Analyzing binaries in place with Velociraptor and CAPA

Velociraptor aims to provide the “last step” in the process of digital forensic investigations, security monitoring and threat hunting. 

CAPA detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

Running FireEye's CAPA directly on the endpoint, as a Velociraptor artifact collection, can help confirm suspicions before a file is downloaded from the investigated endpoint. This saves time and central computing power, and may also be required by privacy rules in some organizations.

Required:

https://github.com/fireeye/capa/

https://www.velocidex.com/

Artifact code below. The output is presented for quick review, to decide whether the file needs to be downloaded for further analysis.

name: Custom.Windows.Malware.Capa
description: |
   Analyze PE files with capa tool.

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT

# The capa release zip is uploaded to the Velociraptor server once and served
# to clients from there (serve_locally), so endpoints never fetch it from GitHub.
tools:
  - name: capa
    url: https://github.com/fireeye/capa/releases/download/v1.4.1/capa-v1.4.1-windows.zip
    serve_locally: true

# execve() is only available to artifacts that declare this permission.
required_permissions:
  - EXECVE

# Path of the file to analyze. Extra capa arguments may be given in the same
# parameter, space-separated, because the value is split on spaces below.
parameters:
   - name: file
     default: '.'

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
        -- Locate the capa binary on the client, fetching it from the server if needed.
        LET bin <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
              ToolName= "capa")
        -- Run capa with the parameter split into argv. Lazy (=), so it only runs
        -- inside the if() below, after the binary is known to be present.
        LET output = SELECT * FROM execve(argv=bin[0].FullPath + split(string=file, sep=" "))

        -- Emit capa's stdout one line per row for review in the GUI.
        SELECT * FROM if(condition=bin,
            then={
                SELECT * FROM foreach(
                    row=output,
                    query={
                        SELECT * FROM parse_lines(filename=str(str=Stdout),
                        accessor="data")
                    })
                })

For the artifact to work you need to deliver the CAPA binary from the FireEye GitHub release; the artifact's tools section points at the v1.4.1 Windows zip and serves it from the Velociraptor server.

Before running the collection you need to provide the target file location as the artifact's file parameter.

After the collection completes you'll get CAPA's analysis of the file, from which you can decide whether it warrants further analysis or not.
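As an added example that is not part of the original post, nor of capa or Velociraptor: because the artifact splits the file parameter on spaces, capa can be asked for JSON output (its -j flag) instead of the text table, and the review step can then be scripted. The sample report, the namespaces chosen for escalation and the summarize_capa function are constructed assumptions shaped after capa's JSON layout, not its exact schema.

```python
import json
from collections import defaultdict

# Constructed sample shaped like capa's JSON (-j) report: "rules" maps each matched rule name
# to its meta (namespace, ATT&CK entries) and match addresses. Only fields read below are modelled.
SAMPLE_CAPA_JSON = json.dumps({
    "meta": {"sample": {"path": "C:\\Users\\victim\\svc.exe"}},
    "rules": {
        "create service": {
            "meta": {"namespace": "persistence/service",
                     "att&ck": [{"tactic": "Persistence", "technique": "Create or Modify System Process",
                                 "subtechnique": "Windows Service", "id": "T1543.003"}]},
            "matches": {"0x401000": [], "0x401200": []}},
        "send HTTP request": {
            "meta": {"namespace": "communication/http/client",
                     "att&ck": [{"tactic": "Command and Control", "technique": "Application Layer Protocol",
                                 "subtechnique": "Web Protocols", "id": "T1071.001"}]},
            "matches": {"0x402000": []}},
        "contain PEB access": {"meta": {"namespace": "host-interaction/process", "att&ck": []},
                               "matches": {"0x403000": []}},
    },
})

# Rule namespaces that on their own justify pulling the file for deeper analysis.
# Constructed triage policy; tune it to the organisation's threat model.
ESCALATE_NAMESPACES = ("persistence/", "communication/", "anti-analysis/")

def summarize_capa(json_text):
    """Group matched capabilities by ATT&CK tactic, count match locations per rule,
    and decide whether the file should be downloaded for further analysis."""
    doc = json.loads(json_text)
    by_tactic = defaultdict(list)
    escalate = []
    for rule_name, rule in doc.get("rules", {}).items():
        meta = rule.get("meta", {})
        hits = len(rule.get("matches", {}))
        # Rules without an ATT&CK mapping are still reported, under a placeholder tactic.
        entries = meta.get("att&ck") or [{"tactic": "(no ATT&CK mapping)", "id": ""}]
        for entry in entries:
            by_tactic[entry["tactic"]].append((rule_name, entry.get("id", ""), hits))
        if meta.get("namespace", "").startswith(ESCALATE_NAMESPACES):
            escalate.append(rule_name)
    return {"by_tactic": dict(by_tactic), "escalate": sorted(escalate),
            "download_for_analysis": bool(escalate)}

if __name__ == "__main__":
    summary = summarize_capa(SAMPLE_CAPA_JSON)
    for tactic, caps in sorted(summary["by_tactic"].items()):
        print(tactic, caps)
    print("download for analysis:", summary["download_for_analysis"])
```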
