MBot Posted October 27, 2021 at 04:20 PM

v3.0.3 (2021-10-27)

This is primarily a rule maintenance release: eight new rules, including all relevant techniques from ATT&CK v10, and two rules removed due to the prevalence of false positives. We've also tweaked the status codes returned by capa.exe to be more specific and added a bit more metadata to the JSON output format.

As always, welcome first time contributors!
  still@teamt5.org
  zander.work@mandiant.com

New Features
  show in which function a BB match is #130 @williballenthin
  main: exit with unique error codes when bailing #802 @williballenthin

New Rules (8)
  nursery/resolve-function-by-fnv-1a-hash still@teamt5.org
  data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc zander.work@mandiant.com
  collection/group-policy/discover-group-policy-via-gpresult william.ballenthin@mandiant.com
  host-interaction/bootloader/manipulate-safe-mode-programs william.ballenthin@mandiant.com
  nursery/enable-safe-mode-boot william.ballenthin@mandiant.com
  persistence/iis/persist-via-iis-module william.ballenthin@mandiant.com
  persistence/iis/persist-via-isapi-extension william.ballenthin@mandiant.com
  targeting/language/identify-system-language-via-api william.ballenthin@mandiant.com

Removed rules (2)
  load-code/pe/parse-pe-exports: too many false positives in unrelated structure accesses
  anti-analysis/anti-vm/vm-detection/execute-anti-vm-instructions: too many false positives in junk code

Bug Fixes
  update references from FireEye to Mandiant

Raw diffs
  capa v3.0.2...v3.0.3
  capa-rules v3.0.2...v3.0.3