Ana María Martínez Gómez
padded
## Rule name `padded`

## Summary

Detect files which contain padding with extraneous data such as zeros or random bytes. Sometimes used to evade antivirus engines that will not scan...

Write rules to detect the ability to capture or mine credentials stored, cached, or used by the browser (Chrome, Opera, Firefox, Internet Explorer).

## Possible test samples

Publicly available samples...
## Summary

Modify and add new rules to `anti-analysis/anti-vm/vm-detection` to detect sandbox detection/evasion, focusing on techniques used to detect/evade Cuckoo.

## Possible test samples

Publicly available samples that may contain...

## Rule name `packed with Zutto Dekiru`

## Summary

Contain Zutto Dekiru encoded content. Zutto Dekiru is an XOR-based encoder commonly seen used for shellcode.

## Possible test samples

Publicly...
## Rule name `communicate via Twitter`

## Summary

Use legitimate Twitter service or web site as part of the binary's command and control (C2) communications.

## Possible test samples

Publicly...

## Rule name `encode data using JSON`

## Summary

Encode data using JavaScript Object Notation (JSON).

## Possible test samples

Publicly available samples that may contain the capability this rule...
https://github.com/fireeye/capa-rules/issues/289 shows that we may need to be more strict in PRs to avoid introducing offenses in the nursery rules. Currently `lint.py` allows any kind of warnings for files in...
@mike-hunhoff
> Example: `b7841b9d5dc1f511a93cc7576672ec0c:0x1000ebc8`
>
> Example resolves API calls and won't hit with capa.
>
> May just want to generalize this rule for general collect
>
> Windows...

@mike-hunhoff
> Example: `b7841b9d5dc1f511a93cc7576672ec0c:1000f0e0`
>
> Windows API:
> - `ntdll::RtlGetNtVersionNumbers`

@mr-tz
> dynamically resolved in referenced sample, so not a test candidate
> ```
> .text:1000F0F5 68 0C 50...
> ```

@williballenthin
> ![image](https://ghe.eng.fireeye.com/storage/user/969/files/811aad00-b377-11e9-99ca-c9577ae68959)
>
> > http://struppigel.blogspot.com/2017/07/process-injection-info-graphic.html

@mr-tz
> https://www.blackhat.com/us-19/briefings/schedule/#process-injection-techniques---gotta-catch-them-all-16010

@mike-hunhoff
> More techniques described here: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process.