From 7ab2a9b163a0f139fcad3b2b640f15fc69f877e4 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Thu, 29 Jun 2023 09:47:46 +0000 Subject: [PATCH 01/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index a37873c8..ccf0d07d 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit a37873c8a571b515f2baaf19bfcfaff5c7ef5342 +Subproject commit ccf0d07d273da47ff3e00a066e1b109c97920b99 From 2cd6b8bdaccb95174c4f8ba3eb708a5ac85cae2a Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Thu, 29 Jun 2023 10:01:38 +0000 Subject: [PATCH 02/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index ccf0d07d..9d6a155b 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit ccf0d07d273da47ff3e00a066e1b109c97920b99 +Subproject commit 9d6a155b77f62f967bd859dffd1d262cd52a0e54 From 06dd6f45c006506710659aa745179ab28dbb527c Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 3 Jul 2023 07:54:42 +0000 Subject: [PATCH 03/36] Sync capa rules submodule --- rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules b/rules index 58ac3d72..cb3bc24e 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 58ac3d724bb3ec74b2d0030827d474d97adbf364 +Subproject commit cb3bc24e7a33ffdecd74d85506da43eeb229b6c5 From 165fe87aca4d47b3a0645ec22456b7bbdc89221b Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 3 Jul 2023 14:04:39 +0000 Subject: [PATCH 04/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index 9d6a155b..78b620ba 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit 9d6a155b77f62f967bd859dffd1d262cd52a0e54 +Subproject commit 78b620ba30d92689f2d98d6ad0e8a6c12553b4ed From 301d8425c1922a574fd09fc3b3e17cf44989a8f9 Mon Sep 17 00:00:00 2001 
From: Capa Bot Date: Mon, 3 Jul 2023 14:05:01 +0000 Subject: [PATCH 05/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index 78b620ba..915f9d9d 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit 78b620ba30d92689f2d98d6ad0e8a6c12553b4ed +Subproject commit 915f9d9d85d3104aeb4dd2fa1b7d9f023b3c43ed From 066e42e2711535f038f2c31802babf016d650ce9 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 3 Jul 2023 14:05:29 +0000 Subject: [PATCH 06/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index 915f9d9d..effa7ae9 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit 915f9d9d85d3104aeb4dd2fa1b7d9f023b3c43ed +Subproject commit effa7ae91ee9ab13c949064ff24ffa7f3379f1e7 From 30950f129ec9cedcebf81ed57994950bf9039131 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Tue, 4 Jul 2023 08:54:40 +0000 Subject: [PATCH 07/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index effa7ae9..451d187c 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit effa7ae91ee9ab13c949064ff24ffa7f3379f1e7 +Subproject commit 451d187c1784ee2cb6e5e6d7bc32bce5e1c04f89 From 446114acc3524ae9356c2a1ffd2475e2de5672d5 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Tue, 4 Jul 2023 08:54:56 +0000 Subject: [PATCH 08/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index 451d187c..16e38a33 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit 451d187c1784ee2cb6e5e6d7bc32bce5e1c04f89 +Subproject commit 16e38a33d183d0afb0ca0d0d1a311090e9c93be7 From 9a7ce0b04848348b10ef90329c904efa6e72cac4 Mon Sep 17 00:00:00 2001 
From: Capa Bot Date: Tue, 4 Jul 2023 08:55:21 +0000 Subject: [PATCH 09/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index 16e38a33..76810b63 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit 16e38a33d183d0afb0ca0d0d1a311090e9c93be7 +Subproject commit 76810b63f8bdf829d9b36133e961ea6c14967e8a From 2d55976cb4711c327340d2a439a68691ed870aac Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 06:40:30 +0000 Subject: [PATCH 10/36] Sync capa rules submodule --- CHANGELOG.md | 3 ++- README.md | 2 +- rules | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 88182091..150f5494 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat -### New Rules (11) +### New Rules (12) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com @@ -22,6 +22,7 @@ - host-interaction/hardware/enumerate-devices-by-category @mr-tz - host-interaction/service/continue-service @mr-tz - host-interaction/service/pause-service @mr-tz +- persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com - ### Bug Fixes diff --git a/README.md b/README.md index 15a5e096..fc744088 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-802-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-803-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index cb3bc24e..71450724 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit cb3bc24e7a33ffdecd74d85506da43eeb229b6c5 +Subproject commit 71450724d331a5bcc57bf3d8c5dd950f72c8c2cd From 1e258c3bc263ababd79263e7df543d016a329f4c Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 06:41:20 +0000 Subject: [PATCH 11/36] Sync capa rules submodule --- CHANGELOG.md | 3 ++- README.md | 2 +- rules | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 150f5494..d1c23988 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat -### New Rules (12) +### New Rules (14) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com 
@@ -23,6 +23,7 @@ - host-interaction/service/continue-service @mr-tz - host-interaction/service/pause-service @mr-tz - persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com +- host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com - ### Bug Fixes diff --git a/README.md b/README.md index fc744088..7d73da68 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-803-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-804-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index 71450724..b46b6b26 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 71450724d331a5bcc57bf3d8c5dd950f72c8c2cd +Subproject commit b46b6b2687b9395dfa4e66ff5001122b8fed510d From 0c3c5e42ffacc632cf6cecfe0d9be323e1e62aed Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 06:41:40 +0000 Subject: [PATCH 12/36] Sync capa rules submodule --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1c23988..5aa96cb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,7 +9,7 @@ ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat -### New Rules (14) +### New Rules (15) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com @@ -24,6 +24,7 @@ - host-interaction/service/pause-service @mr-tz - persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com - host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com +- compiler/cx_freeze/compiled-with-cx_freeze @mr-tz jakub.jozwiak@mandiant.com - ### Bug Fixes From 0a74eb671f1fedae9aa885fe50eeea1b90a50faa Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 06:58:23 +0000 Subject: [PATCH 13/36] Sync capa rules submodule --- CHANGELOG.md | 3 ++- README.md | 2 +- rules | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5aa96cb2..a0b973cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat -### New Rules (15) +### New Rules (16) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com @@ -25,6 +25,7 @@ - persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com - host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com - compiler/cx_freeze/compiled-with-cx_freeze @mr-tz jakub.jozwiak@mandiant.com +- communication/socket/create-vmci-socket jakub.jozwiak@mandiant.com - ### Bug Fixes 
diff --git a/README.md b/README.md index 7d73da68..b1d5a1bd 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-804-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-805-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index b46b6b26..6b449aa9 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit b46b6b2687b9395dfa4e66ff5001122b8fed510d +Subproject commit 6b449aa96f0e737dc0ed70c5f61ed5836c5f68f9 From 16ce6a5ef243adc132a483f897e761ca09d37f9e Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 08:57:27 +0000 Subject: [PATCH 14/36] Sync capa rules submodule --- CHANGELOG.md | 5 ++++- README.md | 2 +- rules | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0b973cc..0ecf391b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat -### New Rules (16) +### New Rules (19) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com 
@@ -26,6 +26,9 @@ - host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com - compiler/cx_freeze/compiled-with-cx_freeze @mr-tz jakub.jozwiak@mandiant.com - communication/socket/create-vmci-socket jakub.jozwiak@mandiant.com +- persistence/office/act-as-excel-xll-add-in jakub.jozwiak@mandiant.com +- persistence/office/act-as-office-com-add-in jakub.jozwiak@mandiant.com +- persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com - ### Bug Fixes diff --git a/README.md b/README.md index b1d5a1bd..2458b9b5 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-805-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-808-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index 6b449aa9..e541c244 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 6b449aa96f0e737dc0ed70c5f61ed5836c5f68f9 +Subproject commit e541c2444fa294452e0f908cdebb5f094495ad8c From a6763d8882540af6a128915a8cb38d248a66b762 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 08:59:18 +0000 Subject: [PATCH 15/36] Sync capa rules submodule --- CHANGELOG.md | 3 ++- rules | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ecf391b..12a29261 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -9,7 +9,7 @@ ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat -### New Rules (19) +### New Rules (20) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com @@ -29,6 +29,7 @@ - persistence/office/act-as-excel-xll-add-in jakub.jozwiak@mandiant.com - persistence/office/act-as-office-com-add-in jakub.jozwiak@mandiant.com - persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com +- anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com - ### Bug Fixes diff --git a/rules b/rules index e541c244..76eccb54 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit e541c2444fa294452e0f908cdebb5f094495ad8c +Subproject commit 76eccb548b502f83522d885c93256bfcd91ccc79 From 1a2e034ee03a29ae45e4253224717b81ade204e6 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Sat, 24 Jun 2023 10:31:14 +0200 Subject: [PATCH 16/36] update data via script --- CHANGELOG.md | 1 + scripts/linter-data.json | 25 ++++++++++++++++++++----- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12a29261..2e78e731 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -49,6 +49,7 @@ ### capa explorer IDA Pro plugin ### Development +- update ATT&CK/MBC data for linting #1568 @mr-tz ### Raw diffs - [capa v5.1.0...master](https://github.com/mandiant/capa/compare/v5.1.0...master) diff --git a/scripts/linter-data.json b/scripts/linter-data.json index 5b9eb2ab..3be54c62 100644 --- a/scripts/linter-data.json +++ b/scripts/linter-data.json 
@@ -54,6 +54,7 @@ "T1583.005": "Acquire Infrastructure::Botnet", "T1583.006": "Acquire Infrastructure::Web Services", "T1583.007": "Acquire Infrastructure::Serverless", + "T1583.008": "Acquire Infrastructure::Malvertising", "T1584": "Compromise Infrastructure", "T1584.001": "Compromise Infrastructure::Domains", "T1584.002": "Compromise Infrastructure::DNS Server", @@ -88,7 +89,8 @@ "T1608.003": "Stage Capabilities::Install Digital Certificate", "T1608.004": "Stage Capabilities::Drive-by Target", "T1608.005": "Stage Capabilities::Link Target", - "T1608.006": "Stage Capabilities::SEO Poisoning" + "T1608.006": "Stage Capabilities::SEO Poisoning", + "T1650": "Acquire Access" }, "Initial Access": { "T1078": "Valid Accounts", @@ -128,6 +130,7 @@ "T1059.006": "Command and Scripting Interpreter::Python", "T1059.007": "Command and Scripting Interpreter::JavaScript", "T1059.008": "Command and Scripting Interpreter::Network Device CLI", + "T1059.009": "Command and Scripting Interpreter::Cloud API", "T1072": "Software Deployment Tools", "T1106": "Native API", "T1129": "Shared Modules", @@ -145,7 +148,8 @@ "T1569.002": "System Services::Service Execution", "T1609": "Container Administration Command", "T1610": "Deploy Container", - "T1648": "Serverless Execution" + "T1648": "Serverless Execution", + "T1651": "Cloud Administration Command" }, "Persistence": { "T1037": "Boot or Logon Initialization Scripts", @@ -247,6 +251,7 @@ "T1556.005": "Modify Authentication Process::Reversible Encryption", "T1556.006": "Modify Authentication Process::Multi-Factor Authentication", "T1556.007": "Modify Authentication Process::Hybrid Identity", + "T1556.008": "Modify Authentication Process::Network Provider DLL", "T1574": "Hijack Execution Flow", "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", "T1574.002": "Hijack Execution Flow::DLL Side-Loading", 
@@ -372,6 +377,8 @@ "T1027.007": "Obfuscated Files or Information::Dynamic API Resolution", "T1027.008": "Obfuscated Files or Information::Stripped Payloads", "T1027.009": "Obfuscated Files or Information::Embedded Payloads", + "T1027.010": "Obfuscated Files or Information::Command Obfuscation", + "T1027.011": "Obfuscated Files or Information::Fileless Storage", "T1036": "Masquerading", "T1036.001": "Masquerading::Invalid Code Signature", "T1036.002": "Masquerading::Right-to-Left Override", @@ -380,6 +387,7 @@ "T1036.005": "Masquerading::Match Legitimate Name or Location", "T1036.006": "Masquerading::Space after Filename", "T1036.007": "Masquerading::Double File Extension", + "T1036.008": "Masquerading::Masquerade File Type", "T1055": "Process Injection", "T1055.001": "Process Injection::Dynamic-link Library Injection", "T1055.002": "Process Injection::Portable Executable Injection", @@ -487,6 +495,7 @@ "T1556.005": "Modify Authentication Process::Reversible Encryption", "T1556.006": "Modify Authentication Process::Multi-Factor Authentication", "T1556.007": "Modify Authentication Process::Hybrid Identity", + "T1556.008": "Modify Authentication Process::Network Provider DLL", "T1562": "Impair Defenses", "T1562.001": "Impair Defenses::Disable or Modify Tools", "T1562.002": "Impair Defenses::Disable Windows Event Logging", @@ -497,6 +506,7 @@ "T1562.008": "Impair Defenses::Disable Cloud Logs", "T1562.009": "Impair Defenses::Safe Mode Boot", "T1562.010": "Impair Defenses::Downgrade Attack", + "T1562.011": "Impair Defenses::Spoof Security Alerting", "T1564": "Hide Artifacts", "T1564.001": "Hide Artifacts::Hidden Files and Directories", "T1564.002": "Hide Artifacts::Hidden Users", 
@@ -574,6 +584,7 @@ "T1552.005": "Unsecured Credentials::Cloud Instance Metadata API", "T1552.006": "Unsecured Credentials::Group Policy Preferences", "T1552.007": "Unsecured Credentials::Container API", + "T1552.008": "Unsecured Credentials::Chat Messages", "T1555": "Credentials from Password Stores", "T1555.001": "Credentials from Password Stores::Keychain", "T1555.002": "Credentials from Password Stores::Securityd Memory", @@ -588,6 +599,7 @@ "T1556.005": "Modify Authentication Process::Reversible Encryption", "T1556.006": "Modify Authentication Process::Multi-Factor Authentication", "T1556.007": "Modify Authentication Process::Hybrid Identity", + "T1556.008": "Modify Authentication Process::Network Provider DLL", "T1557": "Adversary-in-the-Middle", "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay", "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning", @@ -630,7 +642,7 @@ "T1124": "System Time Discovery", "T1135": "Network Share Discovery", "T1201": "Password Policy Discovery", - "T1217": "Browser Bookmark Discovery", + "T1217": "Browser Information Discovery", "T1482": "Domain Trust Discovery", "T1497": "Virtualization/Sandbox Evasion", "T1497.001": "Virtualization/Sandbox Evasion::System Checks", @@ -646,7 +658,8 @@ "T1614.001": "System Location Discovery::System Language Discovery", "T1615": "Group Policy Discovery", "T1619": "Cloud Storage Object Discovery", - "T1622": "Debugger Evasion" + "T1622": "Debugger Evasion", + "T1652": "Device Driver Discovery" }, "Lateral Movement": { "T1021": "Remote Services", @@ -656,6 +669,7 @@ "T1021.004": "Remote Services::SSH", "T1021.005": "Remote Services::VNC", "T1021.006": "Remote Services::Windows Remote Management", + "T1021.007": "Remote Services::Cloud Services", "T1072": "Software Deployment Tools", "T1080": "Taint Shared Content", "T1091": "Replication Through Removable Media", 
@@ -768,7 +782,8 @@
 "T1537": "Transfer Data to Cloud Account",
 "T1567": "Exfiltration Over Web Service",
 "T1567.001": "Exfiltration Over Web Service::Exfiltration to Code Repository",
- "T1567.002": "Exfiltration Over Web Service::Exfiltration to Cloud Storage"
+ "T1567.002": "Exfiltration Over Web Service::Exfiltration to Cloud Storage",
+ "T1567.003": "Exfiltration Over Web Service::Exfiltration to Text Storage Sites"
 },
 "Impact": {
 "T1485": "Data Destruction",

From bb053561ef215034282fef0de11303811a07a6fb Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:03:57 +0200
Subject: [PATCH 17/36] import-to-ida: decode MD5 to hex

---
 scripts/import-to-ida.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py
index 058c2553..c0f788c6 100644
--- a/scripts/import-to-ida.py
+++ b/scripts/import-to-ida.py
@@ -28,6 +28,7 @@ Unless required by applicable law or agreed to in writing, software distributed
 is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and limitations under the License.
 """
+import binascii
 import json
 import logging
 
@@ -77,7 +78,7 @@ def main():
 #
 # see: https://github.com/idapython/bin/issues/11
 a = doc["meta"]["sample"]["md5"].lower()
- b = ida_nalt.retrieve_input_file_md5().lower()
+ b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower()
 if not a.startswith(b):
 logger.error("sample mismatch")
 return -2

From 169b3d60a81ff0ac8fc7be1ef2d1c67ea3292678 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:04:15 +0200
Subject: [PATCH 18/36] import-to-ida: update to use v5 JSON format

closes #1584
---
 scripts/import-to-ida.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py
index c0f788c6..fd762f58 100644
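Review bot: The new `b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower()` treats the return value as a raw digest, but the comment kept directly above it documents an IDA 7.4 build that returns the digest as already-hex text, truncated and NUL-terminated; hexlify on such a value produces the hex of the ASCII characters, so `a.startswith(b)` would be false and the script would report "sample mismatch" for that IDA version. If that case is still meant to be supported, normalise before comparing, e.g. `raw = ida_nalt.retrieve_input_file_md5()` followed by `b = (binascii.hexlify(raw).decode("ascii") if len(raw) == 16 else raw.decode("ascii").rstrip("\x00")).lower()`; otherwise the comment should be updated so it no longer describes behaviour the code cannot handle. If `retrieve_input_file_md5()` can return None when no input hash is recorded (I cannot confirm that from here), hexlify would raise TypeError, which is worth a guard with a logged error. main() starts and ends outside this hunk.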
--- a/scripts/import-to-ida.py
+++ b/scripts/import-to-ida.py
@@ -94,8 +94,11 @@ def main():
 name = rule["meta"]["name"]
 ns = rule["meta"].get("namespace", "")
 
- for va in rule["matches"].keys():
- va = int(va)
+ for address, match in rule["matches"]:
+ if address["type"] != "absolute":
+ continue
+
+ va = address["value"]
 rows.append((ns, name, va))
 
 # order by (namespace, name) so that like things show up together

From 19a5ef8a644327f2fe436a73ccea390adaf95c6e Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:21:03 +0200
Subject: [PATCH 19/36] import-to-ida: use existing result document json parser

---
 scripts/import-to-ida.py | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py
index fd762f58..8b9b3471 100644
--- a/scripts/import-to-ida.py
+++ b/scripts/import-to-ida.py
@@ -29,13 +29,16 @@ Unless required by applicable law or agreed to in writing, software distributed
 See the License for the specific language governing permissions and limitations under the License.
 """
 import binascii
-import json
 import logging
 
 import ida_nalt
 import ida_funcs
 import ida_kernwin
 
+import capa.rules
+import capa.features.freeze
+import capa.render.result_document
+
 logger = logging.getLogger("capa")
 
 
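Review bot: The rewritten loop unpacks `rule["matches"]` as `[address, match]` pairs and silently `continue`s past every non-absolute address, so a report whose matches carry only non-absolute addresses ends with an empty `rows` and no explanation, and an older report where `matches` is still keyed by address string fails with a bare unpacking ValueError rather than a clear message. A `logger.debug("skipping non-absolute match at %s for %s", address, name)` before the `continue` would make the first case visible, and if the report metadata carries a format version (not visible here), checking it where `meta` is validated earlier in main() would give the second case a proper error. `match` is unused in the loop body and could be `_`. main() begins and ends outside this hunk.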
@@ -65,40 +68,37 @@ def main():
 if not path:
 return 0
 
- with open(path, "rb") as f:
- doc = json.loads(f.read().decode("utf-8"))
-
- if "meta" not in doc or "rules" not in doc:
- logger.error("doesn't appear to be a capa report")
- return -1
+ result_doc = capa.render.result_document.ResultDocument.parse_file(path)
+ meta, capabilities = result_doc.to_capa()
 
 # in IDA 7.4, the MD5 hash may be truncated, for example:
 # wanted: 84882c9d43e23d63b82004fae74ebb61
 # found: b'84882C9D43E23D63B82004FAE74EBB6\x00'
 #
 # see: https://github.com/idapython/bin/issues/11
- a = doc["meta"]["sample"]["md5"].lower()
+ a = meta["sample"]["md5"].lower()
 b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower()
 if not a.startswith(b):
 logger.error("sample mismatch")
 return -2
 
 rows = []
- for rule in doc["rules"].values():
- if rule["meta"].get("lib"):
+ for name in capabilities.keys():
+ rule = result_doc.rules[name]
+ if rule.meta.lib:
 continue
- if rule["meta"].get("capa/subscope"):
+ if rule.meta.is_subscope_rule:
 continue
- if rule["meta"]["scope"] != "function":
+ if rule.meta.scope != capa.rules.Scope.FUNCTION:
 continue
 
- name = rule["meta"]["name"]
- ns = rule["meta"].get("namespace", "")
- for address, match in rule["matches"]:
- if address["type"] != "absolute":
+ ns = rule.meta.namespace
+
+ for address, _ in rule.matches:
+ if address.type != capa.features.freeze.AddressType.ABSOLUTE:
 continue
 
- va = address["value"]
+ va = address.value
 rows.append((ns, name, va))
 
 # order by (namespace, name) so that like things show up together

From 694143ce6bf31eca8669c05ef51262d29a97aad3 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:24:37 +0200
Subject: [PATCH 20/36] import-to-ida: use Metadata type not json document

---
 scripts/import-to-ida.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py
index 8b9b3471..42c56445 100644
--- a/scripts/import-to-ida.py
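Review bot: Replacing the hand-rolled JSON check with `ResultDocument.parse_file(path)` drops the `"doesn't appear to be a capa report"` branch: a file that is not a capa report, or one in another format version, now raises a pydantic validation error straight out of the IDA script instead of the logged error and `return -1` the removed lines provided. Because pydantic's ValidationError (and json's decode error) subclass ValueError, the old contract can be restored without new imports, as sketched below, and the `-1` return stays distinct from the `-2` sample-mismatch return so a caller can tell the two apart. main() starts and ends outside this hunk.
```python
    try:
        result_doc = capa.render.result_document.ResultDocument.parse_file(path)
    except ValueError:  # pydantic ValidationError is a ValueError subclass
        logger.error("doesn't appear to be a capa report")
        return -1
    meta, capabilities = result_doc.to_capa()
    # … unchanged: MD5 comparison and row collection …
```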
+++ b/scripts/import-to-ida.py
@@ -28,8 +28,8 @@ Unless required by applicable law or agreed to in writing, software distributed
 is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and limitations under the License.
 """
-import binascii
 import logging
+import binascii
 
 import ida_nalt
 import ida_funcs
@@ -76,7 +76,7 @@ def main():
 # found: b'84882C9D43E23D63B82004FAE74EBB6\x00'
 #
 # see: https://github.com/idapython/bin/issues/11
- a = meta["sample"]["md5"].lower()
+ a = meta.sample.md5.lower()
 b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower()
 if not a.startswith(b):
 logger.error("sample mismatch")

From bf5b2612c89acfe6ae5923a610cf1bc9c1a3851b Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:27:20 +0200
Subject: [PATCH 21/36] changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9334beea..23294012 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,7 @@
 - Add logging and print redirect to tqdm for capa main [#749](https://github.com/mandiant/capa/issues/749) [@Aayush-Goel-04](https://github.com/aayush-goel-04)
 - extractor: fix binja installation path detection does not work with Python 3.11
 - tests: refine the IDA test runner script #1513 @williballenthin
+- import-to-ida: fix bug introduced with JSON report changes in v5 #1584 @williballenthin
 
 ### capa explorer IDA Pro plugin
 

From 5d1e26a95e477ab125743d3fd28134b3a249a42a Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:34:41 +0200
Subject: [PATCH 22/36] update minimum supported python version to 3.8

---
 .github/workflows/publish.yml | 2 +-
 .github/workflows/tests.yml | 4 ++--
 CHANGELOG.md | 1 +
 capa/helpers.py | 2 +-
 capa/ida/plugin/README.md | 4 ++--
 capa/main.py | 4 ++--
 setup.py | 2 +-
 7 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 520e0894..002a7095 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,7 +15,7 @@ jobs:
 - name: Set up Python
 uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
 with:
- python-version: '3.7'
+ python-version: '3.8'
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 64475f65..b6db661b 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -69,7 +69,7 @@ jobs:
 matrix:
 os: [ubuntu-20.04, windows-2019, macos-11]
 # across all operating systems
- python-version: ["3.7", "3.11"]
+ python-version: ["3.8", "3.11"]
 include:
 # on Ubuntu run these as well
 - os: ubuntu-20.04
@@ -104,7 +104,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- python-version: ["3.7", "3.11"]
+ python-version: ["3.8", "3.11"]
 steps:
 - name: Checkout capa with submodules
 # do only run if BN_SERIAL is available, have to do this in every step, see https://github.com/orgs/community/discussions/26726#discussioncomment-3253118
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9334beea..a001f47f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 
 ### Breaking Changes
 - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat
+- Python 3.8 is now the minimum supported Python version #1578 @williballenthin
 
 ### New Rules (21)
 
diff --git a/capa/helpers.py b/capa/helpers.py
index c03e0553..38bd2d56 100644
--- a/capa/helpers.py
+++ b/capa/helpers.py
@@ -155,7 +155,7 @@ def log_unsupported_runtime_error(): logger.error("-" * 80) logger.error(" Unsupported runtime or Python interpreter.") logger.error(" ") - logger.error(" capa supports running under Python 3.7 and higher.") + logger.error(" capa supports running under Python 3.8 and higher.") logger.error(" ") logger.error( " If you're seeing this message on the command line, please ensure you're running a supported Python version." diff --git a/capa/ida/plugin/README.md b/capa/ida/plugin/README.md index 6dd07002..4bf3616c 100644 --- a/capa/ida/plugin/README.md +++ b/capa/ida/plugin/README.md @@ -95,7 +95,7 @@ can update using the `Settings` button. ### Requirements -capa explorer supports Python versions >= 3.7.x and IDA Pro versions >= 7.4. The following IDA Pro versions have been tested: +capa explorer supports Python versions >= 3.8.x and IDA Pro versions >= 7.4. The following IDA Pro versions have been tested: * IDA 7.4 * IDA 7.5 @@ -105,7 +105,7 @@ capa explorer supports Python versions >= 3.7.x and IDA Pro versions >= 7.4. The * IDA 8.1 * IDA 8.2 -capa explorer is however limited to the Python versions supported by your IDA installation (which may not include all Python versions >= 3.7.x). +capa explorer is however limited to the Python versions supported by your IDA installation (which may not include all Python versions >= 3.8.x). If you encounter issues with your specific setup, please open a new [Issue](https://github.com/mandiant/capa/issues). diff --git a/capa/main.py b/capa/main.py index bdf0cec3..64b0509b 100644 --- a/capa/main.py +++ b/capa/main.py @@ -1072,8 +1072,8 @@ def handle_common_args(args): def main(argv=None): - if sys.version_info < (3, 7): - raise UnsupportedRuntimeError("This version of capa can only be used with Python 3.7+") + if sys.version_info < (3, 8): + raise UnsupportedRuntimeError("This version of capa can only be used with Python 3.8+") if argv is None: argv = sys.argv[1:] 
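Review bot: The minimum version now appears as a literal in three places touched by this commit — the `(3, 8)` tuple and the "Python 3.8+" message in main(), the "Python 3.8 and higher" text in log_unsupported_runtime_error() in capa/helpers.py, and `python_requires=">=3.8"` in setup.py — so the next bump has to find all of them again. A single module-level constant, e.g. `MIN_PYTHON = (3, 8)` used as `if sys.version_info < MIN_PYTHON:` with the message built from it, would keep the runtime check and the user-facing text from drifting apart. main() continues outside the hunk.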
diff --git a/setup.py b/setup.py index 4a67c68c..52ad0a43 100644 --- a/setup.py +++ b/setup.py @@ -107,5 +107,5 @@ setuptools.setup( "Programming Language :: Python :: 3", "Topic :: Security", ], - python_requires=">=3.7", + python_requires=">=3.8", ) From dd2d5431a916e21eae99ea3d65cbfee0c449f77f Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:44:12 +0200 Subject: [PATCH 23/36] setup: bump networkx to 3.1 since we now have python 3.8 as min version --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 52ad0a43..85ce8ec0 100644 --- a/setup.py +++ b/setup.py @@ -20,7 +20,7 @@ requirements = [ "ida-settings==2.1.0", "viv-utils[flirt]==0.7.9", "halo==0.0.31", - "networkx==2.5.1", # newer versions no longer support py3.7. + "networkx==3.1", "ruamel.yaml==0.17.32", "vivisect==1.1.1", "pefile==2023.2.7", From 6a767600338a567ffcfc719c46b98e5fc51f0889 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:55:32 +0200 Subject: [PATCH 24/36] render: use fancy boxes closes #1586 --- capa/render/default.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/capa/render/default.py b/capa/render/default.py index 76659252..1bf1cf6d 100644 --- a/capa/render/default.py +++ b/capa/render/default.py @@ -40,7 +40,7 @@ def render_meta(doc: rd.ResultDocument, ostream: StringIO): ("path", doc.meta.sample.path), ] - ostream.write(tabulate.tabulate(rows, tablefmt="psql")) + ostream.write(tabulate.tabulate(rows, tablefmt="mixed_outline")) ostream.write("\n") @@ -102,7 +102,7 @@ def render_capabilities(doc: rd.ResultDocument, ostream: StringIO): if rows: ostream.write( - tabulate.tabulate(rows, headers=[width("CAPABILITY", 50), width("NAMESPACE", 50)], tablefmt="psql") + tabulate.tabulate(rows, headers=[width("Capability", 50), width("Namespace", 50)], tablefmt="mixed_outline") ) ostream.write("\n") else: 
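Review bot: render_meta() and render_capabilities() switch to `tablefmt="mixed_outline"` while render_attack() and render_mbc() in the following hunks switch to `tablefmt="mixed_grid"`; if the difference (row separators only for the ATT&CK and MBC tables) is intended, a short comment at the first use would save the next reader a trip to the tabulate docs, e.g. `# mixed_grid draws a separator between rows; the shorter tables use mixed_outline`. Both formats emit non-ASCII box-drawing characters, so the rendered text now requires a UTF-8-capable output stream; the `reconfigure(encoding="utf-8")` added in [PATCH 27/36] covers the usual stdout case, but output captured through a replaced stream without `reconfigure` can presumably still fail with UnicodeEncodeError on a legacy code page, which is worth a note near these calls. The render functions start outside the hunks.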
@@ -148,7 +148,7 @@ def render_attack(doc: rd.ResultDocument, ostream: StringIO): if rows: ostream.write( tabulate.tabulate( - rows, headers=[width("ATT&CK Tactic", 20), width("ATT&CK Technique", 80)], tablefmt="psql" + rows, headers=[width("ATT&CK Tactic", 20), width("ATT&CK Technique", 80)], tablefmt="mixed_grid" ) ) ostream.write("\n") @@ -190,7 +190,7 @@ def render_mbc(doc: rd.ResultDocument, ostream: StringIO): if rows: ostream.write( - tabulate.tabulate(rows, headers=[width("MBC Objective", 25), width("MBC Behavior", 75)], tablefmt="psql") + tabulate.tabulate(rows, headers=[width("MBC Objective", 25), width("MBC Behavior", 75)], tablefmt="mixed_grid") ) ostream.write("\n") From 2b6cc6fee2dfe7034a39a89d9f881abb4574f5ab Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 18:57:37 +0200 Subject: [PATCH 25/36] changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9334beea..ebc389e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ ### New Features - Utility script to detect feature overlap between new and existing CAPA rules [#1451](https://github.com/mandiant/capa/issues/1451) [@Aayush-Goel-04](https://github.com/aayush-goel-04) +- use fancy box drawing characters for default output #1586 @williballenthin ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat From 23ed0a5d9ddf88421e79c10a3928ed342afab30e Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:06:33 +0200 Subject: [PATCH 26/36] main: don't leave behind traces of the progress bar --- CHANGELOG.md | 1 + capa/main.py | 2 +- scripts/lint.py | 2 +- scripts/profile-time.py | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9334beea..8ef51d71 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -46,6 +46,7 @@ - Add logging and print redirect to tqdm for capa main [#749](https://github.com/mandiant/capa/issues/749) [@Aayush-Goel-04](https://github.com/aayush-goel-04) - extractor: fix binja installation path detection does not work with Python 3.11 - tests: refine the IDA test runner script #1513 @williballenthin +- output: don't leave behind traces of progress bar @williballenthin ### capa explorer IDA Pro plugin diff --git a/capa/main.py b/capa/main.py index bdf0cec3..af52b82d 100644 --- a/capa/main.py +++ b/capa/main.py @@ -262,7 +262,7 @@ def find_capabilities(ruleset: RuleSet, extractor: FeatureExtractor, disable_pro functions = list(extractor.get_functions()) n_funcs = len(functions) - pb = pbar(functions, desc="matching", unit=" functions", postfix="skipped 0 library functions") + pb = pbar(functions, desc="matching", unit=" functions", postfix="skipped 0 library functions", leave=False) for f in pb: if extractor.is_library_function(f.address): function_name = extractor.get_function_name(f.address) diff --git a/scripts/lint.py b/scripts/lint.py index a80d3e12..8348cdea 100644 --- a/scripts/lint.py +++ b/scripts/lint.py @@ -873,7 +873,7 @@ def lint(ctx: Context): ret = {} source_rules = [rule for rule in ctx.rules.rules.values() if not rule.is_subscope_rule()] - with tqdm.contrib.logging.tqdm_logging_redirect(source_rules, unit="rule") as pbar: + with tqdm.contrib.logging.tqdm_logging_redirect(source_rules, unit="rule", leave=False) as pbar: with capa.helpers.redirecting_print_to_tqdm(False): for rule in pbar: name = rule.name diff --git a/scripts/profile-time.py b/scripts/profile-time.py index 09d125d8..7ce28962 100644 --- a/scripts/profile-time.py +++ b/scripts/profile-time.py 
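Review bot: With `leave=False` the progress bar's postfix `skipped N library functions` is erased together with the bar once matching finishes, so if the loop updates that postfix with a running counter (only the initial value is visible here) the count is no longer surfaced anywhere. Emitting it once after the loop, e.g. `logger.debug("skipped %d library functions", n_libs)`, would preserve the information without leaving bar residue; the same consideration does not apply to the lint.py bar in the next hunk, which has no postfix. find_capabilities() starts and ends outside the hunk.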
@@ -109,7 +109,7 @@ def main(argv=None): args.sample, args.format, args.os, capa.main.BACKEND_VIV, sig_paths, should_save_workspace=False ) - with tqdm.tqdm(total=args.number * args.repeat) as pbar: + with tqdm.tqdm(total=args.number * args.repeat, leave=False) as pbar: def do_iteration(): capa.perf.reset() From 9bcd7678a43210fc76485c7177ecb122ba1730d6 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:14:15 +0200 Subject: [PATCH 27/36] main: fix console output on windows (in CI) --- capa/main.py | 16 ++++++++++++++++ setup.py | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/capa/main.py b/capa/main.py index bdf0cec3..b8730326 100644 --- a/capa/main.py +++ b/capa/main.py @@ -8,6 +8,7 @@ Unless required by applicable law or agreed to in writing, software distributed is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. """ +import io import os import sys import time @@ -997,6 +998,21 @@ def handle_common_args(args): codecs.register(lambda name: codecs.lookup("utf-8") if name == "cp65001" else None) + if isinstance(sys.stdout, io.TextIOWrapper) or hasattr(sys.stdout, "reconfigure"): + # from sys.stdout type hint: + # + # TextIO is used instead of more specific types for the standard streams, + # since they are often monkeypatched at runtime. At startup, the objects + # are initialized to instances of TextIOWrapper. + # + # To use methods from TextIOWrapper, use an isinstance check to ensure that + # the streams have not been overridden: + # + # if isinstance(sys.stdout, io.TextIOWrapper): + # sys.stdout.reconfigure(...) + sys.stdout.reconfigure(encoding="utf-8") + colorama.just_fix_windows_console() + if args.color == "always": colorama.init(strip=False) elif args.color == "auto": diff --git a/setup.py b/setup.py index 4a67c68c..f68e64d9 100644 --- a/setup.py +++ b/setup.py 
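Review bot: `colorama.just_fix_windows_console()` is indented inside the `isinstance(sys.stdout, io.TextIOWrapper) or hasattr(sys.stdout, "reconfigure")` branch, so on a stdout that was replaced by a stream without `reconfigure` the Windows console fix is skipped too, although it does not depend on that method; dedenting it one level so it runs unconditionally matches what the commit title promises. The `or hasattr(...)` arm also contradicts the guidance quoted in the comment above it: a monkeypatched stream may expose `reconfigure` without accepting `encoding=`, so either drop the arm or guard the call with `try/except TypeError`. Only `sys.stdout` is reconfigured; logging handlers write to `sys.stderr` by default, so presumably log lines containing non-ASCII text can still raise UnicodeEncodeError on the same console and `sys.stderr` deserves the same treatment. handle_common_args() starts and ends outside the hunk.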
@@ -14,7 +14,7 @@ requirements = [ "tqdm==4.65.0", "pyyaml==6.0", "tabulate==0.9.0", - "colorama==0.4.5", + "colorama==0.4.6", "termcolor==2.3.0", "wcwidth==0.2.6", "ida-settings==2.1.0", From ba8040ace5b538168cb17e1e070dbc4b4cd108ba Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:15:33 +0200 Subject: [PATCH 28/36] main: remove old codec registration for py3.7 --- capa/main.py | 7 ------- 1 file changed, 7 deletions(-) diff --git a/capa/main.py b/capa/main.py index 64b0509b..e2470d19 100644 --- a/capa/main.py +++ b/capa/main.py @@ -990,13 +990,6 @@ def handle_common_args(args): # disable vivisect-related logging, it's verbose and not relevant for capa users set_vivisect_log_level(logging.CRITICAL) - # Since Python 3.8 cp65001 is an alias to utf_8, but not for Python < 3.8 - # TODO: remove this code when only supporting Python 3.8+ - # https://stackoverflow.com/a/3259271/87207 - import codecs - - codecs.register(lambda name: codecs.lookup("utf-8") if name == "cp65001" else None) - if args.color == "always": colorama.init(strip=False) elif args.color == "auto": From b5a063b0d982be78d337cb819b59787d0c369c8c Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:19:26 +0200 Subject: [PATCH 29/36] pep8 --- capa/render/default.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/capa/render/default.py b/capa/render/default.py index 1bf1cf6d..15e2a5e8 100644 --- a/capa/render/default.py +++ b/capa/render/default.py @@ -190,7 +190,9 @@ def render_mbc(doc: rd.ResultDocument, ostream: StringIO): if rows: ostream.write( - tabulate.tabulate(rows, headers=[width("MBC Objective", 25), width("MBC Behavior", 75)], tablefmt="mixed_grid") + tabulate.tabulate( + rows, headers=[width("MBC Objective", 25), width("MBC Behavior", 75)], tablefmt="mixed_grid" + ) ) ostream.write("\n") From 2e27745b5f481952ff1aa7b8654adf6683d74942 Mon Sep 17 00:00:00 2001 
From: Willi Ballenthin Date: Wed, 5 Jul 2023 19:30:55 +0200 Subject: [PATCH 30/36] setup: bump mypy hints for colorama --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index f68e64d9..872c277c 100644 --- a/setup.py +++ b/setup.py @@ -84,7 +84,7 @@ setuptools.setup( "mypy-protobuf==3.4.0", # type stubs for mypy "types-backports==0.1.3", - "types-colorama==0.4.15", + "types-colorama==0.4.15.11", "types-PyYAML==6.0.8", "types-tabulate==0.9.0.1", "types-termcolor==1.1.4", From 49ffbdd54d7d331dea3dc259f964d08cb86e0248 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Thu, 6 Jul 2023 08:04:33 +0000 Subject: [PATCH 31/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index 76810b63..c2c61f05 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit 76810b63f8bdf829d9b36133e961ea6c14967e8a +Subproject commit c2c61f05fbd8a7c3a6d5283dd05289507e0cbc2e From b57188e98c94b90b2b9ce47d3081fb8fd6870dc9 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Thu, 6 Jul 2023 08:17:32 +0000 Subject: [PATCH 32/36] Sync capa rules submodule --- CHANGELOG.md | 3 ++- README.md | 2 +- rules | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e78e731..9334beea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ ### Breaking Changes - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat -### New Rules (20) +### New Rules (21) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com 
@@ -30,6 +30,7 @@ - persistence/office/act-as-office-com-add-in jakub.jozwiak@mandiant.com - persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com - anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com +- host-interaction/memory/create-new-application-domain-in-dotnet jakub.jozwiak@mandiant.com - ### Bug Fixes diff --git a/README.md b/README.md index 2458b9b5..cd748a5d 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-808-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-809-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index 76eccb54..f109d758 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 76eccb548b502f83522d885c93256bfcd91ccc79 +Subproject commit f109d758ced8235892da97a5cfe31bcd6b09a4fa From 46ff798faed8feabb1722624266751442fc33be0 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Thu, 6 Jul 2023 09:26:23 +0000 Subject: [PATCH 33/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index c2c61f05..bc0c0fe2 160000 --- a/tests/data +++ b/tests/data 
@@ -1 +1 @@ -Subproject commit c2c61f05fbd8a7c3a6d5283dd05289507e0cbc2e +Subproject commit bc0c0fe29a445be7da2a45c40e59cb9ad14651ec From 5bc85f39a6676c7b9e68804fceae3b9815807818 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Fri, 7 Jul 2023 06:26:34 +0000 Subject: [PATCH 34/36] Sync capa rules submodule --- CHANGELOG.md | 3 ++- README.md | 2 +- rules | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e5edae74..f461f392 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat - Python 3.8 is now the minimum supported Python version #1578 @williballenthin -### New Rules (21) +### New Rules (22) - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com @@ -33,6 +33,7 @@ - persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com - anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com - host-interaction/memory/create-new-application-domain-in-dotnet jakub.jozwiak@mandiant.com +- host-interaction/gui/switch-active-desktop jakub.jozwiak@mandiant.com - ### Bug Fixes diff --git a/README.md b/README.md index cd748a5d..723671a4 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa) [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases) -[![Number of rules](https://img.shields.io/badge/rules-809-blue.svg)](https://github.com/mandiant/capa-rules) +[![Number of rules](https://img.shields.io/badge/rules-810-blue.svg)](https://github.com/mandiant/capa-rules) [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster) [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) diff --git a/rules b/rules index f109d758..a2989e6b 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit f109d758ced8235892da97a5cfe31bcd6b09a4fa +Subproject commit a2989e6ba5e145617d2aa3a23d365bff6f752284 From b8f277b3c6c5634f4caaaa3b1068222478e862f6 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Fri, 7 Jul 2023 06:26:53 +0000 Subject: [PATCH 35/36] Sync capa-testfiles submodule --- tests/data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data b/tests/data index bc0c0fe2..8ff7e34c 160000 --- a/tests/data +++ b/tests/data @@ -1 +1 @@ -Subproject commit bc0c0fe29a445be7da2a45c40e59cb9ad14651ec +Subproject commit 8ff7e34ce00bad26b3199d49f14d260f17da2d48 From 4a2902512ee2ffe6ddeb2ec4136b090f3a9aeb00 Mon Sep 17 00:00:00 2001 From: Moritz Date: Fri, 7 Jul 2023 14:01:50 +0200 Subject: [PATCH 36/36] Update test_binja_features.py (#1595) temporarily skip stack string test, while we wait for #1473 --- tests/test_binja_features.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/test_binja_features.py b/tests/test_binja_features.py index 04c8a49e..2e9e6697 100644 --- a/tests/test_binja_features.py 
+++ b/tests/test_binja_features.py @@ -37,6 +37,8 @@ except ImportError: indirect=["sample", "scope"], ) def test_binja_features(sample, scope, feature, expected): + if feature == capa.features.common.Characteristic("stack string"): + pytest.xfail("skip failing Binja stack string detection temporarily, see #1473") fixtures.do_test_feature_presence(fixtures.get_binja_extractor, sample, scope, feature, expected)