-
Through version 2.0, capa only supported Windows PE files and shellcode. In #700 and mandiant/capa-rules#442 @Adir-Shemesh and @TcM1911 add support for ELF files. This means that capa can now match executables that target non-Windows operating systems! Obviously, logic that matches on one operating system is (probably) not relevant to other operating systems. For example, the APIs provided by Microsoft Windows are different than those provided by libc on Linux. We expect this to introduce a few problems:
(3) is of particular note for us - we consider capa's rule set to be consumed as much by humans as by computers. In this thread we want to document various strategies of organizing multi-OS rule logic and discuss the pros and cons. Some points to consider:
Note: PE vs ELF don't necessarily correspond directly to an underlying architecture or operating system. If we propose to extend capa rules with OS-specific features, then we'll need to also extend the feature extractors to provide the detected OS. avoiding cross-OS matchescapa may match logic meant for one OS against files for another OS, potentially resulting in false positives. I'm not sure how prevalent this will be in practice. We should be aware of this possibility and consider its impact. performanceWith more and more rules we should keep an eye on performance. capa will perform better if we only apply targeted rules vs. everything and all features. intuitive capability documentation for humansWe consider capa's rule set to be consumed as much by humans as by computers. We should design a strategy that makes it easy for a human to recognize which logic applies to which OS, when relevant. For example, consider a rule that fetches system information: rule:
meta:
name: get system information
features:
- or:
- api: ZwQuerySystemInformationEx
- api: sysconf
- and:
- api: system
- string: "lshw" The API duplication of meta data and file directory structurecapa rules have a lot of metadata associated with them, like ATT&CK mappings. We should design strategies that avoid duplicating metadata in many places (e.g. if we suggest duplicating rules by OS then the metadata is duplicated within the rules, too) because this information can fall out of date easily. possibilities to leverage higher-level rulescapa already supports rules matching other rules and namespaces. This means that its feasible to split up logic across various rules and recognize capabilities in "higher level" rules. For example, the following rule relies on another rule ( rule:
meta:
name: collect ssh keys
features:
- and:
- match: read file
- or:
- string: /id_rsa/ backwards compatibility and/or breaking changes requiring a new major releasecapa releases follow semantic versioning: we avoid breaking changes in minor and patch releases. Furthermore, despite our recent publicity around v2.0, we don't consider major releases to necessarily be "major". They just signify breaking changes. So, if we need to change capa behavior in a breaking way, we'll need to coordinate a release of capa v3.0. Its unclear if our semantic versioning applies to capa rules, too. That is, if we introduce a new capa rule feature that cannot be used in old capa versions, is this a breaking change that requires a new major release of capa? Probably, but we haven't documented this, yet. |
Beta Was this translation helpful? Give feedback.
Replies: 7 comments 35 replies
-
Multiple OSes in one ruleThis adds a few extra fields to the initially proposed rules. meta:
name: get CPU information
namespace: host-interaction/hardware/cpu
author:
- moritz.raabe@fireeye.com
- joakim@intezer.com
scope: function
att&ck:
- Discovery::System Information Discovery [T1082]
examples:
- BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A
features:
- windows:
- or:
- and:
- match: query or enumerate registry value
- string: /Hardware\\Description\\System\\CentralProcessor/i
- linux:
- or:
- and:
- match: read file
- string: "/proc/cpuinfo"
- and:
- api: system
- string: /\/proc\/cpuinfo/ Maybe adding an additional meta data fields makes sense as well, e.g. meta:
...
os:
- linux
- freebsd
... Pros
Cons
|
Beta Was this translation helpful? Give feedback.
-
emit features with OS suffixToday, we emit number features with suffixes that reflects their architecture, like In this case, we'd emit both I think these suffixes would apply to most/all features. Pros
Cons
|
Beta Was this translation helpful? Give feedback.
-
one OS per fileWe could limit the rule OS scope at the file-level via a new metadata field, like so: rule:
meta:
name: invoke system
os:
- linux
- freebsd
... If Rule names should probably be extended when they're OS specific, like Then, we can encourage higher-level rules like so: rule:
meta:
name: read file
features:
matches: host-interaction/file-system/read # matches any of the "...on [OS]" rules here or: rule:
meta:
name: read file
features:
or:
matches: read file on Linux
matches: read file on Windows Pro
Con
|
Beta Was this translation helpful? Give feedback.
-
one OS per root rule directorySeparate rules by OS at the top-level directory structure. Define OSes at the root of
Pro
Con
|
Beta Was this translation helpful? Give feedback.
-
do nothingDon't introduce any further organization of rules or logic. Maybe its not yet a problem so we shouldn't over-engineer a solution before necessary. Pro
Con
|
Beta Was this translation helpful? Give feedback.
-
file "subclasses"If a rule has an OS specific version add a file/reference that only updates what's listed in the new file rule:
meta:
name: create reverse shell
namespace: c2/shell
author: moritz.raabe@fireeye.com
scope: function
...
os:
- linux: create unix reverse shell Alternatively, users add a file to the same path with a suffix, e.g. Then rule:
meta:
name: create unix reverse shell
author: joakim@intezer.com
att&ck:
- Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
examples:
- 7351f8a40c5450557b24622417fc478d:0x40231E
features:
- or:
- and:
- match: duplicate stdin and stdout
- match: create process Pro
Con
As I'm writing this I'm not really convinced by this approach, but documenting it regardless. |
Beta Was this translation helpful? Give feedback.
-
Thinking about this more, one option that I haven't seen mentioned is adding new file scope characteristics corresponding to PE files or ELF files. This would be backwards-compatible AFAICT, and could look something like:
|
Beta Was this translation helpful? Give feedback.
Multiple OSes in one rule
This adds a few extra fields to the initially proposed rules.
Split up features block by OS, example based on
get CPU information
from mandiant/capa-rules#442