diff --git a/capa/render/default.py b/capa/render/default.py
index 2e5064740..7aaa7e46d 100644
--- a/capa/render/default.py
+++ b/capa/render/default.py
@@ -7,6 +7,7 @@
 # See the License for the specific language governing permissions and limitations under the License.
 import collections
+from typing import Dict
 import tabulate
@@ -73,19 +74,30 @@ def rec(match: rd.Match): def render_capabilities(doc: rd.ResultDocument, ostream: StringIO): """ + render capabilities sorted by: + - prevalence (rare to unknown) + - namespace (alphabetical) + example:: - +-------------------------------------------------------+-------------------------------------------------+ - | CAPABILITY | NAMESPACE | - |-------------------------------------------------------+-------------------------------------------------| - | check for OutputDebugString error (2 matches) | anti-analysis/anti-debugging/debugger-detection | - | read and send data from client to server | c2/file-transfer | - | ... | ... | - +-------------------------------------------------------+-------------------------------------------------+ + +-------------------------------------------------------+-------------------------------------------------+------------+ + | CAPABILITY | NAMESPACE | PREVALENCE | + |-------------------------------------------------------+-------------------------------------------------|------------| + | check for OutputDebugString error (2 matches) | anti-analysis/anti-debugging/debugger-detection | rare | + | ... | ... | ... | + |-------------------------------------------------------|-------------------------------------------------|------------| + | read and send data from client to server | c2/file-transfer | common | + | ... | ... | ... | + +-------------------------------------------------------+-------------------------------------------------+------------+ """ subrule_matches = find_subrule_matches(doc) - rows = [] + # seperate rules based on their prevalence + common: Dict[str, str] = {"capability": "", "namespace": "", "prevalence": ""} + had_common = False + rare: Dict[str, str] = {"capability": "", "namespace": "", "prevalence": ""} + had_rare = False + for rule in rutils.capability_rules(doc): if rule.meta.name in subrule_matches: # rules that are also matched by other rules should not get rendered by default. 
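Review bot: The new docstring promises rendering "sorted by prevalence (rare to unknown)" and "namespace (alphabetical)", but the accumulators introduced here (`common`/`rare`, filled in the next hunk) only split rules into a `rare` bucket and an everything-else bucket, so `common` and `unknown` share a group, and within each group the order is whatever `rutils.capability_rules(doc)` yields. Unless that helper already sorts by namespace, which this hunk does not show, the "alphabetical" claim is not established; I would either sort explicitly or word it `sorted by prevalence (rare first), otherwise in rule order`. The comment `# seperate rules based on their prevalence` should read `# separate rules based on their prevalence`. `render_capabilities` continues in the next hunk.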
@@ -98,11 +110,34 @@ def render_capabilities(doc: rd.ResultDocument, ostream: StringIO):
 capability = rutils.bold(rule.meta.name)
 else:
 capability = f"{rutils.bold(rule.meta.name)} ({count} matches)"
- rows.append((capability, rule.meta.namespace))
+
+ namespace = rule.meta.namespace if rule.meta.namespace is not None else ""
+ prevalence = rutils.bold(rule.meta.prevalence) if rule.meta.prevalence != "unknown" else "unknown"
+
+ if "rare" in prevalence:
+ rare["capability"] += capability + "\n"
+ rare["namespace"] += namespace + "\n"
+ rare["prevalence"] += prevalence + "\n"
+ had_rare = True
+ else:
+ common["capability"] += capability + "\n"
+ common["namespace"] += namespace + "\n"
+ common["prevalence"] += prevalence + "\n"
+ had_common = True
+
+ rows = []
+ if had_rare:
+ rows.append((rare["capability"], rare["namespace"], rare["prevalence"]))
+ if had_common:
+ rows.append((common["capability"], common["namespace"], common["prevalence"]))
 if rows:
 ostream.write(
- tabulate.tabulate(rows, headers=[width("Capability", 50), width("Namespace", 50)], tablefmt="mixed_outline")
+ tabulate.tabulate(
+ rows,
+ headers=[width("Capability", 50), width("Namespace", 50), width("Prevalence", 10)],
+ tablefmt="mixed_grid",
+ )
 )
 ostream.write("\n")
 else:
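Review bot: `if "rare" in prevalence:` tests the bold-wrapped display string instead of the metadata value `rule.meta.prevalence`, and the two branches then repeat the same four `+=` lines while `had_rare`/`had_common` only mirror whether the accumulated strings are non-empty. Collecting each column into a list and joining once removes the flags and the repeated string concatenation, and also drops the trailing `"\n"` every cell currently ends with (harmless only if tabulate discards a trailing empty line, which I have not verified). This needs the initializers in the previous hunk to hold lists, `{"capability": [], "namespace": [], "prevalence": []}` typed `Dict[str, List[str]]`, which adds `List` to the `typing` import. `render_capabilities` starts in the previous hunk.
```python
            # … unchanged: capability / match-count formatting …
            namespace = rule.meta.namespace if rule.meta.namespace is not None else ""
            prevalence = rutils.bold(rule.meta.prevalence) if rule.meta.prevalence != "unknown" else "unknown"

            # bucket on the metadata value, not on the bold-wrapped display string
            bucket = rare if rule.meta.prevalence == "rare" else common
            bucket["capability"].append(capability)
            bucket["namespace"].append(namespace)
            bucket["prevalence"].append(prevalence)

    rows = []
    for bucket in (rare, common):
        if bucket["capability"]:
            rows.append(tuple("\n".join(bucket[column]) for column in ("capability", "namespace", "prevalence")))
    # … unchanged: tabulate call …
```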
@@ -569,9 +571,33 @@ class MaecMetadata(FrozenModel):
 model_config = ConfigDict(frozen=True, populate_by_name=True)
+@lru_cache(maxsize=None)
+def load_rules_prevalence() -> Dict[str, str]:
+ """
+ Load and return a dictionary containing prevalence information for rules defined in capa.
+
+ Returns:
+ Dict[str, str]: A dictionary where keys are rule names, and values are prevalence levels.
+
+ Example:
+ {
+ "capture screenshot": "rare",
+ "send data": "common",
+ "receive and write data from server to client": "common",
+ "resolve DNS": "common",
+ "reference HTTP User-Agent string": "rare"
+ }
+
+ Note:
+ Prevalence levels can be one of the following: "common", "rare"
+ """
+ return capa.render.rules_prevalence.RULES_PREVALENCE
+
+
 class RuleMetadata(FrozenModel):
 name: str
 namespace: Optional[str] = None
+ prevalence: str = "unknown"
 authors: Tuple[str, ...]
 scopes: capa.rules.Scopes
 attack: Tuple[AttackSpec, ...] = Field(alias="att&ck")
@@ -589,6 +615,7 @@ def from_capa(cls, rule: capa.rules.Rule) -> "RuleMetadata":
 return cls(
 name=rule.meta.get("name"),
 namespace=rule.meta.get("namespace"),
+ prevalence=load_rules_prevalence().get(rule.meta.get("name"), "unknown"),
 authors=rule.meta.get("authors"),
 scopes=capa.rules.Scopes.from_dict(rule.meta.get("scopes")),
 attack=tuple(map(AttackSpec.from_str, rule.meta.get("att&ck", []))),
diff --git a/capa/render/rules_prevalence.py b/capa/render/rules_prevalence.py
new file mode 100644
index 000000000..3bf4461c9
--- /dev/null
+++ b/capa/render/rules_prevalence.py
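Review bot: The `Example:` block in the `load_rules_prevalence` docstring contradicts the data it returns: `capa.render.rules_prevalence.RULES_PREVALENCE` (next file in this diff) lists `capture screenshot` as `common`, `send data` as `rare` and `reference HTTP User-Agent string` as `common`, the opposite of what the docstring shows. Since the body is a single attribute read of a module constant, `@lru_cache(maxsize=None)` caches nothing useful and the word "Load" suggests I/O that does not happen; I would copy the example values from the table (or drop them) and reword the summary to `Return the static rule-name -> prevalence mapping from capa.render.rules_prevalence.` Because the lookup added in `from_capa` is keyed on the rule name, a renamed or user-supplied rule silently falls back to `"unknown"`; a test asserting every key of `RULES_PREVALENCE` is a known rule name would catch that drift. The `RuleMetadata` class continues past the hunk.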
@@ -0,0 +1,603 @@ +# Copyright (C) 2023 Mandiant, Inc. All Rights Reserved. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: [package root]/LICENSE.txt +# Unless required by applicable law or agreed to in writing, software distributed under the License +# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and limitations under the License. +from typing import Dict + +RULES_PREVALENCE: Dict[str, str] = { + "reference anti-VM strings": "common", + "contain obfuscated stackstrings": "rare", + "gather firefox profile information": "common", + "log keystrokes": "common", + "log keystrokes via polling": "common", + "capture screenshot": "common", + "send data": "rare", + "receive and write data from server to client": "common", + "resolve DNS": "common", + "reference HTTP User-Agent string": "common", + "send HTTP request with Host header": "common", + "create pipe": "common", + "create two anonymous pipes": "common", + "read pipe": "common", + "get socket status": "common", + "initialize Winsock library": "common", + "set socket configuration": "common", + "act as TCP client": "common", + "encode data using XOR": "rare", + "create new key via CryptAcquireContext": "common", + "encrypt data using DPAPI": "common", + "encrypt data using RC4 PRGA": "common", + "hash data via WinCrypt": "common", + "hash data with MD5": "common", + "hash data using SHA1": "common", + "hash data using SHA1 via WinCrypt": "common", + "accept command line arguments": "common", + "query environment variable": "common", + "get common file path": "rare", + "create directory": "common", + "delete file": "rare", + "check if file exists": "common", + "enumerate files recursively": "common", + "get file attributes": "rare", + "set file attributes": 
"rare", + "move file": "common", + "read file on Windows": "rare", + "write file on Windows": "rare", + "enumerate gui resources": "common", + "get graphical window text": "common", + "get disk information": "common", + "get disk size": "common", + "check mutex and exit": "common", + "get hostname": "common", + "get system information on Windows": "common", + "check OS version": "common", + "create a process with modified I/O handles and window": "common", + "create process on Windows": "rare", + "create process suspended": "common", + "enumerate processes": "common", + "terminate process": "rare", + "query or enumerate registry key": "common", + "query or enumerate registry value": "rare", + "set registry value": "common", + "delete registry key": "common", + "delete registry value": "common", + "get session user name": "common", + "create thread": "rare", + "resume thread": "common", + "link many functions at runtime": "common", + "resolve function by parsing PE exports": "rare", + "persist via Active Setup registry key": "common", + "persist via Run registry key": "common", + "contains PDB path": "common", + "reference anti-VM strings targeting VirtualBox": "common", + "receive data": "common", + "start HTTP server": "common", + "access .NET resource": "common", + "manipulate console buffer": "common", + "load .NET assembly": "common", + "unmanaged call": "common", + "compiled to the .NET platform": "common", + "reference Base64 string": "common", + "encrypt or decrypt via WinCrypt": "common", + "encrypt data using AES via WinAPI": "common", + "initialize hashing via WinCrypt": "common", + "generate random numbers via WinAPI": "common", + "set current directory": "common", + "copy file": "common", + "print debug messages": "rare", + "create mutex": "common", + "get thread local storage value": "common", + "set thread local storage value": "common", + "create service": "common", + "enumerate services": "common", + "linked against CPP standard library": "common", 
+ "parse PE header": "rare", + "schedule task via ITaskScheduler": "common", + "persist via Windows service": "common", + "encode data using Base64": "common", + "get file size": "common", + "execute VBScript Javascript or JScript in memory": "common", + "act as Excel XLL add-in": "common", + "act as Word WLL add-in": "common", + "encrypt data using memfrob from glibc": "common", + "check for time delay via GetTickCount": "common", + "check for VM using instruction VPCEXT": "common", + "reference the VMWare IO port": "common", + "get HTTP content length": "common", + "parse URL": "common", + "check HTTP status code": "common", + "connect to HTTP server": "common", + "create HTTP request": "common", + "get socket information": "common", + "hash data with CRC32": "common", + "decompress data using aPLib": "common", + "encrypt data using RC4 via WinAPI": "common", + "hash data using fnv": "common", + "contain an embedded PE file": "common", + "disable code signing": "common", + "manipulate boot configuration": "common", + "interact with driver via control codes": "common", + "bypass Mark of the Web": "common", + "get local IPv4 addresses": "common", + "shutdown system": "common", + "modify access privileges": "common", + "run as service": "common", + "delete service": "common", + "start service": "common", + "get token membership": "common", + "compare security identifiers": "common", + "access PEB ldr_data": "common", + "enumerate PE sections": "common", + "execute shellcode via indirect call": "common", + "identify system language via API": "common", + "hook routines via microsoft detours": "common", + "generate random numbers using a Mersenne Twister": "common", + "read clipboard data": "common", + "allocate RWX memory": "common", + "enumerate processes on remote desktop session host": "common", + "acquire debug privileges": "common", + "link function at runtime on Windows": "rare", + "linked against Microsoft Detours": "common", + "reference startup folder": 
"common", + "get geographical location": "common", + "parse credit card information": "common", + "get domain trust relationships": "common", + "initialize WinHTTP library": "common", + "read HTTP header": "common", + "prepare HTTP request": "common", + "receive HTTP response": "common", + "hash data using SHA256": "common", + "list domain servers": "common", + "set environment variable": "common", + "hide graphical window": "common", + "allocate thread local storage": "common", + "reference analysis tools strings": "common", + "decrypt data using AES via x86 extensions": "common", + "encrypt data using AES via x86 extensions": "common", + "encrypt data using blowfish": "common", + "encrypt data using Camellia": "common", + "encrypt data using DES": "common", + "encrypt data using Curve25519": "common", + "encrypt data using Salsa20 or ChaCha": "common", + "encrypt data using twofish": "common", + "hash data using murmur3": "common", + "hash data using SHA384": "common", + "hash data using SHA512": "common", + "hash data using tiger": "common", + "authenticate HMAC": "common", + "generate random numbers via RtlGenRandom": "common", + "debug build": "common", + "contain a thread local storage (.tls) section": "common", + "read file via mapping": "common", + "get memory capacity": "common", + "query remote server for available data": "common", + "create reverse shell": "common", + "convert IP address from string": "common", + "create UDP socket": "common", + "enumerate files on Windows": "common", + "use process Doppelg\u00e4nging": "common", + "use process replacement": "common", + "get installed programs": "common", + "connect to WMI namespace via WbemLocator": "common", + "encrypt data using RC4 KSA": "common", + "write file to startup folder": "common", + "reference SQL statements": "common", + "check if directory exists": "common", + "act as Office COM add-in": "common", + "check for unmoving mouse cursor": "common", + "create BITS job": "common", + "enumerate 
process modules": "common", + "bypass UAC via ICMLuaUtil": "common", + "check for debugger via API": "common", + "reference anti-VM strings targeting Xen": "common", + "obfuscated with Babel Obfuscator": "common", + "obfuscated with Dotfuscator": "common", + "obfuscated with Spices.Net Obfuscator": "common", + "obfuscated with Yano": "common", + "manipulate unmanaged memory in .NET": "common", + "get OS version in .NET": "common", + "resolve function by FNV-1a hash": "common", + "reference Google Public DNS server": "common", + "connect network resource": "common", + "enumerate disk volumes": "common", + "enumerate network shares": "common", + "check for PEB BeingDebugged flag": "common", + "reference anti-VM strings targeting VMWare": "common", + "initialize IWebBrowser2": "common", + "get HTTP document via IWebBrowser2": "common", + "encrypt data using AES": "common", + "reference AES constants": "common", + "get Program Files directory": "common", + "read .ini file": "common", + "get number of processors": "common", + "get keyboard layout": "common", + "get networking parameters": "common", + "enumerate threads": "common", + "schedule task via at": "common", + "get startup folder": "common", + "create TCP socket via raw AFD driver": "common", + "execute shellcode via Windows callback function": "common", + "create raw socket": "common", + "check for software breakpoints": "common", + "log keystrokes via application hook": "common", + "capture webcam image": "common", + "compute adler32 checksum": "common", + "compress data via WinAPI": "common", + "compress data via ZLIB inflate or deflate": "common", + "encrypt or decrypt data via BCrypt": "common", + "hash data via BCrypt": "common", + "hash data using djb2": "common", + "hash data using murmur2": "common", + "generate random numbers using the Delphi LCG": "common", + "extract resource via kernel32 functions": "common", + "get file system object information": "common", + "delete directory": "common", + "get 
file version info": "common", + "access firewall settings via INetFwMgr": "common", + "find graphical window": "common", + "enumerate devices by category": "common", + "get process heap flags": "common", + "get process heap force flags": "common", + "get process image filename": "common", + "query service status": "common", + "suspend thread": "common", + "terminate thread": "common", + "linked against CPP regex library": "common", + "linked against libcurl": "common", + "linked against OpenSSL": "common", + "linked against wolfSSL": "common", + "import public key": "common", + "empty the recycle bin": "common", + "stop service": "common", + "obtain TransmitPackets callback function via WSAIoctl": "common", + "connect pipe": "common", + "write clipboard data": "common", + "set application hook": "common", + "patch Event Tracing for Windows function": "common", + "get kernel32 base address": "common", + "inspect section memory permissions": "common", + "validate payment card number using luhn algorithm": "common", + "enumerate domain computers via LDAP": "common", + "get domain information": "common", + "steal KeePass passwords using KeeFarce": "common", + "inject thread": "common", + "timestomp file": "common", + "encrypt data using AES MixColumns step": "common", + "list user accounts": "common", + "get storage device properties": "common", + "access the Windows event log": "common", + "persist via IIS module": "common", + "persist via ISAPI extension": "common", + "forwarded export": "common", + "linked against PolarSSL/mbed TLS": "common", + "linked against XZip": "common", + "hide thread from debugger": "common", + "switch active desktop": "common", + "get MAC address on Windows": "common", + "send ICMP echo request": "common", + "decode data using Base64 via WinAPI": "common", + "empty recycle bin quietly": "common", + "get current user on Linux": "common", + "enumerate files on Linux": "common", + "read file on Linux": "common", + "write file on Linux": 
"common", + "create semaphore on Linux": "common", + "lock semaphore on Linux": "common", + "unlock semaphore on Linux": "common", + "get networking interfaces": "common", + "get kernel version": "common", + "create process on Linux": "common", + "decrypt data via SSPI": "common", + "encrypt data via SSPI": "common", + "get client handle via SChannel": "common", + "check mutex": "common", + "get system information on Linux": "common", + "terminate process via kill": "common", + "write pipe": "common", + "spawn thread to RWX shellcode": "common", + "obfuscated with SmartAssembly": "common", + "encrypt data using AES via .NET": "common", + "generate method via reflection in .NET": "common", + "mixed mode": "common", + "execute syscall instruction": "common", + "block operations on executable memory pages using Arbitrary Code Guard": "common", + "protect spawned processes with mitigation policies": "common", + "spoof parent PID": "common", + "get ntdll base address": "common", + "bypass UAC via AppInfo ALPC": "common", + "bypass UAC via RPC": "common", + "bypass UAC via token manipulation": "common", + "manually build AES constants": "common", + "reference cryptocurrency strings": "common", + "encrypt data using XXTEA": "common", + "modify service": "common", + "save image in .NET": "common", + "gather chrome based browser login information": "common", + "reference WMI statements": "common", + "decode data using Base64 in .NET": "common", + "find data using regex in .NET": "common", + "load XML in .NET": "common", + "enumerate drives": "common", + "access WMI data in .NET": "common", + "resolve path using msvcrt": "common", + "send file using FTP": "common", + "enumerate processes via NtQuerySystemInformation": "common", + "disable driver code integrity": "common", + "install driver": "common", + "get Windows directory from KUSER_SHARED_DATA": "common", + "set console window title": "common", + "map section object": "common", + "hijack thread execution": "common", + 
"check for time delay via QueryPerformanceCounter": "common", + "compiled with dmd": "common", + "read virtual disk": "common", + "create Restart Manager session": "common", + "delete volume shadow copies": "common", + "detect VM via disk hardware WMI queries": "common", + "detect VM via motherboard hardware WMI queries": "common", + "manipulate safe mode programs": "common", + "read raw disk data": "common", + "query service configuration": "common", + "get token privileges": "common", + "obfuscated with DeepSea Obfuscator": "common", + "delete internet cache": "common", + "check for PEB NtGlobalFlag flag": "common", + "implement COM DLL": "common", + "act as DHCP server callout DLL": "common", + "act as DNS server plugin DLL": "common", + "act as Security Support Provider DLL": "common", + "act as SubAuthentication Package DLL": "common", + "act as credential manager DLL": "common", + "reference public RSA key": "common", + "get domain controller name": "common", + "self delete": "common", + "extract HTTP body": "common", + "clear Windows event logs": "common", + "lock the desktop": "common", + "hide the Windows taskbar": "common", + "manipulate CD-ROM drive": "common", + "power down monitor": "common", + "swap mouse buttons": "common", + "execute command": "common", + "overwrite Master Boot Record (MBR)": "common", + "linked against ZLIB": "common", + "compiled with nuitka": "common", + "contain anti-disasm techniques": "common", + "terminate process by name": "common", + "reference anti-VM strings targeting Qemu": "common", + "decompress data using UCL": "common", + "get CPU information": "common", + "create device object": "common", + "enumerate minifilter drivers": "common", + "find process by PID": "common", + "inspect load icon resource": "common", + "capture screenshot via keybd event": "common", + "decrypt data using TEA": "common", + "encrypt data using TEA": "common", + "encrypt data using RC6": "common", + "check for sandbox and av modules": "common", 
+ "check if process is running under wine": "common", + "create shortcut via IShellLink": "common", + "send TCP data via WFP API": "common", + "copy network traffic": "common", + "register network filter via WFP API": "common", + "allocate user process RWX memory": "common", + "free user process memory": "common", + "get OS information via KUSER_SHARED_DATA": "common", + "compiled with Go": "common", + "decompress data using QuickLZ": "common", + "schedule task via schtasks": "common", + "encrypt data using XTEA": "common", + "compiled with Borland Delphi": "common", + "load NCR ATM library": "common", + "encrypt data using RC4 with custom key via WinAPI": "common", + "act as password filter DLL": "common", + "schedule task via ITaskService": "common", + "reference absolute stream path on Windows": "common", + "linked against CPP JSON library": "common", + "access PE header": "common", + "compiled with cx_Freeze": "common", + "acquire credentials from Windows Credential Manager": "common", + "execute shell command and capture output": "common", + "encrypt data using OpenSSL DSA": "common", + "encrypt data using OpenSSL RSA": "common", + "enumerate browser history": "common", + "linked against wolfCrypt": "common", + "compiled with Nim": "common", + "compiled with MinGW for Windows": "common", + "disable AppInit_DLLs code signature enforcement": "common", + "persist via AppInit_DLLs registry key": "common", + "inject shellcode using extra window memory": "common", + "gather 3d-ftp information": "common", + "gather alftp information": "common", + "gather bitkinex information": "common", + "gather blazeftp information": "common", + "gather bulletproof-ftp information": "common", + "gather classicftp information": "common", + "gather coreftp information": "common", + "gather cuteftp information": "common", + "gather cyberduck information": "common", + "gather direct-ftp information": "common", + "gather directory-opus information": "common", + "gather expandrive 
information": "common", + "gather faststone-browser information": "common", + "gather fasttrack-ftp information": "common", + "gather ffftp information": "common", + "gather filezilla information": "common", + "gather flashfxp information": "common", + "gather fling-ftp information": "common", + "gather freshftp information": "common", + "gather frigate3 information": "common", + "gather ftp-commander information": "common", + "gather ftp-explorer information": "common", + "gather ftp-voyager information": "common", + "gather ftpgetter information": "common", + "gather ftpinfo information": "common", + "gather ftpnow information": "common", + "gather ftprush information": "common", + "gather ftpshell information": "common", + "gather global-downloader information": "common", + "gather goftp information": "common", + "gather leapftp information": "common", + "gather netdrive information": "common", + "gather nexusfile information": "common", + "gather nova-ftp information": "common", + "gather robo-ftp information": "common", + "gather securefx information": "common", + "gather smart-ftp information": "common", + "gather softx-ftp information": "common", + "gather southriver-webdrive information": "common", + "gather staff-ftp information": "common", + "gather total-commander information": "common", + "gather turbo-ftp information": "common", + "gather ultrafxp information": "common", + "gather winscp information": "common", + "gather winzip information": "common", + "gather wise-ftp information": "common", + "gather ws-ftp information": "common", + "gather xftp information": "common", + "impersonate user": "common", + "linked against aPLib": "common", + "reference NCR ATM library routines": "common", + "read and send data from client to server": "common", + "set global application hook": "common", + "change the wallpaper": "common", + "disable automatic Windows recovery features": "common", + "listen for remote procedure calls": "common", + "encode data using 
Base64 via WinAPI": "common", + "get outbound credentials handle via CredSSP": "common", + "encrypt data using DES via WinAPI": "common", + "get user security identifier": "common", + "create registry key via offline registry library": "common", + "open registry key via offline registry library": "common", + "query registry key via offline registry library": "common", + "set registry key via offline registry library": "common", + "set HTTP header": "common", + "check Internet connectivity via WinINet": "common", + "resolve function by Brute Ratel Badger hash": "common", + "resolve function by hash": "common", + "load Diebold Nixdorf ATM library": "common", + "linked against Crypto++": "common", + "receive HTTP request": "common", + "register HTTP server URL": "common", + "send HTTP response": "common", + "create mailslot": "common", + "read from mailslot": "common", + "compiled with exe4j": "common", + "resolve function by djb2 hash": "common", + "inject shellcode using window subclass procedure": "common", + "hash data using RIPEMD128": "common", + "hash data using SHA224": "common", + "execute .NET assembly via CLR host": "common", + "load Windows Common Language Runtime": "common", + "create new application domain in .NET": "common", + "get HTTP response content encoding": "common", + "get Explorer PID": "common", + "obfuscated with callobfuscator": "common", + "capture network configuration via ipconfig": "common", + "connect to URL": "common", + "decompress HTTP response via IEncodingFilterFactory": "common", + "create reverse shell on Linux": "common", + "execute shell command received from socket on Linux": "common", + "change file permission on Linux": "common", + "get memory information": "common", + "lock file": "common", + "get Linux distribution": "common", + "persist via .desktop autostart": "common", + "persist via shell profile or rc file": "common", + "persist via rc script": "common", + "execute anti-debugging instructions": "common", + "reference 
DNS over HTTPS endpoints": "common", + "deserialize JSON in .NET": "common", + "compiled with Zig": "common", + "get proxy": "common", + "check for Windows sandbox via device": "common", + "check for Windows sandbox via dns suffix": "common", + "check for Windows sandbox via genuine state": "common", + "check for Windows sandbox via process name": "common", + "check for Windows sandbox via registry": "common", + "check for microsoft office emulation": "common", + "check for sandbox username or hostname": "common", + "64-bit execution via heavens gate": "common", + "hash data using CRC32b": "common", + "persist via Winlogon Helper DLL registry key": "common", + "compiled with ps2exe": "common", + "run PowerShell expression": "common", + "crash the Windows event logging service": "common", + "capture public ip": "common", + "compiled with perl2exe": "common", + "inject shellcode using a file mapping object": "common", + "encrypt data using HC-128 via WolfSSL": "common", + "read data from CLFS log container": "common", + "rebuild import table": "common", + "encrypt data using skipjack": "common", + "get session integrity level": "common", + "decode data using Base64 via dword translation table": "common", + "encrypt data using vest": "common", + "get logon sessions": "common", + "discover Group Policy via gpresult": "common", + "create VMCI socket": "common", + "capture microphone audio": "common", + "start TCP server": "common", + "open clipboard": "common", + "compiled with pyarmor": "common", + "create TCP socket": "common", + "act as Exchange transport agent": "common", + "execute shellcode via CreateThreadpoolWait": "common", + "hash data using MD4": "common", + "check for OutputDebugString error": "common", + "check for protected handle exception": "common", + "check for trap flag exception": "common", + "check for unexpected memory writes": "common", + "check process job object": "common", + "reference anti-VM strings targeting Parallels": "common", + 
"reference anti-VM strings targeting VirtualPC": "common", + "get number of processor cores": "common", + "enumerate disk properties": "common", + "inject APC": "common", + "inject dll": "common", + "check for hardware breakpoints": "common", + "check for kernel debugger via shared user data structure": "common", + "identify ATM dispenser service provider": "common", + "reference Diebold ATM routines": "common", + "resolve function by FIN8 fasthash": "common", + "register minifilter driver": "common", + "start minifilter driver": "common", + "simulate CTRL ALT DEL": "common", + "get session information": "common", + "create virtual file system in .NET": "common", + "invoke .NET assembly method": "common", + "make an HTTP request with a Cookie": "common", + "obfuscated with ADVobfuscator": "common", + "execute shellcode via CopyFile2": "common", + "compiled with rust": "common", + "list groups for user account": "common", + "references logon banner": "common", + "enumerate internet cache": "common", + "log keystrokes via raw input data": "common", + "register raw input devices": "common", + "get routing table": "common", + "inject pe": "common", + "rebuilt by ImpRec": "common", + "patch process command line": "common", + "inject DLL reflectively": "common", + "impersonate file version information": "common", + "list drag and drop files": "common", + "encrypt data using HC-128": "common", + "compiled with V": "common", + "encrypt data using Sosemanuk": "common", + "compiled with py2exe": "common", + "compress data using LZO": "common", + "decompress data using LZO": "common", + "obfuscated with vs-obfuscation": "common", + "execute shellcode via Windows fibers": "common", + "check ProcessDebugPort": "common", + "check SystemKernelDebuggerInformation": "common", + "bypass Windows File Protection": "common", + "continue service": "common", + "pause service": "common", + "persist via GinaDLL registry key": "common", +} 
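Review bot: `RULES_PREVALENCE` carries no provenance: nothing in the file says which sample corpus, date or threshold produced the `common`/`rare` labels, so the table cannot be regenerated consistently or audited when a label looks wrong. A header comment after the license block such as `# Generated from <corpus, date, threshold - TODO fill in>; regenerate with <script - TODO> rather than editing by hand.` would document this. Only two values occur, so a one-line comment naming that closed set next to the `Dict[str, str]` annotation would also help readers of the consumers in result_document.py and the renderers.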
diff --git a/capa/render/verbose.py b/capa/render/verbose.py
index 076ad2b13..fafae36ad 100644
--- a/capa/render/verbose.py
+++ b/capa/render/verbose.py
@@ -265,6 +265,9 @@ def render_rules(ostream, doc: rd.ResultDocument):
 if ns:
 rows.append(("namespace", ns))
+ prevalence = rutils.bold(rule.meta.prevalence) if rule.meta.prevalence != "unknown" else "unknown"
+ rows.append(("prevalence", prevalence))
+
 desc = rule.meta.description
 if desc:
 rows.append(("description", desc))
diff --git a/capa/render/vverbose.py b/capa/render/vverbose.py
index ac1674672..5c3f16ff6 100644
--- a/capa/render/vverbose.py
+++ b/capa/render/vverbose.py
@@ -364,6 +364,9 @@ def render_rules(ostream, doc: rd.ResultDocument):
 # library rules should not have a namespace
 rows.append(("namespace", rule.meta.namespace))
+ prevalence = rutils.bold(rule.meta.prevalence) if rule.meta.prevalence != "unknown" else "unknown"
+ rows.append(("prevalence", prevalence))
+
 if rule.meta.maec.analysis_conclusion or rule.meta.maec.analysis_conclusion_ov:
 rows.append(
 (
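Review bot: The expression `rutils.bold(rule.meta.prevalence) if rule.meta.prevalence != "unknown" else "unknown"` is now copied verbatim into verbose.py, vverbose.py and default.py (earlier in this diff); one helper beside `rutils.bold`, e.g. a constructed `def render_prevalence(meta) -> str`, would keep the three renderers in step when the label set changes. Unlike the `namespace` row, which verbose.py only emits `if ns:`, the `prevalence` row is written even when the value is `"unknown"`; if that is intended it deserves a one-line comment, otherwise guard it the same way. Both `render_rules` bodies start before and continue after their hunks.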