capa v6.1 releases: identify capabilities in executable files

by do son · Published July 20, 2020 · Updated August 27, 2023

capa

capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

$ capa.exe suspicious.exe



+------------------------+--------------------------------------------------------------------------------+

| ATT&CK Tactic          | ATT&CK Technique                                                               |

|------------------------+--------------------------------------------------------------------------------|

| DEFENSE EVASION        | Obfuscated Files or Information [T1027]                                        |

| DISCOVERY              | Query Registry [T1012]                                                         |

|                        | System Information Discovery [T1082]                                           |

| EXECUTION              | Command and Scripting Interpreter::Windows Command Shell [T1059.003]           |

|                        | Shared Modules [T1129]                                                         |

| EXFILTRATION           | Exfiltration Over C2 Channel [T1041]                                           |

| PERSISTENCE            | Create or Modify System Process::Windows Service [T1543.003]                   |

+------------------------+--------------------------------------------------------------------------------+



+-------------------------------------------------------+-------------------------------------------------+

| CAPABILITY                                            | NAMESPACE                                       |

|-------------------------------------------------------+-------------------------------------------------|

| check for OutputDebugString error                     | anti-analysis/anti-debugging/debugger-detection |

| read and send data from client to server              | c2/file-transfer                                |

| execute shell command and capture output              | c2/shell                                        |

| receive data (2 matches)                              | communication                                   |

| send data (6 matches)                                 | communication                                   |

| connect to HTTP server (3 matches)                    | communication/http/client                       |

| send HTTP request (3 matches)                         | communication/http/client                       |

| create pipe                                           | communication/named-pipe/create                 |

| get socket status (2 matches)                         | communication/socket                            |

| receive data on socket (2 matches)                    | communication/socket/receive                    |

| send data on socket (3 matches)                       | communication/socket/send                       |

| connect TCP socket                                    | communication/socket/tcp                        |

| encode data using Base64                              | data-manipulation/encoding/base64               |

| encode data using XOR (6 matches)                     | data-manipulation/encoding/xor                  |

| run as a service                                      | executable/pe                                   |

| get common file path (3 matches)                      | host-interaction/file-system                    |

| read file                                             | host-interaction/file-system/read               |

| write file (2 matches)                                | host-interaction/file-system/write              |

| print debug messages (2 matches)                      | host-interaction/log/debug/write-event          |

| resolve DNS                                           | host-interaction/network/dns/resolve            |

| get hostname                                          | host-interaction/os/hostname                    |

| create a process with modified I/O handles and window | host-interaction/process/create                 |

| create process                                        | host-interaction/process/create                 |

| create registry key                                   | host-interaction/registry/create                |

| create service                                        | host-interaction/service/create                 |

| create thread                                         | host-interaction/thread/create                  |

| persist via Windows service                           | persistence/service                             |

+-------------------------------------------------------+-------------------------------------------------+

Changelog v6.1

New Features

ELF: implement import and export name extractor #1607 #1608 @Aayush-Goel-04
bump pydantic from 1.10.9 to 2.1.1 #1582 @Aayush-Goel-04
develop script to highlight features not used during matching #331 @Aayush-Goel-04

New Rules (8)

executable/pe/export/forwarded-export ronnie.salomonsen@mandiant.com
host-interaction/bootloader/get-uefi-variable jakub.jozwiak@mandiant.com
host-interaction/bootloader/set-uefi-variable jakub.jozwiak@mandiant.com
nursery/enumerate-device-drivers-on-linux @mr-tz
anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch ervin.ocampo@mandiant.com
linking/static/sqlite3/linked-against-cppsqlite3 still@teamt5.org
linking/static/sqlite3/linked-against-sqlite3 still@teamt5.org

Modified rules (9)

Renamed rules (1)

persistence/create-shortcut-via-ishelllink.yml (was nursery/create-shortcut-via-ishelllink.yml)

Bug Fixes

rules: fix forwarded export characteristic #1656 @RonnieSalomonsen
Binary Ninja: Fix stack string detection #1473 @xusheng6
linter: skip native API check for NtProtectVirtualMemory #1675 @williballenthin
OS: detect Android ELF files #1705 @williballenthin
ELF: fix parsing of symtab #1704 @williballenthin
result document: don’t use deprecated pydantic functions #1718 @williballenthin
pytest: don’t mark IDA tests as pytest tests #1719 @williballenthin

capa explorer IDA Pro plugin

fix unhandled exception when resolving rule path #1693 @mike-hunhoff

Usage

See capa -h for all supported arguments and usage examples.

tips and tricks

only run selected rules

Use the -t option to run rules with the given metadata value (see the rule fields rule.meta.*). For example, capa -t william.ballenthin@mandiant.com runs rules that reference Willi’s email address (probably as the author), or capa -t communication runs rules with the namespace communication.

IDA Pro integrations

You can run capa from within IDA Pro. Run capa/main.py via File - Script file... (or ALT + F7). When running in IDA, capa uses IDA’s disassembly and file analysis as its backend. These results may vary from the standalone version that uses vivisect. IDA’s analysis is generally a bit faster and more thorough than vivisect’s, so you might prefer this mode.

When run under IDA, capa supports both Python 2 and Python 3 interpreters. If you encounter issues with your specific setup, please open a new Issue.

Additionally, capa comes with an IDA Pro plugin located in the capa/ida directory: the explorer.

capa explorer

The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. As you select rules or logic, capa will highlight the addresses that support its analysis conclusions. We like to use capa to help find the most interesting parts of a program, such as where the C2 mechanism might be.

To install the plugin, you’ll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3. Next make sure pip commands are run using the Python install that is configured for your IDA install:

Only if running Python 2.7, run command $ pip install https://github.com/williballenthin/vivisect/zipball/master
Run $ pip install . from capa root directory
Open IDA and navigate to File > Script file… or Alt+F7
Navigate to <capa_install_dir>\capa\ida\ and choose ida_capa_explorer.py

capa v6.1 releases: identify capabilities in executable files

Search

Brilliantly

Content & Links

capa v6.1 releases: identify capabilities in executable files

capa

Changelog v6.1

New Features

New Rules (8)

Modified rules (9)

Renamed rules (1)

Bug Fixes

capa explorer IDA Pro plugin

Usage

tips and tricks

only run selected rules

IDA Pro integrations

capa explorer

Download

Search

Brilliantly

Content & Links