From 545236cdc2cbec01cd75b2b11a8774ae3e462802 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Fri, 3 Jul 2020 11:43:47 -0600 Subject: [PATCH] readme: simplify example --- README.md | 53 ++--------------------------------------------------- 1 file changed, 2 insertions(+), 51 deletions(-) diff --git a/README.md b/README.md index 6bffd88e..6c491454 100644 --- a/README.md +++ b/README.md 
@@ -70,61 +70,12 @@ For more information about how to use capa, including running it as an IDA scrip # example -Here we run capa against an unknown binary (`suspicious.exe`), -and the tool reports that the program can decode data via XOR, +In the above sample output, we ran capa against an unknown binary (`suspicious.exe`), +and the tool reported that the program can decode data via XOR, contains an embedded PE, writes to a file, and spawns a new process. Taken together, this makes us think that `suspicious.exe` could be a dropper or backdoor. Therefore, our next analysis step might be to run `suspicious.exe` in a sandbox and try to recover the payload. -``` -$ capa.exe suspicious.exe - -+------------------------+----------------------------------------------------------------------+ -| ATT&CK Tactic | ATT&CK Technique | -|------------------------+----------------------------------------------------------------------| -| DEFENSE EVASION | Obfuscated Files or Information [T1027] | -| DISCOVERY | Query Registry [T1012] | -| | System Information Discovery [T1082] | -| EXECUTION | Command and Scripting Interpreter::Windows Command Shell [T1059.003] | -| | Shared Modules [T1129] | -| EXFILTRATION | Exfiltration Over C2 Channel [T1041] | -| PERSISTENCE | Create or Modify System Process::Windows Service [T1543.003] | -+------------------------+----------------------------------------------------------------------+ - -+-------------------------------------------------------+-------------------------------------------------+ -| CAPABILITY | NAMESPACE | -|-------------------------------------------------------+-------------------------------------------------| -| check for OutputDebugString error | anti-analysis/anti-debugging/debugger-detection | -| read and send data from client to server | c2/file-transfer | -| execute shell command and capture output | c2/shell | -| receive data (2 matches) | communication | -| send data (6 matches) | communication | -| connect to HTTP 
server (3 matches) | communication/http/client | -| send HTTP request (3 matches) | communication/http/client | -| create pipe | communication/named-pipe/create | -| get socket status (2 matches) | communication/socket | -| receive data on socket (2 matches) | communication/socket/receive | -| send data on socket (3 matches) | communication/socket/send | -| connect TCP socket | communication/socket/tcp | -| encode data using Base64 | data-manipulation/encoding/base64 | -| encode data using XOR (6 matches) | data-manipulation/encoding/xor | -| run as a service | executable/pe | -| contain an embedded PE file | executable/subfile/pe | -| get common file path (3 matches) | host-interaction/file-system | -| read file | host-interaction/file-system/read | -| write file (2 matches) | host-interaction/file-system/write | -| print debug messages (2 matches) | host-interaction/log/debug/write-event | -| resolve DNS | host-interaction/network/dns/resolve | -| get hostname | host-interaction/os/hostname | -| create a process with modified I/O handles and window | host-interaction/process/create | -| create process | host-interaction/process/create | -| create registry key | host-interaction/registry/create | -| create service | host-interaction/service/create | -| create thread | host-interaction/thread/create | -| persist via Windows service | persistence/service | -+-------------------------------------------------------+-------------------------------------------------+ -``` - By passing the `-vv` flag (for Very Verbose), capa reports exactly where it found evidence of these capabilities. This is useful for at least two reasons:
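Review bot: the rewritten opening of the `# example` section now depends on sample output that lives outside this hunk ("In the above sample output, we ran capa against an unknown binary"), so the section no longer stands on its own: a reader who jumps straight to `# example` (or reads it in a rendered fork where the earlier output was trimmed) has nothing to check the XOR / embedded PE / write file / create process claims against, and the section does not even show the invocation any more. Suggest keeping a one-line reminder of the command and naming where the output is, e.g. `In the sample output shown at the top of this README (`$ capa.exe suspicious.exe`), ...`, or linking to that section with a relative anchor so the reference survives future README edits. The wording change from "reports" to "reported" is consistent with the new past-tense framing; the rest of the paragraph (dropper/backdoor hypothesis, next step of sandboxing to recover the payload) reads fine as-is.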