Merge branch 'kevoreilly:master' into master

VirusTotal · Oct 7, 2024 · f78a9bb · f78a9bb
2 parents 5a5e0df + acb0261
commit f78a9bb
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 1 deletion.
diff --git a/analyzer/windows/data/yara/PrivateLoader.yar b/analyzer/windows/data/yara/PrivateLoader.yar
@@ -0,0 +1,12 @@
+rule PrivateLoader
+{
+    meta:
+        author = "kevoreilly"
+        description = "PrivateLoader indirect syscall capture"
+        cape_options = "clear,sysbp=$syscall*-2"
+        packed = "075d0dafd7b794fbabaf53d38895cfd7cffed4a3fe093b0fc7853f3b3ce642a4"
+    strings:
+        $syscall = {48 31 C0 4C 8B 19 8B 41 10 48 8B 49 08 49 89 CA 41 FF E3}
+    condition:
+        any of them
+}
diff --git a/analyzer/windows/dll/capemon.dll b/analyzer/windows/dll/capemon.dll
diff --git a/analyzer/windows/dll/capemon_x64.dll b/analyzer/windows/dll/capemon_x64.dll
diff --git a/changelog.md b/changelog.md
@@ -1,7 +1,13 @@
+### [04.10.2024]
+* Monitor update: Add GetClassObject hook to handle UAC bypass technique using CMSTPLUA COM object
+* PrivateLoader direct syscall capture
+
+### [01.10.2024]
+* Monitor update: Improve fix for size bug with unpacking embedded PEs
+
 ### [26.09.2024] Browser monitoring
 * [Browser extension details](https://github.com/kevoreilly/CAPEv2/tree/master/extra/browser_extension/README.md). For code details see [PR](https://github.com/kevoreilly/CAPEv2/pull/2330)
 
-
 ### [23.09.2024]
 * Monitor update: Fix size bug with unpacking embedded PEs
 * .NET loader 'SlowLoader' detonation shim for slower cpus (race condition)