Ecosyste.ms: Issues

An open API service for providing issue and pull request metadata for open source projects.

GitHub / mandiant/capa-rules issues and pull requests

#102 - fixed description key, and added x32 and x64 flavours

Pull Request - State: closed - Opened by 0ssigeno about 4 years ago - 2 comments

#101 - Typos

Pull Request - State: closed - Opened by 0ssigeno over 4 years ago - 8 comments

#100 - fresh new rules from al-khaser project

Pull Request - State: closed - Opened by mike-hunhoff over 4 years ago - 3 comments

#99 - Remove characteristic(switch) from the documentation

Pull Request - State: closed - Opened by Ana06 over 4 years ago
Labels: documentation

#98 - Create check-for-sandbox-username.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago

#97 - Improve hash-data-using-murmur3 rule

Pull Request - State: closed - Opened by Ana06 over 4 years ago - 1 comment

#96 - Create check-for-sandbox-and-av-modules.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 1 comment

#95 - Create check-if-process-is-running-under-wine.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 1 comment

#94 - improve RC4 rules

Pull Request - State: closed - Opened by mr-tz over 4 years ago

#93 - Coverage for alternate Luhn variant and moving rules to lib

Pull Request - State: closed - Opened by re-fox over 4 years ago - 1 comment

#92 - new rules for internet cache manipulation

Pull Request - State: closed - Opened by mike-hunhoff over 4 years ago

#91 - FN: RC4: 73ce04892e5f39ec82b00c02fc04c70f: 0x40677C

Issue - State: closed - Opened by williballenthin over 4 years ago
Labels: false negative

#90 - Guidance on rule naming conventions and placement

Issue - State: closed - Opened by re-fox over 4 years ago - 3 comments

#89 - rule: detect packers based on section names

Issue - State: closed - Opened by Ana06 over 4 years ago
Labels: rule idea, migrated-rule

#88 - rule: thorough detection of injection

Issue - State: open - Opened by Ana06 over 4 years ago
Labels: rule idea, migrated-rule

#87 - add ICMP routines

Issue - State: closed - Opened by Ana06 over 4 years ago - 1 comment
Labels: rule idea, migrated-rule

#86 - rule: detect secure desktop protection bypass

Issue - State: open - Opened by Ana06 over 4 years ago
Labels: rule idea, migrated-rule

#85 - rule: windows version via RtlGetNtVersionNumbers (need example)

Issue - State: closed - Opened by Ana06 over 4 years ago - 1 comment
Labels: good first issue, rule idea, migrated-rule

#84 - CP Malware Evasion Encyclopedia

Issue - State: open - Opened by Ana06 over 4 years ago
Labels: rule idea, migrated-rule

#83 - rule: resolve ntoskrnl base address with NTDLL (need example)

Issue - State: closed - Opened by Ana06 over 4 years ago
Labels: rule idea, migrated-rule

#82 - rule: resolve exe path via MSVCRT

Issue - State: closed - Opened by Ana06 over 4 years ago - 5 comments
Labels: rule idea, migrated-rule

#81 - rule: datamine keystrokes via input method manager (need example)

Issue - State: closed - Opened by Ana06 over 4 years ago
Labels: rule idea, migrated-rule

#80 - rule: capture major, minor, build versions via ntdll (need example)

Issue - State: closed - Opened by Ana06 over 4 years ago - 1 comment
Labels: rule idea, migrated-rule

#79 - rule: check processor architecture (need example)

Issue - State: closed - Opened by Ana06 over 4 years ago - 2 comments
Labels: good first issue, rule idea, migrated-rule

#78 - Create bypass-uac-via-token-manipulation-1.yml

Pull Request - State: closed - Opened by agithubuserlol over 4 years ago

#77 - Create Update bypass-uac-via-appinfo-alpc.yml

Pull Request - State: closed - Opened by agithubuserlol over 4 years ago - 1 comment

#76 - Create bypass-uac-via-appinfo-alpc.yml

Pull Request - State: closed - Opened by agithubuserlol over 4 years ago - 1 comment

#75 - Create encrypt-data-using-twofish.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 1 comment

#74 - add doc around arch flavors of offset/number

Pull Request - State: closed - Opened by williballenthin over 4 years ago

#73 - adding misc new rules and rule updates

Pull Request - State: closed - Opened by mike-hunhoff over 4 years ago

#72 - Create encrypt-data-using-blowfish.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 1 comment

#71 - Create hash-data-using-tiger.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 1 comment

#70 - Update encrypt-data-using-camellia.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago

#69 - Create encrypt-data-using-camellia.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 2 comments

#68 - Update validate-credit-card-number-with-luhn-algorithm.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 1 comment

#67 - Create encrypt-data-using-skipjack.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago

#66 - Create gather-firefox-profile-information.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 1 comment

#65 - new rules for cabinet file manipulation

Pull Request - State: closed - Opened by mike-hunhoff over 4 years ago

#64 - New rules from 03B236B23B1EC37C663527C1F53AF3FE

Pull Request - State: closed - Opened by mike-hunhoff over 4 years ago - 1 comment

#63 - rule idea: cabinet (.cab) manipulation

Issue - State: closed - Opened by mike-hunhoff over 4 years ago
Labels: rule idea

#62 - rule idea: thread local storage

Issue - State: closed - Opened by mike-hunhoff over 4 years ago
Labels: rule idea

#61 - Create capture-network-configuration-via-ipconfig.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 2 comments

#60 - Updating screenshot capability to cover Arkei Stealer

Pull Request - State: closed - Opened by re-fox over 4 years ago

#59 - SHA1 &SHA256 via processor extensions

Pull Request - State: closed - Opened by re-fox over 4 years ago

#58 - Create encrypt-data-using-des-via-winapi.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago

#57 - doc: Document descriptions for statement nodes

Pull Request - State: closed - Opened by Ana06 over 4 years ago
Labels: documentation

#56 - Create encrypt-data-using-des.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago

#55 - graduate nursery rules using existing examples

Issue - State: open - Opened by williballenthin over 4 years ago - 5 comments
Labels: enhancement

#54 - add a couple new rules derived from Cl0p ransomware

Pull Request - State: closed - Opened by williballenthin over 4 years ago - 3 comments
Labels: enhancement

#53 - Create change-the-wallpaper.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 2 comments

#52 - Update validate-credit-card-number-with-luhn-algorithm.yml

Pull Request - State: closed - Opened by re-fox over 4 years ago - 7 comments

#51 - Adding luhn credit card validation routine

Pull Request - State: closed - Opened by re-fox over 4 years ago - 2 comments
