tobias
f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
29 lines
785 B
Plaintext
29 lines
785 B
Plaintext
# capa
|
|
# Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog
|
|
# FOR610 Labs: 1.4, 5.4 | Sections: 1, 5
|
|
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files
|
|
|
|
% capabilities, mitre-attack, automated-analysis
|
|
|
|
# Basic usage
|
|
capa specimen.exe
|
|
|
|
# Verbose output with details
|
|
capa -vv specimen.exe
|
|
|
|
# Verbose output with details
|
|
capa -vv specimen.exe | grep -A7 'Suspended Process'
|
|
|
|
|
|
# --- Recipes (multi-tool chains) ---
|
|
|
|
# >> Filter Capabilities by Technique
|
|
# Full capabilities report
|
|
capa <sample>
|
|
# Verbose with rule matches
|
|
capa -vv <sample>
|
|
# Filter for specific technique
|
|
capa -vv <sample> | grep -A7 '<technique_name>'
|
|
# Find injection-related capabilities
|
|
capa -vv <sample> | grep -A7 'inject\|hollow\|suspend'
|