Add dynamic capa rules #816
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds rules that work for the new release of capa which adds the extraction of dynamic capabilities.
The rules here allow it for the new version of capa to work as usual for static analysis (since there were some changes to how capa handles rules, i.e.
scopeskeyword, dynamic/static scoping, etc.), but the rules however will not work for dynamic feature extractors (the CAPE feature extractor for now). This is because we are gradually migrating the current rules into the dynamic format, and that progress can be seen on the dynamic-syntax branch here (issue: mandiant/capa#1747)If you'd like to test out capa's new dynamic capability extraction, use the rules in that branch instead, since the main blocker for merging that is the scopes there aren't restrictive enough (process instead of thread, thread instead of api-call, etc.), as well as the fact that we anticipate the possible addition of some more dynamic features and support for more static characteristic features (possibly)
This PR should be merged when the dynamic capa branch is merged into mandiant/capa:master