[AUTO] It is the time to merge develop < upstream-master #14
Open
github-actions wants to merge 1,139 commits into develop from upstream-master
Conversation
…ommit Run ruff during pre-commit checks
- removal of strace-process-tree dependencies
- removal of strace folder in analysis output folder
- changed output location of strace log files to match like behavior ("logs" folder)
- extra clean up of previous systemtap implementations
Description: Some malware may not close file descriptors and relies on lazy cleanup. The fix is to assume that the file descriptor is closed after running. If an fd that is unclosed is encountered during processing, match the respective filename anyway, since it has most likely reached near the end of the file descriptor list.
The previous implementation was referencing the `strace` syscall indexes in order to match the relevant syscalls and argument inputs. It turns out this is not very reliable and causes a bug on the `open` syscall, which strace outputs as index 5. Upon matching with the Linux syscall JSON, it incorrectly matches with `newfstat`. The fix for this was to just match via the same syscall name instead.
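An added illustration of the two fixes described in the commits above, written for this page and not taken from CAPEv2's strace processing code: syscalls are looked up by name rather than by strace's numeric index, and a descriptor that is reused or never closed still resolves to the path it was opened with. The trace lines and the two syscall sets are constructed for the example.

```python
import re

# Constructed strace-style trace (sample input, not real CAPEv2 output). The
# second openat() reuses fd 3 with no close(3) in between: the "lazy cleanup"
# case the commit describes.
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
1234 read(3, "root:x:0:0"..., 4096) = 4096
1234 openat(AT_FDCWD, "/tmp/dropped.bin", O_RDONLY) = 3
1234 read(3, "MZ\\x90"..., 4096) = 512
1234 openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = 4
1234 read(4, "127.0.0.1 localhost"..., 4096) = 20
1234 close(4) = 0
"""

# Lookups are keyed by syscall *name*; matching on strace's numeric index is
# what mis-resolved open() as newfstat(). These sets are hypothetical and minimal.
FD_PRODUCERS = {"open", "openat", "creat"}      # pathname is the first quoted arg
FD_CONSUMERS = {"read", "write", "close", "fstat", "lseek"}  # fd is the first arg

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_trace(text):
    """Return (events, unclosed): events are (syscall, fd, path) tuples with
    the fd resolved to a path; unclosed maps fds still open at trace end."""
    fd_table = {}
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unfinished/resumed lines and signal lines are skipped
        name, args, ret = m["name"], m["args"], int(m["ret"])
        if name in FD_PRODUCERS:
            if ret < 0:
                continue  # failed open: no descriptor to track
            found = PATH_RE.search(args)
            # A reused fd number overwrites the stale entry: the earlier fd is
            # assumed closed even though no close() appeared in the trace.
            fd_table[ret] = found.group(1) if found else None
            events.append((name, ret, fd_table[ret]))
        elif name in FD_CONSUMERS:
            fd = int(args.split(",")[0])
            # Resolves even if the fd was never closed or was silently reused.
            events.append((name, fd, fd_table.get(fd)))
            if name == "close" and ret == 0:
                fd_table.pop(fd, None)
    return events, fd_table
```

Descriptors left in the returned `unclosed` map are the ones a report would still attribute to a filename rather than drop.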
Signature segregation
- Added file test_agent.py
  - Tests will be run in Windows and Linux
  - Tests will be run in github actions
  - Test most existing functionality of the agent
- In send_file open the file in binary mode (bug fix)
- Updates to the agent to make it testable, including:
  - Pass a multiprocessing event to the run() method when under test, so the test knows when the agent process is ready
  - Tweaks to the shutdown method enabling testing
  - Let jsonify not crash if values cannot be serialized
  - Add a new command-line parameter, -v, useful when testing interactively
  - When -v is given, stdout and stderr will simply go to the console
  - Allow the 'date' command to be executed from localhost; for testing
- Use an enum for the status. Only accept expected values.
- Check that we can read a file before trying to send it.
- Monitor async python process spawned in background
  - Be able to detect if background process completed ok or errored
  - Accurately report failure status on execution failures
  - The agent used to report RUNNING when the process actually FAILED
- Add base64 encoding capability to send_file
- Detect and log errors that occur during send_file
- Allow json_success to have status codes
- Allow json_error to accept kwargs, like json_success already does
- More detailed error messages for certain kinds of failure
  - creating directory; storing file; extracting zip file
- This feature only available in Windows
- This can serve a variety of purposes
- Via a POST request, the agent will open the named mutex
  - If not immediately available, wait 500 ms
- Via a DELETE request, the agent will release the named mutex
- The mutex must already exist; the agent will not create a mutex
Create logszipall for linux strace logs
Bumps [sqlparse](https://github.com/andialbrecht/sqlparse) from 0.4.4 to 0.5.0.
- [Changelog](https://github.com/andialbrecht/sqlparse/blob/master/CHANGELOG)
- [Commits](andialbrecht/sqlparse@0.4.4...0.5.0)
---
updated-dependencies:
- dependency-name: sqlparse
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
…parse-0.5.0 chore(deps): bump sqlparse from 0.4.4 to 0.5.0
…voreilly#2066)
* Added support for IMDS-based authentication to avoid using access/secret keys on EC2. Using access/secret keys directly on EC2 is considered a bad security practice. I have added the option for boto3 to perform authentication using the Instance Metadata Service and assume the role associated with the EC2 instance on which CAPEv2 is running. This does not cancel the original authentication method; it is used as a fallback in case users do not specify secret/access keys in aws.conf.
* style: Automatic code formatting
* Added an explanation about the option to authenticate through IMDS instead of providing an access and secret key
--------
Co-authored-by: GitHub Actions <[email protected]>
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 20.1.0 to 22.0.0.
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@20.1.0...22.0.0)
---
updated-dependencies:
- dependency-name: gunicorn
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* download sysmon.data filtering by category
* lang
This link says that we should use advfirewall rather than firewall: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
* fixing error in volatility, floss and qemu integration. Adding psscan feature for volatility. Adding qemu compatibility for memory module.
--------
Co-authored-by: alice <alice@wall-e>
Please check these changes and merge them :)