Mike Hunhoff
```yaml
- characteristic: invalid token
```
scope: (instruction, basic block,) call, function, file

often see this used as an anti-analysis technique aimed to break tooling

also: "invalid string"

```yaml
- characteristic: p/invoke
```
scope: (instruction, basic block,) call, function, file

> P/Invoke is a technology that allows you to access structs, callbacks, and functions in unmanaged libraries from...
> is it worth going through all the [method] flags and turning the relevant ones into characteristics? _Originally posted by @williballenthin in https://github.com/mandiant/capa/pull/958#discussion_r845239977_ ![Screen Shot 2022-04-07 at 12 13 47...
from my understanding a single subscope child statement must be one of `and`, `or`, `optional`, `not`, `N or more`? however, it looks like we have a rule (maybe more I...
similar to #470.

`create process via Win32_Process`:
```yml
...
- and:
  - string: "Win32_Process"
  - or:
    - string: "Create"
```

`terminate process via Win32_Process`:
```yml
...
- and:
  - string:...
```
Please correct me if I'm wrong but based on the most recent post from @williballenthin our decision is to continue development, including breaking changes, on `master`. This doesn't play well...
@Ana06 totally agree it is preferable to keep both `master` branches in sync. I also think it's worth enabling users the ability to use point releases of capa rules between...
> After a lot of back and forth, I think we just need to update the CI check at this point. I propose to change the workflow to:
>
>...
Hi @johnk3r! Did you find an example `Nim` binary containing the string `nimThreadVarsSize` that wasn't detected by the existing rule?
probably best to hit on the assembly 🚀