
[Bug] Path issue (probably?) with CAPA #532

Closed
HuskyHacks opened this issue Nov 21, 2023 · 6 comments
Labels
🐛 bug Something isn't working 😕 needs info Further information is needed

Comments

@HuskyHacks
Contributor

What's the problem?

Hello!

I've had a few students report that for recent FLAREVM installs, CAPA can't locate its default rules set when invoked with a relative path:

[image]

The CAPA binary definitely runs but it doesn't find its default rule set, which leads me to believe the PATH var is getting messed up somewhere during install.

Steps to Reproduce

  1. Perform full FLAREVM install
  2. Open cmder/terminal/cmd prompt
  3. capa [sample]

Output indicates that the binary executes but cannot find its bundled default rule set when invoked with a relative path.

Environment

  • Standard PMAT Win 10 FLAREVM install

Additional Information

No response

@HuskyHacks HuskyHacks added the 🐛 bug Something isn't working label Nov 21, 2023
@Ana06
Member

Ana06 commented Nov 21, 2023

This seems to be the issue reported in mandiant/VM-Packages#686 and fixed in mandiant/VM-Packages#710. To be able to help you, please provide all the information required in the bug issue template. Concretely, we need the following environment information:

  • Output of VM-Get-Host-Info (run VM-Get-Host-Info in PowerShell with admin rights)

Also, I am not sure what a Standard PMAT Win 10 FLAREVM install is, could you please provide more details?

@Ana06 Ana06 added 😕 needs info Further information is needed 🐛 bug Something isn't working and removed 🐛 bug Something isn't working labels Nov 21, 2023
@HuskyHacks
Contributor Author

I'm reporting this on behalf of students taking PMAT, so I don't have their exact builds at the ready to provide the system info. I can get it for you.

In the course, lab setup basically boils down to

@HuskyHacks
Contributor Author

Though after reading through those other closed issues, it's more likely that the student installed FLAREVM when that bug was still live, so maybe having them reinstall CAPA would be the actual issue here and this can probably be marked as a duplicate!

@Ana06
Member

Ana06 commented Nov 21, 2023

Reinstalling capa won't fix the problem, as the bug was in libraries.python3.vm. Upgrading libraries.python3.vm may fix the issue, but I would recommend a fresh new install. Closing as it seems it is a duplicate. Thanks for reporting it. 😃

@Ana06 Ana06 closed this as completed Nov 21, 2023
@Ana06
Member

Ana06 commented Nov 21, 2023

Unrelated

@HuskyHacks I think you may want to update the environment variables in that config file. TOOL_LIST_SHORTCUT is not used anymore; I recommend removing it and updating TOOL_LIST_DIR as is done in the current default configuration: https://github.com/mandiant/flare-vm/blob/main/config.xml#L5

@HuskyHacks
Contributor Author

Hey thanks! I'll update that and add the new registry key items too.
