capa-rules
Standard collection of rules for capa: the tool for enumerating the capabilities of programs
Hi, what is the best way to create rule/rules to detect these suspicious libraries? Would it be a rule for each library? Ref.: https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/
Create a standard to guard rules with multiple formats, e.g. binary, script, and .NET. I like the idea of `matches: xyz technology` where we expect the former to be included...
see dfd6...c4e0 - number: 56 - bytes: see constant tables e.g. in https://github.com/libtom/libtomcrypt/blob/develop/src/ciphers/des.c
I noticed that the current .NET rules missed a lot of functionality/API calls that the aspx test malware includes. I therefore modified the currently available rules and created new ones...
link: https://github.com/yck1509/ConfuserEx/blob/master/Confuser.Runtime/antinet/AntiManagedProfiler.cs
https://github.com/Outbuilt/.NET-Anti-Debug
## Prerequisites

* [x] Put an X between the brackets on this line if you have done all of the following:
* Checked that your rule idea isn't already filed:...
## Features

- export: DllGetClassObject
- (export: DllRegisterServer)

## Additional context

https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-dllgetclassobject