community
Community modules for CAPE Sandbox
Sigs for detecting WriteProcessMemory to a remote process. Example from APT29 EnvyScout/ROOTSAW dropped GraphicalNeutrino (https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf) 
1. Disable FP and FN checks as agreed with @kevoreilly 2. Update or remove Yara strings that slow down scanning 3. Add constraints to unlimited greedy regex in Yara I...
Excluded the verification of IP addresses belonging to the MICROSOFT-CORP-MSN-AS-BLOCK to prevent triggering the signature unnecessarily when the machine is connected to the internet.
This file contains MSFT Public IP Address blocks for both IPv4 and IPv6. Source: https://www.microsoft.com/en-us/download/details.aspx?id=53602
PR created for https://github.com/kevoreilly/CAPEv2/issues/2086 suggested by @wasbt
In sysmon.py, I read this: ``` # First figure out what architecture the system in running (x64 or x86) bin_path = os.path.join(os.getcwd(), "bin") if "Windows" in platform.uname(): if "AMD64" in...
Initial signature for one behaviour that appears in some sideloading cases. For this to trigger either zip_compound needs to be used triggering the correct file that then sideloads the DLL...