We are excited to announce version 3.0!
capa 3.0:
adds support for ELF files targeting Linux thanks to Intezer
adds new features to specify OS, CPU architecture, and file format
fixes a few bugs that may have led to false negatives (missed capabilities) in older versions
adds 80 new rules, including 36 describing techniques for Linux
A huge thanks to everyone who submitted issues, provided feedback, and contributed code and rules.
Special acknowledgement to @Adir-Shemesh and @TcM1911 of Intezer for contributing the code to enable ELF support.
Also, welcome first-time contributors:
@jaredscottwilson
@cdong1012
@jlepore-fe
New Features
all: add support for ELF files #700 @Adir-Shemesh @TcM1911
rule format: add feature format: for file format, like format: pe #723 @williballenthin
rule format: add feature arch: for architecture, like arch: amd64 #723 @williballenthin
rule format: add feature os: for operating system, like os: windows #723 @williballenthin
rule format: add feature substring: for verbatim strings with leading/trailing wildcards #737 @williballenthin
scripts: add profile-memory.py for profiling memory usage #736 @williballenthin
main: add lightweight ELF file feature extractor to detect file limitations #770 @mr-tz
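To show how the new global features fit together in a rule, here is an illustrative capa rule written for these notes (it is not a rule from the capa-rules repository); the rule name, namespace, author and exact API set are assumptions, chosen to mirror the Linux rules listed below:

```yaml
rule:
  meta:
    name: enumerate processes via procfs (illustrative)
    namespace: host-interaction/process/list
    authors:
      - example@example.com   # placeholder author, not a real contributor
    scope: function
    # illustration only: this rule is not shipped in capa-rules v3
  features:
    - and:
      # global features added in v3: scope the rule to ELF files for Linux
      - os: linux
      - format: elf
      # optional: restrict to a CPU architecture (i386 or amd64)
      - arch: amd64
      # the function walks a directory tree (here assumed to be /proc)
      - or:
        - api: opendir
        - api: readdir
      # substring: matches any string containing "/proc/", e.g. "/proc/%d/cmdline",
      # so the rule still fires when the path is formatted at runtime
      - substring: "/proc/"
```

Because os:, format:, arch: and substring: are new in v3, a rule like this is rejected by older capa versions (see Breaking Changes below); keep rules that need them on the v3 rule set.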
Breaking Changes
rules using format, arch, os, or substring features cannot be used by capa versions prior to v3
legacy term arch (i.e., "x32") is now called bitness @williballenthin
freeze format gains new section for "global" features #759 @williballenthin
New Rules (80)
collection/webcam/capture-webcam-image @johnk3r
nursery/list-drag-and-drop-files michael.hunhoff@fireeye.com
nursery/monitor-clipboard-content michael.hunhoff@fireeye.com
nursery/monitor-local-ipv4-address-changes michael.hunhoff@fireeye.com
nursery/load-windows-common-language-runtime michael.hunhoff@fireeye.com
nursery/resize-volume-shadow-copy-storage michael.hunhoff@fireeye.com
nursery/add-user-account-group michael.hunhoff@fireeye.com
nursery/add-user-account-to-group michael.hunhoff@fireeye.com
nursery/add-user-account michael.hunhoff@fireeye.com
nursery/change-user-account-password michael.hunhoff@fireeye.com
nursery/delete-user-account-from-group michael.hunhoff@fireeye.com
nursery/delete-user-account-group michael.hunhoff@fireeye.com
nursery/delete-user-account michael.hunhoff@fireeye.com
nursery/list-domain-servers michael.hunhoff@fireeye.com
nursery/list-groups-for-user-account michael.hunhoff@fireeye.com
nursery/list-user-account-groups michael.hunhoff@fireeye.com
nursery/list-user-accounts-for-group michael.hunhoff@fireeye.com
nursery/list-user-accounts michael.hunhoff@fireeye.com
nursery/parse-url michael.hunhoff@fireeye.com
nursery/register-raw-input-devices michael.hunhoff@fireeye.com
anti-analysis/packer/gopacker/packed-with-gopacker jared.wilson@fireeye.com
host-interaction/driver/create-device-object @mr-tz
host-interaction/process/create/execute-command @mr-tz
data-manipulation/encryption/create-new-key-via-cryptacquirecontext chuong.dong@fireeye.com
host-interaction/log/clfs/append-data-to-clfs-log-container blaine.stancill@mandiant.com
host-interaction/log/clfs/read-data-from-clfs-log-container blaine.stancill@mandiant.com
data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl blaine.stancill@mandiant.com
c2/shell/create-unix-reverse-shell joakim@intezer.com
c2/shell/execute-shell-command-received-from-socket joakim@intezer.com
collection/get-current-user joakim@intezer.com
host-interaction/file-system/change-file-permission joakim@intezer.com
host-interaction/hardware/memory/get-memory-information joakim@intezer.com
host-interaction/mutex/lock-file joakim@intezer.com
host-interaction/os/version/get-kernel-version joakim@intezer.com
host-interaction/os/version/get-linux-distribution joakim@intezer.com
host-interaction/process/terminate/terminate-process-via-kill joakim@intezer.com
lib/duplicate-stdin-and-stdout joakim@intezer.com
nursery/capture-network-configuration-via-ifconfig joakim@intezer.com
nursery/collect-ssh-keys joakim@intezer.com
nursery/enumerate-processes-via-procfs joakim@intezer.com
nursery/interact-with-iptables joakim@intezer.com
persistence/persist-via-desktop-autostart joakim@intezer.com
persistence/persist-via-shell-profile-or-rc-file joakim@intezer.com
persistence/service/persist-via-rc-script joakim@intezer.com
collection/get-current-user-on-linux joakim@intezer.com
collection/network/get-mac-address-on-windows moritz.raabe@fireeye.com
host-interaction/file-system/read/read-file-on-linux moritz.raabe@fireeye.com joakim@intezer.com
host-interaction/file-system/read/read-file-on-windows moritz.raabe@fireeye.com
host-interaction/file-system/write/write-file-on-windows william.ballenthin@fireeye.com
host-interaction/os/info/get-system-information-on-windows moritz.raabe@fireeye.com joakim@intezer.com
host-interaction/process/create/create-process-on-windows moritz.raabe@fireeye.com
linking/runtime-linking/link-function-at-runtime-on-windows moritz.raabe@fireeye.com
nursery/create-process-on-linux joakim@intezer.com
nursery/enumerate-files-on-linux william.ballenthin@fireeye.com
nursery/get-mac-address-on-linux joakim@intezer.com
nursery/get-system-information-on-linux joakim@intezer.com
nursery/link-function-at-runtime-on-linux joakim@intezer.com
nursery/write-file-on-linux joakim@intezer.com
communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl jonathan.lepore@mandiant.com
nursery/linked-against-cpp-http-library @mr-tz
nursery/linked-against-cpp-json-library @mr-tz
Bug Fixes
main: fix KeyError: 0 when reporting results @williballenthin #703
main: fix potential false negatives due to namespaces across scopes @williballenthin #721
linter: suppress some warnings about imports from ntdll/ntoskrnl @williballenthin #743
linter: suppress some warnings about missing examples in the nursery @williballenthin #747
capa explorer IDA Pro plugin
explorer: add additional filter logic when displaying matches by function #686 @mike-hunhoff
explorer: remove duplicate check when saving file #687 @mike-hunhoff
explorer: update IDA extractor to use non-canon mnemonics #688 @mike-hunhoff
explorer: allow user to add specified number of bytes when adding a Bytes feature in the Rule Generator #689 @mike-hunhoff
explorer: enforce max column width Features and Editor panes #691 @mike-hunhoff
explorer: add option to limit features to currently selected disassembly address #692 @mike-hunhoff
explorer: update support documentation and runtime checks #741 @mike-hunhoff
explorer: small performance boost to rule generator search functionality #742 @mike-hunhoff
explorer: add support for arch, os, and format features #758 @mike-hunhoff
explorer: improve parsing algorithm for rule generator feature editor #768 @mike-hunhoff
Development
Raw diffs
capa v2.0.0...v3.0.0
capa-rules v2.0.0...v3.0.0