capa v3.2 releases: identify capabilities in executable files

by do son · Published July 20, 2020 · Updated March 3, 2022

capa

capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

$ capa.exe suspicious.exe

+------------------------+--------------------------------------------------------------------------------+
| ATT&CK Tactic          | ATT&CK Technique                                                               |
|------------------------+--------------------------------------------------------------------------------|
| DEFENSE EVASION        | Obfuscated Files or Information [T1027]                                        |
| DISCOVERY              | Query Registry [T1012]                                                         |
|                        | System Information Discovery [T1082]                                           |
| EXECUTION              | Command and Scripting Interpreter::Windows Command Shell [T1059.003]           |
|                        | Shared Modules [T1129]                                                         |
| EXFILTRATION           | Exfiltration Over C2 Channel [T1041]                                           |
| PERSISTENCE            | Create or Modify System Process::Windows Service [T1543.003]                   |
+------------------------+--------------------------------------------------------------------------------+

+-------------------------------------------------------+-------------------------------------------------+
| CAPABILITY                                            | NAMESPACE                                       |
|-------------------------------------------------------+-------------------------------------------------|
| check for OutputDebugString error                     | anti-analysis/anti-debugging/debugger-detection |
| read and send data from client to server              | c2/file-transfer                                |
| execute shell command and capture output              | c2/shell                                        |
| receive data (2 matches)                              | communication                                   |
| send data (6 matches)                                 | communication                                   |
| connect to HTTP server (3 matches)                    | communication/http/client                       |
| send HTTP request (3 matches)                         | communication/http/client                       |
| create pipe                                           | communication/named-pipe/create                 |
| get socket status (2 matches)                         | communication/socket                            |
| receive data on socket (2 matches)                    | communication/socket/receive                    |
| send data on socket (3 matches)                       | communication/socket/send                       |
| connect TCP socket                                    | communication/socket/tcp                        |
| encode data using Base64                              | data-manipulation/encoding/base64               |
| encode data using XOR (6 matches)                     | data-manipulation/encoding/xor                  |
| run as a service                                      | executable/pe                                   |
| get common file path (3 matches)                      | host-interaction/file-system                    |
| read file                                             | host-interaction/file-system/read               |
| write file (2 matches)                                | host-interaction/file-system/write              |
| print debug messages (2 matches)                      | host-interaction/log/debug/write-event          |
| resolve DNS                                           | host-interaction/network/dns/resolve            |
| get hostname                                          | host-interaction/os/hostname                    |
| create a process with modified I/O handles and window | host-interaction/process/create                 |
| create process                                        | host-interaction/process/create                 |
| create registry key                                   | host-interaction/registry/create                |
| create service                                        | host-interaction/service/create                 |
| create thread                                         | host-interaction/thread/create                  |
| persist via Windows service                           | persistence/service                             |
+-------------------------------------------------------+-------------------------------------------------+

Changelog v3.2

This release adds a new characteristic call $+5 enabling users to create rules that match this instruction commonly seen in obfuscators. The linter now also validates ATT&CK and MBC categories. Additionally, many dependencies, including the vivisect backend, have been updated.

One rule has been added and many more have been improved.

Thanks for all the support, especially to @kn0wl3dge and first time contributor @uckelman-sf!

New Features

linter: validate ATT&CK/MBC categories and IDs #103 @kn0wl3dge
extractor: add characteristic “call $+5” feature #366 @kn0wl3dge

New Rules (1)

anti-analysis/obfuscation/obfuscated-with-advobfuscator jakub.jozwiak@mandiant.com

Bug Fixes

remove typing package as a requirement for Python 3.7+ compatibility #901 @uckelman-sf
elf: fix OS detection for Linux kernel modules #867 @williballenthin

Usage

See capa -h for all supported arguments and usage examples.

tips and tricks

only run selected rules

Use the -t option to run rules with the given metadata value (see the rule fields rule.meta.*). For example, capa -t william.ballenthin@mandiant.com runs rules that reference Willi’s email address (probably as the author), or capa -t communication runs rules with the namespace communication.

IDA Pro integrations

You can run capa from within IDA Pro. Run capa/main.py via File - Script file... (or ALT + F7). When running in IDA, capa uses IDA’s disassembly and file analysis as its backend. These results may vary from the standalone version that uses vivisect. IDA’s analysis is generally a bit faster and more thorough than vivisect’s, so you might prefer this mode.

When run under IDA, capa supports both Python 2 and Python 3 interpreters. If you encounter issues with your specific setup, please open a new Issue.

Additionally, capa comes with an IDA Pro plugin located in the capa/ida directory: the explorer.

capa explorer

The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. As you select rules or logic, capa will highlight the addresses that support its analysis conclusions. We like to use capa to help find the most interesting parts of a program, such as where the C2 mechanism might be.

To install the plugin, you’ll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3. Next make sure pip commands are run using the Python install that is configured for your IDA install:

Only if running Python 2.7, run command $ pip install https://github.com/williballenthin/vivisect/zipball/master
Run $ pip install . from capa root directory
Open IDA and navigate to File > Script file… or Alt+F7
Navigate to <capa_install_dir>\capa\ida\ and choose ida_capa_explorer.py

capa v3.2 releases: identify capabilities in executable files

Search

Brilliantly

Content & Links

Popular Tags

capa v3.2 releases: identify capabilities in executable files

capa

Changelog v3.2

New Features

New Rules (1)

Bug Fixes

Usage

tips and tricks

only run selected rules

IDA Pro integrations

capa explorer

Download

Search

Brilliantly

Content & Links

Popular Tags