
feat(targeting): add cloud and container collection/interaction rules#1098

Open

Maijin wants to merge 1 commit into mandiant:master from Maijin:feature/cloud-targeting-rules

Conversation

Maijin commented Jan 19, 2026

This adds rules for:

  • enumerating AWS resources (CloudFormation, CloudTrail, DirectConnect, EC2, IAM, S3, Support)
  • stealing credentials for AWS, GCP, Cloudflare
  • stealing credentials for Docker and Kubernetes

Rules are categorized into host-interaction and collection namespaces.

williballenthin (Collaborator) left a comment


really cool that you have example files for all of these!

Maijin force-pushed the feature/cloud-targeting-rules branch 3 times, most recently from ddaa300 to 2cb34aa on January 19, 2026 09:58

mike-hunhoff (Collaborator) commented

Great work @Maijin! CI workflows are failing because the example files do not exist. If you have access to them, please open a PR at github.com/mandiant/capa-testfiles. Otherwise, we can move these rules to the nursery directory until we do, thank you!

mike-hunhoff (Collaborator) commented

@Maijin I've realized that the referenced samples are shell scripts. capa does not yet support shell scripts so please do one of the following:

  1. find at least one example file supported by capa (PE(.NET), ELF, etc.)
  2. remove the examples meta field and move each rule to the nursery directory

Thank you!
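To make the CI failure and the two options above concrete, here is a small linter that applies the same convention: a rule outside nursery/ must list at least one example, every example hash must exist in the test corpus, and the sample must be a format capa can load (PE or ELF), so a shell script is rejected. This is an added example, not capa's own linter or rule parser; the rule text, its name and namespace, the `rule_examples` line scanner (a stand-in for a YAML parser), and the byte samples standing in for capa-testfiles are all constructed for illustration.

```python
import hashlib


def detect_format(data: bytes) -> str:
    """Classify sample bytes by magic number.

    capa loads PE and ELF; a "#!" shebang marks the shell-script case that
    capa does not support yet. Anything else is reported as unknown.
    """
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    return "unknown"


def rule_examples(rule_text: str) -> list[str]:
    """Collect the list items directly under the rule's `examples:` key.

    Simplified indentation-based scanner so the block needs no third-party
    YAML library; it is not how capa itself parses rules.
    """
    examples = []
    in_block = False
    key_indent = 0
    for line in rule_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if stripped == "examples:":
            in_block, key_indent = True, indent
            continue
        if not in_block or not stripped:
            continue
        if indent > key_indent and stripped.startswith("- "):
            examples.append(stripped[2:].strip())
        else:
            break  # left the examples block
    return examples


def lint_rule(rule_path: str, rule_text: str, samples: dict[str, bytes]) -> list[str]:
    """Return findings for one rule; an empty list means it would pass.

    `samples` maps sha256 -> file bytes and stands in for capa-testfiles.
    Function-scope examples use the form sha256:offset, so only the hash
    part is looked up.
    """
    findings = []
    in_nursery = rule_path.startswith("nursery/")
    examples = rule_examples(rule_text)
    if not examples:
        if not in_nursery:
            findings.append(f"{rule_path}: no examples; add one or move the rule to nursery/")
        return findings
    for example in examples:
        sha = example.split(":", 1)[0].lower()
        data = samples.get(sha)
        if data is None:
            findings.append(f"{rule_path}: example {sha[:12]} not found in testfiles")
            continue
        fmt = detect_format(data)
        if fmt not in ("pe", "elf"):
            findings.append(f"{rule_path}: example {sha[:12]} is a {fmt}, not a format capa supports")
    return findings


# Constructed samples: a minimal PE-looking header and a shell script.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
SHELL_SCRIPT = b"#!/bin/sh\naws sts get-caller-identity\ncat ~/.aws/credentials\n"
PE_SHA = hashlib.sha256(FAKE_PE).hexdigest()
SCRIPT_SHA = hashlib.sha256(SHELL_SCRIPT).hexdigest()
SAMPLES = {PE_SHA: FAKE_PE, SCRIPT_SHA: SHELL_SCRIPT}

# Hypothetical rule in the capa rule format; the name and features are illustrative.
RULE_TEMPLATE = """\
rule:
  meta:
    name: read AWS credentials file
    namespace: collection/cloud/aws
    scopes:
      static: function
      dynamic: thread
    examples:
{examples}
  features:
    - or:
      - string: ".aws/credentials"
      - string: "AWS_SECRET_ACCESS_KEY"
"""


def make_rule(*example_ids: str) -> str:
    """Render the template with the given example identifiers (may be none)."""
    return RULE_TEMPLATE.format(examples="\n".join(f"      - {e}" for e in example_ids))


if __name__ == "__main__":
    path = "collection/cloud/aws/read-aws-credentials-file.yml"
    for text in (make_rule(PE_SHA + ":0x401000"), make_rule(SCRIPT_SHA), make_rule()):
        print(lint_rule(path, text, SAMPLES) or ["ok"])
    print(lint_rule("nursery/read-aws-credentials-file.yml", make_rule(), SAMPLES) or ["ok"])
```

Running the block shows the three outcomes from the thread: a PE example passes, the shell-script example is rejected as unsupported, and a rule without examples passes only once it lives under nursery/.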

mike-hunhoff (Collaborator) commented

@Maijin bump

Maijin (Author) commented Feb 7, 2026

Will do once I'm back on laptop!

Maijin marked this pull request as draft on February 7, 2026 22:34
Maijin force-pushed the feature/cloud-targeting-rules branch from 2cb34aa to ceea7de on February 23, 2026 13:25

Maijin marked this pull request as ready for review on February 23, 2026 13:26

Maijin (Author) commented Feb 23, 2026

@williballenthin sorry for the delay - done


3 participants