Commit 369fbc7

Merge pull request #2538 from mandiant/williballenthin-patch-1
readme: avoid scroll on github homepage
2 parents e3a1dbf + 2b46796 commit 369fbc7

1 file changed

+41
-43
lines changed

README.md

@@ -38,49 +38,47 @@ Below you find a list of [our capa blog posts with more details.](#blog-posts)
3838
```
3939
$ capa.exe suspicious.exe
4040
41-
+------------------------+--------------------------------------------------------------------------------+
42-
| ATT&CK Tactic | ATT&CK Technique |
43-
|------------------------+--------------------------------------------------------------------------------|
44-
| DEFENSE EVASION | Obfuscated Files or Information [T1027] |
45-
| DISCOVERY | Query Registry [T1012] |
46-
| | System Information Discovery [T1082] |
47-
| EXECUTION | Command and Scripting Interpreter::Windows Command Shell [T1059.003] |
48-
| | Shared Modules [T1129] |
49-
| EXFILTRATION | Exfiltration Over C2 Channel [T1041] |
50-
| PERSISTENCE | Create or Modify System Process::Windows Service [T1543.003] |
51-
+------------------------+--------------------------------------------------------------------------------+
52-
53-
+-------------------------------------------------------+-------------------------------------------------+
54-
| CAPABILITY | NAMESPACE |
55-
|-------------------------------------------------------+-------------------------------------------------|
56-
| check for OutputDebugString error | anti-analysis/anti-debugging/debugger-detection |
57-
| read and send data from client to server | c2/file-transfer |
58-
| execute shell command and capture output | c2/shell |
59-
| receive data (2 matches) | communication |
60-
| send data (6 matches) | communication |
61-
| connect to HTTP server (3 matches) | communication/http/client |
62-
| send HTTP request (3 matches) | communication/http/client |
63-
| create pipe | communication/named-pipe/create |
64-
| get socket status (2 matches) | communication/socket |
65-
| receive data on socket (2 matches) | communication/socket/receive |
66-
| send data on socket (3 matches) | communication/socket/send |
67-
| connect TCP socket | communication/socket/tcp |
68-
| encode data using Base64 | data-manipulation/encoding/base64 |
69-
| encode data using XOR (6 matches) | data-manipulation/encoding/xor |
70-
| run as a service | executable/pe |
71-
| get common file path (3 matches) | host-interaction/file-system |
72-
| read file | host-interaction/file-system/read |
73-
| write file (2 matches) | host-interaction/file-system/write |
74-
| print debug messages (2 matches) | host-interaction/log/debug/write-event |
75-
| resolve DNS | host-interaction/network/dns/resolve |
76-
| get hostname | host-interaction/os/hostname |
77-
| create a process with modified I/O handles and window | host-interaction/process/create |
78-
| create process | host-interaction/process/create |
79-
| create registry key | host-interaction/registry/create |
80-
| create service | host-interaction/service/create |
81-
| create thread | host-interaction/thread/create |
82-
| persist via Windows service | persistence/service |
83-
+-------------------------------------------------------+-------------------------------------------------+
41+
+--------------------+------------------------------------------------------------------------+
42+
| ATT&CK Tactic | ATT&CK Technique |
43+
|--------------------+------------------------------------------------------------------------|
44+
| DEFENSE EVASION | Obfuscated Files or Information [T1027] |
45+
| DISCOVERY | Query Registry [T1012] |
46+
| | System Information Discovery [T1082] |
47+
| EXECUTION | Command and Scripting Interpreter::Windows Command Shell [T1059.003] |
48+
| | Shared Modules [T1129] |
49+
| EXFILTRATION | Exfiltration Over C2 Channel [T1041] |
50+
| PERSISTENCE | Create or Modify System Process::Windows Service [T1543.003] |
51+
+--------------------+------------------------------------------------------------------------+
52+
53+
+-------------------------------------------+-------------------------------------------------+
54+
| CAPABILITY | NAMESPACE |
55+
|-------------------------------------------+-------------------------------------------------|
56+
| read and send data from client to server | c2/file-transfer |
57+
| execute shell command and capture output | c2/shell |
58+
| receive data (2 matches) | communication |
59+
| send data (6 matches) | communication |
60+
| connect to HTTP server (3 matches) | communication/http/client |
61+
| send HTTP request (3 matches) | communication/http/client |
62+
| create pipe | communication/named-pipe/create |
63+
| get socket status (2 matches) | communication/socket |
64+
| receive data on socket (2 matches) | communication/socket/receive |
65+
| send data on socket (3 matches) | communication/socket/send |
66+
| connect TCP socket | communication/socket/tcp |
67+
| encode data using Base64 | data-manipulation/encoding/base64 |
68+
| encode data using XOR (6 matches) | data-manipulation/encoding/xor |
69+
| run as a service | executable/pe |
70+
| get common file path (3 matches) | host-interaction/file-system |
71+
| read file | host-interaction/file-system/read |
72+
| write file (2 matches) | host-interaction/file-system/write |
73+
| print debug messages (2 matches) | host-interaction/log/debug/write-event |
74+
| resolve DNS | host-interaction/network/dns/resolve |
75+
| get hostname | host-interaction/os/hostname |
76+
| create process | host-interaction/process/create |
77+
| create registry key | host-interaction/registry/create |
78+
| create service | host-interaction/service/create |
79+
| create thread | host-interaction/thread/create |
80+
| persist via Windows service | persistence/service |
81+
+-------------------------------------------+-------------------------------------------------+
8482
```
8583

8684
# download and usage
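
Review bot: The added CAPABILITY table silently drops two rows instead of only narrowing the columns: "check for OutputDebugString error | anti-analysis/anti-debugging/debugger-detection" and "create a process with modified I/O handles and window | host-interaction/process/create". The block is still presented as the output of `$ capa.exe suspicious.exe`, so the README example no longer matches what the tool reports for that sample, and the only anti-analysis finding disappears from it. Removing the long "create a process with modified I/O handles and window" row does shrink the CAPABILITY column, but "check for OutputDebugString error" is shorter than rows that were kept (for example "read and send data from client to server"), and the NAMESPACE column border looks unchanged between the removed and added lines, so dropping it gains no width. Suggest keeping the OutputDebugString row, and either marking the table as abbreviated (a trailing `...` row or a sentence above the block) or mentioning the removed rows in the commit message, which currently only says "avoid scroll on github homepage".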
