Top Related Projects
yarGen is a generator for YARA rules
Python Decoders for Common Remote Access Trojans
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
Repository of yara rules
Quick Overview
Mandiant's capa is an open-source tool for identifying capabilities in executable files. It uses a collection of rules to detect behaviors in binaries, helping analysts understand what a program can do without needing to reverse engineer it completely. Capa supports a wide range of file formats and can be integrated into various workflows.
Pros
- Automated capability detection saves time in malware analysis
- Extensible rule system allows for custom capability definitions
- Supports multiple file formats (PE, ELF, shellcode)
- Can be used as a library or standalone command-line tool
Cons
- May produce false positives or miss sophisticated obfuscation techniques
- Requires regular updates to rules to stay effective against new malware
- Learning curve for writing custom rules effectively
- Performance can be slow on large binaries with many rules
Getting Started
To install capa:
pip install flare-capa
Basic usage:
capa /path/to/suspicious/binary
To use capa as a library in Python:
import capa.main
rules = capa.main.get_default_rules()
capabilities = capa.main.find_capabilities(file_path, rules)
for match in capabilities:
print(match)
For more advanced usage and rule writing, refer to the project's documentation on GitHub.
Competitor Comparisons
yarGen is a generator for YARA rules
Pros of yarGen
- Generates YARA rules from malware samples, which can be directly used for detection
- Supports automatic string extraction and filtering for rule creation
- Allows customization of generated rules through various options and configurations
Cons of yarGen
- Primarily focused on YARA rule generation, while capa offers broader capability detection
- May require more manual fine-tuning of generated rules for optimal results
- Less extensive documentation and community support compared to capa
Code Comparison
yarGen:
def getGoodStrings(strings):
good_strings = []
for string in strings:
if len(string) >= 10:
good_strings.append(string)
return good_strings
capa:
def extract_features(vw, function):
for insn in function.instructions:
for rule in insn_rules:
if rule.match(insn):
yield rule.name
While yarGen focuses on string extraction and filtering for YARA rule generation, capa's code demonstrates its emphasis on feature extraction from binary instructions for capability detection. This reflects the different approaches and primary use cases of the two tools in malware analysis and detection.
Python Decoders for Common Remote Access Trojans
Pros of RATDecoders
- Focused specifically on Remote Access Trojan (RAT) analysis
- Supports a wide range of RAT families
- Lightweight and easy to integrate into existing workflows
Cons of RATDecoders
- Less actively maintained compared to capa
- Limited to RAT analysis, not as versatile for general malware capabilities
- Smaller community and fewer contributors
Code Comparison
RATDecoders (Python):
def run(data):
rat = PlugX.PlugX(data)
return rat.run()
capa (Python):
def find_capabilities(vw, rules):
extractor = get_extractor(vw, args)
capabilities = capa.capabilities.find_capabilities(rules, extractor)
return capabilities
Summary
RATDecoders is a specialized tool for analyzing Remote Access Trojans, offering support for various RAT families. It's lightweight and easy to integrate but has a narrower focus compared to capa. capa, on the other hand, is a more versatile and actively maintained tool for identifying malware capabilities across a broader range of malicious software. While RATDecoders excels in its specific domain, capa provides a more comprehensive approach to malware analysis with a larger community and more frequent updates.
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
Pros of pe-sieve
- Focused on detecting and dumping malicious implants in running processes
- Lightweight and fast, suitable for real-time monitoring
- Provides detailed reports on suspicious modules and memory areas
Cons of pe-sieve
- Limited to Windows PE file analysis
- Narrower scope compared to capa's broader capability detection
- Requires running processes for analysis, unlike capa's static analysis
Code Comparison
pe-sieve (C++):
bool ProcessScanner::scanWorkingSet(ProcessScanReport &pReport)
{
PSAPI_WORKING_SET_INFORMATION *wi = nullptr;
DWORD wi_size = 0;
if (!query_working_set(this->processHandle, wi, wi_size)) {
return false;
}
// ... (scanning logic)
}
capa (Python):
def extract_features(vw, file_path):
extractor = capa.features.extractors.viv.VivisectFeatureExtractor(vw, file_path)
features = []
for feature, va in extractor.extract_features():
features.append((feature, va))
return features
Both projects focus on malware analysis but serve different purposes. pe-sieve is specialized for detecting and analyzing malicious implants in running processes, while capa offers broader capability detection across various file types and architectures.
Repository of yara rules
Pros of rules
- Extensive collection of community-contributed YARA rules
- Widely adopted and supported in various security tools
- Flexible and can be used across different platforms and file types
Cons of rules
- Requires manual rule writing and maintenance
- May produce false positives if rules are not carefully crafted
- Limited to pattern matching and lacks advanced behavioral analysis
Code comparison
rules:
rule Suspicious_PDF {
meta:
description = "Detects suspicious PDF files"
strings:
$header = "%PDF"
$js = "/JavaScript"
condition:
$header at 0 and $js
}
capa:
rule:
meta:
name: decode base64 data
namespace: data-manipulation/encoding
features:
- or:
- api: base64.b64decode
- string: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, shellcode file, or a sandbox report and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
To interactively inspect capa results in your browser use the capa Explorer Web.
If you want to inspect or write capa rules, head on over to the capa-rules repository. Otherwise, keep reading.
Below you find a list of our capa blog posts with more details.
example capa output
$ capa.exe suspicious.exe
+------------------------+--------------------------------------------------------------------------------+
| ATT&CK Tactic | ATT&CK Technique |
|------------------------+--------------------------------------------------------------------------------|
| DEFENSE EVASION | Obfuscated Files or Information [T1027] |
| DISCOVERY | Query Registry [T1012] |
| | System Information Discovery [T1082] |
| EXECUTION | Command and Scripting Interpreter::Windows Command Shell [T1059.003] |
| | Shared Modules [T1129] |
| EXFILTRATION | Exfiltration Over C2 Channel [T1041] |
| PERSISTENCE | Create or Modify System Process::Windows Service [T1543.003] |
+------------------------+--------------------------------------------------------------------------------+
+-------------------------------------------------------+-------------------------------------------------+
| CAPABILITY | NAMESPACE |
|-------------------------------------------------------+-------------------------------------------------|
| check for OutputDebugString error | anti-analysis/anti-debugging/debugger-detection |
| read and send data from client to server | c2/file-transfer |
| execute shell command and capture output | c2/shell |
| receive data (2 matches) | communication |
| send data (6 matches) | communication |
| connect to HTTP server (3 matches) | communication/http/client |
| send HTTP request (3 matches) | communication/http/client |
| create pipe | communication/named-pipe/create |
| get socket status (2 matches) | communication/socket |
| receive data on socket (2 matches) | communication/socket/receive |
| send data on socket (3 matches) | communication/socket/send |
| connect TCP socket | communication/socket/tcp |
| encode data using Base64 | data-manipulation/encoding/base64 |
| encode data using XOR (6 matches) | data-manipulation/encoding/xor |
| run as a service | executable/pe |
| get common file path (3 matches) | host-interaction/file-system |
| read file | host-interaction/file-system/read |
| write file (2 matches) | host-interaction/file-system/write |
| print debug messages (2 matches) | host-interaction/log/debug/write-event |
| resolve DNS | host-interaction/network/dns/resolve |
| get hostname | host-interaction/os/hostname |
| create a process with modified I/O handles and window | host-interaction/process/create |
| create process | host-interaction/process/create |
| create registry key | host-interaction/registry/create |
| create service | host-interaction/service/create |
| create thread | host-interaction/thread/create |
| persist via Windows service | persistence/service |
+-------------------------------------------------------+-------------------------------------------------+
download and usage
Download stable releases of the standalone capa binaries here. You can run the standalone binaries without installation. capa is a command line tool that should be run from the terminal.
To use capa as a library or integrate with another tool, see doc/installation.md for further setup instructions.
capa Explorer Web
The capa Explorer Web enables you to interactively explore capa results in your web browser. Besides the online version you can download a standalone HTML file for local offline usage.
More details on the web UI is available in the capa Explorer Web README.
example
In the above sample output, we run capa against an unknown binary (suspicious.exe),
and the tool reports that the program can send HTTP requests, decode data via XOR and Base64,
install services, and spawn new processes.
Taken together, this makes us think that suspicious.exe could be a persistent backdoor.
Therefore, our next analysis step might be to run suspicious.exe in a sandbox and try to recover the command and control server.
detailed results
By passing the -vv flag (for very verbose), capa reports exactly where it found evidence of these capabilities.
This is useful for at least two reasons:
- it helps explain why we should trust the results, and enables us to verify the conclusions, and
- it shows where within the binary an experienced analyst might study with IDA Pro
$ capa.exe suspicious.exe -vv
...
execute shell command and capture output
namespace c2/shell
author matthew.williams@mandiant.com
scope function
att&ck Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
references https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
function @ 0x4011C0
and:
match: create a process with modified I/O handles and window @ 0x4011C0
and:
number: 257 = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW @ 0x4012B8
or:
number: 68 = StartupInfo.cb (size) @ 0x401282
or: = API functions that accept a pointer to a STARTUPINFO structure
api: kernel32.CreateProcess @ 0x401343
match: create pipe @ 0x4011C0
or:
api: kernel32.CreatePipe @ 0x40126F, 0x401280
optional:
match: create thread @ 0x40136A, 0x4013BA
or:
and:
os: windows
or:
api: kernel32.CreateThread @ 0x4013D7
or:
and:
os: windows
or:
api: kernel32.CreateThread @ 0x401395
or:
string: "cmd.exe" @ 0x4012FD
...
capa also supports dynamic capabilities detection for multiple sandboxes including:
- CAPE (supported report formats:
.json,.json_,.json.gz) - DRAKVUF (supported report formats:
.log,.log.gz) - VMRay (supported report formats: analysis archive
.zip)
To use this feature, submit your file to a supported sandbox and then download and run capa against the generated report file. This feature enables capa to match capabilities against dynamic and static features that the sandbox captured during execution.
Here's an example of running capa against a packed file, and then running capa against the CAPE report generated for the same packed file:
$ capa 05be49819139a3fdcdbddbdefd298398779521f3d68daa25275cc77508e42310.exe
WARNING:capa.capabilities.common:--------------------------------------------------------------------------------
WARNING:capa.capabilities.common: This sample appears to be packed.
WARNING:capa.capabilities.common:
WARNING:capa.capabilities.common: Packed samples have often been obfuscated to hide their logic.
WARNING:capa.capabilities.common: capa cannot handle obfuscation well using static analysis. This means the results may be misleading or incomplete.
WARNING:capa.capabilities.common: If possible, you should try to unpack this input file before analyzing it with capa.
WARNING:capa.capabilities.common: Alternatively, run the sample in a supported sandbox and invoke capa against the report to obtain dynamic analysis results.
WARNING:capa.capabilities.common:
WARNING:capa.capabilities.common: Identified via rule: (internal) packer file limitation
WARNING:capa.capabilities.common:
WARNING:capa.capabilities.common: Use -v or -vv if you really want to see the capabilities identified by capa.
WARNING:capa.capabilities.common:--------------------------------------------------------------------------------
$ capa 05be49819139a3fdcdbddbdefd298398779521f3d68daa25275cc77508e42310.json
ââââââââââââââââââââââââââ¯âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â ATT&CK Tactic â ATT&CK Technique â
ââââââââââââââââââââââââââ¿âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¥
â CREDENTIAL ACCESS â Credentials from Password Stores T1555 â
ââââââââââââââââââââââââââ¼âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¤
â DEFENSE EVASION â File and Directory Permissions Modification T1222 â
â â Modify Registry T1112 â
â â Obfuscated Files or Information T1027 â
â â Virtualization/Sandbox Evasion::User Activity Based Checks T1497.002 â
ââââââââââââââââââââââââââ¼âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¤
â DISCOVERY â Account Discovery T1087 â
â â Application Window Discovery T1010 â
â â File and Directory Discovery T1083 â
â â Query Registry T1012 â
â â System Information Discovery T1082 â
â â System Location Discovery::System Language Discovery T1614.001 â
â â System Owner/User Discovery T1033 â
ââââââââââââââââââââââââââ¼âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¤
â EXECUTION â System Services::Service Execution T1569.002 â
ââââââââââââââââââââââââââ¼âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¤
â PERSISTENCE â Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder T1547.001 â
â â Boot or Logon Autostart Execution::Winlogon Helper DLL T1547.004 â
â â Create or Modify System Process::Windows Service T1543.003 â
ââââââââââââââââââââââââââ·âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¯âââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â Capability â Namespace â
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¿âââââââââââââââââââââââââââââââââââââââââââââââââââââââ¥
â check for unmoving mouse cursor (3 matches) â anti-analysis/anti-vm/vm-detection â
â gather bitkinex information â collection/file-managers â
â gather classicftp information â collection/file-managers â
â gather filezilla information â collection/file-managers â
â gather total-commander information â collection/file-managers â
â gather ultrafxp information â collection/file-managers â
â resolve DNS (23 matches) â communication/dns â
â initialize Winsock library (7 matches) â communication/socket â
â act as TCP client (3 matches) â communication/tcp/client â
â create new key via CryptAcquireContext â data-manipulation/encryption â
â encrypt or decrypt via WinCrypt â data-manipulation/encryption â
â hash data via WinCrypt â data-manipulation/hashing â
â initialize hashing via WinCrypt â data-manipulation/hashing â
â hash data with MD5 â data-manipulation/hashing/md5 â
â generate random numbers via WinAPI â data-manipulation/prng â
â extract resource via kernel32 functions (2 matches) â executable/resource â
â interact with driver via control codes (2 matches) â host-interaction/driver â
â get Program Files directory (18 matches) â host-interaction/file-system â
â get common file path (575 matches) â host-interaction/file-system â
â create directory (2 matches) â host-interaction/file-system/create â
â delete file â host-interaction/file-system/delete â
â get file attributes (122 matches) â host-interaction/file-system/meta â
â set file attributes (8 matches) â host-interaction/file-system/meta â
â move file â host-interaction/file-system/move â
â find taskbar (3 matches) â host-interaction/gui/taskbar/find â
â get keyboard layout (12 matches) â host-interaction/hardware/keyboard â
â get disk size â host-interaction/hardware/storage â
â get hostname (4 matches) â host-interaction/os/hostname â
â allocate or change RWX memory (3 matches) â host-interaction/process/inject â
â query or enumerate registry key (3 matches) â host-interaction/registry â
â query or enumerate registry value (8 matches) â host-interaction/registry â
â delete registry key â host-interaction/registry/delete â
â start service â host-interaction/service/start â
â get session user name â host-interaction/session â
â persist via Run registry key â persistence/registry/run â
â persist via Winlogon Helper DLL registry key â persistence/registry/winlogon-helper â
â persist via Windows service (2 matches) â persistence/service â
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââ·âââââââââââââââââââââââââââââââââââââââââââââââââââââââ
capa rules
capa uses a collection of rules to identify capabilities within a program. These rules are easy to write, even for those new to reverse engineering. By authoring rules, you can extend the capabilities that capa recognizes. In some regards, capa rules are a mixture of the OpenIOC, Yara, and YAML formats.
Here's an example rule used by capa:
rule:
meta:
name: create TCP socket
namespace: communication/socket/tcp
authors:
- william.ballenthin@mandiant.com
- joakim@intezer.com
- anushka.virgaonkar@mandiant.com
scopes:
static: basic block
dynamic: call
mbc:
- Communication::Socket Communication::Create TCP Socket [C0001.011]
examples:
- Practical Malware Analysis Lab 01-01.dll_:0x10001010
features:
- or:
- and:
- number: 6 = IPPROTO_TCP
- number: 1 = SOCK_STREAM
- number: 2 = AF_INET
- or:
- api: ws2_32.socket
- api: ws2_32.WSASocket
- api: socket
- property/read: System.Net.Sockets.TcpClient::Client
The github.com/mandiant/capa-rules repository contains hundreds of standard rules that are distributed with capa. Please learn to write rules and contribute new entries as you find interesting techniques in malware.
IDA Pro plugin: capa explorer
If you use IDA Pro, then you can use the capa explorer plugin. capa explorer helps you identify interesting areas of a program and build new capa rules using features extracted directly from your IDA Pro database. It also uses your local changes to the .idb to extract better features, such as when you rename a global variable that contains a dynamically resolved API address.
Ghidra integration
If you use Ghidra, then you can use the capa + Ghidra integration to run capa's analysis directly on your Ghidra database and render the results in Ghidra's user interface.
blog posts
- Dynamic capa: Exploring Executable Run-Time Behavior with the CAPE Sandbox
- capa v4: casting a wider .NET (.NET support)
- ELFant in the Room â capa v3 (ELF support)
- capa 2.0: Better, Stronger, Faster
- capa: Automatically Identify Malware Capabilities
further information
capa
capa rules
capa testfiles
The capa-testfiles repository contains the data we use to test capa's code and rules
Top Related Projects
yarGen is a generator for YARA rules
Python Decoders for Common Remote Access Trojans
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
Repository of yara rules
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot