Cortex-Analyzers
Cortex-Analyzers copied to clipboard
TheHive-Project
New Analyzer: Fireeye Capa (WIP)
I've started working on an analyzer for capa from Fireeye. Will submit PR soon.
From https://github.com/fireeye/capa:
capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
We tested it this week.. it's actually missing a safe/malicious indicator that is necessary for the taxonomy that was available in the past but is broken right now..
we can keep this open and start to code. Even without safe/malicious this have a lot of interesting information imho.
@dadokkio Thoughts on this?
https://github.com/fireeye/capa/issues/50
Assuming we should wait until it's fully supported for Python 3?
That's bad, unfortunately at the moment we tested only the executable on windows and the python3 port seems will take a lot of time. A possibility is to run the linux executable with subprocess until the library will be update and then parse the tabular output, I've just tested it locally and it works fine. Let me know if you need any help.
I've created a little executable output parser here https://gist.github.com/dadokkio/32f0791f3572122ef3d7924ab315babb if you want to use it as example.
The output is something like:
{'ATT&CK Tactic_ATT&CK Technique': [{'ATT&CK Tactic': 'DEFENSE EVASION',
'ATT&CK Technique': 'Process Injection '
'[T1055]'},
{'ATT&CK Tactic': 'DEFENSE EVASION',
'ATT&CK Technique': 'Virtualization/Sandbox '
'Evasion::System '
'Checks [T1497.001]'},
{'ATT&CK Tactic': 'DISCOVERY',
'ATT&CK Technique': 'Application Window '
'Discovery [T1010]'},
{'ATT&CK Tactic': 'DISCOVERY',
'ATT&CK Technique': 'Process Discovery '
'[T1057]'},
{'ATT&CK Tactic': 'DISCOVERY',
'ATT&CK Technique': 'Query Registry '
'[T1012]'},
{'ATT&CK Tactic': 'DISCOVERY',
'ATT&CK Technique': 'System Information '
'Discovery [T1082]'},
{'ATT&CK Tactic': 'DISCOVERY',
'ATT&CK Technique': 'System Network '
'Configuration '
'Discovery [T1016]'},
{'ATT&CK Tactic': 'DISCOVERY',
'ATT&CK Technique': 'System Owner/User '
'Discovery [T1033]'},
{'ATT&CK Tactic': 'EXECUTION',
'ATT&CK Technique': 'Shared Modules '
'[T1129]'}],
'CAPABILITY_NAMESPACE': [{'CAPABILITY': 'check for OutputDebugString error',
'NAMESPACE': 'anti-analysis/anti-debugging/debugger-detection'},
{'CAPABILITY': 'check for time delay via '
'GetTickCount',
'NAMESPACE': 'anti-analysis/anti-debugging/debugger-detection'},
{'CAPABILITY': 'execute anti-debugging instructions '
'(2 matches)',
'NAMESPACE': 'anti-analysis/anti-debugging/debugger-detection'},
{'CAPABILITY': 'execute anti-VM instructions (8 '
'matches)',
'NAMESPACE': 'anti-analysis/anti-vm/vm-detection'},
{'CAPABILITY': 'reference anti-VM strings',
'NAMESPACE': 'anti-analysis/anti-vm/vm-detection'},
{'CAPABILITY': 'contain a resource (.rsrc) section',
'NAMESPACE': 'executable/pe/section/rsrc'},
{'CAPABILITY': 'contain a thread local storage '
'(.tls) section',
'NAMESPACE': 'executable/pe/section/tls'},
{'CAPABILITY': 'interact with driver via control '
'codes',
'NAMESPACE': 'host-interaction/driver'},
{'CAPABILITY': 'write file',
'NAMESPACE': 'host-interaction/file-system/write'},
{'CAPABILITY': 'find graphical window',
'NAMESPACE': 'host-interaction/gui/window/find'},
{'CAPABILITY': 'get memory capacity',
'NAMESPACE': 'host-interaction/hardware/memory'},
{'CAPABILITY': 'get disk information (2 matches)',
'NAMESPACE': 'host-interaction/hardware/storage'},
{'CAPABILITY': 'print debug messages',
'NAMESPACE': 'host-interaction/log/debug/write-event'},
{'CAPABILITY': 'get local IPv4 addresses (2 matches)',
'NAMESPACE': 'host-interaction/network/address'},
{'CAPABILITY': 'resolve DNS',
'NAMESPACE': 'host-interaction/network/dns/resolve'},
{'CAPABILITY': 'get system information',
'NAMESPACE': 'host-interaction/os/info'},
{'CAPABILITY': 'get OS version',
'NAMESPACE': 'host-interaction/os/version'},
{'CAPABILITY': 'allocate RWX memory',
'NAMESPACE': 'host-interaction/process/inject'},
{'CAPABILITY': 'enumerate processes',
'NAMESPACE': 'host-interaction/process/list'},
{'CAPABILITY': 'terminate process',
'NAMESPACE': 'host-interaction/process/terminate'},
{'CAPABILITY': 'open registry key (2 matches)',
'NAMESPACE': 'host-interaction/registry/open'},
{'CAPABILITY': 'query registry entry',
'NAMESPACE': 'host-interaction/registry/query'},
{'CAPABILITY': 'query registry value',
'NAMESPACE': 'host-interaction/registry/query'},
{'CAPABILITY': 'get session user name',
'NAMESPACE': 'host-interaction/session'},
{'CAPABILITY': 'link function at runtime (7 matches)',
'NAMESPACE': 'linking/runtime-linking'}],
'md5': '9159edb64c4a21d8888d088bf2db23f3',
'path': 'pafish.exe'}
Awesome, thanks! I've thought about using an executable with another analyzer before, but wasn't sure if that would be acceptable. So, it would just be run from the analyzer directory (unless Dockerized) correct?
yes, it should be available on the docker image of the analyzer (maybe the path could be a settings) if you search for subprocess you should find other tools that runs in this way.
for the time being, we would (unfortunately) suggest that you run capa as a subprocess.
however, you should also consider using the -j command line option that emits a standardized json format. this is the document that drives all the output, so you should find everything you need in there. we consider this document format part of our public API, so you can rely on it not changing unless we bump the major version of capa.
if you want to sketch out integration with py3, then you can play with the branch in https://github.com/fireeye/capa/pull/234. however, we don't consider it supported yet, so i can't guarantee things won't change. should get you most of the way there.
please reach out if i can assist at all - would definitely like to help capa be used more widely.
Currently running into an issue w/ permissions and the file creation associated with the following: https://github.com/fireeye/capa/issues/244
Should be fixed very soon upstream, at which point, I'll finish the implementation of this analyzer.
@dadokkio what do you think of something like the following?
(Tactic -> Technique -> Capability -> Metadata (rule, examples))
@dadokkio , this is almost ready to PR, but was just curious about the best approach for including the Capa binary. I haven't contributed a Docker-based analyzer/responder yet, so any guidance would be appreciated there. Also need to finish up TheHive templates.
Probably @To-om has better answers. I think the option are: include the binary with your python code or add a Dockerfile that downloads the executables.
Hi @weslambert how is the development of this analyzer going? Do you need help with anything? I was thinking of developing one for cortex and found out its already beeing worked on here.
me too was looking for capa analyzer since the new capa version just released. Would like to hear any update about the analyzer development status @weslambert
@Passimist @m5050 This has been in my backlog, but given the interest, I'll see if I can re-test and get it wrapped up by the end of this week.
hi @weslambert, thanks for the reply! Will the analyzer use the new python 3 version of capa? Let me know if I can help you with this project.
@Passimist Correct, it is using the Python 3 version. I believe I just needed to adjust the format of the results/template(s) to get it finished up.
