Ana María Martínez Gómez

Results: 142 issues involving Ana María Martínez Gómez

## Rule name `padded` ## Summary Detect files which contain padding with extraneous data such as zeros or random bytes. Sometimes used to evade antivirus engines that will not scan...

rule idea
FLARE-TODO
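As an added illustration of the `padded` idea above (this is example code, not part of capa or the capa-rules project, and not a capa rule), the following Python parses just enough of a PE header to find where the last section's raw data ends and then characterises whatever bytes follow it: a near-all-zero tail points at zero padding, a tail with entropy close to 8 bits per byte at random padding. The `build_fake_pe` helper, the 4096-byte minimum overlay and the 0.95 / 7.0 thresholds are assumptions chosen for the demonstration; the PE-shaped sample it builds is constructed inline.

```python
"""Classify trailing padding (a PE overlay) as zeros, random bytes or other.

Added example for the `padded` rule idea. Not capa code and not a capa rule.
Thresholds (min_bytes, 0.95 zero fraction, 7.0 bits entropy) are assumptions.
"""
import math
import random
import struct
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def end_of_pe_sections(pe: bytes) -> Optional[int]:
    """File offset where the last section's raw data ends, or None if not a PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_table = coff + 20 + opt_size                    # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):
        off = sect_table + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end or None


def classify_padding(pe: bytes, min_bytes: int = 4096) -> Optional[dict]:
    """Return a description of the overlay, or None when there is no sizeable overlay.

    Caveat: a legitimate overlay (Authenticode signature, installer payload) also
    lands here and is reported as "other", so this is a hint, not a verdict.
    """
    end = end_of_pe_sections(pe)
    if end is None or len(pe) - end < min_bytes:
        return None
    overlay = pe[end:]
    zero_fraction = overlay.count(0) / len(overlay)
    entropy = shannon_entropy(overlay)
    if zero_fraction > 0.95:
        kind = "zeros"
    elif entropy > 7.0:
        kind = "random"
    else:
        kind = "other"
    return {"offset": end, "size": len(overlay), "kind": kind, "entropy": round(entropy, 2)}


def build_fake_pe(section_data: bytes) -> bytes:
    """Constructed minimal PE-shaped blob (assumption: one section, raw data at 0x200)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # 1 section, no optional header
    raw_ptr = 0x200
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + section
    return header.ljust(raw_ptr, b"\0") + section_data


if __name__ == "__main__":
    clean = build_fake_pe(b"\x55\x8b\xec" * 100)
    print("clean:", classify_padding(clean))
    print("zeros:", classify_padding(clean + b"\0" * 100_000))
    print("random:", classify_padding(clean + random.Random(1).randbytes(100_000)))
```

Run on a real sample by replacing the constructed blob with the file's bytes; the `offset` field tells you where the padding starts, which is also where a size-limited scanner stops caring about the file.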

Write rules to detect the ability to capture or mine credentials stored, cached, or used by the browser (Chrome, Opera, Firefox, Internet Explorer). ## Possible test samples Publicly available samples...

rule idea
FLARE-TODO

## Summary Modify and add new rules to `anti-analysis/anti-vm/vm-detection` to detect sandbox detection/evasion, focusing on techniques used to detect/evade Cuckoo. ## Possible test samples Publicly available samples that may contain...

rule idea
FLARE-TODO

## Rule name `packed with Zutto Dekiru` ## Summary Contain Zutto Dekiru encoded content. Zutto Dekiru is an XOR-based encoder commonly seen used for shellcode. ## Possible test samples Publicly...

rule idea
FLARE-TODO

## Rule name `communicate via Twitter` ## Summary Use legitimate Twitter service or web site as part of the binary's command and control (C2) communications. ## Possible test samples Publicly...

rule idea
FLARE-TODO

## Rule name `encode data using JSON` ## Summary Encode data using JavaScript Object Notation (JSON). ## Possible test samples Publicly available samples that may contain the capability this rule...

rule idea
FLARE-TODO

https://github.com/fireeye/capa-rules/issues/289 shows that we may need to be more strict in PRs to avoid introducing offenses in the nursery rules. Currently `lint.py` allows any kind of warnings for files in...

enhancement

@mike-hunhoff > Example: `b7841b9d5dc1f511a93cc7576672ec0c:0x1000ebc8` > > Example resolves API calls and won't hit with capa. > > May just want to generalize this rule for general collect > > Windows...

good first issue
rule idea
migrated-rule

@mike-hunhoff > Example: `b7841b9d5dc1f511a93cc7576672ec0c:1000f0e0` > > Windows API: > - `ntdll::RtlGetNtVersionNumbers` @mr-tz > dynamically resolved in referenced sample, so not a test candidate > ``` > .text:1000F0F5 68 0C 50...

good first issue
rule idea
migrated-rule

@williballenthin > ![image](https://ghe.eng.fireeye.com/storage/user/969/files/811aad00-b377-11e9-99ca-c9577ae68959) > > > http://struppigel.blogspot.com/2017/07/process-injection-info-graphic.html @mr-tz > https://www.blackhat.com/us-19/briefings/schedule/#process-injection-techniques---gotta-catch-them-all-16010 @mike-hunhoff > More techniques described here: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process.

rule idea
migrated-rule