From 8f85ff83cba2025ed271aa5831151268e359f836 Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Mon, 23 Feb 2026 13:13:40 +0530
Subject: [PATCH 1/3] git push --forcereduce false positives in credential manager, credit-card parsing, and PE section enumeration reduce false positives in credential manager, credit-card parsing, and PE section enumeration#
---
...quire-credentials-from-windows-credential-manager.yml | 2 +-
collection/credit-card/parse-credit-card-information.yml | 9 +++++----
load-code/pe/enumerate-pe-sections.yml | 1 +
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
index 9c54a6689..70e01e4f8 100644
--- a/collection/acquire-credentials-from-windows-credential-manager.yml
+++ b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -23,6 +23,6 @@ rule:
- optional:
- match: host-interaction/process/create
- or:
- - string: /vaultcmd(\.exe)?/
+ - string: /\bvaultcmd(\.exe)?\b/i
- substring: "/listcreds:"
- substring: "\"Windows Credentials\""
diff --git a/collection/credit-card/parse-credit-card-information.yml b/collection/credit-card/parse-credit-card-information.yml
index 1357f9874..19aacb308 100644
--- a/collection/credit-card/parse-credit-card-information.yml
+++ b/collection/credit-card/parse-credit-card-information.yml
@@ -13,10 +13,14 @@ rule:
- 1d8fd13c890060464019c0f07b928b1a:0x402860
features:
- and:
- - 3 or more:
+ - or:
- instruction:
- mnemonic: cmp
- number: 0x5E = '^' (Track 1 separator)
+ - instruction:
+ - mnemonic: cmp
+ - number: 0x3B = ';' (Track 2 start sentinel)
+ - 2 or more:
- instruction:
- mnemonic: cmp
- number: 0x3D = '=' (Track 2 separator)
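Review bot: The tightened `vaultcmd` regex sits under the `- optional:` block that opens this hunk, and as far as I can tell from capa's rule semantics an optional block always evaluates true, so this edit changes only which features get reported, not which functions match — it cannot by itself reduce false positives as the commit message claims. If the string is meant to be discriminating it has to move into a required branch of the enclosing `and:` (which starts above the hunk), otherwise the commit should say the change is cosmetic. The pattern itself is sound: `\b` before `vaultcmd` still matches after a path separator, and `/i` covers mixed-case command lines.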
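Review bot: The new structure — an `or:` of the '^' and ';' compares plus a `2 or more:` over the remaining separators, with ';' dropped from the counted set in the following hunk at old line 32 — carries no explanation in the rule, although the file already uses `- description:` statements for exactly this purpose. I would add under the `and:` a line such as `- description: require one of the track sentinels ('^' Track 1, ';' Track 2) plus at least two other separators`. The sole example `1d8fd13c890060464019c0f07b928b1a:0x402860` should be re-run, since a function that previously matched on three of the counted characters without ever comparing '^' or ';' no longer qualifies. The `2 or more:` list continues past the hunk (old lines 23–31 are not shown), so I cannot see how many alternatives it holds.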
@@ -32,9 +36,6 @@ rule:
- instruction:
- mnemonic: cmp
- number: 0x3F = '?' (Track 1 & 2 end sentinel)
- - instruction:
- - mnemonic: cmp
- - number: 0x3B = ';' (Track 2 start sentinel)
- not:
- description: if a function also compares these non-hex characters it's most likely NOT parsing CC data
- and:
diff --git a/load-code/pe/enumerate-pe-sections.yml b/load-code/pe/enumerate-pe-sections.yml
index a992b380c..04391f515 100644
--- a/load-code/pe/enumerate-pe-sections.yml
+++ b/load-code/pe/enumerate-pe-sections.yml
@@ -18,6 +18,7 @@ rule:
features:
- and:
- os: windows
+ - match: parse PE header
# there should be some complexity to functions like this
- count(basic blocks): 3 or more
- optional:
From a44a9f195ec039dff00467de9e33d69f2dd67f99 Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Mon, 23 Feb 2026 15:22:29 +0530
Subject: [PATCH 2/3] response-to-comment
---
...cquire-credentials-from-windows-credential-manager.yml | 3 +++
collection/credit-card/parse-credit-card-information.yml | 4 ++++
.../group-policy/discover-group-policy-via-gpresult.yml | 8 ++++++--
load-code/pe/enumerate-pe-sections.yml | 1 +
persistence/service/persist-via-windows-service.yml | 7 +++++++
5 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
index 70e01e4f8..638742088 100644
--- a/collection/acquire-credentials-from-windows-credential-manager.yml
+++ b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -10,6 +10,9 @@ rule:
dynamic: span of calls
att&ck:
- Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004]
+ references:
+ - https://github.com/mandiant/capa-rules/issues/1030
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/vaultcmd
examples:
- c56af5561e3f20bed435fb4355cffc29:0x411A41
features:
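Review bot: The new `- match: parse PE header` in the enumerate-pe-sections hunk makes header parsing in the same function a hard requirement, so a section loop that is handed an already-located section table by a caller will no longer match; that is a deliberate precision-over-recall trade-off and deserves a comment on the line, e.g. `- match: parse PE header  # required to cut false positives; see references`. The referenced name must exactly equal an existing rule's `name:` and be usable at this rule's scope, neither of which I can confirm from this page, and the existing examples (outside the hunk) should be re-run against the tightened rule. The enclosing `and:` continues past the hunk, whose last visible child is `- optional:`.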
diff --git a/collection/credit-card/parse-credit-card-information.yml b/collection/credit-card/parse-credit-card-information.yml
index 19aacb308..2ed4c0830 100644
--- a/collection/credit-card/parse-credit-card-information.yml
+++ b/collection/credit-card/parse-credit-card-information.yml
@@ -9,6 +9,10 @@ rule:
dynamic: unsupported # requires mnemonic features
mbc:
- Data::Check String [C0019]
+ references:
+ - https://github.com/mandiant/capa-rules/issues/1088
+ - https://github.com/mandiant/capa-rules/issues/897
+ - https://en.wikipedia.org/wiki/ISO/IEC_7813
examples:
- 1d8fd13c890060464019c0f07b928b1a:0x402860
features:
diff --git a/collection/group-policy/discover-group-policy-via-gpresult.yml b/collection/group-policy/discover-group-policy-via-gpresult.yml
index 9d00df3c3..2b09a872d 100644
--- a/collection/group-policy/discover-group-policy-via-gpresult.yml
+++ b/collection/group-policy/discover-group-policy-via-gpresult.yml
@@ -9,11 +9,15 @@ rule:
dynamic: span of calls
att&ck:
- Discovery::Group Policy Discovery [T1615]
+ references:
+ - https://github.com/mandiant/capa-rules/issues/1036
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
examples:
- 9e4d06759f278255073f9ac7b31a115a:0x100068B7
features:
- and:
- os: windows
+ - string: /\bgpresult(\.exe)?\b/i
- or:
- - substring: "gpresult"
- - substring: "GPRESULT"
+ - string: /\/(r|v|z)\b/i
+ - string: /\/scope\b/i
diff --git a/load-code/pe/enumerate-pe-sections.yml b/load-code/pe/enumerate-pe-sections.yml
index 04391f515..1547c3ea1 100644
--- a/load-code/pe/enumerate-pe-sections.yml
+++ b/load-code/pe/enumerate-pe-sections.yml
@@ -11,6 +11,7 @@ rule:
mbc:
- Discovery::Code Discovery::Enumerate PE Sections [B0046.001]
references:
+ - https://github.com/mandiant/capa-rules/issues/1090
- https://0x00sec.org/t/reflective-dll-injection/3080
- https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
examples:
diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml
index 7bd333ffd..89e998973 100644
--- a/persistence/service/persist-via-windows-service.yml
+++ b/persistence/service/persist-via-windows-service.yml
@@ -10,6 +10,9 @@ rule:
att&ck:
- Persistence::Create or Modify System Process::Windows Service [T1543.003]
- Execution::System Services::Service Execution [T1569.002]
+ references:
+ - https://github.com/mandiant/capa-rules/issues/1100
+ - https://learn.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
examples:
- Practical Malware Analysis Lab 03-02.dll_:0x10004706
- 9f012d7e3ae8f62370278e372691eb73b878fe2280b6083e1be637b278021855:0x40113A
@@ -40,3 +43,7 @@ rule:
- and:
- match: set registry value
- string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i
+ - or:
+ - string: /ImagePath/i
+ - string: /ServiceDll/i
+ - string: /^Start$/i
From 6419699d43cb7c1ea564429cce443d56de8578b4 Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Mon, 23 Feb 2026 16:16:51 +0530
Subject: [PATCH 3/3] rules: simplify gpresult match to command+option pattern
---
.../group-policy/discover-group-policy-via-gpresult.yml | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/collection/group-policy/discover-group-policy-via-gpresult.yml b/collection/group-policy/discover-group-policy-via-gpresult.yml
index 2b09a872d..026759c9e 100644
--- a/collection/group-policy/discover-group-policy-via-gpresult.yml
+++ b/collection/group-policy/discover-group-policy-via-gpresult.yml
@@ -17,7 +17,4 @@ rule:
features:
- and:
- os: windows
- - string: /\bgpresult(\.exe)?\b/i
- - or:
- - string: /\/(r|v|z)\b/i
- - string: /\/scope\b/i
+ - string: /\bgpresult(\.exe)?\s+\/\w+/i
</gr_insert_placeholder_never_emitted>
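Review bot: The three value-name regexes in the new `or:` of the persist-via-windows-service hunk at old line 40 are anchored inconsistently — `/^Start$/i` requires the whole string to be `Start`, while `/ImagePath/i` and `/ServiceDll/i` match anywhere and so also hit longer strings (for example an `ImagePathName` field name). If the asymmetry is deliberate because `Start` alone is too common a word, say so on the line, e.g. `- string: /^Start$/i  # anchored: "Start" is too common as a substring`; otherwise anchor all three the same way (`/^ImagePath$/i`, `/^ServiceDll$/i`). The enclosing `and:` starts at the first line of the hunk and is fully shown.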
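Review bot: Collapsing command and switch into the single regex `/\bgpresult(\.exe)?\s+\/\w+/i` in the final gpresult hunk only matches when both appear in one string; a command line assembled from separate strings (an application name plus a separately formatted argument string) is now missed, whereas the structure it replaces matched `gpresult` and the switch independently. That is a reasonable precision trade-off, but it should be recorded beside the line, e.g. `- string: /\bgpresult(\.exe)?\s+\/\w+/i  # command and switch must occur in the same string; split command lines are out of scope`. The lone example `9e4d06759f278255073f9ac7b31a115a:0x100068B7` (set outside this hunk) needs re-checking, since the pre-series rule matched on the bare name and a function holding only `gpresult` without a switch no longer matches. The enclosing `and:` begins inside the hunk and is fully shown.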