Velociraptor aims to provide the “last step” in the process of digital forensic investigations, security monitoring and threat hunting.
CAPA detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
Running Fireeye’s CAPA directly on the endpoint with Velociraptor as an artifact collection may help in confirming suspicions before downloading a file from investigated endpoint. This saves time, central computing power but may also be required by privacy rules in some organizations.
Required:
https://github.com/fireeye/capa/
Artifact code below. Output is presented for quick review to decide whether file needs to be downloaded for further analysis.
name: Custom.Windows.Malware.Capa
description: |
Analyze PE files with capa tool.
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
tools:
- name: capa
url: https://github.com/fireeye/capa/releases/download/v1.4.1/capa-v1.4.1-windows.zip
serve_locally: true
required_permissions:
- EXECVE
parameters:
- name: file
default: '.'
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET bin <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
ToolName= "capa")
LET output = SELECT * FROM execve(argv=bin[0].FullPath + split(string=file, sep=" "))
SELECT * FROM if(condition=bin,
then={
SELECT * FROM foreach(
row=output,
query={
SELECT * FROM parse_lines(filename=str(str=Stdout),
accessor="data")
})
})
For the artifact to work you need to deliver CAPA binary from FEYE github.
Before running the collection you need to provide target file location as artifact parameter.
After collection is complete you’ll get CAPA file analysis results based on which you can deem the file worthy of further analysis or not.
With #infosec at 💔🔐 
One thought on “Analyzing binaries in place with Velociraptor and CAPA”