capa: Automatically Identify Malware Capabilities w/ Ballenthin & Moritz Raabe - SANS DFIR Summit

Author: SANS Digital Forensics and Incident Response

Uploaded: 2020-09-14

Views: 6458

Description:

Effective analysts are those who understand and prioritize files of interest during an incident response. However, understanding whether a program is malicious, the role it plays during an attack, and its potential capabilities requires at least basic malware analysis skills. And often, it takes an experienced reverse engineer to recover a file's complete functionality and guess at the author's intent. We are here to clear that roadblock and demonstrate how to algorithmically triage an unknown program.

Our newest tool, called capa, takes automated malware triage to the next level going from simply saying "this is probably bad" to providing a concise description of what a program actually does. capa detects capabilities in programs to reduce the time-to-triage and make malware analysis more accessible. The tool reports a sample's capabilities, role (downloader, backdoor, etc.), and any suspicious or unique functionality. This report provides critical, decision-making information to anyone dealing with potentially malicious programs and especially forensic, intelligence, and malware analysts. Furthermore, with capa, you can make more confident decisions, because the tool explains how it came to a conclusion, letting you verify each step, if necessary.

capa uses a new algorithm that reasons over the features found in a file to identify its capabilities. The lowest level features range from disassembly tricks to coding constructs, while intermediate features include references to recognized strings or API calls. Users compose rules that train capa how to reason about features, and even the significance of other rules. This makes it easy for the community to extend the tool's ability to match capabilities in malware. Incidentally, the growing rule set is a practical taxonomy of the behaviors actually seen in malware and begins to codify the collective knowledge of reverse engineers.
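The following Python snippet is an added illustration of the idea described above, not capa's own code: rules reason over low-level features, and higher-level rules reference other rules through `match:`, so a verdict such as "downloader" is built from smaller, auditable conclusions. The rule syntax (Python dicts with `and`/`or`/`not`/`match:`) and the feature sets are constructed for this example; real capa rules are YAML and its features come from disassembly and static analysis, not from a hand-written set.

```python
"""Miniature capa-style capability matcher (added illustration, not capa's code).

Rules are simplified Python dicts that only borrow the and/or/not/match ideas;
the feature sets below are constructed by hand to stand in for what a real
feature extractor would pull from a binary (API names and strings only).
"""
from __future__ import annotations

from typing import Any

# Constructed sample rules. Each leaf feature is "kind:value"; a "match:<rule>"
# leaf references another rule, so capabilities build on lower-level ones.
RULES: dict[str, Any] = {
    "connect to HTTP server": {"or": ["api:WinHttpOpen", "api:InternetOpenA"]},
    "write file to disk": {"and": ["api:CreateFileA", "api:WriteFile"]},
    "download file from HTTP server": {
        "and": ["match:connect to HTTP server", "match:write file to disk"]
    },
    "persist via Run key": {
        "and": [
            "api:RegSetValueExA",
            "string:Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        ]
    },
    # A downloader that also documents itself with --help is treated as a benign
    # CLI tool for the purposes of this toy rule set.
    "downloader": {
        "and": ["match:download file from HTTP server", {"not": "string:--help"}]
    },
}

# Constructed feature sets (not extracted from any real sample).
SAMPLE_DOWNLOADER = {
    "api:WinHttpOpen", "api:CreateFileA", "api:WriteFile", "api:RegSetValueExA",
    "string:Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}
SAMPLE_CLI_TOOL = {"api:InternetOpenA", "api:CreateFileA", "api:WriteFile", "string:--help"}


def evaluate(node, features, rules, stack=()):
    """Return (matched, explanation) for one rule node.

    `stack` holds the chain of rule names currently being evaluated so that a
    rule set which references itself is reported instead of recursing forever.
    """
    if isinstance(node, str):
        if node.startswith("match:"):
            name = node[len("match:"):]
            if name in stack:
                raise ValueError(f"rule cycle through {name!r}")
            ok, why = evaluate(rules[name], features, rules, stack + (name,))
            return ok, {"match": name, "matched": ok, "because": why}
        ok = node in features
        return ok, {"feature": node, "matched": ok}
    (op, children), = node.items()
    if op == "not":
        ok, why = evaluate(children, features, rules, stack)
        return not ok, {"not": why}
    results = [evaluate(child, features, rules, stack) for child in children]
    ok = all(r[0] for r in results) if op == "and" else any(r[0] for r in results)
    return ok, {op: [r[1] for r in results], "matched": ok}


def match_capabilities(features, rules=RULES):
    """Evaluate every rule; return {rule_name: explanation} for those that matched."""
    report = {}
    for name, body in rules.items():
        ok, why = evaluate(body, features, rules, (name,))
        if ok:
            report[name] = why
    return report


def explain(why, depth=0):
    """Flatten an explanation tree into indented lines an analyst can audit."""
    pad = "  " * depth
    mark = "+" if why.get("matched") else "-"
    if "feature" in why:
        return [f"{pad}{mark} {why['feature']}"]
    if "match" in why:
        return [f"{pad}{mark} match: {why['match']}"] + explain(why["because"], depth + 1)
    if "not" in why:
        return [f"{pad}not:"] + explain(why["not"], depth + 1)
    (op,) = [key for key in why if key != "matched"]
    lines = [f"{pad}{op}:"]
    for child in why[op]:
        lines += explain(child, depth + 1)
    return lines


if __name__ == "__main__":
    for label, feats in (("downloader sample", SAMPLE_DOWNLOADER), ("cli tool", SAMPLE_CLI_TOOL)):
        print(f"== {label} ==")
        for rule, why in match_capabilities(feats).items():
            print(rule)
            print("\n".join(explain(why, 1)))
```

Running the module prints, for each constructed sample, the capabilities that matched together with the feature-by-feature reasoning behind each one; that explanation output is the point of the example, since the talk's claim is that a capability verdict should be verifiable step by step rather than taken on faith.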

At the SANS DFIR Summit we will open-source capa and share it with the DFIR industry. Attendees will learn how capa works and how to use it to enhance their analysis workflow. Moreover, we will teach attendees how to develop capability detections that extend capa. This way, everyone can leave the conference with both a new tool and the skills needed to customize it for their environment.

Willi Ballenthin, Senior Staff Reverse Engineer, FLARE/FireEye
Moritz Raabe, Staff Reverse Engineer, FLARE/FireEye

The annual SANS Digital Forensics & Incident Response (DFIR) Summit is the most comprehensive DFIR event of the year, bringing together a passionate and influential group of experts, cutting edge research and tools, immersive training, and industry networking opportunities. Learn more about this event at https://www.sans.org/event/digital-fo...

DFIRCON 2020 - Live Online
sans.org/event/dfircon-2020-live-online
Virtual, US Eastern | Mon, Nov 2 - Sat, Nov 7, 2020

Courses Available:
FOR308: Digital Forensics Essentials - NEW
FOR498: Battlefield Forensics & Data Acquisition
FOR500: Windows Forensic Analysis
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
FOR518: Mac and iOS Forensic Analysis and Incident Response
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
FOR578: Cyber Threat Intelligence
FOR585: Smartphone Forensic Analysis In-Depth
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
