capa
An open-source tool that detects capabilities in executable files like malware, identifying behaviors such as backdoor installation or network communication.
What is capa?
capa is an open-source tool developed by Mandiant's FLARE team that identifies capabilities in executable files, such as malware. It analyzes PE, ELF, .NET modules, shellcode, and sandbox reports to detect behaviors like backdoor installation, network communication, or data encoding, helping analysts understand a program's intent. The tool maps these capabilities to the MITRE ATT&CK framework for standardized threat reporting.
Malware analysts, reverse engineers, and security researchers who need to quickly assess suspicious binaries and understand their functionality. It's also valuable for threat intelligence teams mapping malware behaviors to known attack patterns.
Developers choose capa for its rule-based extensibility, integration with disassemblers like IDA Pro and Ghidra, and support for both static and dynamic analysis via sandbox reports. Its open-source nature and active community ensure continuous updates and a transparent approach to capability detection.
Overview
The FLARE team's open-source tool to identify capabilities in executable files.
Use Cases
Best For
- Identifying malware capabilities in suspicious executables
Related Projects
Found a gem we're missing?
Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.
