
develop script to highlight the features that are not used during matching

Open williballenthin opened this issue 3 years ago • 0 comments

to bring light to capabilities for which we do not yet have rules, we should develop a script that highlights the features that have been extracted by capa and yet not used by any rule. these entries might be sorted (and maybe reversed) based on their frequency. for example:

$ python scripts/show-unused-features.py /tmp/suspicious.dll_

count  feature
-----  -------
1      api: ClearEventLog
1      api: RtlPushFrame
...    ...
1145   mnemonic: push

a rule author could review these features and decide "hey, we need to cover event log clearing!" and use this output as inspiration.

williballenthin, Sep 30 '20 20:09
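The coverage-gap logic the issue sketches, as an added example that is not capa's own script: it takes a list of extracted features (one entry per occurrence), subtracts every feature that some rule references, and prints the survivors as a frequency table in the layout shown above. Features are modelled as simple (type, value) pairs and both the extracted features and the rule set are constructed sample data, not output from capa or rules from the capa-rules repository; the names `EXTRACTED_FEATURES`, `RULE_FEATURES`, `unused_features` and `format_table` are this example's own.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# A feature is modelled as a (type, value) pair, e.g. ("api", "ClearEventLog").
Feature = Tuple[str, str]

# Constructed sample: features as an extractor might emit them for one file.
# Each occurrence is one entry, so repeats encode how often a feature was seen.
EXTRACTED_FEATURES: List[Feature] = (
    [("api", "ClearEventLog"), ("api", "RtlPushFrame"), ("api", "CreateFileW"),
     ("string", "SeDebugPrivilege"), ("number", "0x80000000")]
    + [("mnemonic", "push")] * 7
    + [("mnemonic", "mov")] * 5
    + [("api", "CreateFileW")]
)

# Constructed sample: a hypothetical rule set, keyed by rule name, listing the
# features each rule references. Anything not in here is "not yet covered".
RULE_FEATURES: Dict[str, List[Feature]] = {
    "create or open file": [("api", "CreateFileW"), ("api", "CreateFileA")],
    "enable debug privilege": [("string", "SeDebugPrivilege"),
                               ("api", "AdjustTokenPrivileges")],
}


def features_used_by_rules(rules: Dict[str, Iterable[Feature]]) -> Set[Feature]:
    """Union of every feature referenced by any rule."""
    used: Set[Feature] = set()
    for feats in rules.values():
        used.update(feats)
    return used


def unused_features(extracted: Iterable[Feature],
                    rules: Dict[str, Iterable[Feature]],
                    reverse: bool = False) -> List[Tuple[int, Feature]]:
    """Return (count, feature) rows for extracted features no rule references.

    Rows are sorted by frequency, then by feature, so rare features (often the
    most interesting API calls) come first; pass reverse=True for the opposite.
    """
    counts = Counter(extracted)
    used = features_used_by_rules(rules)
    rows = [(count, feat) for feat, count in counts.items() if feat not in used]
    rows.sort(key=lambda row: (row[0], row[1]), reverse=reverse)
    return rows


def format_table(rows: List[Tuple[int, Feature]]) -> str:
    """Render rows in the 'count  feature' layout proposed in the issue."""
    lines = ["count  feature", "-----  -------"]
    for count, (ftype, value) in rows:
        lines.append(f"{count:<5}  {ftype}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(unused_features(EXTRACTED_FEATURES, RULE_FEATURES)))
```

With the sample data, `CreateFileW` and `SeDebugPrivilege` drop out because rules reference them, and the table lists the five remaining features from the rare `api` entries up to the frequent `mnemonic: push`. Plugging real data in means replacing the two constants with features produced by an extractor and the feature sets parsed from the rule files; the set-difference and counting logic stays the same.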