Analyze PE, ELF, or shellcode files with capa.
“capa detects capabilities in executable files. You run it against a PE, ELF, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.”
https://github.com/fireeye/capa
# Velociraptor client artifact: fetches the pinned capa release, unpacks
# capa.exe on the endpoint and runs it in JSON mode against one file,
# then flattens the matched rules (with their ATT&CK metadata) into rows.
name: Windows.Analysis.Capa
description: |
  Analyze PE, ELF, or shellcode files with capa.
  "capa detects capabilities in executable files. You run it against
  a PE, ELF, or shellcode file and it tells you what it thinks the
  program can do. For example, it might suggest that the file is a
  backdoor, is capable of installing services, or relies on HTTP to
  communicate."
  https://github.com/fireeye/capa
type: CLIENT
author: Wes Lambert - @therealwlambert
tools:
  - name: CapaWindows
    # Pinned release zip; expected_hash lets the tool fetch be verified
    # against this digest, so a swapped or tampered download is not run.
    url: https://github.com/mandiant/capa/releases/download/v6.1.0/capa-v6.1.0-windows.zip
    expected_hash: 070923d5ca225ef29a670af9cc66a8d648fcaaff7e283cb1ddc73de6e3610f0f
    # Clients obtain the zip from the Velociraptor server rather than
    # reaching out to GitHub themselves.
    serve_locally: true
parameters:
  # Path of the PE/ELF/shellcode file on the endpoint to analyse. No
  # default is given, so the caller must supply it.
  - name: File
sources:
  - query: |
      -- Resolve the local copy of the capa zip (materialised once, <=).
      LET Capa <= SELECT OSPath FROM Artifact.Generic.Utils.FetchBinary(
          ToolName="CapaWindows")
      -- Temporary path for the extracted executable; removed when the
      -- query scope ends.
      LET CapaPath <= tempfile(extension=".exe")
      -- Pull capa.exe out of the zip via the 'zip' accessor into CapaPath.
      LET UnzipIt <= SELECT
          copy(filename=pathspec(DelegateAccessor='file',
              DelegatePath=Capa[0].OSPath, Path='capa.exe'),
              dest=CapaPath,
              accessor='zip')
      FROM scope()
      -- Run capa with JSON output (-j). argv is passed as a list, so the
      -- File value is handed to the process as a single argument rather
      -- than being interpreted by a shell. length caps captured stdout at
      -- 10000000 bytes; NOTE(review): a larger capa report would be cut
      -- short and fail parse_json below - confirm this bound is adequate.
      -- NOTE(review): 'Let' differs in case from the other LET keywords;
      -- presumably VQL keywords are case-insensitive - verify.
      Let ExecCapa <= SELECT * FROM execve(argv=[
          CapaPath,
          '-j',
          File
      ], length=10000000)
      -- Parse the JSON report and keep only its top-level "rules" object.
      -- NOTE(review): if capa wrote nothing (bad file, crash), parse_json
      -- yields no usable rules and Data.rules[0] below is empty - confirm
      -- the desired behaviour is an empty result rather than an error.
      LET Data = SELECT * FROM foreach (row={
          SELECT parse_json(data=Stdout)
              AS Data
          FROM ExecCapa}, query={
          SELECT rules FROM Data})
      -- One row per matched rule: key is the rule name, value holds the
      -- match locations and the rule meta (namespace, scope, ATT&CK, ...).
      -- Columns prefixed with _ are hidden by default in the UI.
      SELECT * FROM foreach(row=items(item=Data.rules[0]), query={
          SELECT _key AS Rule,
              _value.matches AS Matches,
              get(member="_value.meta.namespace") AS Namespace,
              get(member="_value.meta.scope") AS _Scope,
              get(member="_value.meta.att&ck.0.tactic") AS Tactic,
              get(member="_value.meta.att&ck.0.technique") + " - " + get(member="_value.meta.att&ck.0.id") AS Technique,
              get(member="_value.meta.author") AS _Author,
              get(member="_value.meta") AS _Meta
          FROM scope()})