capa
capa is a malware capability detection tool built for automated security workflows: it identifies what an executable can do and maps each finding to industry-standard (MITRE ATT&CK) techniques. Developed by the Mandiant/Google FLARE team, it applies over 1000 detection rules to a range of executable formats and emits structured output that downstream tooling can process.
Ideal Use Cases & Fit
capa excels at detailed analysis of executable files such as PE, ELF, or .NET binaries, particularly when the goal is to uncover malware capabilities and align them with known ATT&CK techniques. It performs best when integrated into automated detection and analysis workflows, especially during post-exploitation assessments or threat intelligence gathering. Because it analyses a file or report rather than live activity, it is not suited to real-time monitoring or environments where immediate response actions are required.
Value in Workflows
In security workflows, capa adds value by automating the in-depth analysis of suspicious executables and reporting their functionality in a consistent, machine-readable form. It is typically positioned in the analysis phase, where security teams process and correlate its findings with other evidence, which supports informed decision-making and a faster response to identified threats.
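As an added example (not code from the capa project), the following post-processor takes the JSON result document capa writes with `-j` and groups matched rules by ATT&CK technique, which is the pivot a downstream correlation step usually wants. The key layout (rules keyed by name, `meta.attack` entries with `id`/`tactic`/`technique`/`subtechnique`, `matches` keyed by location) is assumed from capa's result document format, and the sample document is constructed by hand.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of capa's JSON result document (capa -j):
# rules keyed by name, each carrying its ATT&CK mapping under meta.attack.
# Hand-written for this example; it is not real capa output.
SAMPLE_CAPA_JSON = """{
  "meta": {"sample": {"path": "malware.exe"}},
  "rules": {
    "create process": {
      "meta": {"namespace": "host-interaction/process/create",
               "attack": [{"tactic": "Execution", "technique": "Native API",
                           "subtechnique": "", "id": "T1106"}]},
      "matches": {"0x401000": []}},
    "encode data using XOR": {
      "meta": {"namespace": "data-manipulation/encoding/xor",
               "attack": [{"tactic": "Defense Evasion",
                           "technique": "Obfuscated Files or Information",
                           "subtechnique": "", "id": "T1027"}]},
      "matches": {"0x402000": [], "0x403000": []}},
    "contain a resource (.rsrc) section": {
      "meta": {"namespace": "executable/pe/section/rsrc", "attack": []},
      "matches": {"0x0": []}}
  }
}"""


def attack_summary(json_text: str) -> dict:
    """Group matched rules by ATT&CK technique ID.
    Rules with no ATT&CK mapping (file-format characteristics) are skipped,
    so only behaviour worth correlating remains."""
    doc = json.loads(json_text)
    summary = defaultdict(lambda: {"tactic": "", "technique": "",
                                   "rules": [], "locations": 0})
    for rule_name, rule in doc.get("rules", {}).items():
        for spec in rule.get("meta", {}).get("attack", []):
            name = spec["technique"]
            if spec.get("subtechnique"):  # sub-technique IDs look like T1027.002
                name = f"{name}: {spec['subtechnique']}"
            entry = summary[spec["id"]]
            entry["tactic"] = spec["tactic"]
            entry["technique"] = name
            entry["rules"].append(rule_name)
            entry["locations"] += len(rule.get("matches", {}))
    return dict(summary)


if __name__ == "__main__":
    for tid, e in sorted(attack_summary(SAMPLE_CAPA_JSON).items()):
        print(tid, e["tactic"], e["technique"], e["rules"], e["locations"])
```

The `locations` count gives a rough sense of how widely a behaviour appears in the binary; the rule name list is what an analyst reads back to capa's verbose output to inspect the exact matches.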
Input Data
capa takes as input either an executable file (PE, ELF, .NET) or a sandbox report (CAPE, DRAKVUF, VMRay); that input is the artifact under analysis. A typical input is malware.exe, a suspicious executable that needs to be evaluated.
Configuration
- backend: Selects the analysis backend, for example vivisect or ghidra; the default is 'auto'.
- format: Declares the input file format; 'auto' detects it, or a specific format such as pe or elf can be given.
- os: Sets the target operating system for the analysis (windows, linux, or macos); the default is 'auto'.

Updated: 2026-02-18