Stop Guessing What Malware Does: Mandiant's capa Exposes Every Secret
What if you could dissect a malicious executable's true intent in under 60 seconds—without touching a single line of assembly?
Every day, security teams drown in suspicious files. PE executables, ELF binaries, .NET modules, raw shellcode—each one a black box of potential destruction. The traditional approach? Hours hunched over IDA Pro, tracing call graphs, annotating functions, cross-referencing API calls with MITRE ATT&CK frameworks. It's meticulous. It's exhausting. And in a world where threat actors deploy thousands of variants daily, it's dangerously slow.
But what if the FLARE team at Mandiant—the same elite unit responding to the world's most sophisticated breaches—handed you their secret weapon? A tool that automates the drudgery, surfaces capabilities instantly, and maps findings directly to adversary tactics?
That tool exists. It's called capa. And it's about to transform how you hunt, analyze, and respond to malware.
What Is capa?
capa is the FLARE team's open-source tool to identify capabilities in executable files. Born from the frontlines of incident response at Mandiant, this framework automates one of reverse engineering's most labor-intensive tasks: determining what a program can actually do.
Unlike signature-based scanners that simply label files as "malicious" or "clean," capa performs semantic analysis. It examines static features in PE, ELF, and .NET binaries, plus dynamic features from sandbox reports, to answer the analyst's most critical question: "What capabilities does this sample possess?"
The project emerged from a harsh reality: even expert reverse engineers spend 80% of initial analysis time on repetitive capability identification. By encoding expert knowledge into hundreds of declarative rules, capa reduces this to seconds. The tool has exploded in popularity across the cybersecurity community, amassing thousands of GitHub stars and becoming a staple in malware analysis pipelines worldwide.
capa's architecture reflects real-world operational needs. It integrates with industry-standard tools like IDA Pro and Ghidra, supports both static and dynamic analysis workflows, and outputs results mapped to the MITRE ATT&CK framework. This isn't academic research—it's battle-tested software deployed by analysts investigating APT groups, ransomware operations, and nation-state campaigns.
The rules engine deserves special attention. capa rules blend concepts from YARA, OpenIOC, and YAML into an accessible format. Security researchers can author new rules without deep programming expertise, continuously expanding the tool's detection coverage. The separate capa-rules repository hosts hundreds of community-contributed rules, creating a collaborative knowledge base that improves with every contribution.
Key Features That Make capa Irreplaceable
capa delivers capabilities that address genuine pain points in modern malware analysis:
Multi-Format Static Analysis — Process PE executables, ELF binaries, .NET assemblies, and raw shellcode through a unified interface. No more switching between specialized tools for different file types.
Dynamic Analysis Integration — Submit samples to sandboxes like CAPE, DRAKVUF, or VMRay, then analyze generated reports with the same rule engine. This hybrid approach defeats packers and obfuscation that stymie pure static analysis.
ATT&CK Framework Mapping — Every identified capability automatically correlates with MITRE ATT&CK tactics and techniques. Your analysis immediately feeds into threat intelligence workflows and defensive prioritization.
Verbose Evidence Reporting — The -vv flag doesn't just tell you what was found; it shows exactly where in the binary the evidence exists. This transparency enables verification and guides deeper manual investigation.
Extensible Rule System — Author custom rules using a declarative YAML format. The rule syntax accommodates API calls, constants, strings, and logical combinations—powerful enough for complex detections, simple enough for rapid development.
Professional IDE Integration — Native plugins for IDA Pro and Ghidra embed capa directly into your disassembly workflow. Visual exploration of results accelerates understanding and rule authoring.
Web-Based Exploration — The capa Explorer Web interface enables interactive result browsing without installing anything. Download standalone HTML for offline air-gapped environments.
Standalone Binaries — Pre-built executables run without Python installation. Drop into incident response kits, deploy on restricted systems, or integrate into automated pipelines effortlessly.
Real-World Use Cases Where capa Dominates
Incident Response Triage
Your SOC receives 500 suspicious files daily. Manual analysis is impossible. capa prioritizes the queue: samples exhibiting credential theft, persistence mechanisms, or C2 communication get escalated immediately. Benign-looking files filter to batch processing. Response time collapses from days to minutes.
Threat Hunting Campaigns
Hunting across thousands of endpoints for specific adversary techniques? Extract binaries and run capa with targeted rules. Identify Cobalt Strike beacons, Empire implants, or custom backdoors by their capability fingerprints rather than brittle file hashes.
Malware Family Classification
Unknown sample resembles nothing in VirusTotal? capa's capability profile reveals functional similarities to known families. XOR encoding, service installation, and HTTP communication patterns might indicate a derivative of a tracked APT toolset.
Automated Pipeline Integration
Embed capa into your malware processing pipeline. As samples arrive, automatic execution generates structured capability reports. Feed results into SIEM correlation, threat intelligence platforms, or analyst dashboards for immediate consumption.
Reverse Engineering Acceleration
Facing a 10MB packed binary? Run capa first. The capability overview directs your manual analysis to relevant code regions. Skip the 4-hour reconnaissance phase and jump straight to the interesting functionality.
Step-by-Step Installation & Setup Guide
Option 1: Standalone Binaries (Fastest)
Download pre-built executables from the releases page:
```bash
# Download latest release for your platform
wget https://github.com/mandiant/capa/releases/download/v7.0.0/capa-v7.0.0-linux.zip
unzip capa-v7.0.0-linux.zip
chmod +x capa
# Verify installation
./capa --version
```
Standalone binaries require no dependencies. Ideal for incident response laptops, sandbox environments, and CI/CD pipelines.
Option 2: Python Package Installation
For library integration and development workflows:
```bash
# Create isolated environment
python -m venv capa-env
source capa-env/bin/activate   # Windows: capa-env\Scripts\activate
# Install from PyPI
pip install flare-capa
# Or install latest development version
pip install git+https://github.com/mandiant/capa.git
```
Option 3: Ghidra Backend Setup
Enable Ghidra integration for enhanced analysis:
```bash
# Install PyGhidra (requires JDK 17+)
pip install pyghidra
# Verify Ghidra availability
python -m capa.ghidra.install --check
```
Environment Configuration
```bash
# Add to PATH for global access
export PATH="$HOME/tools/capa:$PATH"
# Set rules directory (optional; auto-downloads otherwise)
export CAPA_RULES="/opt/capa-rules"
```
Clone the rules repository for offline usage:
```bash
git clone https://github.com/mandiant/capa-rules.git /opt/capa-rules
```
REAL Code Examples From the Repository
Example 1: Basic Static Analysis
The quintessential capa invocation reveals capabilities in a suspicious executable:
```bash
# Analyze a Windows executable for embedded capabilities
capa.exe suspicious.exe
```
This produces the structured output showing ATT&CK tactics and detailed capabilities:
```
+--------------------+------------------------------------------------------------------------+
| ATT&CK Tactic      | ATT&CK Technique                                                       |
|--------------------+------------------------------------------------------------------------|
| DEFENSE EVASION    | Obfuscated Files or Information [T1027]                                |
| DISCOVERY          | Query Registry [T1012]                                                 |
|                    | System Information Discovery [T1082]                                   |
| EXECUTION          | Command and Scripting Interpreter::Windows Command Shell [T1059.003]   |
|                    | Shared Modules [T1129]                                                 |
| EXFILTRATION       | Exfiltration Over C2 Channel [T1041]                                   |
| PERSISTENCE        | Create or Modify System Process::Windows Service [T1543.003]           |
+--------------------+------------------------------------------------------------------------+
```
The capability namespace provides hierarchical organization. communication/http/client indicates HTTP client functionality, while data-manipulation/encoding/xor reveals obfuscation techniques. This structure enables precise filtering and correlation.
Example 2: Verbose Evidence Inspection
For forensic verification and guided reverse engineering, verbose mode exposes the exact evidence:
```bash
# Show detailed evidence locations with -vv flag
capa.exe suspicious.exe -vv
```
Output excerpt demonstrating evidence chains:
```
...
execute shell command and capture output
namespace  c2/shell
author     matthew.williams@mandiant.com
scope      function
att&ck     Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
references https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
function @ 0x4011C0
  and:
    match: create a process with modified I/O handles and window @ 0x4011C0
      and:
        number: 257 = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW @ 0x4012B8
        or:
          number: 68 = StartupInfo.cb (size) @ 0x401282
        or: = API functions that accept a pointer to a STARTUPINFO structure
          api: kernel32.CreateProcess @ 0x401343
    match: create pipe @ 0x4011C0
      or:
        api: kernel32.CreatePipe @ 0x40126F, 0x401280
    optional:
      match: create thread @ 0x40136A, 0x4013BA
        or:
          and:
            os: windows
            or:
              api: kernel32.CreateThread @ 0x4013D7
    or:
      string: "cmd.exe" @ 0x4012FD
...
```
This output is gold for analysts. The function @ 0x4011C0 annotation directs you to the exact code location. The evidence chain explains why capa concluded shell execution capability: CreateProcess with modified STARTUPINFO handles for pipe-based I/O redirection, combined with the "cmd.exe" string reference. Each element is independently verifiable.
Example 3: Dynamic Analysis with CAPE Sandbox
When static analysis fails against packed samples, dynamic analysis recovers capabilities from sandbox execution:
```bash
# Static analysis of packed sample shows limitations
capa 05be49819139a3fdcdbddbdefd298398779521f3d68daa25275cc77508e42310.exe
```
Produces the critical warning:
```
WARNING:capa.capabilities.common: This sample appears to be packed.
WARNING:capa.capabilities.common:
WARNING:capa.capabilities.common: Packed samples have often been obfuscated to hide their logic.
WARNING:capa.capabilities.common: capa cannot handle obfuscation well using static analysis. This means the results may be misleading or incomplete.
WARNING:capa.capabilities.common: If possible, you should try to unpack this input file before analyzing it with capa.
WARNING:capa.capabilities.common: Alternatively, run the sample in a supported sandbox and invoke capa against the report to obtain dynamic analysis results.
```
Following the recommendation, submit to CAPE and analyze the report:
```bash
# Analyze CAPE dynamic analysis report
capa 05be49819139a3fdcdbddbdefd298398779521f3d68daa25275cc77508e42310.json
```
The dynamic output reveals rich capabilities invisible statically:
```
┍━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑
│ ATT&CK Tactic          │ ATT&CK Technique                                                                   │
┝━━━━━━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥
│ CREDENTIAL ACCESS      │ Credentials from Password Stores T1555                                             │
├────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ DEFENSE EVASION        │ File and Directory Permissions Modification T1222                                  │
│                        │ Modify Registry T1112                                                              │
│                        │ Obfuscated Files or Information T1027                                              │
│                        │ Virtualization/Sandbox Evasion::User Activity Based Checks T1497.002               │
├────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ DISCOVERY              │ Account Discovery T1087                                                            │
│                        │ Application Window Discovery T1010                                                 │
│                        │ File and Directory Discovery T1083                                                 │
│                        │ Query Registry T1012                                                               │
│                        │ System Information Discovery T1082                                                 │
│                        │ System Location Discovery::System Language Discovery T1614.001                     │
│                        │ System Owner/User Discovery T1033                                                  │
┕━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙
```
The dynamic analysis exposed 23 DNS resolutions, 575 file path queries, and sandbox evasion techniques—capabilities completely hidden by the packer's obfuscation layer.
Example 4: Custom Rule Authoring
Extend capa by writing rules in its declarative YAML format:
```yaml
rule:
  meta:
    name: create TCP socket                  # Human-readable capability name
    namespace: communication/socket/tcp      # Hierarchical categorization
    authors:
      - william.ballenthin@mandiant.com
      - joakim@intezer.com
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: basic block                    # Analysis scope for static mode
      dynamic: call                          # Analysis scope for dynamic mode
    mbc:
      - Communication::Socket Communication::Create TCP Socket [C0001.011]
    examples:
      - Practical Malware Analysis Lab 01-01.dll_:0x10001010
  features:
    - or:
      - and:
        - number: 6 = IPPROTO_TCP            # TCP protocol constant
        - number: 1 = SOCK_STREAM            # Stream socket type
        - number: 2 = AF_INET                # IPv4 address family
        - or:
          - api: ws2_32.socket               # Winsock API variants
          - api: ws2_32.WSASocket
          - api: socket
      - property/read: System.Net.Sockets.TcpClient::Client   # .NET equivalent
```
This rule demonstrates capa's cross-platform design. The or structure captures equivalent functionality across Win32 API (ws2_32.socket) and .NET (TcpClient.Client). The scopes section distinguishes static analysis (matching at basic block granularity) from dynamic analysis (matching at function call granularity). The mbc field maps to the Malware Behavior Catalog, enabling multi-framework correlation.
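To make the rule's logic tree concrete, here is an added example (a minimal evaluator of my own, not capa's engine): it transcribes the rule's features block into a Python structure and evaluates it against constructed feature sets for a Win32 basic block, a .NET block, and a UDP socket block that must not match. Feature values are kept as strings here for brevity; capa's real extractor types them.

```python
"""Minimal evaluator for a capa-style rule logic tree (added example, not capa code)."""

# Feature tree transcribed from the 'create TCP socket' rule's `features:` section.
# Each node is a one-key dict: a logic keyword (and/or/optional) with a list of
# children, or a leaf feature type (number/api/property/read) with a string value.
TCP_SOCKET_RULE = {"or": [
    {"and": [
        {"number": "6 = IPPROTO_TCP"},
        {"number": "1 = SOCK_STREAM"},
        {"number": "2 = AF_INET"},
        {"or": [
            {"api": "ws2_32.socket"},
            {"api": "ws2_32.WSASocket"},
            {"api": "socket"},
        ]},
    ]},
    {"property/read": "System.Net.Sockets.TcpClient::Client"},
]}


def _feature_value(raw: str) -> str:
    # capa lets a leaf carry a trailing description ("6 = IPPROTO_TCP");
    # only the part before " = " is the value that must be present.
    return raw.split(" = ", 1)[0].strip()


def evaluate(node: dict, features: set) -> bool:
    """True if the logic tree `node` is satisfied by `features`, a set of
    (feature_type, value) pairs extracted from one scope (here: a basic block)."""
    (kind, body), = node.items()
    if kind == "and":
        return all(evaluate(child, features) for child in body)
    if kind == "or":
        return any(evaluate(child, features) for child in body)
    if kind == "optional":
        # optional sub-trees never fail a rule; they only contribute evidence
        for child in body:
            evaluate(child, features)
        return True
    # leaf feature, e.g. ("api", "ws2_32.socket") or ("number", "6")
    return (kind, _feature_value(body)) in features


# Constructed feature sets, shaped like what a static extractor emits per basic block.
WIN32_BLOCK = {("api", "ws2_32.socket"), ("number", "2"), ("number", "1"), ("number", "6")}
DOTNET_BLOCK = {("property/read", "System.Net.Sockets.TcpClient::Client")}
UDP_BLOCK = {("api", "ws2_32.socket"), ("number", "2"), ("number", "17")}  # SOCK_DGRAM/IPPROTO_UDP

if __name__ == "__main__":
    for label, block in (("win32", WIN32_BLOCK), ("dotnet", DOTNET_BLOCK), ("udp", UDP_BLOCK)):
        print(f"{label}: {'match' if evaluate(TCP_SOCKET_RULE, block) else 'no match'}")
```

The UDP block shows why the rule requires the three constants together with the API: a bare call to socket is not enough evidence for a TCP socket.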
Advanced Usage & Best Practices
Combine Static and Dynamic Analysis — Always run static analysis first. If packed or heavily obfuscated, escalate to sandbox submission. Compare outputs: discrepancies often reveal deliberate anti-analysis techniques.
Prioritize by ATT&CK Impact — Not all capabilities deserve equal attention. Persistence and credential access typically indicate mature threats; simple information gathering may suggest reconnaissance tooling.
Leverage Verbose Mode for Rule Development — When writing custom rules, use -vv on known samples to understand how existing rules match. This pattern recognition accelerates rule authoring.
Integrate with IDA Pro/Ghidra Workflows — The IDE plugins transform capa from a standalone tool into an interactive analysis companion. Use extracted features directly for rule prototyping.
Maintain Updated Rules — Subscribe to the FLARE mailing list and regularly pull from capa-rules. Threat actors evolve; your detection surface must keep pace.
Automate in CI/CD — Embed capa in malware processing pipelines. Structured JSON output feeds programmatic decision-making for automated triage.
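As an added example (my own code, not part of capa or of this article), the following Python triage scorer consumes the JSON that capa's -j output produces and applies the "Prioritize by ATT&CK Impact" and "Automate in CI/CD" advice above: it collects the ATT&CK tactics from every matched rule, weights them, and decides whether a sample is escalated or batched. The result document embedded below is constructed; its layout (rules keyed by name, each with meta.attack entries carrying tactic and id) follows capa's result document as I understand it, and the weights are assumptions.

```python
"""Triage scorer for capa JSON results (added example, not part of capa)."""
import json

# Assumed weights: the article singles out persistence and credential access as
# signs of mature threats, so they carry the most weight; discovery the least.
TIER_WEIGHTS = {
    "Persistence": 5,
    "Credential Access": 5,
    "Command and Control": 4,
    "Exfiltration": 4,
    "Defense Evasion": 3,
    "Execution": 2,
    "Discovery": 1,
}

# Constructed document mimicking `capa -j sample.exe`; rule names and mappings
# are illustrative, and the hash is a placeholder.
SAMPLE_DOC = json.dumps({
    "meta": {"sample": {"sha256": "PLACEHOLDER_SHA256"}},
    "rules": {
        "create TCP socket": {
            "meta": {"namespace": "communication/socket/tcp", "attack": [
                {"tactic": "Command and Control", "technique": "Non-Application Layer Protocol", "id": "T1095"}]},
            "matches": [[{"type": "absolute", "value": 4198928}, {}]],
        },
        "persist via Windows service": {
            "meta": {"namespace": "persistence/service", "attack": [
                {"tactic": "Persistence", "technique": "Create or Modify System Process",
                 "subtechnique": "Windows Service", "id": "T1543.003"}]},
            "matches": [[{"type": "absolute", "value": 4200000}, {}]],
        },
        "encode data using XOR": {
            "meta": {"namespace": "data-manipulation/encoding/xor", "attack": [
                {"tactic": "Defense Evasion", "technique": "Obfuscated Files or Information", "id": "T1027"}]},
            "matches": [[{"type": "absolute", "value": 4201234}, {}]],
        },
    },
})


def tactics_from_doc(doc: dict) -> dict:
    """Map each ATT&CK tactic to the set of technique ids capa matched under it."""
    tactics: dict = {}
    for rule in doc.get("rules", {}).values():
        for spec in rule.get("meta", {}).get("attack", []):
            tactics.setdefault(spec["tactic"], set()).add(spec["id"])
    return tactics


def triage(doc_json: str) -> dict:
    """Score one capa result document and assign an escalation tier."""
    tactics = tactics_from_doc(json.loads(doc_json))
    score = sum(TIER_WEIGHTS.get(t, 1) for t in tactics)
    # Per the article: persistence or credential access is escalated immediately.
    escalate = bool({"Persistence", "Credential Access"} & tactics.keys())
    tier = "escalate" if escalate else ("review" if score >= 4 else "batch")
    return {"tactics": {t: sorted(ids) for t, ids in tactics.items()},
            "score": score, "tier": tier}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DOC), indent=2))
```

In a pipeline, the tier field is what a SIEM or ticketing integration would key on; the tactics dictionary preserves the technique ids for correlation.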
Comparison With Alternatives
| Capability | capa | YARA | Strings/PE Analysis | Sandbox-Only |
|---|---|---|---|---|
| Semantic capability identification | ✅ Native | ❌ Requires custom rules | ❌ Manual interpretation | ✅ Limited to observed behavior |
| MITRE ATT&CK mapping | ✅ Automatic | ❌ Manual | ❌ None | ⚠️ Partial |
| Static analysis speed | ✅ Seconds | ✅ Milliseconds | ✅ Seconds | N/A (requires execution) |
| Packed sample handling | ⚠️ With dynamic fallback | ❌ Limited | ❌ Fails | ✅ Excellent |
| Custom rule authoring | ✅ Declarative YAML | ✅ Mature ecosystem | ❌ None | ❌ Platform-dependent |
| IDE integration | ✅ IDA Pro, Ghidra | ⚠️ Via plugins | ❌ None | ❌ None |
| Open-source rules repository | ✅ 500+ community rules | ✅ Large community | N/A | ❌ Vendor-specific |
| Output explainability | ✅ Verbose evidence chains | ⚠️ Match locations only | ❌ Raw data | ⚠️ Behavior logs |
capa occupies a unique position: more semantic than YARA, faster than sandbox-only approaches, and more structured than manual analysis. It complements rather than replaces existing tools, fitting between signature detection and full dynamic analysis in the analysis pipeline.
FAQ
Does capa replace my antivirus or EDR?
No. capa is an analysis tool, not a real-time protection solution. It answers "what can this do?" rather than "is this malicious?" Use it for deep-dive investigation, not perimeter defense.
Can capa analyze Linux ELF binaries?
Yes. capa v3+ introduced comprehensive ELF support. Analyze Linux malware, embedded firmware, and cross-platform threats with the same workflow.
How does capa handle packed or encrypted samples?
Static analysis produces warnings and limited results. The recommended fallback is dynamic analysis: submit to CAPE, DRAKVUF, or VMRay, then analyze the generated report with capa.
Is capa suitable for beginners in malware analysis?
Absolutely. The structured output and ATT&CK mapping provide learning scaffolding. Beginners understand capabilities without reading assembly, while experts accelerate routine identification.
Can I use capa in commercial environments?
Yes. capa is released under the Apache 2.0 license, which permits commercial use, modification, and distribution. Mandiant encourages organizational adoption.
How do I contribute new detection rules?
Fork the capa-rules repository, author rules following the documented format, and submit pull requests. The community actively reviews and merges contributions.
What file formats does capa support?
PE (Windows executables), ELF (Linux/Unix binaries), .NET assemblies, raw shellcode, and sandbox reports from CAPE (JSON), DRAKVUF (log), and VMRay (ZIP archive).
Conclusion
Manual malware capability identification is a luxury no modern security team can afford. The volume, velocity, and sophistication of threats demand automation that preserves analytical rigor while collapsing time-to-insight.
capa delivers exactly this: Mandiant's operational expertise encoded into an extensible, open-source framework that transforms opaque binaries into structured intelligence. Whether you're triaging a thousand samples, hunting APT techniques, or building automated pipelines, capa provides the semantic foundation for informed decision-making.
The tool's true power lies in its transparency. Every capability assertion comes with verifiable evidence. Every rule is inspectable and customizable. Every output maps to industry-standard frameworks your organization already uses.
Stop guessing what malware does. Start knowing with certainty.
Download capa today, explore the capa Explorer Web interface, and join the community shaping the future of automated malware analysis. The FLARE team built this for their hardest cases—now it's yours to command.