- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
techniques), verified against MITRE ATT&CK v19.1 via the official
mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
Deploy and operate CAPEv2 sandbox for automated malware analysis with behavioral monitoring, payload extraction, configuration parsing, and anti-evasion capabilities.
cybersecurity
malware-analysis
cape
sandbox
automated-analysis
malware-analysis
behavioral-analysis
payload-extraction
cuckoo
1.0
mahipal
Apache-2.0
DE.AE-02
RS.AN-03
ID.RA-01
DE.CM-01
T1027
T1055
T1140
T1497
T1070
Performing Automated Malware Analysis with CAPE
Overview
CAPE (Config And Payload Extraction) is an open-source malware sandbox derived from Cuckoo that automates behavioral analysis, payload dumping, and configuration extraction. CAPEv2 features API hooking for behavioral instrumentation, captures files created/modified/deleted during execution, records network traffic in PCAP format, and includes 70+ custom configuration extractors (cape-parsers) for families like Emotet, TrickBot, Cobalt Strike, AsyncRAT, and Rhadamanthys. The signature system includes 1000+ behavioral signatures detecting evasion techniques, persistence, credential theft, and ransomware behavior. CAPE's debugger enables dynamic anti-evasion bypasses combining debugger actions within YARA signatures. Recommended deployment: Ubuntu LTS host with Windows 10 21H2 guest VM.
When to Use
When conducting security assessments that involve performing automated malware analysis with cape
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing
Prerequisites
Ubuntu 22.04 LTS server (8+ CPU cores, 32GB+ RAM, 500GB+ SSD)
KVM/QEMU virtualization support
Windows 10 21H2 guest image
Python 3.9+ with CAPEv2 dependencies
Network configuration for isolated analysis network
Workflow
Step 1: Submit and Analyze Samples via API
#!/usr/bin/env python3"""CAPE sandbox API client for automated malware submission and analysis."""importrequestsimportjsonimporttimeimportsysfrompathlibimportPathclassCAPEClient:def__init__(self,base_url="http://localhost:8000",api_token=None):self.base_url=base_url.rstrip("/")self.headers={}ifapi_token:self.headers["Authorization"]=f"Token {api_token}"defsubmit_file(self,filepath,options=None):"""Submit a file for analysis."""url=f"{self.base_url}/apiv2/tasks/create/file/"files={"file":open(filepath,"rb")}data=optionsor{}data.setdefault("timeout",120)data.setdefault("enforce_timeout",False)resp=requests.post(url,files=files,data=data,headers=self.headers)resp.raise_for_status()result=resp.json()task_id=result.get("data",{}).get("task_ids",[None])[0]print(f"[+] Submitted {filepath} -> Task ID: {task_id}")returntask_iddefget_status(self,task_id):"""Check task analysis status."""url=f"{self.base_url}/apiv2/tasks/status/{task_id}/"resp=requests.get(url,headers=self.headers)returnresp.json().get("data","unknown")defwait_for_completion(self,task_id,poll_interval=15,max_wait=600):"""Wait for analysis to complete."""elapsed=0whileelapsed<max_wait:status=self.get_status(task_id)ifstatus=="reported":print(f"[+] Task {task_id} completed")returnTruetime.sleep(poll_interval)elapsed+=poll_intervalprint(f" Waiting... ({elapsed}s, status: {status})")returnFalsedefget_report(self,task_id):"""Retrieve full analysis report."""url=f"{self.base_url}/apiv2/tasks/get/report/{task_id}/"resp=requests.get(url,headers=self.headers)returnresp.json()defget_config(self,task_id):"""Get extracted malware configuration."""report=self.get_report(task_id)configs=report.get("CAPE",{}).get("configs",[])returnconfigsdefget_dropped_files(self,task_id):"""List files dropped during analysis."""report=self.get_report(task_id)returnreport.get("dropped",[])defget_network_iocs(self,task_id):"""Extract network IOCs from analysis."""report=self.get_report(task_id)network=report.get("network",{})iocs={"dns":[d.get("request")fordinnetwork.get("dns",[])],"http":[h.get("uri")forhinnetwork.get("http",[])],"tcp":[f"{h.get('dst')}:{h.get('dport')}"forhinnetwork.get("tcp",[])],}returniocsdefanalyze_sample(self,filepath):"""Full automated analysis pipeline."""task_id=self.submit_file(filepath)ifnottask_id:returnNoneifself.wait_for_completion(task_id):report={"task_id":task_id,"config":self.get_config(task_id),"network_iocs":self.get_network_iocs(task_id),"dropped_files":len(self.get_dropped_files(task_id)),}returnreportreturnNoneif__name__=="__main__":iflen(sys.argv)<2:print(f"Usage: {sys.argv[0]} <malware_sample> [cape_url]")sys.exit(1)url=sys.argv[2]iflen(sys.argv)>2else"http://localhost:8000"client=CAPEClient(url)result=client.analyze_sample(sys.argv[1])ifresult:print(json.dumps(result,indent=2))
Validation Criteria
Samples submitted and analyzed within configured timeout
Behavioral signatures triggered for known malware families
Malware configurations extracted by cape-parsers
Network traffic captured and IOCs extracted
Dropped files and payloads collected for further analysis
Anti-evasion bypasses effective against sandbox-aware malware