New Analyzer: Fireeye Capa (WIP) #822
Comments
We tested it this week... it's actually missing a safe/malicious indicator that is necessary for the taxonomy, which was available in the past but is broken right now.
Ah, I see -- should I close this out then?
We can keep this open and start to code. Even without safe/malicious this has a lot of interesting information imho.
Agreed. Sounds good! 👍
@dadokkio Thoughts on this? Assuming we should wait until it's fully supported for Python 3?
That's bad, unfortunately at the moment we tested only the executable on Windows and the python3 port seems like it will take a lot of time.
I've created a little executable output parser here https://gist.github.com/dadokkio/32f0791f3572122ef3d7924ab315babb if you want to use it as an example. The output is something like:
Awesome, thanks! I've thought about using an executable with another analyzer before, but wasn't sure if that would be acceptable. So, it would just be run from the analyzer directory (unless Dockerized), correct?
Yes, it should be available on the docker image of the analyzer (maybe the path could be a setting).
For the time being, we would (unfortunately) suggest that you run capa as a subprocess. However, you should also consider using the
If you want to sketch out integration with py3, then you can play with the branch in mandiant/capa#234. However, we don't consider it supported yet, so I can't guarantee things won't change. Should get you most of the way there. Please reach out if I can assist at all - would definitely like to help capa be used more widely.
Thanks @williballenthin !
Currently running into an issue w/ permissions and the file creation associated with the following: mandiant/capa#244
Should be fixed very soon upstream, at which point I'll finish the implementation of this analyzer.
1.3.0 was released today. Continuing to test/develop.
@dadokkio what do you think of something like the following? (Tactic -> Technique -> Capability -> Metadata (rule, examples))
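An added example of the grouping proposed above (not code from this thread, from the Cortex analyzer, or from the capa project): it regroups capa's flat rule list into Tactic -> Technique -> Capability -> Metadata (rule, examples). The sample report is constructed, and the `att&ck`/`examples` layout of capa's JSON and the `-j` flag are assumptions about capa's output rather than facts stated in the thread.

```python
import json
import subprocess
from collections import defaultdict

# Constructed sample shaped like capa's JSON report (assumed layout: "rules" keyed by
# rule name, each with "meta" carrying "namespace", "att&ck" entries and "examples").
SAMPLE_REPORT = {
    "rules": {
        "create service": {
            "meta": {
                "namespace": "persistence/service",
                "att&ck": [{"tactic": "Persistence",
                            "technique": "Create or Modify System Process",
                            "id": "T1543.003"}],
                "examples": ["constructed-sample.dll_:0x10004706"],
            },
            "matches": {"0x10004706": {}},
        },
        "send HTTP request": {
            "meta": {
                "namespace": "communication/http/client",
                "att&ck": [{"tactic": "Command and Control",
                            "technique": "Application Layer Protocol",
                            "id": "T1071.001"}],
                "examples": [],
            },
            "matches": {"0x401000": {}, "0x402000": {}},
        },
    }
}


def build_taxonomy(report):
    """Regroup capa rules into Tactic -> Technique -> Capability -> Metadata."""
    taxonomy = defaultdict(lambda: defaultdict(dict))
    for rule_name, rule in report.get("rules", {}).items():
        meta = rule.get("meta", {})
        # Rules with no ATT&CK mapping still surface, under an "Unmapped" bucket.
        attack = meta.get("att&ck") or [{"tactic": "Unmapped", "technique": "Unmapped", "id": ""}]
        for entry in attack:
            technique = f'{entry["technique"]} [{entry["id"]}]' if entry.get("id") else entry["technique"]
            taxonomy[entry["tactic"]][technique][rule_name] = {
                "rule": meta.get("namespace", ""),
                "examples": list(meta.get("examples", [])),
                "match_count": len(rule.get("matches", {})),
            }
    return {t: {q: dict(caps) for q, caps in techs.items()} for t, techs in taxonomy.items()}


def run_capa(capa_path, sample_path):
    """Run the capa binary as a subprocess (its path being a setting) and parse the JSON it emits."""
    proc = subprocess.run([capa_path, "-j", sample_path], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)
```

`run_capa` is the subprocess route suggested in the thread; the taxonomy builder works on any report in the assumed shape, whether read from disk or returned by the subprocess call.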
@dadokkio, this is almost ready to PR, but I was just curious about the best approach for including the Capa binary. I haven't contributed a Docker-based analyzer/responder yet, so any guidance would be appreciated there. Also need to finish up TheHive templates.
Probably @To-om has better answers.
This should be wrapped up very soon. Apologies for the delay.
Hi @weslambert, how is the development of this analyzer going? Do you need help with anything? I was thinking of developing one for Cortex and found out it's already being worked on here.
I was also looking for a capa analyzer since the new capa version was just released. Would like to hear any update about the analyzer development status @weslambert
@Passimist @m5050 This has been in my backlog, but given the interest, I'll see if I can re-test and get it wrapped up by the end of this week.
Hi @weslambert, thanks for the reply! Will the analyzer use the new Python 3 version of capa? Let me know if I can help you with this project.
@Passimist Correct, it is using the Python 3 version. I believe I just needed to adjust the format of the results/template(s) to get it finished up.
PR: #1027
I've started working on an analyzer for capa from Fireeye. Will submit PR soon. From https://github.com/fireeye/capa:

> capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.