github mandiant/capa v2.0.0

3 years ago

We are excited to announce version 2.0! 🎉

This release:

  • enables anyone to contribute rules more easily
  • is the first Python 3 ONLY version
  • provides more concise and relevant results via identification of library functions using FLIRT
    [Figure: capa v2.0 results ignoring library code functions]
  • includes many features and enhancements for the capa explorer IDA plugin
  • adds 93 new rules, including all new techniques introduced in MITRE ATT&CK v9

A huge thanks to everyone who submitted issues, provided feedback, and contributed code and rules. Many colleagues across dozens of organizations have volunteered their experience to improve this tool! ❤️

New Features

Breaking Changes

New Rules (93)

  • anti-analysis/packer/amber/packed-with-amber @gormaniac
  • collection/file-managers/gather-3d-ftp-information @re-fox
  • collection/file-managers/gather-alftp-information @re-fox
  • collection/file-managers/gather-bitkinex-information @re-fox
  • collection/file-managers/gather-blazeftp-information @re-fox
  • collection/file-managers/gather-bulletproof-ftp-information @re-fox
  • collection/file-managers/gather-classicftp-information @re-fox
  • collection/file-managers/gather-coreftp-information @re-fox
  • collection/file-managers/gather-cuteftp-information @re-fox
  • collection/file-managers/gather-cyberduck-information @re-fox
  • collection/file-managers/gather-direct-ftp-information @re-fox
  • collection/file-managers/gather-directory-opus-information @re-fox
  • collection/file-managers/gather-expandrive-information @re-fox
  • collection/file-managers/gather-faststone-browser-information @re-fox
  • collection/file-managers/gather-fasttrack-ftp-information @re-fox
  • collection/file-managers/gather-ffftp-information @re-fox
  • collection/file-managers/gather-filezilla-information @re-fox
  • collection/file-managers/gather-flashfxp-information @re-fox
  • collection/file-managers/gather-fling-ftp-information @re-fox
  • collection/file-managers/gather-freshftp-information @re-fox
  • collection/file-managers/gather-frigate3-information @re-fox
  • collection/file-managers/gather-ftp-commander-information @re-fox
  • collection/file-managers/gather-ftp-explorer-information @re-fox
  • collection/file-managers/gather-ftp-voyager-information @re-fox
  • collection/file-managers/gather-ftpgetter-information @re-fox
  • collection/file-managers/gather-ftpinfo-information @re-fox
  • collection/file-managers/gather-ftpnow-information @re-fox
  • collection/file-managers/gather-ftprush-information @re-fox
  • collection/file-managers/gather-ftpshell-information @re-fox
  • collection/file-managers/gather-global-downloader-information @re-fox
  • collection/file-managers/gather-goftp-information @re-fox
  • collection/file-managers/gather-leapftp-information @re-fox
  • collection/file-managers/gather-netdrive-information @re-fox
  • collection/file-managers/gather-nexusfile-information @re-fox
  • collection/file-managers/gather-nova-ftp-information @re-fox
  • collection/file-managers/gather-robo-ftp-information @re-fox
  • collection/file-managers/gather-securefx-information @re-fox
  • collection/file-managers/gather-smart-ftp-information @re-fox
  • collection/file-managers/gather-softx-ftp-information @re-fox
  • collection/file-managers/gather-southriver-webdrive-information @re-fox
  • collection/file-managers/gather-staff-ftp-information @re-fox
  • collection/file-managers/gather-total-commander-information @re-fox
  • collection/file-managers/gather-turbo-ftp-information @re-fox
  • collection/file-managers/gather-ultrafxp-information @re-fox
  • collection/file-managers/gather-winscp-information @re-fox
  • collection/file-managers/gather-winzip-information @re-fox
  • collection/file-managers/gather-wise-ftp-information @re-fox
  • collection/file-managers/gather-ws-ftp-information @re-fox
  • collection/file-managers/gather-xftp-information @re-fox
  • data-manipulation/compression/decompress-data-using-aplib @r3c0nst @mr-tz
  • host-interaction/bootloader/disable-code-signing @williballenthin
  • host-interaction/bootloader/manipulate-boot-configuration @williballenthin
  • host-interaction/driver/disable-driver-code-integrity @williballenthin
  • host-interaction/file-system/bypass-mark-of-the-web @williballenthin
  • host-interaction/network/domain/get-domain-information @recvfrom
  • host-interaction/session/get-logon-sessions @recvfrom
  • linking/runtime-linking/resolve-function-by-fin8-fasthash @r3c0nst @mr-tz
  • nursery/build-docker-image @williballenthin
  • nursery/create-container @williballenthin
  • nursery/encrypt-data-using-fakem-cipher @mike-hunhoff
  • nursery/list-containers @williballenthin
  • nursery/run-in-container @williballenthin
  • persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement @williballenthin
  • collection/password-manager/steal-keepass-passwords-using-keefarce @Ana06
  • host-interaction/network/connectivity/check-internet-connectivity-via-wininet matthew.williams@fireeye.com michael.hunhoff@fireeye.com
  • nursery/create-bits-job @mr-tz
  • nursery/execute-syscall-instruction @kulinacs @mr-tz
  • nursery/connect-to-wmi-namespace-via-wbemlocator michael.hunhoff@fireeye.com
  • anti-analysis/obfuscation/obfuscated-with-callobfuscator johnk3r
  • executable/installer/inno-setup/packaged-as-an-inno-setup-installer awillia2@cisco.com
  • data-manipulation/hashing/djb2/hash-data-using-djb2 awillia2@cisco.com
  • data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table gilbert.elliot@fireeye.com
  • nursery/list-tcp-connections-and-listeners michael.hunhoff@fireeye.com
  • nursery/list-udp-connections-and-listeners michael.hunhoff@fireeye.com
  • nursery/log-keystrokes-via-raw-input-data michael.hunhoff@fireeye.com
  • nursery/register-http-server-url michael.hunhoff@fireeye.com
  • internal/limitation/file/internal-autoit-file-limitation.yml william.ballenthin@fireeye.com
  • internal/limitation/file/internal-dotnet-file-limitation.yml william.ballenthin@fireeye.com
  • internal/limitation/file/internal-installer-file-limitation.yml william.ballenthin@fireeye.com
  • internal/limitation/file/internal-packer-file-limitation.yml william.ballenthin@fireeye.com
  • host-interaction/network/domain/enumerate-domain-computers-via-ldap awillia2@cisco.com
  • host-interaction/network/domain/get-domain-controller-name awillia2@cisco.com
  • internal/limitation/file/internal-visual-basic-file-limitation @mr-tz
  • data-manipulation/hashing/md5/hash-data-with-md5 moritz.raabe@fireeye.com
  • compiler/autohotkey/compiled-with-autohotkey awillia2@cisco.com
  • internal/limitation/file/internal-autohotkey-file-limitation @mr-tz
  • host-interaction/process/dump/create-process-memory-minidump michael.hunhoff@fireeye.com
  • nursery/get-storage-device-properties michael.hunhoff@fireeye.com
  • nursery/execute-shell-command-via-windows-remote-management michael.hunhoff@fireeye.com
  • nursery/get-token-privileges michael.hunhoff@fireeye.com
  • nursery/prompt-user-for-credentials michael.hunhoff@fireeye.com
  • nursery/spoof-parent-pid michael.hunhoff@fireeye.com

Bug Fixes

  • build: use Python 3.8 for PyInstaller to support consistently running across multiple operating systems including Windows 7 #505 @mr-tz
  • main: correctly match BB-scope matches at file scope #605 @williballenthin
  • main: do not process non-PE files even when --format explicitly provided #664 @mr-tz

capa explorer IDA Pro plugin

  • explorer: IDA 7.6 support #497 @williballenthin
  • explorer: explain how to install IDA 7.6 patch to enable the plugin #528 @williballenthin
  • explorer: document IDA 7.6sp1 as alternative to the patch #536 @Ana06
  • explorer: add support for function-name feature #618 @mike-hunhoff
  • explorer: circular import workaround #654 @mike-hunhoff
  • explorer: add argument to control whether to automatically analyze when running capa explorer #548 @Ana06
  • explorer: extract API features via function names recognized by IDA/FLIRT #661 @mr-tz

Development

Raw diffs
