Capa Versions Save

This release adds a new characteristic call $+5 enabling users to create rules that match this instruction commonly seen in obfuscators. The linter now also validates ATT&CK and MBC categories. Additionally, many dependencies, including the vivisect backend, have been updated.

One rule has been added and many more have been improved.

Thanks for all the support, especially to @kn0wl3dge and first time contributor @uckelman-sf!

New Features

• linter: validate ATT&CK/MBC categories and IDs #103 @kn0wl3dge
• extractor: add characteristic "call $+5" feature #366 @kn0wl3dge

New Rules (1)

• anti-analysis/obfuscation/obfuscated-with-advobfuscator [email protected]

Bug Fixes

• remove typing package as a requirement for Python 3.7+ compatibility #901 @uckelman-sf
• elf: fix OS detection for Linux kernel modules #867 @williballenthin

Raw diffs

• capa v3.1.0...v3.2.0
• capa-rules v3.1.0...v3.2.0

This release improves the performance of capa while also adding 23 new rules and many code quality enhancements. We profiled capa's CPU usage and optimized the way that it matches rules, such as by short circuiting when appropriate. According to our testing, the matching phase is approximately 66% faster than v3.0.3! We also added support for Python 3.10, aarch64 builds, and additional MAEC metadata in the rule headers.

This release adds 23 new rules, including nine by Jakub Jozwiak of Mandiant. @ryantxu1 and @dzbeck updated the ATT&CK and MBC mappings for many rules. Thank you!

And as always, welcome first time contributors!

• @kn0wl3dge
• @jtothej
• @cl30

New Features

• engine: short circuit logic nodes for better performance #824 @williballenthin
• engine: add optimizer the order faster nodes first #829 @williballenthin
• engine: optimize rule evaluation by skipping rules that can't match #830 @williballenthin
• support python 3.10 #816 @williballenthin
• support aarch64 #683 @williballenthin
• rules: support maec/malware-family meta #841 @mr-tz
• engine: better type annotations/exhaustiveness checking #839 @cl30

Breaking Changes: None

New Rules (23)

• nursery/delete-windows-backup-catalog [email protected]
• nursery/disable-automatic-windows-recovery-features [email protected]
• nursery/capture-webcam-video @johnk3r
• nursery/create-registry-key-via-stdregprov [email protected]
• nursery/delete-registry-key-via-stdregprov [email protected]
• nursery/delete-registry-value-via-stdregprov [email protected]
• nursery/query-or-enumerate-registry-key-via-stdregprov [email protected]
• nursery/query-or-enumerate-registry-value-via-stdregprov [email protected]
• nursery/set-registry-value-via-stdregprov [email protected]
• data-manipulation/compression/decompress-data-using-ucl [email protected]
• linking/static/wolfcrypt/linked-against-wolfcrypt [email protected]
• linking/static/wolfssl/linked-against-wolfssl [email protected]
• anti-analysis/packer/pespin/packed-with-pespin [email protected]
• load-code/shellcode/execute-shellcode-via-windows-fibers [email protected]
• load-code/shellcode/execute-shellcode-via-enumuilanguages [email protected]
• anti-analysis/packer/themida/packed-with-themida [email protected]
• load-code/shellcode/execute-shellcode-via-createthreadpoolwait [email protected]
• host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object [email protected]
• load-code/shellcode/execute-shellcode-via-copyfile2 [email protected]
• malware-family/plugx/match-known-plugx-module [email protected]

Rule Changes

• update ATT&CK mappings by @ryantxu1
• update ATT&CK and MBC mappings by @dzbeck
• aplib detection by @cdong1012
• golang runtime detection by @stevemk14ebr

Bug Fixes

• fix circular import error #825 @williballenthin
• fix smda negative number extraction #430 @kn0wl3dge

capa explorer IDA Pro plugin

• pin supported versions to >= 7.4 and < 8.0 #849 @mike-hunhoff

Development

• add profiling infrastructure #828 @williballenthin
• linter: detect shellcode extension #820 @mr-tz
• show features script: add backend flag #430 @kn0wl3dge

Raw diffs

• capa v3.0.3...v3.1.0
• capa-rules v3.0.3...v3.1.0

v3.0.3 (2021-10-27)

This is primarily a rule maintenance release:

• eight new rules, including all relevant techniques from ATT&CK v10, and
• two rules removed, due to the prevalence of false positives

We've also tweaked the status codes returned by capa.exe to be more specific and added a bit more metadata to the JSON output format.

As always, welcome first time contributors!

• [email protected]
• [email protected]

New Features

• show in which function a BB match is #130 @williballenthin
• main: exit with unique error codes when bailing #802 @williballenthin

New Rules (8)

• nursery/resolve-function-by-fnv-1a-hash [email protected]
• data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc [email protected]
• collection/group-policy/discover-group-policy-via-gpresult [email protected]
• host-interaction/bootloader/manipulate-safe-mode-programs [email protected]
• nursery/enable-safe-mode-boot [email protected]
• persistence/iis/persist-via-iis-module [email protected]
• persistence/iis/persist-via-isapi-extension [email protected]
• targeting/language/identify-system-language-via-api [email protected]

Removed rules (2)

• load-code/pe/parse-pe-exports: too many false positives in unrelated structure accesses
• anti-analysis/anti-vm/vm-detection/execute-anti-vm-instructions: too many false positives in junk code

Bug Fixes

• update references from FireEye to Mandiant

Raw diffs

• capa v3.0.2...v3.0.3
• capa-rules v3.0.2...v3.0.3

This release fixes an issue with the standalone executables built with PyInstaller when running capa against ELF files.

Bug Fixes

• fix bug in PyInstaller config preventing ELF analysis #795 @mr-tz

Raw diffs

• capa v3.0.1...master
• capa-rules v3.0.1...master

This version updates the version of vivisect used by capa. Users will experience fewer bugs and find improved analysis results.

Thanks to the community for highlighting issues and analysis misses. Your feedback is crucial to further improve capa.

Bug Fixes

• fix many underlying bugs in vivisect analysis and update to version v1.0.5 #786 @williballenthin

Raw diffs

• capa v3.0.0...v3.0.1
• capa-rules v3.0.0...v3.0.1

Here comes capa version 3.0! 🥳

capa 3.0:

• adds support for ELF files targeting Linux thanks to Intezer
• adds new features to specify OS, CPU architecture, and file format
• fixes a few bugs that may have led to false negatives (missed capabilities) in older versions
• adds 80 new rules, including 36 describing techniques for Linux

A huge thanks to everyone who submitted issues, provided feedback, and contributed code and rules. Special acknowledgement to @Adir-Shemesh and @TcM1911 of Intezer for contributing the code to enable ELF support. Also, welcome first time contributors:

• @jaredscottwilson
• @cdong1012
• @jlepore-fe

New Features

• all: add support for ELF files #700 @Adir-Shemesh @TcM1911
• rule format: add feature format: for file format, like format: pe #723 @williballenthin
• rule format: add feature arch: for architecture, like arch: amd64 #723 @williballenthin
• rule format: add feature os: for operating system, like os: windows #723 @williballenthin
• rule format: add feature substring: for verbatim strings with leading/trailing wildcards #737 @williballenthin
• scripts: add profile-memory.py for profiling memory usage #736 @williballenthin
• main: add light weight ELF file feature extractor to detect file limitations #770 @mr-tz

Breaking Changes

• rules using format, arch, os, or substring features cannot be used by capa versions prior to v3
• legacy term arch (i.e., "x32") is now called bitness @williballenthin
• freeze format gains new section for "global" features #759 @williballenthin

New Rules (80)

• collection/webcam/capture-webcam-image @johnk3r
• nursery/list-drag-and-drop-files [email protected]
• nursery/monitor-clipboard-content [email protected]
• nursery/monitor-local-ipv4-address-changes [email protected]
• nursery/load-windows-common-language-runtime [email protected]
• nursery/resize-volume-shadow-copy-storage [email protected]
• nursery/add-user-account-group [email protected]
• nursery/add-user-account-to-group [email protected]
• nursery/add-user-account [email protected]
• nursery/change-user-account-password [email protected]
• nursery/delete-user-account-from-group [email protected]
• nursery/delete-user-account-group [email protected]
• nursery/delete-user-account [email protected]
• nursery/list-domain-servers [email protected]
• nursery/list-groups-for-user-account [email protected]
• nursery/list-user-account-groups [email protected]
• nursery/list-user-accounts-for-group [email protected]
• nursery/list-user-accounts [email protected]
• nursery/parse-url [email protected]
• nursery/register-raw-input-devices [email protected]
• anti-analysis/packer/gopacker/packed-with-gopacker [email protected]
• host-interaction/driver/create-device-object @mr-tz
• host-interaction/process/create/execute-command @mr-tz
• data-manipulation/encryption/create-new-key-via-cryptacquirecontext [email protected]
• host-interaction/log/clfs/append-data-to-clfs-log-container [email protected]
• host-interaction/log/clfs/read-data-from-clfs-log-container [email protected]
• data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl [email protected]
• c2/shell/create-unix-reverse-shell [email protected]
• c2/shell/execute-shell-command-received-from-socket [email protected]
• collection/get-current-user [email protected]
• host-interaction/file-system/change-file-permission [email protected]
• host-interaction/hardware/memory/get-memory-information [email protected]
• host-interaction/mutex/lock-file [email protected]
• host-interaction/os/version/get-kernel-version [email protected]
• host-interaction/os/version/get-linux-distribution [email protected]
• host-interaction/process/terminate/terminate-process-via-kill [email protected]
• lib/duplicate-stdin-and-stdout [email protected]
• nursery/capture-network-configuration-via-ifconfig [email protected]
• nursery/collect-ssh-keys [email protected]
• nursery/enumerate-processes-via-procfs [email protected]
• nursery/interact-with-iptables [email protected]
• persistence/persist-via-desktop-autostart [email protected]
• persistence/persist-via-shell-profile-or-rc-file [email protected]
• persistence/service/persist-via-rc-script [email protected]
• collection/get-current-user-on-linux [email protected]
• collection/network/get-mac-address-on-windows [email protected]
• host-interaction/file-system/read/read-file-on-linux [email protected] [email protected]
• host-interaction/file-system/read/read-file-on-windows [email protected]
• host-interaction/file-system/write/write-file-on-windows [email protected]
• host-interaction/os/info/get-system-information-on-windows [email protected] [email protected]
• host-interaction/process/create/create-process-on-windows [email protected]
• linking/runtime-linking/link-function-at-runtime-on-windows [email protected]
• nursery/create-process-on-linux [email protected]
• nursery/enumerate-files-on-linux [email protected]
• nursery/get-mac-address-on-linux [email protected]
• nursery/get-system-information-on-linux [email protected]
• nursery/link-function-at-runtime-on-linux [email protected]
• nursery/write-file-on-linux [email protected]
• communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl [email protected]
• nursery/linked-against-cpp-http-library @mr-tz
• nursery/linked-against-cpp-json-library @mr-tz

Bug Fixes

• main: fix KeyError: 0 when reporting results @williballehtin #703
• main: fix potential false negatives due to namespaces across scopes @williballenthin #721
• linter: suppress some warnings about imports from ntdll/ntoskrnl @williballenthin #743
• linter: suppress some warnings about missing examples in the nursery @williballenthin #747

capa explorer IDA Pro plugin

• explorer: add additional filter logic when displaying matches by function #686 @mike-hunhoff
• explorer: remove duplicate check when saving file #687 @mike-hunhoff
• explorer: update IDA extractor to use non-canon mnemonics #688 @mike-hunhoff
• explorer: allow user to add specified number of bytes when adding a Bytes feature in the Rule Generator #689 @mike-hunhoff
• explorer: enforce max column width Features and Editor panes #691 @mike-hunhoff
• explorer: add option to limit features to currently selected disassembly address #692 @mike-hunhoff
• explorer: update support documentation and runtime checks #741 @mike-hunhoff
• explorer: small performance boost to rule generator search functionality #742 @mike-hunhoff
• explorer: add support for arch, os, and format features #758 @mike-hunhoff
• explorer: improve parsing algorithm for rule generator feature editor #768 @mike-hunhoff

Development

Raw diffs

• capa v2.0.0...v3.0.0
• capa-rules v2.0.0...v3.0.0

We are excited to announce version 2.0! :tada:

This release:

• enables anyone to contribute rules more easily
• is the first Python 3 ONLY version
• provides more concise and relevant results via identification of library functions using FLIRT
• includes many features and enhancements for the capa explorer IDA plugin
• adds 93 new rules, including all new techniques introduced in MITRE ATT&CK v9

A huge thanks to everyone who submitted issues, provided feedback, and contributed code and rules. Many colleagues across dozens of organizations have volunteered their experience to improve this tool! :heart:

New Features

• rules: update ATT&CK and MBC mappings https://github.com/fireeye/capa-rules/pull/317 @williballenthin
• main: use FLIRT signatures to identify and ignore library code #446 @williballenthin
• tests: update test cases and caching #545 @mr-tz
• scripts: capa2yara.py convert capa rules to YARA rules #561 @ruppde
• rule: add file-scope feature (function-name) for recognized library functions #567 @williballenthin
• main: auto detect shellcode based on file extension #516 @mr-tz
• main: more detailed progress bar output when matching functions #562 @mr-tz
• main: detect file limitations without doing code analysis for better performance #583 @williballenthin
• show-features: don't show features from library functions #569 @williballenthin
• linter: summarize results at the end #571 @williballenthin
• linter: check for or with always true child statement, e.g. optional, colors #348 @mr-tz

Breaking Changes

• py3: drop Python 2 support #480 @Ana06
• meta: added library_functions field, feature_counts.functions does not include library functions any more #562 @mr-tz
• json: results document now contains parsed ATT&CK and MBC fields instead of canonical representation #526 @mr-tz
• json: record all matching strings for regex #159 @williballenthin
• main: implement file limitations via rules not code #390 @williballenthin
• json: correctly render negative offsets #619 @williballenthin
• library: remove logic from __init__.py throughout #622 @williballenthin

New Rules (93)

• anti-analysis/packer/amber/packed-with-amber @gormaniac
• collection/file-managers/gather-3d-ftp-information @re-fox
• collection/file-managers/gather-alftp-information @re-fox
• collection/file-managers/gather-bitkinex-information @re-fox
• collection/file-managers/gather-blazeftp-information @re-fox
• collection/file-managers/gather-bulletproof-ftp-information @re-fox
• collection/file-managers/gather-classicftp-information @re-fox
• collection/file-managers/gather-coreftp-information @re-fox
• collection/file-managers/gather-cuteftp-information @re-fox
• collection/file-managers/gather-cyberduck-information @re-fox
• collection/file-managers/gather-direct-ftp-information @re-fox
• collection/file-managers/gather-directory-opus-information @re-fox
• collection/file-managers/gather-expandrive-information @re-fox
• collection/file-managers/gather-faststone-browser-information @re-fox
• collection/file-managers/gather-fasttrack-ftp-information @re-fox
• collection/file-managers/gather-ffftp-information @re-fox
• collection/file-managers/gather-filezilla-information @re-fox
• collection/file-managers/gather-flashfxp-information @re-fox
• collection/file-managers/gather-fling-ftp-information @re-fox
• collection/file-managers/gather-freshftp-information @re-fox
• collection/file-managers/gather-frigate3-information @re-fox
• collection/file-managers/gather-ftp-commander-information @re-fox
• collection/file-managers/gather-ftp-explorer-information @re-fox
• collection/file-managers/gather-ftp-voyager-information @re-fox
• collection/file-managers/gather-ftpgetter-information @re-fox
• collection/file-managers/gather-ftpinfo-information @re-fox
• collection/file-managers/gather-ftpnow-information @re-fox
• collection/file-managers/gather-ftprush-information @re-fox
• collection/file-managers/gather-ftpshell-information @re-fox
• collection/file-managers/gather-global-downloader-information @re-fox
• collection/file-managers/gather-goftp-information @re-fox
• collection/file-managers/gather-leapftp-information @re-fox
• collection/file-managers/gather-netdrive-information @re-fox
• collection/file-managers/gather-nexusfile-information @re-fox
• collection/file-managers/gather-nova-ftp-information @re-fox
• collection/file-managers/gather-robo-ftp-information @re-fox
• collection/file-managers/gather-securefx-information @re-fox
• collection/file-managers/gather-smart-ftp-information @re-fox
• collection/file-managers/gather-softx-ftp-information @re-fox
• collection/file-managers/gather-southriver-webdrive-information @re-fox
• collection/file-managers/gather-staff-ftp-information @re-fox
• collection/file-managers/gather-total-commander-information @re-fox
• collection/file-managers/gather-turbo-ftp-information @re-fox
• collection/file-managers/gather-ultrafxp-information @re-fox
• collection/file-managers/gather-winscp-information @re-fox
• collection/file-managers/gather-winzip-information @re-fox
• collection/file-managers/gather-wise-ftp-information @re-fox
• collection/file-managers/gather-ws-ftp-information @re-fox
• collection/file-managers/gather-xftp-information @re-fox
• data-manipulation/compression/decompress-data-using-aplib @r3c0nst @mr-tz
• host-interaction/bootloader/disable-code-signing @williballenthin
• host-interaction/bootloader/manipulate-boot-configuration @williballenthin
• host-interaction/driver/disable-driver-code-integrity @williballenthin
• host-interaction/file-system/bypass-mark-of-the-web @williballenthin
• host-interaction/network/domain/get-domain-information @recvfrom
• host-interaction/session/get-logon-sessions @recvfrom
• linking/runtime-linking/resolve-function-by-fin8-fasthash @r3c0nst @mr-tz
• nursery/build-docker-image @williballenthin
• nursery/create-container @williballenthin
• nursery/encrypt-data-using-fakem-cipher @mike-hunhoff
• nursery/list-containers @williballenthin
• nursery/run-in-container @williballenthin
• persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement @williballenthin
• collection/password-manager/steal-keepass-passwords-using-keefarce @Ana06
• host-interaction/network/connectivity/check-internet-connectivity-via-wininet [email protected] [email protected]
• nursery/create-bits-job @mr-tz
• nursery/execute-syscall-instruction @kulinacs @mr-tz
• nursery/connect-to-wmi-namespace-via-wbemlocator [email protected]
• anti-analysis/obfuscation/obfuscated-with-callobfuscator johnk3r
• executable/installer/inno-setup/packaged-as-an-inno-setup-installer [email protected]
• data-manipulation/hashing/djb2/hash-data-using-djb2 [email protected]
• data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table [email protected]
• nursery/list-tcp-connections-and-listeners [email protected]
• nursery/list-udp-connections-and-listeners [email protected]
• nursery/log-keystrokes-via-raw-input-data [email protected]
• nursery/register-http-server-url [email protected]
• internal/limitation/file/internal-autoit-file-limitation.yml [email protected]
• internal/limitation/file/internal-dotnet-file-limitation.yml [email protected]
• internal/limitation/file/internal-installer-file-limitation.yml [email protected]
• internal/limitation/file/internal-packer-file-limitation.yml [email protected]
• host-interaction/network/domain/enumerate-domain-computers-via-ldap [email protected]
• host-interaction/network/domain/get-domain-controller-name [email protected]
• internal/limitation/file/internal-visual-basic-file-limitation @mr-tz
• data-manipulation/hashing/md5/hash-data-with-md5 [email protected]
• compiler/autohotkey/compiled-with-autohotkey [email protected]
• internal/limitation/file/internal-autohotkey-file-limitation @mr-tz
• host-interaction/process/dump/create-process-memory-minidump [email protected]
• nursery/get-storage-device-properties [email protected]
• nursery/execute-shell-command-via-windows-remote-management [email protected]
• nursery/get-token-privileges [email protected]
• nursery/prompt-user-for-credentials [email protected]
• nursery/spoof-parent-pid [email protected]

Bug Fixes

• build: use Python 3.8 for PyInstaller to support consistently running across multiple operating systems including Windows 7 #505 @mr-tz
• main: correctly match BB-scope matches at file scope #605 @williballenthin
• main: do not process non-PE files even when --format explicitly provided #664 @mr-tz

capa explorer IDA Pro plugin

• explorer: IDA 7.6 support #497 @williballenthin
• explorer: explain how to install IDA 7.6 patch to enable the plugin #528 @williballenthin
• explorer: document IDA 7.6sp1 as alternative to the patch #536 @Ana06
• explorer: add support for function-name feature #618 @mike-hunhoff
• explorer: circular import workaround #654 @mike-hunhoff
• explorer: add argument to control whether to automatically analyze when running capa explorer #548 @Ana06
• explorer: extract API features via function names recognized by IDA/FLIRT #661 @mr-tz

Development

• ci: add capa release link to capa-rules tag #517 @Ana06
• ci, changelog: update New Rules section in CHANGELOG automatically https://github.com/fireeye/capa-rules/pull/374 #549 #604 @Ana06
• ci, changelog: support multiple author in sync GH https://github.com/fireeye/capa-rules/pull/378 @Ana06
• ci, lint: check statements for single child statements #563 @mr-tz
• ci: reject PRs without CHANGELOG update to ensure CHANGELOG is kept up-to-date #584 @Ana06
• ci: test that scripts run #660 @mr-tz

Raw diffs

• capa v1.6.1...v2.0.0
• capa-rules v1.6.1...v2.0.0

v1.6.3 (2021-04-29)

This release adds IDA 7.6 support to capa.

Changes

• IDA 7.6 support @williballenthin @Ana06

Raw diffs

• capa v1.6.2...v1.6.3

v1.6.2 (2021-04-13)

This release backports a fix to capa 1.6: The Windows binary was built with Python 3.9 which doesn't support Windows 7.

Bug Fixes

• build: use Python 3.8 for PyInstaller to support consistently running across multiple operating systems including Windows 7 @mr-tz @Ana06

Raw diffs

• capa v1.6.1...v1.6.2

v1.6.1 (2021-04-07)

This release includes several bug fixes, such as a vivisect issue that prevented capa from working on Windows with Python 3. It also adds 17 new rules and a bunch of improvements in the rules and IDA rule generator. We appreciate everyone who opened issues, provided feedback, and contributed code and rules.

Upcoming changes

This is the very last capa release that supports Python 2. The next release will be v2.0 and will have breaking changes, including the removal of Python 2 support.

New features

• explorer: add support for multi-line tab and SHIFT + Tab #474 @mike-hunhoff

New Rules (17)

• encrypt data using RC4 with custom key via WinAPI @MalwareMechanic
• encrypt data using Curve25519 @dandonov
• packaged as an IExpress self-extracting archive @recvfrom
• create registry key via offline registry library @johnk3r
• open registry key via offline registry library @johnk3r
• query registry key via offline registry library @johnk3r
• set registry key via offline registry library @johnk3r
• delete registry key via offline registry library @johnk3r
• enumerate PE sections @Ana06
• inject DLL reflectively @Ana06
• inspect section memory permissions @Ana06
• parse PE exports @Ana06
• rebuild import table @Ana06
• compare security identifiers @mike-hunhoff
• get user security identifier @mike-hunhoff
• listen for remote procedure calls @mike-hunhoff
• query remote server for available data @mike-hunhoff

Bug Fixes

• vivisect: update to v1.0.1 which includes bug fix for #459 (capa failed in Windows with Python 3 and vivisect) #512 @williballenthin
• explorer: fix initialize rules directory #464 @mike-hunhoff
• explorer: support subscope rules #493 @mike-hunhoff
• explorer: add checks to validate matched data when searching #500 @mike-hunhoff
• features, explorer: add support for string features with special characters e.g. '\n' #468 @mike-hunhoff

Changes

• vivisect: raises IncompatibleVivVersion instead of UnicodeDecodeError when using incompatible Python 2 .viv files with Python3 #479 @Ana06
• explorer: improve settings modification #465 @mike-hunhoff
• rules: improvements @mr-tz, @re-fox, @mike-hunhoff
• rules, lint: enforce string with double quotes formatting in rules #468 @mike-hunhoff
• lint: ensure LF end of line #485 #486 @mr-tz
• setup: pin dependencies #513 #504 @Ana06 @mr-tz

Development

• ci: test on Windows, Ubuntu, macOS across Python versions #470 @mr-tz @Ana06
• ci: pin OS versions #491 @williballenthin
• ci: tag capa-rules on release #476 @Ana06
• doc: document release process #476 @Ana06
• doc: Improve README badges #477 #478 @ana06 @mr-tz
• doc: update capa explorer documentation #503 @mike-hunhoff
• doc: add PR template #495 @mr-tz
• changelog: document incompatibility of viv files #475 @Ana06
• rule loading: ignore files starting with .git #492 @mr-tz

Raw diffs

• capa v1.6.0...v1.6.1
• capa-rules v1.6.0...v1.6.1