From b9c8d96aa1b2944579df158410bcfb033cc10a5d Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 17 Sep 2024 10:14:30 -0400
Subject: [PATCH 1/9] Update service_manifest.yml
---
service_manifest.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/service_manifest.yml b/service_manifest.yml
index a14e2aa..cc2463b 100644
--- a/service_manifest.yml
+++ b/service_manifest.yml
@@ -649,6 +649,8 @@ docker_config:
 dependencies:
 updates:
 container:
+ cpu_cores: 2.0
+ ram_mb: 4096
 allow_internet_access: true
 command: ["python", "-m", "cape.update_server"]
 image: ${REGISTRY}cccs/assemblyline-service-cape:$SERVICE_TAG
From 5596cda1f7291219f9ffd3ce409b895fafe06ca1 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Wed, 18 Sep 2024 15:48:23 +0000
Subject: [PATCH 2/9] Adding a signature
---
cape/signatures.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/cape/signatures.py b/cape/signatures.py
index d30bef0..6b8544a 100644
--- a/cape/signatures.py
+++ b/cape/signatures.py
@@ -660,6 +660,7 @@
 "suricata_alert": "Network",
 "suspicious_certutil_use": "Command",
 "suspicious_command_tools": "Command",
+ "suspicious_html_title": "Phishing",
 "suspicious_ioctl_scsipassthough": "Bootkit",
 "suspicious_js_script": "Downloader",
 "suspicious_mpcmdrun_use": "Command",
From 1717d9e0fbc3cc2c9e693bc3045c76ffc970ef25 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Thu, 19 Sep 2024 12:07:16 -0400
Subject: [PATCH 3/9] Update signatures.py
---
cape/signatures.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/cape/signatures.py b/cape/signatures.py
index 6b8544a..032ca7f 100644
--- a/cape/signatures.py
+++ b/cape/signatures.py
@@ -221,6 +221,7 @@
 "disables_winfirewall": "Generic",
 "dll_load_uncommon_file_types": "Anti-debug",
 "document_script_exe_drop": "Dropper",
+ "domain_enumeration_commands": "Discovery",
 "doppelganging": "Injection", # CAPE
 "dotnet_clr_usagelog_regkeys": "Evasion",
 "dotnet_code_compile": "Evasion",
From 2961d474a5696948a89c32e0802d2d42399c7f34 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Fri, 20 Sep 2024 19:11:51 +0000
Subject: [PATCH 4/9] Reversing the yara fix
---
cape/cape_main.py | 2 --
1 file changed, 2 deletions(-)
diff --git a/cape/cape_main.py b/cape/cape_main.py
index ebd02eb..f3ee156 100644
--- a/cape/cape_main.py
+++ b/cape/cape_main.py
@@ -399,8 +399,6 @@ def execute(self, request: ServiceRequest) -> None:
 def _load_rules(self):
 # Generate root directory for yara rules.
- if self.rules_directory is None:
- return
 yara_root = os.path.join(self.rules_directory, "cape")
 errors = {}
From d4aecf19cf279382fd6706f30385f4daeb8d6d38 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Fri, 20 Sep 2024 19:16:20 +0000
Subject: [PATCH 5/9] Fixing the loading of rules in case there is a problem with the updater and/or repo
---
cape/cape_main.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/cape/cape_main.py b/cape/cape_main.py
index f3ee156..fb03f52 100644
--- a/cape/cape_main.py
+++ b/cape/cape_main.py
@@ -402,6 +402,8 @@ def _load_rules(self):
 yara_root = os.path.join(self.rules_directory, "cape")
 errors = {}
+ if not os.path.exists(yara_root):
+ return
 # Need to define each external variable that will be used in the future. Otherwise Yara will complain.
 externals = {"filename": ""}
 externals.update(YARA_EXTERNALS)
From 98b3c2892b15caba6422c74e7f72ad330acf79ac Mon Sep 17 00:00:00 2001
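Review bot: The new `if not os.path.exists(yara_root): return` in `_load_rules` skips rule loading silently when the `cape` directory is missing, which is exactly the updater/repo failure the commit message describes and the one an operator most needs to see; the service would then scan with no CAPE YARA rules and leave no trace of why. I would emit a warning before returning, e.g. `self.log.warning("CAPE YARA rules directory %s not found; continuing without rules", yara_root)` (assuming the service keeps the usual `self.log` logger — confirm), so a missing rule set shows up in monitoring rather than as quietly reduced detections. I would also test with `os.path.isdir(yara_root)` rather than `os.path.exists`, so a stray regular file named `cape` does not pass the guard and fail further down. `_load_rules` continues past the end of this hunk.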
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Fri, 20 Sep 2024 19:18:32 +0000
Subject: [PATCH 6/9] Resolving the other issue in the loader
---
cape/cape_main.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cape/cape_main.py b/cape/cape_main.py
index fb03f52..abafd29 100644
--- a/cape/cape_main.py
+++ b/cape/cape_main.py
@@ -399,6 +399,9 @@ def execute(self, request: ServiceRequest) -> None:
 def _load_rules(self):
 # Generate root directory for yara rules.
+ if self.rules_directory is None:
+ return
+
 yara_root = os.path.join(self.rules_directory, "cape")
 errors = {}
From 16d9d17bf516aabeec818a6f28ae9a4d43a8a956 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Mon, 7 Oct 2024 14:11:18 -0400
Subject: [PATCH 7/9] Update README.md
---
README.md | 2 --
1 file changed, 2 deletions(-)
diff --git a/README.md b/README.md
index 5ccd44e..27dd793 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,5 @@
 # CAPEv2 service
-**Important**: CAPE Service currently works with version up to 20.05.2024 features and commit [9a543e7]https://github.com/kevoreilly/CAPEv2/commit/9a543e7513c8c1bc62573af041bdc9f87b206f79"
-
 This repository is an Assemblyline service that submits a file to a CAPEv2 deployment, waits for the submission to complete, and then parses the report returned.
From 290bfb9a57fd1bc011473342752f9f62b44449d4 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 8 Oct 2024 15:09:09 -0400
Subject: [PATCH 8/9] Update cmd extracted
---
cape/cape_result.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/cape/cape_result.py b/cape/cape_result.py
index 66d51dd..7052923 100644
--- a/cape/cape_result.py
+++ b/cape/cape_result.py
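Review bot: The restored `if self.rules_directory is None: return` at the top of `_load_rules` returns without any log line, so an instance that never received a rules directory from the updater quietly runs with no YARA matching at all; together with the `os.path.exists` guard from PATCH 5/9 the function now has two silent early exits. Since this series frames the change as handling updater/repo failures, that is a condition operators need surfaced, so I would add `self.log.warning("No rules directory configured; CAPE YARA rules will not be loaded")` before the `return` (assuming the service exposes the usual `self.log` — confirm). A one-line comment above the guard explaining that a `None` directory means the updater has not delivered rules yet would also help the next reader, since the existing `# Generate root directory` comment no longer describes what follows it. The function continues outside the hunk.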
@@ -2154,6 +2154,7 @@ def process_all_events(
 command = get_cmd_command(match.value)
 if command and command + b"\n" not in bat_commands:
 bat_commands.append(command + b"\n")
+ bat_commands.append(event.command_line.encode())
 if event.objectid.time_observed in [MIN_TIME, MAX_TIME]:
 continue
From a6156cdefdf865a75fc6139dfcc996dd526f2600 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Wed, 9 Oct 2024 13:40:12 -0400
Subject: [PATCH 9/9] Update cape_result.py
---
cape/cape_result.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/cape/cape_result.py b/cape/cape_result.py
index 7052923..66d51dd 100644
--- a/cape/cape_result.py
+++ b/cape/cape_result.py
@@ -2154,7 +2154,6 @@ def process_all_events(
 command = get_cmd_command(match.value)
 if command and command + b"\n" not in bat_commands:
 bat_commands.append(command + b"\n")
- bat_commands.append(event.command_line.encode())
 if event.objectid.time_observed in [MIN_TIME, MAX_TIME]:
 continue
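Review bot: The added `bat_commands.append(event.command_line.encode())` bypasses the `not in bat_commands` dedup and the `+ b"\n"` framing applied to the regex-extracted command two lines above, so the raw command line is appended once per event and without the newline terminator the other entries carry, which would yield duplicate and inconsistently framed entries in whatever consumes `bat_commands`. PATCH 9/9 in this series removes the line again, so the net change to `cape_result.py` is nil; if capturing the raw command line is still wanted, it should go through the same checks, e.g. `raw = event.command_line.encode() + b"\n"` followed by `if raw not in bat_commands: bat_commands.append(raw)`. `process_all_events` starts and ends outside the hunk.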