v3.0.3 (2021-10-27)
Released by williballenthin on 27 Oct 16:15
This is primarily a rule maintenance release:
- eight new rules, including all relevant techniques from ATT&CK v10, and
- two rules removed, due to the prevalence of false positives
We've also tweaked the status codes returned by capa.exe to be more specific and added a bit more metadata to the JSON output format.
As always, we welcome first-time contributors!
New Features
- show in which function a basic block (BB) match occurs #130 @williballenthin
- main: exit with unique error codes when bailing #802 @williballenthin
New Rules (8)
- nursery/resolve-function-by-fnv-1a-hash [email protected]
- data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc [email protected]
- collection/group-policy/discover-group-policy-via-gpresult [email protected]
- host-interaction/bootloader/manipulate-safe-mode-programs [email protected]
- nursery/enable-safe-mode-boot [email protected]
- persistence/iis/persist-via-iis-module [email protected]
- persistence/iis/persist-via-isapi-extension [email protected]
- targeting/language/identify-system-language-via-api [email protected]
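The new rule `nursery/resolve-function-by-fnv-1a-hash` targets code that locates imports by comparing hashes of API names instead of using the names themselves. During analysis the usual way to recover such imports is to precompute the same hash over a list of candidate API names and look the observed values up. The script below is an added illustration written for this release note, not capa's own code or rule logic; it assumes the 32-bit FNV-1a variant (offset basis 0x811c9dc5, prime 0x01000193) and uses a small, constructed list of API names and a constructed set of "observed" hashes standing in for values pulled from a sample.

```python
# FNV-1a (32-bit) hash-table builder for resolving hashed API names during
# analysis. Added example for this release note; not capa's implementation.
# Assumption: the 32-bit variant with the standard offset basis and prime.

FNV32_OFFSET_BASIS = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Compute the 32-bit FNV-1a hash of a byte string."""
    h = FNV32_OFFSET_BASIS
    for b in data:
        h ^= b                      # FNV-1a: xor the byte first...
        h = (h * FNV32_PRIME) & 0xFFFFFFFF  # ...then multiply, truncated to 32 bits
    return h


# Constructed candidate list; a real analysis would use exported names from
# the DLLs the sample is expected to touch.
CANDIDATE_APIS = [
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
    "CreateFileW",
    "WriteFile",
]


def build_hash_table(names, hash_fn=fnv1a_32) -> dict:
    """Map hash value -> API name for every candidate name.

    Names are hashed as ASCII bytes without a terminator; that is an
    assumption about the hashing convention, so it is parameterised by
    hash_fn so other conventions (e.g. NUL-terminated input) can be tried.
    """
    return {hash_fn(name.encode("ascii")): name for name in names}


def resolve_hashes(observed, table) -> dict:
    """Resolve observed hash constants to names; unknown hashes map to None."""
    return {h: table.get(h) for h in observed}


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_APIS)
    # Constructed "observed" constants: two real table entries plus one
    # value that will not resolve, to show how an unknown hash is reported.
    observed = [fnv1a_32(b"VirtualAlloc"), fnv1a_32(b"WriteFile"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, table).items():
        print(f"0x{h:08x} -> {name if name else '<unresolved>'}")
```

If the observed constants do not resolve, the common reasons are a different hash variant (64-bit, a custom prime or basis) or a different input convention (NUL-terminated, case-folded, or UTF-16 names); swapping `hash_fn` or the encoding in `build_hash_table` covers those cases.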
Removed Rules (2)
- load-code/pe/parse-pe-exports: too many false positives in unrelated structure accesses
- anti-analysis/anti-vm/vm-detection/execute-anti-vm-instructions: too many false positives in junk code
Bug Fixes
- update references from FireEye to Mandiant