Merge branch 'master' into staging

Author: doomedraven

analyzer/windows/data/yara/Formbook.yar

@@ -26,7 +26,7 @@ rule FormhookB
         $new_remap = {8B (86 [2] 00 00|46 ??|06) 5F 5E 5B 8B E5 5D C3}
         $code = {8B 4E 18 50 6A 00 51 57 56 E8 9A 18 00 00 8B 55 10 8B 45 0C 8B 0F 83 C4 1C 52 50 FF D1 5F 5E 5D C3}
     condition:
-        any of them
+        2 of them
 }
 
 rule FormconfA

analyzer/windows/data/yara/Stealc.yar

@@ -17,10 +17,40 @@ rule StealcStrings
     meta:
         author = "kevoreilly"
         description = "Stealc string decryption"
-        cape_options = "bp0=$decode+17,action0=string:edx,count=1,typestring=Stealc Strings"
+        cape_options = "bp0=$decode+17,action0=string:edx,count=0,typestring=Stealc Strings"
         packed = "d0c824e886f14b8c411940a07dc133012b9eed74901b156233ac4cac23378add"
     strings:
         $decode = {51 8B 15 [4] 52 8B 45 ?? 50 E8 [4] 83 C4 0C 6A 04 6A 00 8D 4D ?? 51 FF 15 [4] 83 C4 0C 8B 45 ?? 8B E5 5D C3}
     condition:
         uint16(0) == 0x5A4D and any of them
 }
+
+rule StealcV2Strings
+{
+    meta:
+        author = "kevoreilly"
+        description = "StealcV2 string decryption"
+        cape_options = "bp0=$decode32*,action0=string:[esp],bp1=$decode64,action1=string:eax,bp2=$dump,action2=dumpstrings,count=0,typestring=Stealc Strings"
+        packed = "2f42dcf05dd87e6352491ff9d4ea3dc3f854df53d548a8da0c323be42df797b6"
+        packed = "8301936f439f43579cffe98e11e3224051e2fb890ffe9df680bbbd8db0729387"
+    strings:
+        $decode32 = {AB AB AB AB 8B 45 0C 89 4E 10 89 4E 14 39 45 08 75 0B C7 46 14 0F 00 00 00 88 0E EB 0F 2B 45 08 50 51 FF 75 ?? 8B}
+        $decode64 = {40 53 48 83 EC 20 48 8B 19 48 85 DB 74 ?? 48 8B 53 18 48 83 FA 0F 76 2C 48 8B 0B 48 FF C2 48 81 FA 00 10 00 00 72}
+        $dump32 = {33 C0 89 46 30 88 46 34 89 46 38 89 46 3C 89 46 40 89 46 44 89 46 48 89 46 4C 89 46 50 89 46 54 89 46 58 8B C6 5F 5E C3}
+        $dump64 = {48 8B C7 89 6F 40 40 88 6F 44 48 89 6F 48 48 89 6F 50 48 89 6F 58 48 89 6F 60 48 89 6F 68 48 89 6F 70 48 89 6F 78 48 89}
+    condition:
+        uint16(0) == 0x5A4D and 2 of them
+}
+
+rule StealcV2DateCheck
+{
+    meta:
+        author = "kevoreilly"
+        description = "StealcV2 date check bypass"
+        cape_options = "patch=$date32*-1:B000,patch=$date64*-2:B00090"
+    strings:
+        $date32 = {F3 A5 8D 45 ?? 50 E8 [4] 59 8B F8 8B F2 8D 45 A4 50 E8 [4] 59 3B F2 7C 08 7F 04 3B F8 76 02 B3 01 8A C3}
+        $date64 = {0F 11 44 [2] 0F 11 8C [2] 00 00 00 89 8C [2] 00 00 00 48 8D 4C [2] E8 [4] 48 8B D8 48 8D 4C [2] E8 [4] 48 3B D8 0F 9F C0}
+    condition:
+        uint16(0) == 0x5A4D and any of them
+}

analyzer/windows/dll/capemon.dll

@@ -1,3 +1,12 @@
+### [05.08.2025]
+* Monitor updates:
+    * Enhance dynamic patching capability: new PatchBytes() function, submission/yara option patch=<address>:<bytes>
+    * Create DumpStrings debugger action for corresponding function
+    * Standalone mode improvements (thanks heck-gd)
+    * Improve NtGetContextThread & NtSetContextThread hooks to handle e.g. a2d4e1c831808d0a791608db40cd1e4df598e5fee4bac1b239d4f8194f8e2d4a
+    * Debugger: add flag changes to trace output
+* Stealc V2 detection, dynamic strings & config extraction (requires accompanying CAPE-parsers update)
+
 ### [11.06.2025]
 * __Action required!__ For users of Python 3.12+ in guest, update the agent to solve #2621 affecting e.g. MSI detonation
 * Agent update: Fix issue with analyzer directory creation lacking required ACLs for Python 3.12, remove predictable "tmp" prefix for directory name(s) (fixes #2621)

analyzer/windows/dll/capemon_x64.dll

@@ -204,6 +204,13 @@ auth_only = no
 rps = 1/s
 #rpm = 10/m
 
+# Pull a PCAP from a specific task
+[tasktlspcap]
+enabled = yes
+auth_only = no
+rps = 1/s
+#rpm = 10/m
+
 # Pull a EVTX from a specific task
 [taskevtx]
 enabled = yes

changelog.md

@@ -84,6 +84,12 @@ enabled = no
 
 [Mitmdump]
 # Enable or disable the use of mitmdump (mitmproxy) to get dump.har [yes/no].
-# This module requires installed mitmproxy see install_mitmproxy
+# This module requires mitmproxy to be installed see install_mitmproxy
 # (https://github.com/kevoreilly/CAPEv2/blob/master/installer/cape2.sh#L1320)
 enabled = no
+
+[PolarProxy]
+# Enable or disable the use of PolarProxy to get dump.pcap with decrypted TLS streams [yes/no].
+# This module requires PolarProxy to be installed see install_polarproxy.
+# Use add the options "polarproxy=1" when submitting a sample.
+enabled = no

conf/default/api.conf.default

@@ -0,0 +1,26 @@
+[cfg]
+# bin path to PolarProxy
+bin = /opt/PolarProxy/PolarProxy
+
+# Host ip where PolarProxy is listening
+host = 192.168.122.1
+
+# Interface where PolarProxy is listening
+interface = virbr0
+
+# PKCS#12 certificate/private key file
+cert = /opt/PolarProxy/PolarProxy-key-crt.p12
+
+# Password to unlock PKCS#12 file
+password = CHANGEME
+
+# See https://www.netresec.com/?page=TlsFirewall for details on PolarProxy TLS firewall
+# Newline separated file containing domain regexes for PolarProxy to not MITM
+bypass_list = /opt/PolarProxy/bypass-domains.txt
+# Newline separated file containing domain regexes for PolarProxy to block connections to
+block_list = /opt/PolarProxy/block-domains.txt
+
+# bin path to mergecap
+mergecap = /usr/bin/mergecap
+
+# Future options like custom ports, cert paths, etc

conf/default/auxiliary.conf.default

@@ -153,14 +153,11 @@ do_file_lookup = yes
 do_url_lookup = yes
 urlscrub = (^http:\/\/serw\.clicksor\.com\/redir\.php\?url=|&InjectedParam=.+$)
 
+# Since Suricata 8, socket mode is deprecated.
 [suricata]
-# Notes on getting this to work check install_suricata function:
-# https://github.com/kevoreilly/CAPEv2/blob/master/installer/cape2.sh
-
-enabled = yes
-#Runmode "cli" or "socket"
-runmode = socket
-#Outputfiles
+enabled = no
+runmode = cli
+# Outputfiles
 # if evelog is specified, it will be used instead of the per-protocol log files
 evelog = eve.json
 
@@ -176,13 +173,14 @@ fileslog = files-json.log
 filesdir = files
 # Amount of text to carve from plaintext files (bytes)
 buffer = 8192
-#Used for creating an archive of extracted files
+ #Used for creating an archive of extracted files
 7zbin = /usr/bin/7z
 zippass = infected
-##Runmode "cli" options
+# Runmode "cli" options
 bin = /usr/bin/suricata
 conf = /etc/suricata/suricata.yaml
-##Runmode "socket" Options
+
+# Runmode "socket" Options. Deprecated since Suricata 8.
 socket_file = /tmp/suricata-command.socket
 
 # Community
@@ -316,3 +314,9 @@ enabled = yes
 
 [html_scraper]
 enabled = no
+
+# Community
+[polarproxy]
+# Enable when using the PolarProxy option during analysis. This will merge the tls.pcap containing
+# plain-text TLS streams into the task PCAP.
+enabled = no

conf/default/polarproxy.conf.default

@@ -147,10 +147,6 @@ user = admin
 pass = admin
 realm = Moloch
 
-# Community
-[resubmitexe]
-enabled = no
-resublimit = 5
 
 # Community
 [compression]