-
Notifications
You must be signed in to change notification settings - Fork 0
/
Custom.Client.TriageCapa.yaml
52 lines (43 loc) · 1.97 KB
/
Custom.Client.TriageCapa.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
name: Custom.Client.TriageCapa
description: |
This artifact runs the Capa tool against executable files. Capa attempts
to determine the CAPAbilities of the target executable files.
reference:
- Thanks to Wes Lambert for his Capa artifact which helped in developing this artifact.
- https://docs.velociraptor.app/exchange/artifacts/pages/windows.analysis.capa/
parameters:
- name: targets
type: json_array
- name: file_accessor
type: hidden
tools:
- name: capa-darwin-amd64
- name: capa-windows-amd64
- name: capa-linux-amd64
resources:
timeout: 3600
sources:
- precondition: SELECT * FROM info() WHERE OS =~ "windows|linux|darwin" AND Architecture = "amd64"
query: |
-- We get the host info so that we can use it to match the right tool name for each OS
LET host_info <= select * from info()
-- Get the version of Capa matching the OS
LET capa <= SELECT FullPath
FROM Artifact.Generic.Utils.FetchBinary(ToolName="capa-" + host_info[0].OS +"-amd64", IsExecutable=TRUE)
-- Run Capa
LET raw_results = SELECT *, file_accessor
FROM foreach(row=targets,
query={ SELECT parse_json(data=Stdout) AS data, _value AS target FROM execve(
argv=[capa[0].FullPath, "-j", path_join(components=_value)],
length=1000000) },
workers=1)
SELECT * FROM foreach(row=items(item=raw_results.rules[0]), query={
SELECT _key AS Rule,
_value.matches AS Matches,
get(member="_value.meta.namespace") AS Namespace,
get(member="_value.meta.scope") AS _Scope,
get(member="_value.meta.att&ck.0.tactic") AS Tactic,
get(member="_value.meta.att&ck.0.technique") + " - " + get(member="_value.meta.att&ck.0.id") AS Technique,
get(member="_value.meta.author") AS _Author,
get(member="_value.meta") AS _Meta
FROM scope()})