Merge pull request #1027 from weslambert/capa

Add Capa Analyzer
TheHive-Project · Oct 29, 2024 · 11974aa · 11974aa
2 parents 03d1724 + 0c48ca5
commit 11974aa
Show file tree

Hide file tree

Showing 8 changed files with 195 additions and 0 deletions.
diff --git a/analyzers/Capa/Capa.json b/analyzers/Capa/Capa.json
@@ -0,0 +1,38 @@
+{
+    "name": "Capa",
+    "version": "1.0",
+    "author": "Wes Lambert",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Analyze files with Capa",
+    "dataTypeList": ["file"],
+    "baseConfig": "Capa",
+    "config": {
+       "service": "CapaAnalyze"
+    },
+    "command": "Capa/CapaAnalyze.py",
+    "configurationItems": [
+     {
+      "name": "capa_path",
+      "description": "Path to Capa binary",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "/Cortex-Analyzers/analyzers/Capa/capa"
+    }
+    ],
+    "registration_required": false,
+    "subscription_required": false,
+    "free_subscription": false,
+    "service_homepage": "https://github.com/mandiant/capa",
+    "service_logo": {
+      "path": "assets/capa.png",
+      "caption": "CAPA logo"
+    },
+    "screenshots": [
+      {
+        "path": "assets/long_report.png",
+        "caption": "CAPA: Long report template"
+      }
+    ]
+}
diff --git a/analyzers/Capa/CapaAnalyze.py b/analyzers/Capa/CapaAnalyze.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+import os
+import subprocess
+import argparse
+import json
+import re
+from collections import defaultdict
+
+class CapaAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.capa_path = self.get_param("config.capa_path", "/Cortex-Analyzers/analyzers/Capa/capa")
+        self.filepath = self.get_param('file', None, 'File parameter is missing.')
+
+    def summary(self, raw):
+        taxonomies = []
+        level = 'info'
+        namespace = 'Capa'
+
+        predicate = 'CapaAnalyze'
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, "analyzed!"))
+
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        parser = argparse.ArgumentParser(description='exec capa.')
+        parser.add_argument('filepath', type=str, help='file path')
+        args = parser.parse_args()
+
+        if os.path.exists(self.filepath):
+            f = subprocess.check_output([self.capa_path, '-j', self.filepath])
+            process = json.loads(f)
+            rules = process['rules']
+            tactics = []
+            techniques = []
+            subtechniques = []
+            ids = []
+            capabilities = {}
+
+            for rule in rules:
+                try:
+                    # Metadata
+                    meta = process['rules'][rule]['meta']
+
+                    # ATT&CK details
+                    attack = meta['att&ck'][0]
+
+                    # ID
+                    id = attack['id']
+
+                    # Technique
+                    technique = attack['technique'] + " - " + id
+
+                    # Subtechnique
+                    subtechnique = attack['subtechnique']
+
+                    # Tactic
+                    tactic = attack['tactic']
+
+                    # Capability
+                    capability_name = process['rules'][rule]['meta']['name']
+
+                    if tactic not in tactics:
+                        tactics.append(tactic)
+
+                    if subtechnique != "":
+                        if subtechnique not in subtechniques: 
+                            subtechniques.append(attack['subtechnique'])
+
+                    if technique not in techniques:
+                        techniques.append(attack['technique'])
+
+                    if id not in ids:
+                        ids.append(id)
+
+                    if tactic not in capabilities:
+                        capabilities[tactic] = {}
+
+                    if technique not in capabilities[tactic]:
+                        capabilities[tactic][technique] = []
+
+                    if capability_name not in capabilities[tactic][technique]:
+                        capabilities[tactic][technique].append(capability_name)
+                except:
+                    continue
+        self.report({ 'capabilities': capabilities, 'tactics': tactics, 'techniques': techniques, 'subtechniques': subtechniques, 'ids': ids, 'rules': rules })
+if __name__ == '__main__':
+    CapaAnalyzer().run()
diff --git a/analyzers/Capa/assets/capa.png b/analyzers/Capa/assets/capa.png
diff --git a/analyzers/Capa/assets/long_report.png b/analyzers/Capa/assets/long_report.png
diff --git a/analyzers/Capa/capa b/analyzers/Capa/capa
diff --git a/analyzers/Capa/requirements.txt b/analyzers/Capa/requirements.txt
@@ -0,0 +1 @@
+cortexutils
diff --git a/thehive-templates/Capa_1_0/long.html b/thehive-templates/Capa_1_0/long.html
@@ -0,0 +1,62 @@
+<style>
+   pre.input {
+   color: #a94442;
+   border: none;
+   font-size: 10px;
+   white-space: pre-wrap;
+   background-color: #f9f1f1;
+   }
+   pre.output {
+   border: none;
+   font-size: 10px;
+   word-wrap: break-word;
+   word-break: break-all;
+   white-space: pre-wrap;
+   background-color: black;
+   }
+</style>
+<div class="panel panel-info">
+   <div class="panel-heading">Capa Analysis Results</div>
+   <div class="panel-body">
+      <table class="table">
+         <thead>
+            <tr>
+               <th>Capability</th>
+               <th>ATT&CK ID</th>
+               <th>ATT&CK Tactic</th>
+               <th>ATT&CK Technique</th>
+               <th>ATT&CK Subtechnique</th>
+               <th>Rule Path</th>
+               <th>Examples</th>
+            </tr>
+         </thead>
+         <tbody ng-repeat="(key, rule) in content.rules">
+            <tr>
+               <td>{{rule.meta.name}}</td>
+               <td>
+                  <span ng-if="rule.meta.attack.length > 0">
+                  <a href="https://attack.mitre.org/techniques/{{rule.meta.attack[0].id.split('.')[0]}}/{{rule.meta.attack[0].id.split('.')[1]}}">
+                  {{rule.meta.attack[0].id}}
+                  </a>
+                  </span>
+               </td>
+               <td>
+                  <span ng-if="rule.meta.attack.length > 0">{{rule.meta.attack[0].tactic}}</span>
+               </td>
+               <td>
+                  <span ng-if="rule.meta.attack.length > 0">{{rule.meta.attack[0].technique}}</span>
+               </td>
+               <td>
+                  <span ng-if="rule.meta.attack.length > 0">{{rule.meta.attack[0].subtechnique || 'N/A'}}</span>
+               </td>
+               <td class="wrap">
+                  <a href="https://github.com/mandiant/capa-rules/tree/master{{rule.meta.namespace}}">
+                  {{rule.meta.namespace}}
+                  </a>
+               </td>
+               <td class="wrap">{{rule.meta.examples.join(', ')}}</td>
+            </tr>
+         </tbody>
+      </table>
+   </div>
+</div>
diff --git a/thehive-templates/Capa_1_0/short.html b/thehive-templates/Capa_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}={{t.value}}
+</span>