capa

by mandiant

5.6K stars
625 forks
83 watchers
Updated 4 months ago
About

capa is an open-source tool that identifies capabilities in executable files by matching a set of rules against features it extracts from the file (API calls, strings, constants, control-flow structure) or from a sandbox report. It reports what a sample is able to do, not whether it is malicious; that judgement is left to the analyst.

The FLARE team's open-source tool to identify capabilities in executable files.

Primary Use Case

Security analysts and malware researchers use capa to triage an executable quickly: it can suggest, for example, that a file is a backdoor, is capable of installing a service for persistence, or relies on HTTP to communicate. It accepts PE, ELF, .NET, shellcode and sandbox-report inputs, and because every rule carries a namespace and ATT&CK mapping, results are easy to compare across samples during malware analysis and threat hunting.

Key Features
  • Detects capabilities in PE, ELF, .NET modules, shellcode, and sandbox reports
  • Maps findings to MITRE ATT&CK tactics and techniques
  • Supports interactive inspection of results via a web interface (capa Explorer Web) and an IDA Pro plugin
  • Uses a rules-based engine to identify behaviors and capabilities
  • Open-source with a large and actively maintained rule set
  • Provides detailed output on communication methods, persistence, and evasion
  • Integrates with Python via the flare-capa package

Installation

  • Install via pip: pip install flare-capa
  • Download latest release from https://github.com/mandiant/capa/releases
  • Clone the repository: git clone https://github.com/mandiant/capa.git
  • Use the web interface at https://mandiant.github.io/capa/explorer/ for interactive analysis

Usage

capa.exe suspicious.exe

Analyze suspicious.exe and print the matched capabilities grouped by namespace, followed by tables of the associated ATT&CK tactics and techniques and MBC behaviors. Add -v or -vv to see the features and addresses behind each match, -j to emit the full result as JSON for other tooling, and -r <dir> to run with a custom rule directory.

Security Frameworks
Defense Evasion
Discovery
Execution
Persistence
Exfiltration
Usage Insights
  • Feed supported sandbox reports (for example CAPE) or the files a sandbox drops into capa so capability detection runs automatically during malware detonation.
  • Use capa's JSON output to tag samples in threat-intelligence feeds with capability namespaces and ATT&CK technique IDs, which are more stable for pivoting than file hashes.
  • Load JSON results into capa Explorer Web to walk matches interactively and share findings between red and blue teams.
  • Run capa on build artifacts in CI and fail the pipeline when an artifact exhibits capabilities it has no business having (process injection, anti-analysis tricks); capa produces capabilities, not verdicts, so the allow and deny policy must be defined by the pipeline owner.
  • Write additional rules (YAML files with a meta block and a features block) to cover emerging techniques and a specific actor's tradecraft; the rule repository ships a linter that checks new rules for required metadata and examples.
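Every integration above, whether sandbox detonation, TI enrichment or a CI gate, starts from capa's machine-readable output rather than its console table. The script below is an added example written for this page, not code from the capa project: it consumes the JSON that `capa -j` writes, lists the matched capabilities with their ATT&CK technique IDs, drops the library rules capa matches internally, and fails when a capability lands in a namespace the pipeline does not permit. SAMPLE_RESULT is a constructed document (its layout follows capa v7's ResultDocument; older capa versions used a different JSON layout), and DENIED_NAMESPACES is a hypothetical policy.

```python
"""Gate a pipeline on capa's JSON output (`capa -j suspicious.exe > suspicious.json`).

Added example for this page, not code from the capa project. SAMPLE_RESULT is
a constructed document whose layout follows capa v7's ResultDocument
(meta / rules / rules[<name>].meta.attack), trimmed to the fields used here.
"""
import json
import sys
from collections import defaultdict


def _rule(namespace, attack, matches, lib=False):
    # Helper that keeps the constructed sample short; real output has more fields.
    return {"meta": {"namespace": namespace, "lib": lib,
                     "is_subscope_rule": False, "attack": attack},
            "matches": [[{"type": "absolute", "value": va}, {}] for va in matches]}


SAMPLE_RESULT = json.dumps({
    "meta": {"sample": {"sha256": "0" * 64, "path": "suspicious.exe"},
             "analysis": {"format": "pe", "arch": "amd64", "os": "windows"}},
    "rules": {
        "create HTTP request": _rule(
            "communication/http/client",
            [{"tactic": "Command and Control", "technique": "Application Layer Protocol",
              "subtechnique": "Web Protocols", "id": "T1071.001"}], [0x401000]),
        "inject shellcode into remote process": _rule(
            "host-interaction/process/inject",
            [{"tactic": "Defense Evasion", "technique": "Process Injection",
              "subtechnique": "", "id": "T1055"}], [0x402000, 0x402400]),
        "contain obfuscated stackstrings": _rule(
            "anti-analysis/obfuscation/string/stackstring",
            [{"tactic": "Defense Evasion", "technique": "Obfuscated Files or Information",
              "subtechnique": "", "id": "T1027"}], [0x403000]),
        # capa also reports library rules it matched internally (compiler and
        # runtime code); they describe the toolchain, not sample behaviour.
        "compiled with MSVC": _rule("compiler/msvc", [], [0x400000], lib=True),
    },
})

# Namespaces a trusted build artifact should never exhibit. Hypothetical
# policy for this example; every pipeline needs its own list.
DENIED_NAMESPACES = ("host-interaction/process/inject", "anti-analysis/")


def load_capabilities(result):
    """Return {rule name: summary} for capability rules, skipping the
    library (`lib`) and subscope helper rules capa matches internally."""
    doc = json.loads(result) if isinstance(result, str) else result
    caps = {}
    for name, rule in doc["rules"].items():
        meta = rule["meta"]
        if meta.get("lib") or meta.get("is_subscope_rule"):
            continue
        caps[name] = {"namespace": meta.get("namespace", ""),
                      "attack_ids": [a["id"] for a in meta.get("attack", [])],
                      "match_count": len(rule.get("matches", []))}
    return caps


def attack_summary(caps):
    """Group capability names by ATT&CK technique ID (for TI enrichment)."""
    by_id = defaultdict(set)
    for name, cap in caps.items():
        for tid in cap["attack_ids"]:
            by_id[tid].add(name)
    return {tid: sorted(names) for tid, names in sorted(by_id.items())}


def policy_violations(caps, denied=DENIED_NAMESPACES):
    """Capabilities whose namespace starts with a denied prefix."""
    return sorted(n for n, c in caps.items() if c["namespace"].startswith(denied))


def evaluate(result):
    """Build a report for one result document; exit status 1 on violations."""
    doc = json.loads(result) if isinstance(result, str) else result
    caps = load_capabilities(doc)
    lines = [f"{doc['meta']['sample']['path']}: {len(caps)} capabilities"]
    for name, cap in sorted(caps.items()):
        ids = ",".join(cap["attack_ids"]) or "-"
        lines.append(f"  {name:<40} {cap['namespace']:<46} {ids} x{cap['match_count']}")
    for tid, names in attack_summary(caps).items():
        lines.append(f"  ATT&CK {tid}: {', '.join(names)}")
    violations = policy_violations(caps)
    lines.extend(f"  DENIED {n} ({caps[n]['namespace']})" for n in violations)
    return lines, (1 if violations else 0)


if __name__ == "__main__":
    # python capa_gate.py suspicious.json   (no argument: use the constructed sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULT
    report, status = evaluate(raw)
    print("\n".join(report))
    sys.exit(status)
```

Filtering on `lib` matters: capa matches rules for compiler runtimes and common libraries to avoid false positives elsewhere, and those show up in the JSON even though they say nothing about the sample's own behaviour. Matching namespaces by prefix rather than by exact rule name keeps the policy stable as the rule set grows, since new rules under an existing namespace are caught without a policy change.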

Security Profile
Red Team 80%
Blue Team 70%
Purple Team 60%
Details
License: Apache License 2.0
Language: Python
Open Issues: 1089
Topics
malware-analysis
reverse-engineering
binary-analysis
threat-intelligence
gsoc-2025