v3.0.3 (2021-10-27)
This is primarily a rule maintenance release: eight new rules, including all relevant techniques from ATT&CK v10, and two rules removed due to the prevalence of false positives.
We've also tweaked the status codes returned by capa.exe to be more specific and added a bit more metadata to the JSON output format.
As always, welcome to our first-time contributors!
still@teamt5.org
zander.work@mandiant.com
New Features
show in which function a basic block (BB) match occurs #130 @williballenthin
main: exit with unique error codes when bailing #802 @williballenthin
New Rules (8)
nursery/resolve-function-by-fnv-1a-hash still@teamt5.org
data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc zander.work@mandiant.com
collection/group-policy/discover-group-policy-via-gpresult william.ballenthin@mandiant.com
host-interaction/bootloader/manipulate-safe-mode-programs william.ballenthin@mandiant.com
nursery/enable-safe-mode-boot william.ballenthin@mandiant.com
persistence/iis/persist-via-iis-module william.ballenthin@mandiant.com
persistence/iis/persist-via-isapi-extension william.ballenthin@mandiant.com
targeting/language/identify-system-language-via-api william.ballenthin@mandiant.com
Removed Rules (2)
load-code/pe/parse-pe-exports: too many false positives in unrelated structure accesses
anti-analysis/anti-vm/vm-detection/execute-anti-vm-instructions: too many false positives in junk code
Bug Fixes
update references from FireEye to Mandiant
Raw diffs
capa v3.0.2...v3.0.3
capa-rules v3.0.2...v3.0.3