
capa Cheat Sheet

Overview

capa is an open-source tool developed by Mandiant's FLARE team that automatically identifies the capabilities present in executable programs. Rather than relying on signatures or hashes of whole files, capa extracts features from the disassembly (API calls, strings, constants, instruction mnemonics, and structural characteristics) and matches them against a curated rule set that describes what malware (and legitimate software) can do, such as encrypting files, establishing persistence, communicating over HTTP, or injecting into processes. capa supports PE files, ELF binaries, .NET assemblies, and shellcode, making it useful across Windows and Linux malware analysis.

capa uses a YAML-based rule format in which each rule describes one capability as a logical combination of features (API calls, strings, byte patterns, numbers, mnemonics) evaluated at a given scope (file, function, basic block, or instruction), with optional mappings to the MITRE ATT&CK framework and the Malware Behavior Catalog (MBC). The tool integrates with IDA Pro, Ghidra, and Binary Ninja as plugins, and recent versions can also match rules against dynamic analysis sandbox reports (CAPE, drakvuf). With over 800 rules maintained in the community capa-rules repository, capa serves as an excellent triage tool that helps analysts quickly understand what a sample can do before diving into deeper manual analysis.

Installation

Via pip

# Install capa (recent PyPI releases bundle the default rule set and library signatures)
pip install flare-capa

# Verify installation
capa --version

# To run newer rules than the bundled ones, track the capa-rules repository
# separately and point capa at it with -r
git clone https://github.com/mandiant/capa-rules.git
capa -r ./capa-rules malware.exe

Pre-built Binary

# Download a standalone release binary (no Python needed). Pin the version so
# the file name in the URL matches the release you are fetching.
wget https://github.com/mandiant/capa/releases/download/v7.0.0/capa-v7.0.0-linux.zip
unzip capa-v7.0.0-linux.zip
chmod +x capa
sudo mv capa /usr/local/bin/

# Windows
# Download capa-v7.0.0-windows.zip from the same GitHub releases page

From Source

git clone https://github.com/mandiant/capa.git
cd capa
git submodule update --init rules
pip install -e ".[dev]"

IDA Pro Plugin

# Both steps are needed: capa must be importable from the Python interpreter
# IDA uses, and the plugin file must be in IDA's plugins directory
pip install flare-capa
cp capa/ida/plugin/capa_explorer.py ~/.idapro/plugins/

Core Commands

Command                      Description
capa <file>                  Analyze file and show capabilities
capa -v <file>               Verbose output with matched features
capa -vv <file>              Very verbose: every matched feature with its address
capa -j <file>               JSON output format
capa -t <tag> <file>         Only run rules whose meta contains <tag> (an ATT&CK ID works)
capa -r <rules_dir> <file>   Use a custom rules directory (or a single rule file)
capa -s <sigs_dir> <file>    Use library-function signatures (.sig/.pat) so library code is not reported as capabilities
capa -b <backend> <file>     Choose the analysis backend (e.g. vivisect, binja)
capa -f <format> <file>      Specify input format (auto, pe, elf, dotnet, sc32, sc64, cape, ...)

# Basic analysis
capa malware.exe

# Verbose output showing matched features
capa -v malware.exe

# Very verbose showing addresses of matches
capa -vv malware.exe

# JSON output for automation
capa -j malware.exe > results.json

# Analyze shellcode (specify architecture)
capa -f sc64 shellcode.bin

# Analyze ELF binary
capa linux_malware.elf

# Analyze .NET assembly
capa -f dotnet managed_malware.exe

# Filter by MITRE ATT&CK technique
capa -t T1055 malware.exe  # Process Injection
capa -t T1059 malware.exe  # Command and Scripting Interpreter

Output Formats

# Default table output
capa malware.exe

# JSON for processing
capa -j malware.exe | jq '.rules | keys[]'

# List matched ATT&CK techniques only
# List matched ATT&CK technique IDs only (meta.attack is a list of {id, tactic, technique, ...})
capa -j malware.exe | jq -r '.rules[].meta.attack[]? | .id' | sort -u

# Count capabilities by namespace
capa -j malware.exe | jq '[.rules[].meta.namespace] | group_by(.) | map({key: .[0], count: length}) | sort_by(.count) | reverse'

Understanding Output

Capability Categories

Namespace             Description
anti-analysis/        Anti-debugging, anti-VM, packing, obfuscation
collection/           Keylogging, screen capture, clipboard, credential access
communication/        HTTP, DNS, sockets, named pipes, C2 transport
data-manipulation/    Encryption, encoding, hashing, compression
executable/           PE/ELF parsing, resources, section manipulation
host-interaction/     File, registry, service, process, and network-config ops
impact/               Ransomware, wiping, destruction
lib/                  Building-block rules other rules reference via match:; hidden from default output
persistence/          Run keys, scheduled tasks, services, startup folders

# Example output interpretation (capa also prints an "MBC Objective | MBC Behavior"
# table between these two)
# +---------------------+-----------------------------------------+
# | ATT&CK Tactic       | ATT&CK Technique                        |
# |---------------------+-----------------------------------------|
# | DEFENSE EVASION     | Obfuscated Files or Information [T1027] |
# | DISCOVERY           | System Information Discovery [T1082]    |
# | EXECUTION           | Shared Modules [T1129]                  |
# +---------------------+-----------------------------------------+
#
# +-------------------------+-----------------------------------+
# | Capability              | Namespace                         |
# |-------------------------+-----------------------------------|
# | encrypt data using AES  | data-manipulation/encryption/aes  |
# | receive HTTP response   | communication/http/client         |
# | create process          | host-interaction/process/create   |
# +-------------------------+-----------------------------------+

Custom Rules

Rule Format

# rules/my-rules/detect-custom-encryption.yml
rule:
  meta:
    name: encrypt data using custom XOR scheme
    namespace: data-manipulation/encryption
    authors:
      - analyst@example.com
    description: Detects custom XOR-based encryption routines
    scopes:                   # capa v7+; older rules used a single `scope:` key
      static: function
      dynamic: unsupported    # mnemonic features only exist in static analysis
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Cryptography::Encrypt Data [C0027]
    references:
      - https://example.com/analysis-report
    examples:                 # hash[:function address] of samples the rule must hit;
      - <sha256>:<address>    # the capa-rules linter requires at least one

  features:
    - and:                    # a rule has exactly one root statement
      - or:
        - mnemonic: xor
        - mnemonic: rol
        - mnemonic: ror
      - number: 0x100 = 256-byte key length   # "= text" documents a feature
      - not:
        - api: CryptEncrypt   # a custom scheme should not be calling CryptoAPI

Rule Features

# API call matching
features:
  - api: CreateFileA
  - api: kernel32.CreateFileW

# String matching
features:
  - string: "password"
  - string: /https?:\/\/[^\s]+/  # Regex

# Byte patterns
features:
  - bytes: EB FE  # Infinite loop (jmp -2)
  - bytes: 4D 5A  # MZ header

# Mnemonic matching (the mnemonic only; operands are matched with operand[N].*)
features:
  - mnemonic: syscall
  - mnemonic: int

# Number matching
features:
  - number: 0x5A4D      # MZ magic
  - number: 443          # HTTPS port
  - number: 0x80000001   # HKEY_CURRENT_USER

# Operand matching
features:
  - operand[0].number: 0x1000  # MEM_COMMIT
  - operand[1].offset: 0x40    # Offset in structure

# Property matching
features:
  - property/read: System.Environment::UserName  # .NET property

Rule Logic

# Logical combinations. A rule has exactly one root statement, so sibling
# constructs are nested under an and/or.
features:
  - and:
    - or:
      - and:                # remote-process injection trio
        - api: VirtualAllocEx
        - api: WriteProcessMemory
        - api: CreateRemoteThread
      - or:                 # any download primitive
        - api: URLDownloadToFileA
        - api: InternetOpenUrlA
        - api: HttpSendRequestA

    - not:
      - string: "Microsoft Corporation"

    - count(api(RegSetValueEx)): (3, )  # at least 3 calls; "3 or more" is the equivalent spelling

    - optional:
      - api: Sleep  # shown in verbose output when present, never required
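The three rule sections above (format, features, logic) share a handful of structural invariants that capa enforces only when it loads the rule: one root statement, known statement and feature names, a bare mnemonic, a well-formed count() range, and v7 `scopes` rather than the old `scope`. The script below is an added example, not capa's own linter (that is scripts/lint.py in the capa repository), and it loads no binary. It checks those invariants on the mapping that yaml.safe_load() would return for a rule file; the two rules are constructed inline as Python dicts so it runs without PyYAML, and every function and constant name (lint_rule, check_node, FEATURES, ...) is this example's own.

```python
"""Structural pre-check for a capa rule, run before capa ever loads it.

Added example, not capa's own rule linter. Input is the mapping that
yaml.safe_load() returns for a rule file; the rules below are constructed
inline so this runs without PyYAML. The feature/statement names encode the
rule syntax shown on this page (and the scope statements capa v7 accepts).
"""
import re

REQUIRED_META = ("name", "namespace", "authors", "scopes")
# Logic and scope statements; each takes a list of child nodes.
STATEMENTS = {"and", "or", "not", "optional",
              "basic block", "instruction", "function",   # static scopes
              "process", "thread", "call"}                 # dynamic scopes
N_OR_MORE = re.compile(r"^\d+ or more$")                    # statement form "2 or more:"
FEATURES = {"api", "string", "substring", "bytes", "number", "offset", "mnemonic",
            "characteristic", "export", "import", "section", "match", "os", "arch",
            "format", "class", "namespace", "property/read", "property/write", "function-name"}
OPERAND = re.compile(r"^operand\[\d+\]\.(number|offset)$")   # operand[0].number
COUNT = re.compile(r"^count\(([a-z/\-]+(?:\[\d+\]\.\w+)?)\((.*)\)\)$")
# count() values: N, "N or more", "N or fewer", or a range "(min, max)" with either end open
COUNT_VALUE = re.compile(r"^(\d+|\d+ or (more|fewer)|\(\s*\d*\s*,\s*\d*\s*\))$")


def check_node(node, path, errors):
    """Recursively validate one `- key: value` list item under features."""
    if not isinstance(node, dict) or len(node) != 1:
        errors.append(f"{path}: every list item must be a single `key: value` mapping")
        return
    (key, value), = node.items()
    key = str(key)
    count_match = COUNT.match(key)
    if key in STATEMENTS or N_OR_MORE.match(key):
        if not isinstance(value, list) or not value:
            errors.append(f"{path}/{key}: statement needs a non-empty list of children")
            return
        if key == "not" and len(value) != 1:
            errors.append(f"{path}/not: takes exactly one child (wrap several in and/or)")
        for i, child in enumerate(value):
            check_node(child, f"{path}/{key}[{i}]", errors)
    elif key in FEATURES or OPERAND.match(key):
        if value is None or value == "":
            errors.append(f"{path}/{key}: feature has no value")
        elif key == "mnemonic" and " " in str(value).strip():
            errors.append(f"{path}/mnemonic: give only the mnemonic ('int'), not operands ('{value}')")
    elif count_match:
        feat = count_match.group(1)
        if feat not in FEATURES and not OPERAND.match(feat):
            errors.append(f"{path}: count() of unknown feature '{feat}'")
        if not COUNT_VALUE.match(str(value).strip()):
            errors.append(f"{path}/{key}: bad count '{value}' (use N, 'N or more', 'N or fewer' or '(min, max)')")
    else:
        errors.append(f"{path}: unknown feature or statement '{key}'")


def lint_rule(rule):
    """Return a list of problems; an empty list means the structure is sound."""
    errors = []
    body = rule.get("rule") if isinstance(rule, dict) else None
    if not isinstance(body, dict):
        return ["file must contain a single top-level `rule:` mapping"]
    meta = body.get("meta") or {}
    for k in REQUIRED_META:
        if k not in meta:
            errors.append(f"meta.{k} missing")
    if "scope" in meta and "scopes" not in meta:
        errors.append("meta.scope is pre-v7 syntax; use meta.scopes: {static: ..., dynamic: ...}")
    scopes = meta.get("scopes")
    if isinstance(scopes, dict):
        for which in ("static", "dynamic"):
            if which not in scopes:
                errors.append(f"meta.scopes.{which} missing (use 'unsupported' if it does not apply)")
    feats = body.get("features")
    if not isinstance(feats, list) or len(feats) != 1:
        errors.append("features must be a list with exactly one root statement (wrap siblings in and/or)")
    else:
        check_node(feats[0], "features", errors)
    return errors


# Constructed rules: GOOD_RULE mirrors the custom XOR rule above, BAD_RULE
# collects the mistakes this check is meant to catch.
GOOD_RULE = {"rule": {
    "meta": {"name": "encrypt data using custom XOR scheme", "namespace": "data-manipulation/encryption",
             "authors": ["analyst@example.com"], "scopes": {"static": "function", "dynamic": "unsupported"},
             "att&ck": ["Defense Evasion::Obfuscated Files or Information [T1027]"]},
    "features": [{"and": [
        {"or": [{"mnemonic": "xor"}, {"mnemonic": "rol"}, {"mnemonic": "ror"}]},
        {"number": 0x100},
        {"count(mnemonic(xor))": "4 or more"},
        {"not": [{"api": "CryptEncrypt"}]},
        {"optional": [{"api": "Sleep"}]},
    ]}],
}}
BAD_RULE = {"rule": {
    "meta": {"name": "bad", "namespace": "nursery", "authors": ["x"], "scope": "function"},
    "features": [{"or": [
        {"mnemonic": "int 0x80"},
        {"count(api(RegSetValueEx))": "three"},
        {"strings": "password"},
        {"not": [{"api": "A"}, {"api": "B"}]},
    ]}],
}}

if __name__ == "__main__":
    for label, r in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(label, lint_rule(r) or "ok")
```

Run it before `capa -r` on a new rule: an empty list means capa will at least parse the rule, after which the real test is whether it matches the sample listed under `examples`.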

Advanced Usage

Batch Analysis

# Analyze every sample in a directory (one text report per file)
for f in /malware/samples/*; do
  echo "=== $f ===" >> results.txt
  capa "$f" >> results.txt 2>&1
done

# One JSON line per sample; --arg keeps odd characters in paths from breaking the jq program
find /malware/samples -type f | while IFS= read -r f; do
  capa -j "$f" 2>/dev/null | jq -c --arg f "$f" '{file: $f, capabilities: [.rules[].meta.name]}'
done > batch_results.jsonl

# Find samples with a specific capability (rule names are the keys of .rules;
# jq -e exits non-zero when the lookup yields null)
find /malware/samples -type f | while IFS= read -r f; do
  if capa -j "$f" 2>/dev/null | jq -e '.rules["encrypt data using AES"]' > /dev/null 2>&1; then
    echo "$f"
  fi
done
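The jq recipes under Output Formats and the batch loops above all walk the same JSON structure. The script below does the same work in Python, as an added example that is not part of capa or of this cheat sheet: it turns a set of `capa -j` documents into triage records, pulls out ATT&CK IDs, counts matches per top-level namespace (the Capability Categories table), lists match addresses (what `-vv` prints), and finds samples that matched a named rule. The two result documents are constructed inline to follow the shape of capa's JSON (top-level `meta` and `rules`, each rule keyed by name with `meta.namespace`, `meta.attack` and `[address, match]` pairs); the rule names are real capa-rules names, but paths, hashes, addresses and the ATT&CK/MBC annotations are made up, and the function names are this example's own.

```python
"""Post-process capa JSON (capa -j sample > sample.json) in Python instead of jq.

Added example, not part of capa. The documents below are constructed to follow
the shape of capa's JSON output; rule names are real capa-rules names, while
paths, hashes, addresses and ATT&CK/MBC annotations are made up.
"""
import json
from collections import Counter


def rule(name, namespace, attack=(), mbc=(), addrs=()):
    """One constructed (name, entry) pair in capa's result-document shape."""
    meta = {
        "name": name,
        "namespace": namespace,
        "attack": [{"id": i, "tactic": t, "technique": q} for i, t, q in attack],
        "mbc": [{"id": i, "objective": o, "behavior": b} for i, o, b in mbc],
    }
    # capa serialises each match as [address, match-tree]; the tree is elided here
    matches = [[{"type": "absolute", "value": a}, {}] for a in addrs]
    return name, {"meta": meta, "matches": matches}


HTTP = rule("receive HTTP response", "communication/http/client",
            attack=[("T1071.001", "Command and Control", "Web Protocols")], addrs=[0x4020A0])
LOADER = {
    "meta": {"sample": {"sha256": "11" * 32, "path": "/malware/samples/loader.exe"}},
    "rules": dict([
        rule("encrypt data using AES", "data-manipulation/encryption/aes",
             attack=[("T1027", "Defense Evasion", "Obfuscated Files or Information")],
             mbc=[("C0027", "Cryptography", "Encrypt Data")], addrs=[0x401000, 0x4012C0]),
        HTTP,
        rule("create process", "host-interaction/process/create", addrs=[0x403100]),
    ]),
}
UPDATER = {
    "meta": {"sample": {"sha256": "22" * 32, "path": "/malware/samples/updater.exe"}},
    "rules": dict([HTTP, rule("create process", "host-interaction/process/create", addrs=[0x401800])]),
}
# Stand-in for the per-sample JSON files a `capa -j` batch leaves on disk.
RESULTS = {d["meta"]["sample"]["path"]: json.dumps(d) for d in (LOADER, UPDATER)}


def load_result(text):
    """Parse one capa JSON document, rejecting anything that is not one."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or "rules" not in doc or "meta" not in doc:
        raise ValueError("not a capa result document (no top-level meta/rules)")
    return doc


def matched_rules(doc):
    """Equivalent of `jq '.rules | keys[]'`."""
    return sorted(doc["rules"])


def attack_ids(doc):
    """Unique ATT&CK IDs across matched rules; rules without a mapping contribute nothing."""
    return sorted({spec["id"] for r in doc["rules"].values() for spec in r["meta"].get("attack", [])})


def category_counts(doc):
    """Matched rules per top-level namespace, i.e. the Capability Categories table."""
    counts = Counter()
    for r in doc["rules"].values():
        ns = r["meta"].get("namespace") or "(none)"
        counts[ns.split("/")[0]] += 1
    return counts


def match_addresses(doc, rule_name):
    """Where a capability matched, as hex virtual addresses (what -vv prints)."""
    entry = doc["rules"].get(rule_name)
    if entry is None:
        return []
    return [f"0x{addr['value']:x}" for addr, _tree in entry["matches"] if addr["type"] == "absolute"]


def triage_record(path, doc):
    """One JSONL record per sample, like the batch recipe above."""
    return {
        "file": path,
        "sha256": doc["meta"]["sample"]["sha256"],
        "capabilities": matched_rules(doc),
        "attack": attack_ids(doc),
        "categories": dict(category_counts(doc)),
    }


def samples_with(results, rule_name):
    """Paths whose result document matched `rule_name`."""
    return sorted(p for p, text in results.items() if rule_name in load_result(text)["rules"])


if __name__ == "__main__":
    for path, text in RESULTS.items():
        print(json.dumps(triage_record(path, load_result(text))))
    print("AES:", samples_with(RESULTS, "encrypt data using AES"))
```

To use it on real output, replace RESULTS with a dict read from the JSON files a batch run produced; load_result raises on anything that is not a capa document, which is the usual symptom when capa wrote a warning to stdout or failed before emitting JSON.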

Integration with Sandbox Reports

# Analyze a CAPE sandbox JSON report; rules then match at process/thread/call
# scope against the recorded API calls instead of the disassembly
capa -f cape cape_report.json

# Analyze a drakvuf log (needs a capa release that includes the drakvuf backend)
capa -f drakvuf drakvuf_report.log

Ghidra Integration

# Run capa from the Ghidra headless analyzer. The Ghidra integration needs
# Ghidrathon (capa runs as a Python 3 script inside Ghidra); capa_ghidra.py
# lives under capa/ghidra/ in the capa repository and takes the rules
# directory plus an optional -v/-vv/-j as its script argument string.
analyzeHeadless /tmp/ghidra_project project_name \
  -import malware.exe \
  -scriptPath /path/to/capa/capa/ghidra \
  -postScript capa_ghidra.py "/path/to/capa-rules -vv"

Rule Development Workflow

# Lint custom rules with the linter from the capa repository (schema, meta
# fields, scope nesting); it is not part of the capa CLI itself
python scripts/lint.py /path/to/custom-rules

# Exercise custom rules against a sample; -s points at library-function
# signatures (.sig/.pat) so library code is not reported as capabilities
capa -r /path/to/custom-rules -s /path/to/sigs malware.exe

# Test a single rule file (-r accepts a file as well as a directory)
capa -r /path/to/single-rule.yml -v malware.exe

# List the rule names in a rules directory
grep -rh "^    name:" /path/to/rules/ | sort

# Count matched rules
capa -j malware.exe | jq '.rules | length'

Troubleshooting

Issue                            Solution
No rules found                   pip installs bundle the rules; in a git checkout run git submodule update --init rules, or pass a capa-rules checkout with -r
Unsupported file format          Check the file type; force it with -f pe, -f elf, -f dotnet, -f sc32 or -f sc64
Analysis takes too long          Large binaries with many functions take time; pass -s with library signatures so library code is skipped, or -t to run only rules carrying a given tag
Import error on install          capa 7 needs Python 3.8+; upgrade pip first: pip install --upgrade pip
IDA plugin not loading           Install flare-capa into the Python interpreter IDA uses and make sure the copied capa_explorer.py comes from the same capa version
Missing capabilities in output   The file may be packed; unpack (or dump it from memory) first, then re-analyze
JSON output parsing errors       Pipe through jq . to validate; capa writes warnings to stderr, so keep stdout for JSON only and check that the run completed
Rule validation fails            Check YAML indentation, keep exactly one root statement under features, verify feature names against the rule format, and run scripts/lint.py from the capa repository