MBot Posted April 6, 2023 at 11:15 AM

capa version 5.1.0 adds a Protocol Buffers (protobuf) format for result documents. Additionally, the Vector35 team contributed a new feature extractor using Binary Ninja. Other new features are a new CLI flag to override the detected operating system, functionality to read and render existing result documents, and an output color format that's easier to read. Over 25 capa rules have been added and improved.

Thanks for all the support, especially to @xusheng6, @captainGeech42, @ggold7046, @manasghandat, @ooprathamm, @linpeiyu164, @yelhamer, @HongThatCong, @naikordian, @stevemk14ebr, @emtuls, @raymondlleong, @bkojusner, @joren485, and everyone else who submitted bugs and provided feedback!

New Features
- add protobuf format for result documents #1219 @williballenthin @mr-tz
- extractor: add Binary Ninja feature extractor @xusheng6
- new CLI flag --os to override auto-detected operating system for a sample @captainGeech42
- change colour/highlight to "cyan" instead of "blue" for better readability #1384 @ggold7046
- add new format to parse output JSON back to capa #1396 @ooprathamm
- parse ELF symbols' names to guess OS #1403 @yelhamer

New Rules (26)
- persistence/scheduled-tasks/schedule-task-via-at joren485
- data-manipulation/prng/generate-random-numbers-via-rtlgenrandom william.ballenthin@mandiant.com
- communication/ip/convert-ip-address-from-string @mr-tz
- data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate blas.kojusner@mandiant.com
- executable/installer/dotnet/packaged-as-single-file-dotnet-application michael.hunhoff@mandiant.com
- communication/socket/create-raw-socket blas.kojusner@mandiant.com
- communication/http/reference-http-user-agent-string @mr-tz
- communication/http/get-http-content-length william.ballenthin@mandiant.com
- nursery/move-directory michael.hunhoff@mandiant.com
- nursery/get-http-request-uri william.ballenthin@mandiant.com
- nursery/create-zip-archive-in-dotnet michael.hunhoff@mandiant.com
- nursery/extract-zip-archive-in-dotnet anushka.virgaonkar@mandiant.com michael.hunhoff@mandiant.com
- data-manipulation/encryption/tea/decrypt-data-using-tea william.ballenthin@mandiant.com raymond.leong@mandiant.com
- data-manipulation/encryption/tea/encrypt-data-using-tea william.ballenthin@mandiant.com raymond.leong@mandiant.com
- data-manipulation/encryption/xtea/encrypt-data-using-xtea raymond.leong@mandiant.com
- data-manipulation/encryption/xxtea/encrypt-data-using-xxtea raymond.leong@mandiant.com
- nursery/hash-data-using-ripemd128 raymond.leong@mandiant.com
- nursery/hash-data-using-ripemd256 raymond.leong@mandiant.com
- nursery/hash-data-using-ripemd320 raymond.leong@mandiant.com
- nursery/set-web-proxy-in-dotnet michael.hunhoff@mandiant.com
- nursery/check-for-windows-sandbox-via-subdirectory echernofsky@google.com
- nursery/enumerate-pe-sections-in-dotnet @mr-tz
- nursery/destroy-software-breakpoint-capability echernofsky@google.com
- nursery/send-data-to-internet michael.hunhoff@mandiant.com
- nursery/compiled-with-cx_freeze @mr-tz
- nursery/contain-a-thread-local-storage-tls-section-in-dotnet michael.hunhoff@mandiant.com

Bug Fixes
- extractor: removed '.dynsym' as the library name for ELF imports #1318 @stevemk14ebr
- extractor: fix vivisect loop detection corner case #1310 @mr-tz
- match: extend OS characteristic to match OS_ANY to all supported OSes #1324 @mike-hunhoff
- extractor: fix IDA and vivisect string and bytes features overlap and tests #1327 #1336 @xusheng6
- capa explorer IDA Pro plugin: fix exception when plugin is loaded in IDA hosted under idat #1341 @mike-hunhoff
- improve embedded PE detection performance and reduce FP potential #1344 @mike-hunhoff

Raw diffs
- capa v5.0.0...v5.1.0
- capa-rules v5.0.0...v5.1.0
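The release notes above mention that capa can now read its own result documents back in (#1396) and emit them as protobuf (#1219). What an analyst usually wants from such a document is a compact summary: which capabilities matched, where, and which ATT&CK techniques they map to, with rules from the nursery namespace (the unvetted rules listed above) kept apart from vetted ones. The script below is an added example written for this page, not code from the capa project or from the post. The sample document is constructed, and the field layout it relies on (top-level `meta` and `rules`, each rule carrying `meta.namespace`, `meta.attack[].id`, and `matches` as a list of `[address, match]` pairs with `address.value`) is an assumption about the JSON result format, not a specification; check it against a real document produced by your capa version before relying on it.

```python
"""Summarize a capa-style JSON result document by namespace and ATT&CK technique.

Example code for illustration, not part of capa. The document layout below is
an ASSUMPTION about capa's JSON result format; verify it against real output.
"""
import json
from collections import defaultdict
from typing import Any, Dict, List

# Constructed sample document (NOT real capa output). Addresses are arbitrary.
SAMPLE_RESULT_JSON = json.dumps({
    "meta": {"sample": {"path": "sample.exe"}},
    "rules": {
        "create raw socket": {
            "meta": {
                "name": "create raw socket",
                "namespace": "communication/socket",
                "attack": [{"tactic": "Command and Control",
                            "technique": "Non-Application Layer Protocol",
                            "id": "T1095"}],
            },
            "matches": [
                [{"type": "absolute", "value": 0x401000}, {"success": True}],
                [{"type": "absolute", "value": 0x401250}, {"success": True}],
            ],
        },
        "schedule task via at": {
            "meta": {
                "name": "schedule task via at",
                "namespace": "persistence/scheduled-tasks",
                "attack": [{"tactic": "Persistence",
                            "technique": "Scheduled Task/Job",
                            "subtechnique": "At",
                            "id": "T1053.002"}],
            },
            "matches": [[{"type": "absolute", "value": 0x402000}, {"success": True}]],
        },
        "send data to internet": {
            "meta": {"name": "send data to internet", "namespace": "nursery", "attack": []},
            "matches": [[{"type": "absolute", "value": 0x403000}, {"success": True}]],
        },
    },
})


def load_result_document(text: str) -> Dict[str, Any]:
    """Parse the JSON and fail early if the two top-level keys we rely on are absent."""
    doc = json.loads(text)
    for key in ("meta", "rules"):
        if key not in doc:
            raise ValueError(f"not a result document: missing top-level {key!r}")
    return doc


def match_addresses(rule: Dict[str, Any]) -> List[int]:
    """Return the distinct addresses at which one rule matched, sorted ascending.

    Assumes `matches` is a list of [address, match] pairs and that the address
    object carries the integer location in its "value" field.
    """
    addrs = {int(addr["value"]) for addr, _match in rule.get("matches", [])}
    return sorted(addrs)


def summarize(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Group matched rules by namespace, collect ATT&CK IDs, and flag nursery rules."""
    by_namespace: Dict[str, Dict[str, List[int]]] = defaultdict(dict)
    attack_ids = set()
    nursery = []
    for name, rule in doc["rules"].items():
        meta = rule["meta"]
        namespace = meta.get("namespace", "")
        by_namespace[namespace][name] = match_addresses(rule)
        # Nursery rules are still under development; report them separately
        # so they are not weighted like vetted capabilities.
        if namespace == "nursery" or namespace.startswith("nursery/"):
            nursery.append(name)
        for entry in meta.get("attack", []):
            attack_ids.add(entry["id"])
    return {
        "by_namespace": dict(by_namespace),
        "attack_ids": sorted(attack_ids),
        "nursery": sorted(nursery),
    }


def render(summary: Dict[str, Any]) -> str:
    """Render the summary as plain text, one namespace block at a time."""
    lines = []
    for namespace in sorted(summary["by_namespace"]):
        lines.append(namespace)
        for name, addrs in sorted(summary["by_namespace"][namespace].items()):
            lines.append(f"  {name} @ {', '.join(hex(a) for a in addrs)}")
    if summary["attack_ids"]:
        lines.append("ATT&CK: " + ", ".join(summary["attack_ids"]))
    if summary["nursery"]:
        lines.append("nursery (unvetted) rules: " + ", ".join(summary["nursery"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(load_result_document(SAMPLE_RESULT_JSON))))
```

To use it against real output, replace `SAMPLE_RESULT_JSON` with the contents of a document written with capa's JSON output; if a field name differs in your version, `match_addresses` and `summarize` are the only two places to adjust.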