mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

graduate nursery rules using existing examples #55

Open williballenthin opened 4 years ago

williballenthin commented 4 years ago

A bunch of the nursery rules are there because they don't have an example yet, and I suspect that an example is already present in our existing set in capa-testfiles. Run capa against all the testfiles and cross reference the matches with the rules found in the nursery. Graduate rules as appropriate.

williballenthin commented 4 years ago

```sh
# Run capa over every testfile and store the JSON report next to the sample.
# Brace expansion so this runs under bash as well as zsh.
for F in tests/data/*.{exe_,dll_,sys_}; do
  echo "$F"
  time python -m capa.main -q -j "$F" > "$F".json
done

# For every nursery rule name, list the reports in which capa matched that rule.
# `keys[]` prints one rule name per line and `grep -qxF` requires an exact,
# fixed-string match, so names containing regex characters (e.g. "C++") or
# names that are substrings of other names do not produce false hits.
cat rules/nursery/*.yml | grep "name:" | cut -d ":" -f 2 | sed -e "s/^ //g" | while read -r RULE; do
  echo "$RULE"
  for FILE in tests/data/*.json; do
    if jq -r ".rules | keys[]" "$FILE" | grep -qxF -- "$RULE"; then
      echo "  $FILE"
    fi
  done
done
```
edit: removed old data
williballenthin commented 4 years ago

prefer PMA, lowest available chapter; prefer mimikatz, then anything else
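
As an added example (not code from this issue or from the capa project), the same cross-reference the shell loops above perform, written in Python with exact rule-name matching and the example preference just stated (PMA labs by lowest chapter, then mimikatz, then anything else). The nursery rule text and capa results embedded below are constructed for illustration, the function names are the example's own, and the only assumption about the capa JSON layout is the one the jq command above already relies on: `.rules` is a mapping keyed by matched rule name. The output is a ranked list of candidate sample names per rule; for function-scope rules the address to put in `examples:` still has to be looked up by hand.

```python
"""Cross-reference nursery rule names against capa JSON reports and rank the
candidate example files. Added example, not part of the capa project; the rule
text and capa output below are constructed, not real testfile results."""
import json
import re
from collections import defaultdict

# Constructed: minimal nursery rules mirroring the "rule: / meta: / name:" layout.
NURSERY_RULES = {
    "rules/nursery/move-file.yml":
        "rule:\n  meta:\n    name: move file\n    namespace: host-interaction/file-system/move\n",
    "rules/nursery/get-proxy.yml":
        "rule:\n  meta:\n    name: get proxy\n",
    "rules/nursery/packed-with-mew.yml":
        "rule:\n  meta:\n    name: packed with MEW\n",
}

# Constructed: the `.rules` mapping of `capa -j` output, keyed by matched rule name.
CAPA_RESULTS = {
    "tests/data/Practical Malware Analysis Lab 12-04.exe_.json":
        json.dumps({"rules": {"move file": {}, "read process memory": {}}}),
    "tests/data/Practical Malware Analysis Lab 01-04.exe_.json":
        json.dumps({"rules": {"move file": {}}}),
    "tests/data/mimikatz.exe_.json":
        json.dumps({"rules": {"move file": {}, "enumerate network shares": {}}}),
    "tests/data/74fa32d2b277f583010b692a3f91b627.exe_.json":
        json.dumps({"rules": {"get proxy": {}, "move file": {}}}),
}

NAME_RE = re.compile(r"^\s*name:\s*(.+?)\s*$", re.MULTILINE)
PMA_RE = re.compile(r"Practical Malware Analysis Lab (\d+)-(\d+)")


def rule_name_from_yaml(text):
    """Return the rule's meta name (first `name:` line), or None if absent."""
    m = NAME_RE.search(text)
    return m.group(1) if m else None


def matched_rules(json_text):
    """Return the set of rule names capa reported as matched in one report."""
    return set(json.loads(json_text).get("rules", {}).keys())


def example_rank(path):
    """Sort key for the thread's preference: PMA labs (lowest chapter, then
    lowest lab number) first, then mimikatz, then everything else by name."""
    m = PMA_RE.search(path)
    if m:
        return (0, int(m.group(1)), int(m.group(2)), path)
    if "mimikatz" in path.lower():
        return (1, 0, 0, path)
    return (2, 0, 0, path)


def sample_name(path):
    """Strip the directory and the `.json` suffix, leaving the testfile name."""
    base = path.rsplit("/", 1)[-1]
    return base[:-5] if base.endswith(".json") else base


def cross_reference(nursery, results):
    """Map each nursery rule name to its ranked candidate example files.
    Rules with no match are kept with an empty list so they stay visible."""
    names = {n for n in (rule_name_from_yaml(t) for t in nursery.values()) if n}
    hits = defaultdict(list)
    for path, text in results.items():
        # Set intersection: exact key match, never substring or regex matching.
        for name in matched_rules(text) & names:
            hits[name].append(path)
    return {n: [sample_name(p) for p in sorted(hits[n], key=example_rank)]
            for n in sorted(names)}


if __name__ == "__main__":
    for rule, candidates in cross_reference(NURSERY_RULES, CAPA_RESULTS).items():
        print(rule)
        for c in candidates:
            print("  " + c)
```

Run against real data by replacing the two constructed dicts with the contents of `rules/nursery/*.yml` and `tests/data/*.json`; the first entry of each list is the example the preference in this thread would pick.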

mr-tz commented 3 years ago

Could we automate to run a task like this using GitHub Actions on new rule PRs?

williballenthin commented 3 years ago

we could run this in GH actions, but it takes quite a while as all the testfiles samples need to be run through capa.

williballenthin commented 3 years ago

rebuilt the update list today - most of our nursery rules can be graduated!

(note: i'm updating this output to remove sections as i graduate rules, please do the same)

build Docker image
bypass UAC via scheduled task environment variable
capture screenshot in Go
check for process debug object
check for windows sandbox via mutex
check license value
check ProcessDebugFlags
check SystemKernelDebuggerInformation
check thread yield allowed
compare security identifiers
  tests/data/0596c4ea5aa8def47f22c85d75aaca95.exe_.json
  tests/data/3583f7f97ab207be7ab2ec0a507e2481.dll_.json
  tests/data/3d760b6fc84571c928bed835863fc302.exe_.json
  tests/data/ac742739cae0d411dfcb78ae99a7baee.exe_.json
  tests/data/c335a9d41185a32ad918c5389ee54235.exe_.json
connect network resource
  tests/data/0a0882b8da225406cc838991b5f67d11.exe_.json
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
  tests/data/9b7ccaa2ae6a5b96e3110ebcbc4311f6.dll_.json
create container
create Restart Manager session
  tests/data/3265b2b0afc6d2ad0bdd55af8edb9b37.exe_.json
create shortcut via IShellLink
  tests/data/48c7ad2d9d482cb11898f2719638ceed.exe_.json
  tests/data/4f11bdb380dafa2518053c6d20147a05.exe_.json
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
  tests/data/6f99a2c8944cb02ff28c6f9ced59b161.exe_.json
debug build
  tests/data/0761142efbda6c4b1e801223de723578.dll_.json
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
  tests/data/6b25f1e754ef486bbb28a66d46bababe.exe_.json
  tests/data/82bf6347acf15e5d883715dc289d8a2b.exe_.json
  tests/data/91a12a4cf437589ba70b1687f5acad19.exe_.json
decrypt data via SSPI
  tests/data/2b8bec5bcb1777eaa155d832f7afc797.exe_.json
delete internet cache
  tests/data/3583f7f97ab207be7ab2ec0a507e2481.dll_.json
delete registry key via offline registry library
empty recycle bin quietly
  tests/data/1195d0d18be9362fb8dd9e1738404c9d.exe_.json
  tests/data/3265b2b0afc6d2ad0bdd55af8edb9b37.exe_.json
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
empty the recycle bin
  tests/data/1195d0d18be9362fb8dd9e1738404c9d.exe_.json
  tests/data/3265b2b0afc6d2ad0bdd55af8edb9b37.exe_.json
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
  tests/data/9ff8e68343cc29c1036650fc153e69f7.exe_.json
encrypt data using AES via x86 extensions
  tests/data/0761142efbda6c4b1e801223de723578.dll_.json
  tests/data/49a34cfbeed733c24392c9217ef46bb6.exe_.json
  tests/data/66602b5fab602cb4e6f754748d249542.exe_.json
  tests/data/6cc148363200798a12091b97a17181a1.exe_.json
  tests/data/8ba66e4b618ffdc8255f1df01f875dde6fd0561305d9f8307be7bb11d02ae36.exe_.json
  tests/data/91a12a4cf437589ba70b1687f5acad19.exe_.json
  tests/data/94d3c854aadbcfde46b2f82801015c31.exe_.json
encrypt data using FAKEM cipher
encrypt data using Salsa20 or ChaCha
  tests/data/0761142efbda6c4b1e801223de723578.dll_.json
  tests/data/0a0882b8da225406cc838991b5f67d11.exe_.json
  tests/data/3b13b6f1d7cd14dc4a097a12e2e505c0a4cff495262261e2bfc991df238b9b04.dll_.json
encrypt data via SSPI
  tests/data/2b8bec5bcb1777eaa155d832f7afc797.exe_.json
encrypt or decrypt data via BCrypt
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
enumerate browser history
enumerate disk volumes
  tests/data/0a0882b8da225406cc838991b5f67d11.exe_.json
  tests/data/1195d0d18be9362fb8dd9e1738404c9d.exe_.json
  tests/data/3265b2b0afc6d2ad0bdd55af8edb9b37.exe_.json
  tests/data/3ca359f5085bb96a7950d4735b089ffe.exe_.json
  tests/data/5fbbfeed28b258c42e0cfeb16718b31c.exe_.json
enumerate internet cache
  tests/data/3583f7f97ab207be7ab2ec0a507e2481.dll_.json
  tests/data/c56af5561e3f20bed435fb4355cffc29.exe_.json
enumerate network shares
  tests/data/0a0882b8da225406cc838991b5f67d11.exe_.json
  tests/data/3265b2b0afc6d2ad0bdd55af8edb9b37.exe_.json
  tests/data/5f66b82558ca92e54e77f216ef4c066c.exe_.json
  tests/data/9ff8e68343cc29c1036650fc153e69f7.exe_.json
  tests/data/e59ffeaf7acb0c326e452fa30bb71a36.exe_.json
  tests/data/mimikatz.exe_.json
enumerate system firmware tables
execute syscall instruction
flush cabinet file
generate random numbers using the Delphi LCG
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
  tests/data/34404a3fb9804977c6ab86cb991fb130.exe_.json
  tests/data/42e81cc1145ba3c1936a6cf9b8da0ccd.dll_.json
  tests/data/5dd0b130d5c3d40c69e3972f39fd7d62.exe_.json
  tests/data/648fc498110b11b4313a47a776e6ba40.exe_.json
  tests/data/7204e3efc2434012e13ca939db0d0b02.exe_.json
  tests/data/9ff8e68343cc29c1036650fc153e69f7.exe_.json
  tests/data/a933a1a402775cfa94b6bee0963f4b46.dll_.json
  tests/data/ad4229879180e267f431ac6666b6a0a2.exe_.json
  tests/data/d9630c174b8ff5c0aa26168df523e63e.exe_.json
  tests/data/fbbaaf569b63f6398503e4f1979cabef.exe_.json
get client handle via SChannel
  tests/data/2b8bec5bcb1777eaa155d832f7afc797.exe_.json
get inbound credentials handle via CredSSP
get installed programs
  tests/data/0796f1c1ea0a142fc1eb7109a44c86cb.exe_.json
  tests/data/5a2f620f29ca2f44fc22df67b674198f.exe_.json
  tests/data/7204e3efc2434012e13ca939db0d0b02.exe_.json
get networking parameters
get proxy
  tests/data/74fa32d2b277f583010b692a3f91b627.exe_.json
get remote cert context via SChannel
get routing table
  tests/data/ccbf7cba35bab56563c0fbe4237fdc41.exe_.json
  tests/data/ping_täst.exe_.json
get session information
  tests/data/b766cc43d649d30e9f27aff8f7ee7de0.exe_.json
get socket information
  tests/data/0596c4ea5aa8def47f22c85d75aaca95.exe_.json
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
  tests/data/17264e3126a97c319a6a0c61e6da951e.dll_.json
  tests/data/39c05b15e9834ac93f206bc114d0a00c357c888db567ba8f5345da0529cbed41.dll_.json
  tests/data/50d5ee1ce2ca5e30c6b1019ee64eeec2.exe_.json
  tests/data/6cc148363200798a12091b97a17181a1.exe_.json
  tests/data/84f1b049fa8962b215a77f51af6714b3.dll_.json
  tests/data/91a12a4cf437589ba70b1687f5acad19.exe_.json
  tests/data/9324d1a8ae37a36ae560c37448c9705a.exe_.json
  tests/data/a90e5b3454aa71d9700b2ea54615f44b.exe_.json
  tests/data/af2f4142463f42548b8650a3adf5ceb2.dll_.json
  tests/data/b766cc43d649d30e9f27aff8f7ee7de0.exe_.json
  tests/data/b7841b9d5dc1f511a93cc7576672ec0c.dll_.json
get system firmware table
get thread local storage value
  tests/data/03b236b23b1ec37c663527c1f53af3fe.dll_.json
  tests/data/0731679c5f99e8ee65d8b29a3cabfc6b.exe_.json
  tests/data/0761142efbda6c4b1e801223de723578.dll_.json
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
  tests/data/152d4c9f63efb332ccb134c6953c0104.exe_.json
  tests/data/2a584dfc657348d164274a12bff9bbd8.exe_.json
  tests/data/3265b2b0afc6d2ad0bdd55af8edb9b37.exe_.json
  tests/data/3aa7ee4d67f562933bc998f352b1f319.dll_.json
  tests/data/3b13b6f1d7cd14dc4a097a12e2e505c0a4cff495262261e2bfc991df238b9b04.dll_.json
  tests/data/464ef2ca59782ce697bc329713698ccc.exe_.json
  tests/data/50d5ee1ce2ca5e30c6b1019ee64eeec2.exe_.json
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
  tests/data/580c37831fe98a254eb6c61c692c70d8.exe_.json
  tests/data/58adc2e97fbee01b71073ccd7ff1b9a4.exe_.json
  tests/data/5b3968b47eb16a1cb88525e3b565eab1.exe_.json
  tests/data/5dd0b130d5c3d40c69e3972f39fd7d62.exe_.json
  tests/data/5fbbfeed28b258c42e0cfeb16718b31c.exe_.json
  tests/data/648fc498110b11b4313a47a776e6ba40.exe_.json
  tests/data/6cc148363200798a12091b97a17181a1.exe_.json
  tests/data/6f99a2c8944cb02ff28c6f9ced59b161.exe_.json
  tests/data/77d87e9937546aebc1595039d730352b15fab32c72a76913f04262c6802d098f.exe_.json
  tests/data/7c843e75d4f02087b932fe280df9c90c.exe_.json
  tests/data/82bf6347acf15e5d883715dc289d8a2b.exe_.json
  tests/data/91a12a4cf437589ba70b1687f5acad19.exe_.json
  tests/data/94d3c854aadbcfde46b2f82801015c31.exe_.json
  tests/data/9ff8e68343cc29c1036650fc153e69f7.exe_.json
  tests/data/a70052c45e907820187c7e6bcdc7ecca.exe_.json
  tests/data/ad4229879180e267f431ac6666b6a0a2.exe_.json
  tests/data/af2f4142463f42548b8650a3adf5ceb2.dll_.json
  tests/data/bb7922d368a9a9c8d981837b5ad988f1.exe_.json
  tests/data/bc452cc1128ccf7fa9f76d83cda79132740414973600fed14509749fe946816e.exe_.json
  tests/data/c3341b7dfbb9d43bca8c812e07b4299f.exe_.json
  tests/data/c91887d861d9bd4a5872249b641bc9f9.exe_.json
  tests/data/d063b1804e8d2bb26bd2e097141c1bbc.exe_.json
  tests/data/d87ba0bfce1cdb17fd243b8b1d247e88.exe_.json
  tests/data/dc9eb40429d6fa2f15cd34479cb320c8.exe_.json
  tests/data/e353d3fbfb5c3738a77a622adff9a416.exe_.json
  tests/data/e69a8eb94f65480980deaf1ff5a431a6.exe_.json
  tests/data/ea7bb99e03606702c1cbe543bb32b27e.dll_.json
  tests/data/f5c93ac768c8206e87544ddd76b3277c.dll_.json
hash data using CRC32b
  tests/data/7c843e75d4f02087b932fe280df9c90c.exe_.json
  tests/data/c91887d861d9bd4a5872249b641bc9f9.exe_.json
hash data using MD4
  tests/data/a90e5b3454aa71d9700b2ea54615f44b.exe_.json
hash data using murmur2
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
hash data using SHA1 via WinCrypt
  tests/data/021f49678cd633dc8cf99c61b3af3dda.exe_.json
  tests/data/0596c4ea5aa8def47f22c85d75aaca95.exe_.json
  tests/data/32bb43f8847ecf158c1e96891ed9a28c.dll_.json
  tests/data/5f66b82558ca92e54e77f216ef4c066c.exe_.json
  tests/data/84f1b049fa8962b215a77f51af6714b3.dll_.json
  tests/data/ba947eb07d8c823949316a97364d060f.exe_.json
  tests/data/ffeae4a391a1d5203bd04b4161557227.exe_.json
  tests/data/mimikatz.exe_.json
hash data using sha1 via x86 extensions
hash data using sha256 via x86 extensions
hash data via BCrypt
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
hide thread from debugger
hooked by API Override
hook routines via microsoft detours
  tests/data/071f2d1c4c2201ee95ffe2aa965000f5f615a11a12d345e33b9fb060e5597740.dll_.json
impersonate user
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
  tests/data/5a2f620f29ca2f44fc22df67b674198f.exe_.json
  tests/data/67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d.exe_.json
initialize hashing via WinCrypt
  tests/data/021f49678cd633dc8cf99c61b3af3dda.exe_.json
  tests/data/03b236b23b1ec37c663527c1f53af3fe.dll_.json
  tests/data/0596c4ea5aa8def47f22c85d75aaca95.exe_.json
  tests/data/0796f1c1ea0a142fc1eb7109a44c86cb.exe_.json
  tests/data/2a584dfc657348d164274a12bff9bbd8.exe_.json
  tests/data/32bb43f8847ecf158c1e96891ed9a28c.dll_.json
  tests/data/5f66b82558ca92e54e77f216ef4c066c.exe_.json
  tests/data/5fbbfeed28b258c42e0cfeb16718b31c.exe_.json
  tests/data/84f1b049fa8962b215a77f51af6714b3.dll_.json
  tests/data/91a12a4cf437589ba70b1687f5acad19.exe_.json
  tests/data/a90e5b3454aa71d9700b2ea54615f44b.exe_.json
  tests/data/ba947eb07d8c823949316a97364d060f.exe_.json
  tests/data/ffeae4a391a1d5203bd04b4161557227.exe_.json
  tests/data/mimikatz.exe_.json
inspect load icon resource
  tests/data/5dd0b130d5c3d40c69e3972f39fd7d62.exe_.json
  tests/data/648fc498110b11b4313a47a776e6ba40.exe_.json
  tests/data/9ff8e68343cc29c1036650fc153e69f7.exe_.json
  tests/data/ffeae4a391a1d5203bd04b4161557227.exe_.json
linked against C++ regex library
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
  tests/data/6f99a2c8944cb02ff28c6f9ced59b161.exe_.json
  tests/data/a90e5b3454aa71d9700b2ea54615f44b.exe_.json
  tests/data/d063b1804e8d2bb26bd2e097141c1bbc.exe_.json
  tests/data/d9630c174b8ff5c0aa26168df523e63e.exe_.json
linked against Go process enumeration library
linked against Go registry library
linked against Go static asset library
linked against Go WMI library
linked against XZip
  tests/data/34404a3fb9804977c6ab86cb991fb130.exe_.json
  tests/data/7204e3efc2434012e13ca939db0d0b02.exe_.json
  tests/data/ad4229879180e267f431ac6666b6a0a2.exe_.json
  tests/data/d9630c174b8ff5c0aa26168df523e63e.exe_.json
  tests/data/fbbaaf569b63f6398503e4f1979cabef.exe_.json
list containers
listen for remote procedure calls
  tests/data/5f66b82558ca92e54e77f216ef4c066c.exe_.json
  tests/data/mimikatz.exe_.json
make an HTTP request with a Cookie
  tests/data/91a12a4cf437589ba70b1687f5acad19.exe_.json
  tests/data/bfb9b5391a13d0afd787e87ab90f14f5.dll_.json
  tests/data/ccbf7cba35bab56563c0fbe4237fdc41.exe_.json
migrate process to active window station
mine cryptocurrency
  tests/data/6f99a2c8944cb02ff28c6f9ced59b161.exe_.json
  tests/data/ffeae4a391a1d5203bd04b4161557227.exe_.json
move file
  tests/data/021f49678cd633dc8cf99c61b3af3dda.exe_.json
  tests/data/034b7231a49387604e81a5a5d2fe7e08f6982c418a28b719d2faace3c312ebb5.exe_.json
  tests/data/03b236b23b1ec37c663527c1f53af3fe.dll_.json
  tests/data/0596c4ea5aa8def47f22c85d75aaca95.exe_.json
  tests/data/0a0882b8da225406cc838991b5f67d11.exe_.json
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
  tests/data/1195d0d18be9362fb8dd9e1738404c9d.exe_.json
  tests/data/152d4c9f63efb332ccb134c6953c0104.exe_.json
  tests/data/1d8fd13c890060464019c0f07b928b1a.exe_.json
  tests/data/31600ad0d1a7ea615690df111ae36c73.exe_.json
  tests/data/31bd8dd48ac0de3d4da340bf29f4d280.exe_.json
  tests/data/3583f7f97ab207be7ab2ec0a507e2481.dll_.json
  tests/data/39c05b15e9834ac93f206bc114d0a00c357c888db567ba8f5345da0529cbed41.dll_.json
  tests/data/3ca359f5085bb96a7950d4735b089ffe.exe_.json
  tests/data/3d760b6fc84571c928bed835863fc302.exe_.json
  tests/data/477743976643213d96b66ed5041a3b12.exe_.json
  tests/data/48c7ad2d9d482cb11898f2719638ceed.exe_.json
  tests/data/4f11bdb380dafa2518053c6d20147a05.exe_.json
  tests/data/50d5ee1ce2ca5e30c6b1019ee64eeec2.exe_.json
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
  tests/data/5fbbfeed28b258c42e0cfeb16718b31c.exe_.json
  tests/data/6a352c3e55e8ae5ed39dc1be7fb964b1.dll_.json
  tests/data/6bffe5385dd1321fe5b99dec3f8858be9ff99c8629c1c8d6f414eebaa663a710.exe_.json
  tests/data/6f99a2c8944cb02ff28c6f9ced59b161.exe_.json
  tests/data/74fa32d2b277f583010b692a3f91b627.exe_.json
  tests/data/8ba66e4b618ffdc8255f1df01f875dde6fd0561305d9f8307be7bb11d02ae36.exe_.json
  tests/data/946a99f36a46d335dec080d9a4371940.dll_.json
  tests/data/9b7ccaa2ae6a5b96e3110ebcbc4311f6.dll_.json
  tests/data/9ff8e68343cc29c1036650fc153e69f7.exe_.json
  tests/data/a90e5b3454aa71d9700b2ea54615f44b.exe_.json
  tests/data/ad4229879180e267f431ac6666b6a0a2.exe_.json
  tests/data/b766cc43d649d30e9f27aff8f7ee7de0.exe_.json
  tests/data/b7841b9d5dc1f511a93cc7576672ec0c.dll_.json
  tests/data/bc452cc1128ccf7fa9f76d83cda79132740414973600fed14509749fe946816e.exe_.json
  tests/data/c91887d861d9bd4a5872249b641bc9f9.exe_.json
  tests/data/ccbf7cba35bab56563c0fbe4237fdc41.exe_.json
  tests/data/d9630c174b8ff5c0aa26168df523e63e.exe_.json
  tests/data/daa13ae302fe8b618ddbf590537443ef.exe_.json
  tests/data/e59ffeaf7acb0c326e452fa30bb71a36.exe_.json
  tests/data/ffeae4a391a1d5203bd04b4161557227.exe_.json
  tests/data/kernel32-64.dll_.json
  tests/data/Practical Malware Analysis Lab 01-04.exe_.json
  tests/data/Practical Malware Analysis Lab 05-01.dll_.json
  tests/data/Practical Malware Analysis Lab 12-04.exe_.json
  tests/data/Practical Malware Analysis Lab 17-02.dll_.json
open cabinet file
packaged as a CreateInstall installer
packaged as an InstallShield installer
packaged as a NSIS installer
  tests/data/4f11bdb380dafa2518053c6d20147a05.exe_.json
packaged as a Pintool
packaged as a WinZip self-extracting archive
packaged as a Wise installer
packed with CCG
packed with Crunch
packed with Dragon Armor
packed with enigma
packed with Epack
packed with MaskPE
packed with MEW
packed with Mpress
packed with Neolite
packed with PECompact
packed with Pepack
packed with Perplex
packed with ProCrypt
packed with RPCrypt
packed with SeauSFX
packed with Shrinker
packed with Simple Pack
packed with StarForce
packed with SVKP
packed with Themida
packed with TSULoader
packed with VProtect
packed with WWPACK
query remote server for available data
  tests/data/0796f1c1ea0a142fc1eb7109a44c86cb.exe_.json
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
  tests/data/84f1b049fa8962b215a77f51af6714b3.dll_.json
  tests/data/9a00ebe67d833edb70ed6dd0f4652592.dll_.json
  tests/data/eb355bd63bddce02955792b4cd6539fb.dll_.json
read and send data from client to server
  tests/data/5d7c34b6854d48d3da4f96b71550a221.exe_.json
  tests/data/638dcc3d37b3a574044233c9637d7288.exe_.json
  tests/data/9879d201dc5aca863f357184cd1f170e.dll_.json
  tests/data/c335a9d41185a32ad918c5389ee54235.exe_.json
  tests/data/Practical Malware Analysis Lab 03-02.dll_.json
  tests/data/Practical Malware Analysis Lab 03-04.exe_.json
  tests/data/Practical Malware Analysis Lab 05-01.dll_.json
  tests/data/Practical Malware Analysis Lab 16-01.exe_.json
  tests/data/Practical Malware Analysis Lab 17-02.dll_.json
read process memory
  tests/data/0596c4ea5aa8def47f22c85d75aaca95.exe_.json
  tests/data/071f2d1c4c2201ee95ffe2aa965000f5f615a11a12d345e33b9fb060e5597740.dll_.json
  tests/data/0796f1c1ea0a142fc1eb7109a44c86cb.exe_.json
  tests/data/112f9f0e8d349858a80dd8c14190e620.exe_.json
  tests/data/1d8fd13c890060464019c0f07b928b1a.exe_.json
  tests/data/2d3edc218a90f03089cc01715a9f047f.exe_.json
  tests/data/31bd8dd48ac0de3d4da340bf29f4d280.exe_.json
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
  tests/data/5f66b82558ca92e54e77f216ef4c066c.exe_.json
  tests/data/5fbbfeed28b258c42e0cfeb16718b31c.exe_.json
  tests/data/6a352c3e55e8ae5ed39dc1be7fb964b1.dll_.json
  tests/data/6bffe5385dd1321fe5b99dec3f8858be9ff99c8629c1c8d6f414eebaa663a710.exe_.json
  tests/data/6fcc13563aad936c7d0f3165351cb453.exe_.json
  tests/data/787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e.exe_.json
  tests/data/9ff8e68343cc29c1036650fc153e69f7.exe_.json
  tests/data/af2f4142463f42548b8650a3adf5ceb2.dll_.json
  tests/data/al-khaser_x64.exe_.json
  tests/data/al-khaser_x86.exe_.json
  tests/data/c56af5561e3f20bed435fb4355cffc29.exe_.json
  tests/data/ccbf7cba35bab56563c0fbe4237fdc41.exe_.json
  tests/data/e353d3fbfb5c3738a77a622adff9a416.exe_.json
  tests/data/mimikatz.exe_.json
  tests/data/Practical Malware Analysis Lab 03-03.exe_.json
  tests/data/Practical Malware Analysis Lab 12-02.exe_.json
  tests/data/Practical Malware Analysis Lab 17-03.exe_.json
read raw disk data
  tests/data/48c7ad2d9d482cb11898f2719638ceed.exe_.json
  tests/data/5fbbfeed28b258c42e0cfeb16718b31c.exe_.json
  tests/data/al-khaser_x64.exe_.json
  tests/data/al-khaser_x86.exe_.json
  tests/data/ccbf7cba35bab56563c0fbe4237fdc41.exe_.json
rebuilt by ImpRec
  tests/data/daa13ae302fe8b618ddbf590537443ef.exe_.json
receive and write data from server to client
  tests/data/021f49678cd633dc8cf99c61b3af3dda.exe_.json
  tests/data/31bd8dd48ac0de3d4da340bf29f4d280.exe_.json
  tests/data/39c05b15e9834ac93f206bc114d0a00c357c888db567ba8f5345da0529cbed41.dll_.json
  tests/data/3d760b6fc84571c928bed835863fc302.exe_.json
  tests/data/48c7ad2d9d482cb11898f2719638ceed.exe_.json
  tests/data/55d77ab16377a8a314982f723fcc6fae.exe_.json
  tests/data/5d7c34b6854d48d3da4f96b71550a221.exe_.json
  tests/data/638dcc3d37b3a574044233c9637d7288.exe_.json
  tests/data/79cde1aa711e321b4939805d27e160be.exe_.json
  tests/data/a70052c45e907820187c7e6bcdc7ecca.exe_.json
  tests/data/b766cc43d649d30e9f27aff8f7ee7de0.exe_.json
  tests/data/b7841b9d5dc1f511a93cc7576672ec0c.dll_.json
  tests/data/d063b1804e8d2bb26bd2e097141c1bbc.exe_.json
  tests/data/f5c93ac768c8206e87544ddd76b3277c.dll_.json
  tests/data/Practical Malware Analysis Lab 03-02.dll_.json
  tests/data/Practical Malware Analysis Lab 03-04.exe_.json
  tests/data/Practical Malware Analysis Lab 05-01.dll_.json
  tests/data/Practical Malware Analysis Lab 16-01.exe_.json
  tests/data/Practical Malware Analysis Lab 17-02.dll_.json
reference 114DNS DNS server
reference AES constants
  tests/data/6cc148363200798a12091b97a17181a1.exe_.json
  tests/data/8ba66e4b618ffdc8255f1df01f875dde6fd0561305d9f8307be7bb11d02ae36.exe_.json
  tests/data/94d3c854aadbcfde46b2f82801015c31.exe_.json
  tests/data/a90e5b3454aa71d9700b2ea54615f44b.exe_.json
  tests/data/a933a1a402775cfa94b6bee0963f4b46.dll_.json
  tests/data/d063b1804e8d2bb26bd2e097141c1bbc.exe_.json
reference AliDNS DNS server
reference Cloudflare DNS server
reference Comodo Secure DNS server
reference DNS over HTTPS endpoints
  tests/data/749e7becf00fccc6dff324a83976dc0d.exe_.json
reference Google Public DNS server
  tests/data/0a0882b8da225406cc838991b5f67d11.exe_.json
  tests/data/2a584dfc657348d164274a12bff9bbd8.exe_.json
  tests/data/ad4229879180e267f431ac6666b6a0a2.exe_.json
reference Hurricane Electric DNS server
reference kornet DNS server
reference L3 DNS server
reference OpenDNS DNS server
reference processor manufacturer constants
reference Quad9 DNS server
reference screen saver executable
reference startup folder
  tests/data/071f2d1c4c2201ee95ffe2aa965000f5f615a11a12d345e33b9fb060e5597740.dll_.json
  tests/data/7204e3efc2434012e13ca939db0d0b02.exe_.json
  tests/data/c335a9d41185a32ad918c5389ee54235.exe_.json
  tests/data/ed888dc2f04f5eac83d6d14088d002de.exe_.json
reference the VMWare IO port
  tests/data/0596c4ea5aa8def47f22c85d75aaca95.exe_.json
  tests/data/3d760b6fc84571c928bed835863fc302.exe_.json
  tests/data/eaad7dfc78304b977d3844cc63577152.exe_.json
  tests/data/Practical Malware Analysis Lab 05-01.dll_.json
  tests/data/Practical Malware Analysis Lab 17-02.dll_.json
  tests/data/Practical Malware Analysis Lab 17-03.exe_.json
reference Verisign DNS server
resolve function by hash
run in container
run PowerShell expression
schedule task via ITaskService
  tests/data/50d5ee1ce2ca5e30c6b1019ee64eeec2.exe_.json
search for credit card data
send HTTP request with Host header
  tests/data/021f49678cd633dc8cf99c61b3af3dda.exe_.json
  tests/data/0796f1c1ea0a142fc1eb7109a44c86cb.exe_.json
  tests/data/3265b2b0afc6d2ad0bdd55af8edb9b37.exe_.json
  tests/data/39c05b15e9834ac93f206bc114d0a00c357c888db567ba8f5345da0529cbed41.dll_.json
  tests/data/6f99a2c8944cb02ff28c6f9ced59b161.exe_.json
  tests/data/a70052c45e907820187c7e6bcdc7ecca.exe_.json
  tests/data/b7841b9d5dc1f511a93cc7576672ec0c.dll_.json
  tests/data/ccbf7cba35bab56563c0fbe4237fdc41.exe_.json
  tests/data/Practical Malware Analysis Lab 05-01.dll_.json
  tests/data/Practical Malware Analysis Lab 17-02.dll_.json
set global application hook
  tests/data/5dd0b130d5c3d40c69e3972f39fd7d62.exe_.json
  tests/data/648fc498110b11b4313a47a776e6ba40.exe_.json
  tests/data/9ff8e68343cc29c1036650fc153e69f7.exe_.json
spawn thread to RWX shellcode
  tests/data/2d3edc218a90f03089cc01715a9f047f.exe_.json
  tests/data/4e9c546a54e40d0da89bb4616dd7f8c4.exe_.json
  tests/data/787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e.exe_.json
  tests/data/b2ad4409323147b63e370745e5209996.exe_.json
  tests/data/b87e9dd18a5533a09d3e48a7a1efbcf6.exe_.json
  tests/data/ce8d7590182db2e51372a4a04d6a0927a65b2640739f9ec01cfd6c143b1110da.exe_.json
  tests/data/e69a8eb94f65480980deaf1ff5a431a6.exe_.json
  tests/data/ea7bb99e03606702c1cbe543bb32b27e.dll_.json
terminate process by name
  tests/data/6f99a2c8944cb02ff28c6f9ced59b161.exe_.json