Several feature updates as mentioned in the commits.
Some work was done to fix issues caused by renaming some of the YaraFileProcessor function names. Additional functions still using the old function names will be left in place for an as-yet-undetermined amount of time with deprecation messages.
Added the feature to generate MITRE ATT&CK software codes based on the value of malware metadata keys. This will allow for enrichment of yara rules with mitre_att software codes in many situations. The current functionality does not remove mitre_att software codes, so it is possible to have mitre_att software codes that do not have a matching malware name.
Added a couple of new warning checks.
If an info|exploit|technique|tool|malware key is not present, a warning is raised. While not required, it is best practice to include this metadata with the additional information, e.g. malware: "malware name"
Added a first iteration of warnings for metadata keys that are similarly named to keys in the standard; this is to help catch things like hash1, hash2 or hash_256. This is a first pass and should be updated with more common items over time.
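As an added illustration of the two new warning checks and the mitre_att enrichment described above (example code written for this page, not the project's YaraFileProcessor implementation), the checker below runs over a rule's meta section as a list of key/value pairs. It assumes a constructed subset of standard keys, treats the missing-key check as "warn when none of info/exploit/technique/tool/malware is present", and uses a placeholder malware-to-software-code lookup rather than real ATT&CK IDs.

```python
import re
from difflib import SequenceMatcher

# Constructed subset of standard metadata keys (not the full standard).
STANDARD_KEYS = {"info", "exploit", "technique", "tool", "malware", "hash", "mitre_att"}
# At least one of these should be present; otherwise a warning is raised.
DESCRIPTIVE_KEYS = {"info", "exploit", "technique", "tool", "malware"}
# Hypothetical malware-name -> ATT&CK software code lookup (placeholder ID, not a real code).
SOFTWARE_CODES = {"examplerat": "S9999"}


def _normalize(key):
    """Strip a trailing digit/underscore suffix so hash1, hash2 and hash_256 reduce to 'hash'."""
    return re.sub(r"[\d_]+$", "", key.lower())


def check_metadata(meta):
    """meta: list of (key, value) pairs in rule order (YARA allows repeated keys).
    Returns (warnings, enriched_meta); enriched_meta never drops existing mitre_att values."""
    warnings = []
    keys = sorted({k.lower() for k, _ in meta})

    # Check 1: none of the descriptive keys is present.
    if not set(keys) & DESCRIPTIVE_KEYS:
        warnings.append("missing one of info|exploit|technique|tool|malware")

    # Check 2: non-standard key that looks like a standard key (suffix variant or near-match).
    for key in keys:
        if key in STANDARD_KEYS:
            continue
        for std in sorted(STANDARD_KEYS):
            if _normalize(key) == std or SequenceMatcher(None, key, std).ratio() >= 0.8:
                warnings.append(f"key '{key}' resembles standard key '{std}'")
                break

    # Enrichment: append a mitre_att software code for each known malware value,
    # without removing or duplicating codes already on the rule.
    enriched = list(meta)
    existing = {v for k, v in meta if k.lower() == "mitre_att"}
    for k, v in meta:
        if k.lower() == "malware":
            code = SOFTWARE_CODES.get(v.lower())
            if code and code not in existing:
                enriched.append(("mitre_att", code))
                existing.add(code)
    return warnings, enriched
```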