v8.0.1

Summary

Added: 0 rules
Modified: 0 rules
Renamed: 0 rules
Deleted: 0 rules

Detailed release changes: rules v8.0.0...v8.0.1

v8.0.0

Summary

Added: 54 rules
Modified: 21 rules
Renamed: 1 rule
Deleted: 0 rules

Detailed release changes: rules v7.4.0...v8.0.0

Added rules (54)

• collection/browser/get-chrome-cookiemonster.yml
• collection/browser/get-elevation-service-for-chromium-based-browsers.yml
• collection/get-steam-token.yml
• linking/static/touchsocket/linked-against-touchsocket.yml
• nursery/get-shadow-password-file-entry-on-linux.yml
• nursery/persist-via-aedebug-registry-key.yml
• nursery/persist-via-amsi-registry-key.yml
• nursery/persist-via-app-paths-registry-key.yml
• nursery/persist-via-appcertdlls-registry-key.yml
• nursery/persist-via-application-shimming.yml
• nursery/persist-via-appx-registry-key.yml
• nursery/persist-via-autodialdll-registry-key.yml
• nursery/persist-via-autoplayhandlers-registry-key.yml
• nursery/persist-via-bits-job.yml
• nursery/persist-via-bootverificationprogram-registry-key.yml
• nursery/persist-via-code-signing-registry-key.yml
• nursery/persist-via-com-hijack.yml
• nursery/persist-via-command-processor-registry-key.yml
• nursery/persist-via-contextmenuhandlers-registry-key.yml
• nursery/persist-via-cor_profiler_path-registry-value.yml
• nursery/persist-via-default-file-association-registry-key.yml
• nursery/persist-via-disk-cleanup-handler-registry-key.yml
• nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
• nursery/persist-via-dotnet_startup_hooks-registry-key.yml
• nursery/persist-via-errorhandler-script.yml
• nursery/persist-via-explorer-tools-registry-key.yml
• nursery/persist-via-filter-handlers-registry-key.yml
• nursery/persist-via-get-variable-hijack.yml
• nursery/persist-via-group-policy-registry-key.yml
• nursery/persist-via-hhctrl-com-hijack.yml
• nursery/persist-via-htmlhelp-author-registry-key.yml
• nursery/persist-via-image-file-execution-options-registry-key.yml
• nursery/persist-via-iphlpapi-dll-hijack.yml
• nursery/persist-via-lnk-shortcut.yml
• nursery/persist-via-lsa-registry-key.yml
• nursery/persist-via-natural-language-registry-key.yml
• nursery/persist-via-netsh-registry-key.yml
• nursery/persist-via-network-provider-registry-key.yml
• nursery/persist-via-path-registry-key.yml
• nursery/persist-via-powershell-profile.yml
• nursery/persist-via-print-monitors-registry-key.yml
• nursery/persist-via-print-processors-registry-key.yml
• nursery/persist-via-rdp-startup-programs-registry-key.yml
• nursery/persist-via-silentprocessexit-registry-key.yml
• nursery/persist-via-telemetrycontroller-registry-key.yml
• nursery/persist-via-timeproviders-registry-key.yml
• nursery/persist-via-ts-initialprogram-registry-key.yml
• nursery/persist-via-userinitmprlogonscript-registry-value.yml
• nursery/persist-via-windows-accessibility-tools.yml
• nursery/persist-via-windows-error-reporting-registry-key.yml
• nursery/persist-via-windows-terminal-profile.yml
• nursery/set-shadow-password-file-entry-on-linux.yml
• nursery/write-to-browser-extension-directory.yml
• runtime/dotnet/compiled-with-dotnet-aot.yml

Modified rules (21)

• anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
• data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml
• host-interaction/file-system/copy/copy-file.yml
• host-interaction/file-system/move/move-file.yml
• host-interaction/file-system/write/write-file-on-windows.yml
• host-interaction/process/get-process-filename.yml
• host-interaction/registry/create/set-registry-value.yml
• [h...

v7.4.0

Summary

Added: 14 rules
Modified: 2 rules
Renamed: 0 rules
Deleted: 0 rules

Detailed release changes: rules v7.3.0...v7.4.0

Added rules (14)

• anti-analysis/packer/nmm-protect/packed-with-nmm-protect.yml
• host-interaction/driver/complete-processing-asynchronous-io-request.yml
• host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
• host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
• host-interaction/os/hide-shutdown-actions-via-policy.yml
• host-interaction/process/get-process-filename.yml
• host-interaction/registry/open-recentdocs-registry-key.yml
• linking/runtime-linking/populate-syswhispers2-syscall-list.yml
• nursery/access-unmanaged-com-objects-in-dotnet.yml
• nursery/implement-ui-automation-client-in-dotnet.yml
• nursery/interact-with-shortcut-via-iwshshortcut-in-dotnet.yml
• nursery/interact-with-windows-scripting-host-in-dotnet.yml
• nursery/use-dotnet-library-simplejson.yml
• nursery/use-dotnet-library-websocket-sharp.yml

Modified rules (2)

• anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml
• nursery/execute-syscall.yml

v7.3.0

Summary

Added: 6 rules
Modified: 1 rule
Renamed: 1 rule
Deleted: 0 rules

Detailed release changes: rules v7.2.0...v7.3.0

Added rules (6)

• host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml
• host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
• linking/static/minhook/linked-against-minhook.yml
• linking/static/sqlite3/linked-against-sqlcipher.yml
• nursery/check-thread-suspend-count-exceeded.yml
• nursery/create-thread-bypassing-process-freeze.yml

Modified rules (1)

• data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml

Renamed rules (1)

• host-interaction/hardware/firmware/get-system-firmware-table.yml (was nursery/get-system-firmware-table.yml)

v7.2.0

Summary

Added: 5 rules
Modified: 6 rules
Renamed: 0 rules
Deleted: 0 rules

Detailed release changes: rules v7.1.0...v7.2.0

Added rules (5)

• anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
• communication/socket/attach-bpf-to-socket-on-linux.yml
• nursery/decode-data-using-base64-via-vbmi-lookup-table.yml
• nursery/delete-file-on-linux.yml
• nursery/upload-file-to-onedrive.yml

Modified rules (6)

• anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
• host-interaction/file-system/write/write-file-on-linux.yml
• host-interaction/log/debug/write-event/print-debug-messages.yml
• lib/calculate-modulo-256-via-x86-assembly.yml
• load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
• nursery/invoke-dotnet-assembly-method.yml

v7.1.0

Summary

Added: 24 rules
Modified: 42 rules
Renamed: 2 rules
Deleted: 0 rules

Detailed release changes: rules v7.0.1...v7.1.0

Added rules (24)

• anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
• compiler/dart/compiled-with-dart.yml
• data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
• host-interaction/driver/interact-with-driver-via-ioctl.yml
• host-interaction/gui/window/hide/hide-graphical-window-from-taskbar.yml
• impact/wipe-disk/delete-drive-layout-via-ioctl.yml
• nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
• nursery/change-memory-permission-on-linux.yml
• nursery/check-file-permission-on-linux.yml
• nursery/check-if-process-is-running-under-android-emulator-on-android.yml
• nursery/get-current-process-filesystem-mounts-on-linux.yml
• nursery/get-current-process-memory-mapping-on-linux.yml
• nursery/get-disk-information-via-ioctl.yml
• nursery/get-system-property-on-android.yml
• nursery/get-volume-information-via-ioctl.yml
• nursery/hook-routines-via-lsplant.yml
• nursery/load-packed-dex-via-jiagu-on-android.yml
• nursery/map-or-unmap-memory-on-linux.yml
• nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
• nursery/truncate-file-on-linux.yml
• nursery/unmount-volume-via-ioctl.yml
• persistence/act-as-share-provider-dll.yml
• persistence/act-as-time-provider-dll.yml
• persistence/act-as-windbg-extension.yml

Modified rules (42)

• collection/keylog/log-keystrokes-via-application-hook.yml
• communication/dns/resolve-dns.yml
• communication/socket/create-raw-socket.yml
• communication/socket/get-socket-status.yml
• communication/socket/initialize-winsock-library.yml
• communication/socket/receive/receive-data-on-socket.yml
• communication/socket/send/send-data-on-socket.yml
• communication/socket/set-socket-configuration.yml
• communication/socket/tcp/connect-tcp-socket.yml
• communication/socket/tcp/create-tcp-socket.yml
• communication/socket/udp/send/create-udp-socket.yml
• compiler/go/compiled-with-go.yml
• data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
• host-interaction/driver/install-driver.yml
• host-interaction/file-system/change-file-permission-on-linux.yml
• host-interaction/file-system/files/list/enumerate-files-on-linux.yml
• host-interaction/file-system/files/list/enumerate-files-recursively.yml
• host-interaction/file-system/read/read-file-on-linux.yml
• host-interaction/file-system/write/write-file-on-linux.yml
• host-interaction/gui/set-application-hook.yml
• host-interaction/hardware/memory/get-memory-information.yml
• host-interaction/hardware/storage/get-disk-size.yml
• host-interaction/mutex/create-semaphore-on-linux.yml
• host-interaction/mutex/lock-file.yml
• host-interaction/mutex/lock-semaphore-on-linux.yml
• host-interaction/mutex/unlock-semaphore-on-linux.yml
• host-interaction/process/create/create-process-on-linux.yml
• host-interaction/session/get-current-user-on-linux.yml
• host-interaction/thread/create/create-thread.yml
• lib/delay-execution.yml
• lib/duplicate-stdin-and-stdout.yml
• linking/runtime-linking/link-function-at-runtime-on-windows.yml
• linking/runtime-linking/link-many-functions-at-runtime.yml
• load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
• nursery/encrypt-data-using-salsa20-or-chacha.yml
• nursery/get-current-pid-on-linux.yml
• nursery/get-password-database-entry-on-linux.yml
• [nursery/get-socket-information.yml](https://gi...

v7.0.1

Summary

No rules updates.

Detailed release changes: rules v7.0.0...v7.0.1

v7.0.0

Summary

Added: 37 rules
Modified: 820 rules
Renamed: 9 rules
Deleted: 2 rules

Detailed release changes: rules v6.1.0...v7.0.0

Added rules (37)

• anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
• collection/network/capture-packets-using-sharppcap.yml
• data-manipulation/compression/create-cabinet-on-windows.yml
• data-manipulation/compression/extract-cabinet-on-windows.yml
• data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml
• data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
• executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml
• host-interaction/network/connectivity/set-tcp-connection-state.yml
• host-interaction/process/inject/process-ghostly-hollowing.yml
• internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
• lib/change-memory-protection.yml
• load-code/dotnet/load-windows-common-language-runtime.yml
• nursery/access-camera-in-dotnet-on-android.yml
• nursery/add-value-to-global-atom-table.yml
• nursery/capture-microphone-audio-in-dotnet-on-android.yml
• nursery/capture-process-snapshot-data.yml
• nursery/capture-screenshot-in-dotnet-on-android.yml
• nursery/check-for-incoming-call-in-dotnet-on-android.yml
• nursery/check-for-outgoing-call-in-dotnet-on-android.yml
• nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
• nursery/compiled-with-xamarin.yml
• nursery/enumerate-files-in-dotnet.yml
• nursery/enumerate-processes-that-use-resource.yml
• nursery/get-current-pid-on-linux.yml
• nursery/get-current-process-command-line.yml
• nursery/get-current-process-file-path.yml
• nursery/get-mac-address-in-dotnet.yml
• nursery/get-ntoskrnl-base-address.yml
• nursery/get-os-version-in-dotnet-on-android.yml
• nursery/get-password-database-entry-on-linux.yml
• nursery/hook-routines-via-dlsym-rtld_next.yml
• nursery/linked-against-hp-socket.yml
• nursery/log-keystrokes-via-input-method-manager.yml
• nursery/mark-thread-detached-on-linux.yml
• nursery/persist-via-gnome-autostart-on-linux.yml
• nursery/send-sms-on-android.yml
• nursery/set-thread-name-on-linux.yml

Modified rules (820)

• anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
• anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
• anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
• anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml
• [anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml](https://github.com/mandiant/capa-rules/blob/v7.0.0/anti-analysis/anti-debugging/debugger-detection...

v7.0.0-beta

Summary

Added: 37 rules
Modified: 820 rules
Renamed: 9 rules
Deleted: 2 rules

Detailed release changes: rules v6.1.0...v7.0.0-beta

Added rules (37)

• anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
• collection/network/capture-packets-using-sharppcap.yml
• data-manipulation/compression/create-cabinet-on-windows.yml
• data-manipulation/compression/extract-cabinet-on-windows.yml
• data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml
• data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
• executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml
• host-interaction/network/connectivity/set-tcp-connection-state.yml
• host-interaction/process/inject/process-ghostly-hollowing.yml
• internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
• lib/change-memory-protection.yml
• load-code/dotnet/load-windows-common-language-runtime.yml
• nursery/access-camera-in-dotnet-on-android.yml
• nursery/add-value-to-global-atom-table.yml
• nursery/capture-microphone-audio-in-dotnet-on-android.yml
• nursery/capture-process-snapshot-data.yml
• nursery/capture-screenshot-in-dotnet-on-android.yml
• nursery/check-for-incoming-call-in-dotnet-on-android.yml
• nursery/check-for-outgoing-call-in-dotnet-on-android.yml
• nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
• nursery/compiled-with-xamarin.yml
• nursery/enumerate-files-in-dotnet.yml
• nursery/enumerate-processes-that-use-resource.yml
• nursery/get-current-pid-on-linux.yml
• nursery/get-current-process-command-line.yml
• nursery/get-current-process-file-path.yml
• nursery/get-mac-address-in-dotnet.yml
• nursery/get-ntoskrnl-base-address.yml
• nursery/get-os-version-in-dotnet-on-android.yml
• nursery/get-password-database-entry-on-linux.yml
• nursery/hook-routines-via-dlsym-rtld_next.yml
• nursery/linked-against-hp-socket.yml
• nursery/log-keystrokes-via-input-method-manager.yml
• nursery/mark-thread-detached-on-linux.yml
• nursery/persist-via-gnome-autostart-on-linux.yml
• nursery/send-sms-on-android.yml
• nursery/set-thread-name-on-linux.yml

Modified rules (820)

• anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
• anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
• anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
• anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml
• [anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml](https://github.com/mandiant/capa-rules/blob/v7.0....

v6.1.0

Summary

Added: 8 rules
Modified: 9 rules
Renamed: 1 rule
Deleted: 0 rules

Detailed release changes: rules v6.0.0a3...v6.1.0

Added rules (8)

• anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
• executable/pe/export/forwarded-export.yml
• host-interaction/bootloader/get-uefi-variable.yml
• host-interaction/bootloader/set-uefi-variable.yml
• linking/static/sqlite3/linked-against-cppsqlite3.yml
• linking/static/sqlite3/linked-against-sqlite3.yml
• nursery/enumerate-device-drivers-on-linux.yml
• nursery/enumerate-device-drivers-on-windows.yml

Modified rules (9)

• anti-analysis/anti-forensic/self-deletion/self-delete.yml
• collection/browser/gather-chrome-based-browser-login-information.yml
• collection/browser/gather-firefox-profile-information.yml
• data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
• host-interaction/process/inject/free-user-process-memory.yml
• lib/get-os-version.yml
• nursery/deserialize-json-in-dotnet.yml
• nursery/serialize-json-in-dotnet.yml
• persistence/authentication-process/act-as-credential-manager-dll.yml

Renamed rules (1)

• persistence/create-shortcut-via-ishelllink.yml (was nursery/create-shortcut-via-ishelllink.yml)