3/HIGH | ref/program/ancient_gcc | built by archaic gcc version:
99
-
| | GCC: (GNU) 4.4.7
100
-
4/CRIT | 3P/elastic/bpfdoor | Detects Linux Trojan Bpfdoor (Linux.Trojan.BPFDoor), by Elastic Security
101
-
4/CRIT | 3P/signature_base/redmenshen/bpfd.. | Detects BPFDoor implants used by Chinese actor Red Menshen, by Florian Roth
102
-
| | (Nextron Systems)
103
-
```
104
-
105
-
If you want to focus on the most suspicious behaviors, you can pass `--min-level=3`, which will remove a lot of the noise by only showing "HIGH" or "CRITICAL" risk behaviors.
106
-
107
-
## Diff mode for detecting supply-chain compromises
38
+
There are flags for controlling output (see the Usage section) and filtering out rules. Here's the `--format=markdown` output:
| 1/LOW | net/interface/get | get network interfaces by name or index |
51
+
| 1/LOW | net/interface/list | list network interfaces and their associated addresses |
52
+
| 1/LOW | net/ip | access the internet |
53
+
| 1/LOW | net/ip/multicast/send | send data to multiple nodes simultaneously |
54
+
| 1/LOW | net/ip/resolve | resolves network hosts via IP address |
55
+
| 1/LOW | net/ip/send/unicast | send data to the internet |
56
+
| 1/LOW | net/socket/connect | initiate a connection on a socket |
57
+
| 1/LOW | net/socket/receive | receive a message from a socket |
58
+
| 1/LOW | net/socket/send | send a message to a socket |
59
+
| 1/LOW | process/userid/set | set real and effective user ID of current process |
60
+
| 2/MED | combo/net/scan_tool | may scan networks: "connect |
61
+
||| gethostbyname |
62
+
||| port |
63
+
||| scan |
64
+
||| socket" |
65
+
| 2/MED | net/ip/string | converts IP address from byte to string |
66
+
67
+
68
+
Behaviors are sorted by lowest to highest risk: this binary doesn't have anything particularly exciting about it. If you want to only show output for the most suspicious behaviors, use `--min-level=3`, which shows only "HIGH" or "CRITICAL" risk behaviors.
69
+
70
+
## Diff mode to detect supply-chain attacks
108
71
109
72
Let's say you are a company that is sensitive to supply-chain compromises. You want to make sure an update doesn't introduce unexpected capability changes. There's a `--diff` mode for that:
110
73
111
74
```shell
112
75
bincapz -diff old_ffmpeg.dylib new_ffmpeg.dylib
113
76
```
114
77
115
-
Here is a result using the 3CX compromise as a test case.
| +4/CRIT |**3P/godmoderules/iddqd/god/mode**| detects a wide array of cyber threats, from malware and ransomware to advanced persistent threats (APTs), by Florian Roth |
*`--omit-empty`: omit files that contain no matches
119
+
*`--third-party`: include third-party rules, which may have licensing restrictions (default true)
187
120
188
121
## FAQ
189
122
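Review bot: the `combo/net/scan_tool` row in the added `--format=markdown` table splits its quoted string list across five table rows (`||| gethostbyname |` through `||| socket" |`), which markdown renders as separate rows with empty cells rather than one wrapped cell; put the list on a single line, e.g. `| 2/MED | combo/net/scan_tool | may scan networks: "connect gethostbyname port scan socket" |`, or use `<br>` inside the cell. Three smaller points in the same region: the unchanged example `bincapz -diff old_ffmpeg.dylib new_ffmpeg.dylib` uses a single dash while every other flag in this README is written with two (`--min-level=3`, `--omit-empty`, `--third-party`), so `--diff` would be consistent; the option bullets `*`--omit-empty`` and `*`--third-party`` have no space after the asterisk and so will not render as list items; and removing `Here is a result using the 3CX compromise as a test case.` leaves the `| +4/CRIT |**3P/godmoderules/iddqd/god/mode**| ...` diff row with no sentence saying which two files were compared.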
@@ -212,3 +145,7 @@ bincapz alerns when an obfuscated or packed binary is detected. Depending on the
212
145
### What related software is out there?
213
146
214
147
Much of bincapz's functionality is inspired by <https://github.com/mandiant/capa>. While capa is a fantastic tool, it only works on x86-64 binaries (ELF/PE), and does not work for macOS programs, arm64 binaries, or scripting languages. <https://karambit.ai/> and <https://www.reversinglabs.com/> offer capability analysis through reverse engineering as a service. If you require more than what bincapz can offer, such as Windows binary analysis, you should check them out.
148
+
149
+
### How can I help?
150
+
151
+
If you find malware that `bincapz` doesn't surface suspicious behaviors for, send us a patch! All of the rules are defined in YARA format, and can be found in the `rules/` folder.
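Review bot: the hunk header context, `bincapz alerns when an obfuscated or packed binary is detected`, carries a typo (`alerns` should be `alerts`) that this change leaves in place; since the FAQ is being edited in this commit anyway, it is worth fixing here. The new `How can I help?` paragraph says the rules live in `rules/` and are written in YARA, but not how a contributor should check that a new rule actually matches the sample before sending the patch; a one-line pointer to the command to run would make the request actionable.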