TheHive-Project / Cortex-Analyzers

Cortex Analyzers Repository
https://TheHive-Project.github.io/Cortex-Analyzers/
GNU Affero General Public License v3.0

New Analyzer: Fireeye Capa (WIP) #822

Open weslambert opened 4 years ago

weslambert commented 4 years ago

I've started working on an analyzer for capa from Fireeye. Will submit PR soon.

From https://github.com/fireeye/capa:

capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

dadokkio commented 4 years ago

We tested it this week. It's actually missing a safe/malicious indicator that is necessary for the taxonomy; that was available in the past but is broken right now.

weslambert commented 4 years ago

Ah, I see -- should I close this out then?

dadokkio commented 4 years ago

We can keep this open and start to code. Even without safe/malicious this has a lot of interesting information imho.

weslambert commented 4 years ago

Agreed. Sounds good! 👍

weslambert commented 4 years ago

@dadokkio Thoughts on this?

https://github.com/fireeye/capa/issues/50

Assuming we should wait until it's fully supported for Python 3?

dadokkio commented 4 years ago

That's bad. Unfortunately, at the moment we have only tested the executable on Windows, and the Python 3 port seems like it will take a lot of time. A possibility is to run the Linux executable with subprocess until the library is updated and then parse the tabular output; I've just tested it locally and it works fine. Let me know if you need any help.

dadokkio commented 4 years ago

I've created a little executable output parser here https://gist.github.com/dadokkio/32f0791f3572122ef3d7924ab315babb if you want to use it as an example.

The output is something like:

{'ATT&CK Tactic_ATT&CK Technique': [{'ATT&CK Tactic': 'DEFENSE EVASION',
                                     'ATT&CK Technique': 'Process Injection '
                                                         '[T1055]'},
                                    {'ATT&CK Tactic': 'DEFENSE EVASION',
                                     'ATT&CK Technique': 'Virtualization/Sandbox '
                                                         'Evasion::System '
                                                         'Checks [T1497.001]'},
                                    {'ATT&CK Tactic': 'DISCOVERY',
                                     'ATT&CK Technique': 'Application Window '
                                                         'Discovery [T1010]'},
                                    {'ATT&CK Tactic': 'DISCOVERY',
                                     'ATT&CK Technique': 'Process Discovery '
                                                         '[T1057]'},
                                    {'ATT&CK Tactic': 'DISCOVERY',
                                     'ATT&CK Technique': 'Query Registry '
                                                         '[T1012]'},
                                    {'ATT&CK Tactic': 'DISCOVERY',
                                     'ATT&CK Technique': 'System Information '
                                                         'Discovery [T1082]'},
                                    {'ATT&CK Tactic': 'DISCOVERY',
                                     'ATT&CK Technique': 'System Network '
                                                         'Configuration '
                                                         'Discovery [T1016]'},
                                    {'ATT&CK Tactic': 'DISCOVERY',
                                     'ATT&CK Technique': 'System Owner/User '
                                                         'Discovery [T1033]'},
                                    {'ATT&CK Tactic': 'EXECUTION',
                                     'ATT&CK Technique': 'Shared Modules '
                                                         '[T1129]'}],
 'CAPABILITY_NAMESPACE': [{'CAPABILITY': 'check for OutputDebugString error',
                           'NAMESPACE': 'anti-analysis/anti-debugging/debugger-detection'},
                          {'CAPABILITY': 'check for time delay via '
                                         'GetTickCount',
                           'NAMESPACE': 'anti-analysis/anti-debugging/debugger-detection'},
                          {'CAPABILITY': 'execute anti-debugging instructions '
                                         '(2 matches)',
                           'NAMESPACE': 'anti-analysis/anti-debugging/debugger-detection'},
                          {'CAPABILITY': 'execute anti-VM instructions (8 '
                                         'matches)',
                           'NAMESPACE': 'anti-analysis/anti-vm/vm-detection'},
                          {'CAPABILITY': 'reference anti-VM strings',
                           'NAMESPACE': 'anti-analysis/anti-vm/vm-detection'},
                          {'CAPABILITY': 'contain a resource (.rsrc) section',
                           'NAMESPACE': 'executable/pe/section/rsrc'},
                          {'CAPABILITY': 'contain a thread local storage '
                                         '(.tls) section',
                           'NAMESPACE': 'executable/pe/section/tls'},
                          {'CAPABILITY': 'interact with driver via control '
                                         'codes',
                           'NAMESPACE': 'host-interaction/driver'},
                          {'CAPABILITY': 'write file',
                           'NAMESPACE': 'host-interaction/file-system/write'},
                          {'CAPABILITY': 'find graphical window',
                           'NAMESPACE': 'host-interaction/gui/window/find'},
                          {'CAPABILITY': 'get memory capacity',
                           'NAMESPACE': 'host-interaction/hardware/memory'},
                          {'CAPABILITY': 'get disk information (2 matches)',
                           'NAMESPACE': 'host-interaction/hardware/storage'},
                          {'CAPABILITY': 'print debug messages',
                           'NAMESPACE': 'host-interaction/log/debug/write-event'},
                          {'CAPABILITY': 'get local IPv4 addresses (2 matches)',
                           'NAMESPACE': 'host-interaction/network/address'},
                          {'CAPABILITY': 'resolve DNS',
                           'NAMESPACE': 'host-interaction/network/dns/resolve'},
                          {'CAPABILITY': 'get system information',
                           'NAMESPACE': 'host-interaction/os/info'},
                          {'CAPABILITY': 'get OS version',
                           'NAMESPACE': 'host-interaction/os/version'},
                          {'CAPABILITY': 'allocate RWX memory',
                           'NAMESPACE': 'host-interaction/process/inject'},
                          {'CAPABILITY': 'enumerate processes',
                           'NAMESPACE': 'host-interaction/process/list'},
                          {'CAPABILITY': 'terminate process',
                           'NAMESPACE': 'host-interaction/process/terminate'},
                          {'CAPABILITY': 'open registry key (2 matches)',
                           'NAMESPACE': 'host-interaction/registry/open'},
                          {'CAPABILITY': 'query registry entry',
                           'NAMESPACE': 'host-interaction/registry/query'},
                          {'CAPABILITY': 'query registry value',
                           'NAMESPACE': 'host-interaction/registry/query'},
                          {'CAPABILITY': 'get session user name',
                           'NAMESPACE': 'host-interaction/session'},
                          {'CAPABILITY': 'link function at runtime (7 matches)',
                           'NAMESPACE': 'linking/runtime-linking'}],
 'md5': '9159edb64c4a21d8888d088bf2db23f3',
 'path': 'pafish.exe'}

weslambert commented 4 years ago

Awesome, thanks! I've thought about using an executable with another analyzer before, but wasn't sure if that would be acceptable. So, it would just be run from the analyzer directory (unless Dockerized), correct?

dadokkio commented 4 years ago

Yes, it should be available in the Docker image of the analyzer (maybe the path could be a setting). If you search for subprocess you should find other tools that run in this way.

williballenthin commented 4 years ago

For the time being, we would (unfortunately) suggest that you run capa as a subprocess.

However, you should also consider using the -j command line option that emits a standardized JSON format. This is the document that drives all the output, so you should find everything you need in there. We consider this document format part of our public API, so you can rely on it not changing unless we bump the major version of capa.

williballenthin commented 4 years ago

If you want to sketch out integration with py3, then you can play with the branch in https://github.com/fireeye/capa/pull/234. However, we don't consider it supported yet, so I can't guarantee things won't change. It should get you most of the way there.

Please reach out if I can assist at all - would definitely like to help capa be used more widely.

weslambert commented 4 years ago

Thanks @williballenthin !

weslambert commented 4 years ago

Currently running into an issue with permissions and the file creation associated with the following: https://github.com/fireeye/capa/issues/244

weslambert commented 4 years ago

Should be fixed very soon upstream, at which point, I'll finish the implementation of this analyzer.

weslambert commented 4 years ago

1.3.0 was released today. Continuing to test/develop.

weslambert commented 3 years ago

@dadokkio what do you think of something like the following?

(Tactic -> Technique -> Capability -> Metadata (rule, examples))

[image: screenshot of the proposed report layout]
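An added example (not code from the issue, the Cortex-Analyzers project or capa) tying together williballenthin's suggestion to consume the `-j` JSON document and the Tactic -> Technique -> Capability layout proposed above. It assumes a `capa -j` document with a `rules` mapping whose rule `meta` carries `namespace` and `att&ck` strings in the `Tactic::Technique[::Subtechnique] [Txxxx]` form seen in the quoted output; the sample document, the `capa` binary path and the summary-taxonomy dict shape are all assumptions.

```python
import json
import re
import subprocess
from collections import defaultdict

# Constructed sample in the shape this example ASSUMES for `capa -j` output: a "rules"
# mapping whose entries carry meta.namespace and meta["att&ck"] strings written as
# "Tactic::Technique[::Subtechnique] [Txxxx]", as in the tabular output quoted above.
SAMPLE_DOC = {"rules": {
    "allocate RWX memory": {"meta": {
        "namespace": "host-interaction/process/inject",
        "att&ck": ["Defense Evasion::Process Injection [T1055]"]}},
    "execute anti-VM instructions": {"meta": {
        "namespace": "anti-analysis/anti-vm/vm-detection",
        "att&ck": ["Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]"]}},
    "enumerate processes": {"meta": {
        "namespace": "host-interaction/process/list",
        "att&ck": ["Discovery::Process Discovery [T1057]"]}},
    "write file": {"meta": {"namespace": "host-interaction/file-system/write", "att&ck": []}},
}}

ATTACK_RE = re.compile(r"^(?P<tactic>[^:]+)::(?P<technique>.+?)\s*\[(?P<id>T\d{4}(?:\.\d{3})?)\]$")

def parse_attack(entry):
    """Split "Tactic::Technique[::Sub] [ID]" into (TACTIC, technique, id); None if unparseable."""
    m = ATTACK_RE.match(entry.strip())
    return (m.group("tactic").upper(), m.group("technique"), m.group("id")) if m else None

def build_tree(doc):
    """Group matched rules into Tactic -> Technique -> [capability metadata] (the proposed layout)."""
    tree = defaultdict(lambda: defaultdict(list))
    for name, rule in doc.get("rules", {}).items():
        meta = rule.get("meta", {})
        cap = {"capability": name, "namespace": meta.get("namespace", "")}
        for entry in meta.get("att&ck", []):
            parsed = parse_attack(entry)
            if parsed:  # skip malformed or unmapped entries instead of failing the whole report
                tactic, technique, tid = parsed
                tree[tactic][f"{technique} [{tid}]"].append(cap)
    return tree

def summarize(doc, tree):
    """Cortex-style summary taxonomy (assumed shape); capa gives no verdict, so the level is info."""
    return {"level": "info", "namespace": "Capa", "predicate": "Capabilities",
            "value": f"{len(doc.get('rules', {}))} capabilities, {len(tree)} ATT&CK tactics"}

def run_capa(sample_path, capa_bin="capa"):
    """Run capa as a subprocess with -j (binary path assumed) and parse the JSON it prints."""
    proc = subprocess.run([capa_bin, "-j", sample_path], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)
```

Rules without an ATT&CK mapping (like "write file" in the sample) still count in the summary but do not appear in the tactic tree, so a template should also list the flat capability/namespace pairs.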

weslambert commented 3 years ago

@dadokkio , this is almost ready to PR, but was just curious about the best approach for including the Capa binary. I haven't contributed a Docker-based analyzer/responder yet, so any guidance would be appreciated there. Also need to finish up TheHive templates.

dadokkio commented 3 years ago

Probably @To-om has better answers. I think the options are: include the binary with your Python code, or add a Dockerfile that downloads the executables.

weslambert commented 3 years ago

This should be wrapped up very soon. Apologies for the delay.

Passimist commented 3 years ago

Hi @weslambert, how is the development of this analyzer going? Do you need help with anything? I was thinking of developing one for Cortex and found out it's already being worked on here.

m5050 commented 3 years ago

I too was looking for a capa analyzer since the new capa version was just released. Would like to hear any update about the analyzer development status @weslambert

weslambert commented 3 years ago

@Passimist @m5050 This has been in my backlog, but given the interest, I'll see if I can re-test and get it wrapped up by the end of this week.

Passimist commented 3 years ago

Hi @weslambert, thanks for the reply! Will the analyzer use the new Python 3 version of capa? Let me know if I can help you with this project.

weslambert commented 3 years ago

@Passimist Correct, it is using the Python 3 version. I believe I just needed to adjust the format of the results/template(s) to get it finished up.

weslambert commented 3 years ago

PR: https://github.com/TheHive-Project/Cortex-Analyzers/pull/1027

weslambert commented 3 years ago

Example templated report:

[image: screenshot of the templated report]