff@fireeye.com
- nursery/list-groups-for-user-account michael.hunhoff@fireeye.com
- nursery/list-user-account-groups michael.hunhoff@fireeye.com
- nursery/list-user-accounts-for-group michael.hunhoff@fireeye.com
- nursery/list-user-accounts michael.hunhoff@fireeye.com
- nursery/parse-url michael.hunhoff@fireeye.com
- nursery/register-raw-input-devices michael.hunhoff@fireeye.com
- anti-analysis/packer/gopacker/packed-with-gopacker jared.wilson@fireeye.com
- host-interaction/driver/create-device-object @mr-tz
- host-interaction/process/create/execute-command @mr-tz
- data-manipulation/encryption/create-new-key-via-cryptacquirecontext chuong.dong@fireeye.com
- host-interaction/log/clfs/append-data-to-clfs-log-container blaine.stancill@mandiant.com
- host-interaction/log/clfs/read-data-from-clfs-log-container blaine.stancill@mandiant.com
- data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl blaine.stancill@mandiant.com
- c2/shell/create-unix-reverse-shell joakim@intezer.com
- c2/shell/execute-shell-command-received-from-socket joakim@intezer.com
- collection/get-current-user joakim@intezer.com
- host-interaction/file-system/change-file-permission joakim@intezer.com
- host-interaction/hardware/memory/get-memory-information joakim@intezer.com
- host-interaction/mutex/lock-file joakim@intezer.com
- host-interaction/os/version/get-kernel-version joakim@intezer.com
- host-interaction/os/version/get-linux-distribution joakim@intezer.com
- host-interaction/process/terminate/terminate-process-via-kill joakim@intezer.com
- lib/duplicate-stdin-and-stdout joakim@intezer.com
- nursery/capture-network-configuration-via-ifconfig joakim@intezer.com
- nursery/collect-ssh-keys joakim@intezer.com
- nursery/enumerate-processes-via-procfs joakim@intezer.com
- nursery/interact-with-iptables joakim@intezer.com
- persistence/persist-via-desktop-autostart joakim@intezer.com
- persistence/persist-via-shell-profile-or-rc-file joakim@intezer.com
- persistence/service/persist-via-rc-script joakim@intezer.com
- collection/get-current-user-on-linux joakim@intezer.com
- collection/network/get-mac-address-on-windows moritz.raabe@fireeye.com
- host-interaction/file-system/read/read-file-on-linux moritz.raabe@fireeye.com joakim@intezer.com
- host-interaction/file-system/read/read-file-on-windows moritz.raabe@fireeye.com
- host-interaction/file-system/write/write-file-on-windows william.ballenthin@fireeye.com
- host-interaction/os/info/get-system-information-on-windows moritz.raabe@fireeye.com joakim@intezer.com
- host-interaction/process/create/create-process-on-windows moritz.raabe@fireeye.com
- linking/runtime-linking/link-function-at-runtime-on-windows moritz.raabe@fireeye.com
- nursery/create-process-on-linux joakim@intezer.com
- nursery/enumerate-files-on-linux william.ballenthin@fireeye.com
- nursery/get-mac-address-on-linux joakim@intezer.com
- nursery/get-system-information-on-linux joakim@intezer.com
- nursery/link-function-at-runtime-on-linux joakim@intezer.com
- nursery/write-file-on-linux joakim@intezer.com
- communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl jonathan.lepore@mandiant.com
- nursery/linked-against-cpp-http-library @mr-tz
- nursery/linked-against-cpp-json-library @mr-tz

Bug Fixes
- main: fix KeyError: 0 when reporting results @williballenthin #703
- main: fix potential false negatives due to namespaces across scopes @williballenthin #721
- linter: suppress some warnings about imports from ntdll/ntoskrnl @williballenthin #743
- linter: suppress some warnings about missing examples in the nursery @williballenthin #747

capa explorer IDA Pro plugin
- explorer: add additional filter logic when displaying matches by function #686 @mike-hunhoff
- explorer: remove duplicate check when saving file #687 @mike-hunhoff
- explorer: update IDA extractor to use non-canon mnemonics #688 @mike-hunhoff
- explorer: allow user to add specified number of bytes when adding a Bytes feature in the Rule Generator #689 @mike-hunhoff
- explorer: enforce max column width Features and Editor panes #691 @mike-hunhoff
- explorer: add option to limit features to currently selected disassembly address #692 @mike-hunhoff
- explorer: update support documentation and runtime checks #741 @mike-hunhoff
- explorer: small performance boost to rule generator search functionality #742 @mike-hunhoff
- explorer: add support for arch, os, and format features #758 @mike-hunhoff
- explorer: improve parsing algorithm for rule generator feature editor #768 @mike-hunhoff

Development
- Raw diffs: capa v2.0.0...v3.0.0, capa-rules v2.0.0...v3.0.0

Download
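As an added illustration, not part of the release post or the capa-rules repository, here is a hypothetical rule showing how the new os:, format:, arch: and substring: features combine in the capa v3 rule format; the rule name, author, example hash and matched strings are assumptions chosen for the demonstration.

```yaml
# Hypothetical rule (assumed example, not from capa-rules): flags a function
# in a Linux ELF that reads the running kernel release. It uses the v3 global
# features os/format/arch plus the new substring feature, so it only loads in
# capa >= 3.0 (see "Breaking Changes" above).
rule:
  meta:
    name: get kernel version on linux (example)
    namespace: host-interaction/os/version
    authors:
      - example.author@example.invalid   # placeholder author
    scope: function
    examples:
      - 0000000000000000000000000000000000000000000000000000000000000000  # placeholder hash
  features:
    - and:
      # global features (new in v3): restrict the match to ELF samples
      # targeting Linux on x86 or x86-64
      - os: linux
      - format: elf
      - or:
        - arch: amd64
        - arch: i386
      # the behaviour itself: either call uname(2) or read the procfs node
      - or:
        - api: uname
        # substring: matches any string that contains this text, i.e. with
        # implicit leading and trailing wildcards, unlike an exact string:
        - substring: /proc/sys/kernel/osrelease
```

Rules carrying these features fail to load in capa 2.x, so pin the capa version in any pipeline that consumes a rule set using them.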