CAPA: The Basics | TryHackMe writeup / walkthrough
Task 1 - Introduction
Q1. I'm excited to learn more about CAPA!
No Answer Needed
Task 2 - Tool Overview: How CAPA Works
Q1. What command-line option would you use if you need to check what other parameters you can use with the tool? Use the shortest format.
Answer: -h
Q2. What command-line option is used to find detailed information on the malware's capabilities? Use the shortest format.
Answer: -v
Q3. What command-line option do you use to find very verbose information about the malware's capabilities? Use the shortest format.
Answer: -vv
Q4. What PowerShell command will you use to read the content of a file?
Answer: Get-Content
Task 3 - Dissecting CAPA Results Part 1: General Information, MITRE and MAEC
Q1. What is the sha256 of cryptbot.bin?
Answer: ae7bc6b6f6ecb206a7b957e4bb86e0d11845c5b2d9f7a00a482bef63b567ce4c
Q2. What is the Technique Identifier of Obfuscated Files or Information?
Answer: T1027
Q3. What is the Sub-Technique Identifier of Obfuscated Files or Information::Indicator Removal from Tools?
Answer: T1027.005
Q4. When CAPA tags a file with this MAEC value, it indicates that the file demonstrates behaviour similar to, but not limited to, activating persistence mechanisms. Which value is it?
Answer: launcher
Q5. When CAPA tags a file with this MAEC value, it indicates that the file demonstrates behaviour similar to, but not limited to, fetching additional payloads or resources from the internet. Which value is it?
Answer: downloader
Task 4 - Dissecting CAPA Results Part 2: Malware Behavior Catalogue
Q1. What serves as a catalogue of malware objectives and behaviours?
Answer: Malware Behavior Catalogue
Q2. Which field is based on ATT&CK tactics in the context of malware behaviour?
Answer: Objective
Q3. What is the Identifier of the "Create Process" micro-behavior?
Answer: C0017
Q4. What is the behaviour with the Identifier B0009?
Answer: Virtual Machine Detection
Q5. Malware can obfuscate data using base64 and XOR. What is the related micro-behavior for this?
Answer: Encode Data
Q6. Which micro-behavior refers to "Malware is capable of initiating HTTP communications"?
Answer: HTTP Communication
Task 5 - Dissecting CAPA Results Part 3: Namespaces
Q1. Which top-level Namespace contains a set of rules specifically designed to detect behaviours, including obfuscation, packing, and anti-debugging techniques exhibited by malware to evade analysis?
Answer: anti-analysis
Q2. Which namespace contains rules to detect virtual machine (VM) environments? Note that this is not the TLN or Top-Level Namespace.
Answer: anti-vm/vm-detection
Q3. Which Top-Level Namespace contains rules related to behaviours associated with maintaining access or persistence within a compromised system? This namespace is focused on understanding how malware can establish and maintain a presence within a compromised environment, allowing it to persist and carry out malicious activities over an extended period.
Answer: persistence
Q4. Which namespace addresses techniques such as String Encryption, Code Obfuscation, Packing, and Anti-Debugging Tricks, which conceal or obscure the true purpose of the code?
Answer: obfuscation
Q5. Which Top-Level Namespace is a staging ground for rules that are not quite polished?
Answer: nursery
Q6. Proceed to the next task for the 2nd part of the discussion!
No Answer Needed
Task 6 - Dissecting CAPA Results Part 4: Capability
Q1. What rule yaml file was matched if the Capability or rule name is check HTTP status code?
Answer: check-http-status-code.yml
Q2. What is the name of the Capability if the rule YAML file is reference-anti-vm-strings?
Answer: reference anti-VM strings
Q3. Which TLN or Top-Level Namespace includes the Capability or rule name run PowerShell expression?
Answer: load-code
Q4. Check the conditions inside the check-for-windows-sandbox-via-registry.yml rule file from this link. Which API ending in Ex is it looking for?
Answer: RegOpenKeyEx
Task 7 - More Information, more fun!
Q1. Which parameter allows you to output the result of CAPA into a .json file?
Answer: -j
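The JSON produced by -j is the easiest form of CAPA output to post-process, because it carries the same fields the walkthrough's earlier tasks pick out by eye: each matched rule's namespace, its ATT&CK and MBC identifiers, and any MAEC category. The following script is an added example written for this writeup, not part of the room or of the capa project. It works on a constructed, heavily trimmed report whose shape is modelled on capa's JSON output (a `rules` mapping of rule name to `meta` plus `matches`); the rule names are the ones the room mentions, but the namespaces, identifiers and match addresses are illustrative, and the exact key names should be checked against the capa version you run. The `rule_filename` helper encodes the naming convention Task 6 relies on (rule name lower-cased, spaces replaced by hyphens, `.yml` suffix).

```python
"""Summarise a `capa -j` report: capabilities by top-level namespace, ATT&CK, MBC and MAEC."""
import json
from collections import defaultdict

# Constructed sample, shaped like a trimmed `capa -j` report (assumed structure,
# not real output for cryptbot.bin). Addresses and ids are illustrative only.
SAMPLE_REPORT = r'''
{
  "meta": {
    "sample": {"path": "C:\\Users\\Analyst\\Desktop\\sample.bin"},
    "analysis": {"format": "pe", "arch": "i386"}
  },
  "rules": {
    "check HTTP status code": {
      "meta": {
        "name": "check HTTP status code",
        "namespace": "communication/http",
        "attack": [],
        "mbc": [{"objective": "Communication", "behavior": "HTTP Communication",
                 "method": "", "id": "C0002"}],
        "maec": {}
      },
      "matches": [[{"type": "absolute", "value": 4198400}, {}]]
    },
    "reference anti-VM strings": {
      "meta": {
        "name": "reference anti-VM strings",
        "namespace": "anti-analysis/anti-vm/vm-detection",
        "attack": [{"tactic": "Defense Evasion", "technique": "Virtualization/Sandbox Evasion",
                    "subtechnique": "System Checks", "id": "T1497.001"}],
        "mbc": [{"objective": "Anti-Behavioral Analysis", "behavior": "Virtual Machine Detection",
                 "method": "", "id": "B0009"}],
        "maec": {}
      },
      "matches": [[{"type": "absolute", "value": 0}, {}]]
    },
    "run PowerShell expression": {
      "meta": {
        "name": "run PowerShell expression",
        "namespace": "load-code/powershell",
        "attack": [{"tactic": "Execution", "technique": "Command and Scripting Interpreter",
                    "subtechnique": "PowerShell", "id": "T1059.001"}],
        "mbc": [],
        "maec": {}
      },
      "matches": [[{"type": "absolute", "value": 4207616}, {}]]
    },
    "create process": {
      "meta": {
        "name": "create process",
        "namespace": "host-interaction/process/create",
        "attack": [],
        "mbc": [{"objective": "Process", "behavior": "Create Process", "method": "", "id": "C0017"}],
        "maec": {"malware_category": "launcher"}
      },
      "matches": [[{"type": "absolute", "value": 4203520}, {}]]
    }
  }
}
'''


def load_report(text):
    """Parse the JSON text of a capa report (e.g. the output of Get-Content result.json -Raw)."""
    return json.loads(text)


def top_level_namespace(namespace):
    """'anti-analysis/anti-vm/vm-detection' -> 'anti-analysis' (the TLN)."""
    return namespace.split("/", 1)[0]


def capabilities_by_tln(report):
    """Map each top-level namespace to the sorted rule names matched under it."""
    groups = defaultdict(list)
    for name, rule in report["rules"].items():
        groups[top_level_namespace(rule["meta"]["namespace"])].append(name)
    return {tln: sorted(names) for tln, names in sorted(groups.items())}


def attack_ids(report):
    """Set of ATT&CK technique / sub-technique ids (e.g. T1027, T1027.005) across all matched rules."""
    return {a["id"] for rule in report["rules"].values() for a in rule["meta"].get("attack", [])}


def mbc_ids(report):
    """Map each MBC id to 'Objective::Behavior' for every matched rule."""
    return {m["id"]: f'{m["objective"]}::{m["behavior"]}'
            for rule in report["rules"].values() for m in rule["meta"].get("mbc", [])}


def maec_categories(report):
    """Sorted MAEC malware categories (e.g. launcher, downloader) attached to matched rules."""
    return sorted({rule["meta"].get("maec", {}).get("malware_category")
                   for rule in report["rules"].values()} - {None})


def rule_filename(rule_name):
    """Rule-file naming convention: lower-case the rule name, spaces -> hyphens, add .yml."""
    return rule_name.lower().replace(" ", "-") + ".yml"


def match_count(report, rule_name):
    """Number of locations (address, match-tree pairs) where a rule matched."""
    return len(report["rules"][rule_name]["matches"])


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    for tln, names in capabilities_by_tln(report).items():
        print(f"{tln}: {', '.join(names)}")
    print("ATT&CK:", sorted(attack_ids(report)))
    print("MBC:", mbc_ids(report))
    print("MAEC:", maec_categories(report))
```

To run it against a real report, save CAPA's output with `-j`, read the file (with Get-Content -Raw in PowerShell) and pass the text to `load_report` instead of the constructed sample; if a field is missing, compare the key names with the report your capa version actually produces.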
Q2. What tool allows you to interactively explore CAPA results in your web browser?
Answer: CAPA Web Explorer
Q3. Which feature of this CAPA Web Explorer allows you to filter options or results?
Answer: Global Search Box
Task 8 - Conclusion
Q1. This room was fantastic! Let's proceed with other rooms for continuous learning!
No Answer Needed