Table of Contents
Logo featuring the acronym "CAPA" with stylized lightning bolts inside the letter "A"s, set against a blue gear with a jagged edge.

In the ever-evolving landscape of cybersecurity, malware analysis plays a crucial role in understanding and combating threats. Reverse engineering malicious software requires a high level of expertise and can be time-consuming, especially for less experienced analysts. Enter CAPA, an open-source tool developed by the FLARE team at Mandiant, which automatically identifies capabilities in executable files. CAPA empowers analysts of all skill levels to quickly and efficiently analyze malware, providing valuable insights into its functionality and potential impact.

What is CAPA?

CAPA, which stands for "Capabilities," is a powerful malware analysis tool that uses a collection of rules to identify capabilities within a program. These rules are designed to be easy to write, even for those new to reverse engineering. By running CAPA against a suspicious executable, analysts can quickly determine what the program is capable of doing, such as communicating over the network, installing services, or spawning new processes. CAPA's rule-based approach allows it to encapsulate the knowledge and experience of seasoned reverse engineers, making it accessible to a wider audience.

Key Features

  • Automatically identifies malware capabilities using a rule-based approach

  • Provides detailed explanations for each identified capability, including the specific code locations that triggered the rule

  • Supports a wide range of executable formats, including Windows PE files (EXE, DLL, SYS) and shellcode

  • Offers a flexible and extensible architecture, allowing users to create custom rules and integrate with other tools

  • Generates output in a clear and concise format, making it easy to understand and share findings

Who Can Use CAPA?

CAPA is designed to be accessible to a wide range of users, from novice analysts to experienced reverse engineers. Its automated capability identification and clear explanations make it an invaluable tool for:

  • Incident responders and forensic analysts who need to quickly triage and prioritize malware samples

  • Threat hunters looking to identify new and emerging threats

  • Malware researchers seeking to understand the capabilities of a given sample

  • Security professionals who want to expand their knowledge of malware analysis techniques

Supported Platforms

CAPA is a cross-platform tool that can be run on various operating systems, including:

  • Windows

  • Linux

  • macOS

The tool is written in Python, and standalone executables are available for each supported platform, making installation and usage straightforward.

How to Install CAPA?

Installing CAPA is a simple process that can be accomplished in just a few steps. Follow the instructions below to get started:

Installing CAPA is a simple process that can be accomplished in just a few steps. Follow the instructions below to get started:

Download the standalone executable:

Visit the official CAPA GitHub repository at

Locate the latest release and download the appropriate standalone executable for your operating system (Windows, Linux, or macOS)

Choose a directory:

Decide on a directory where you want to store the CAPA executable

Navigate to that directory using your file explorer or terminal

Place the executable:

Move the downloaded CAPA executable into the chosen directory

(Optional) Add to PATH:

If you want to run CAPA from anywhere in your terminal without specifying the full path, you can add the directory containing the CAPA executable to your system's PATH environment variable

The process for adding a directory to PATH varies depending on your operating system:


Open the Start menu and search for "Environment Variables"

Click on "Edit the system environment variables"

Click on the "Environment Variables" button

Under "System variables," scroll down and find the "Path" variable, then click "Edit"

Click "New" and add the directory containing the CAPA executable

Click "OK" to close all windows

Linux and macOS:

Open your terminal

Open the .bashrc(Linux) or .bash_profile(macOS) file in a text editor

Add the following line at the end of the file, replacing /path/to/capawith the directory containing the CAPA executable:

Save the file and close the text editor

Restart your terminal for the changes to take effect

Verify the installation:

Open a new terminal window

Type capa -hand press Enter

If the installation was successful, you should see the CAPA help message displayed in the terminal

Alternatively, if you prefer to run CAPA from source:

  1. Clone the repository:

  2. Open your terminal

  3. Navigate to the directory where you want to store the CAPA source code

  4. Run the following command to clone the repository:

  5. Install dependencies:

  6. Navigate to the cloned capadirectory

  7. Follow the installation instructions provided in the doc/installation.mdfile to set up the required dependencies

Once you have completed these steps, you are ready to start using CAPA to analyze suspicious executables and identify their capabilities.

How to Use CAPA?

Using CAPA is straightforward and can be done directly from the command line. Follow the examples below to analyze suspicious executables and identify their capabilities.

  1. Basic usage: To analyze a suspicious executable, use the following command: Replace /path/to/suspicious.exewith the actual path to the executable you want to analyze.

  2. Verbose output:To obtain more detailed information about the identified capabilities, use the verbose (-v) or very verbose (-vv) options: The verbose output provides additional details, including the specific code locations that triggered each rule, making it easier to understand and verify CAPA's findings.

  3. Analyzing shellcode: CAPA can also analyze shellcode files. To do this, you must specify the file format and architecture using the -foption:In this example, sc32indicates that the shellcode is 32-bit. Replace /path/to/shellcode.binwith the actual path to your shellcode file.

  4. Filtering rules: If you want to focus on specific capabilities, you can use the -toption to filter rules based on their metadata: This command will only display results for rules that have "create TCP socket" in their metadata.

  5. Displaying help: To view the full list of available options and their descriptions, use the -hor --helpflag: or This will display the help message, which provides an overview of CAPA's usage and available command-line options.

By using these commands, you can quickly analyze suspicious executables and gain insights into their capabilities. CAPA's command-line interface is designed to be intuitive and easy to use, making it accessible to users of all skill levels.Remember to replace /path/to/suspicious.exe and /path/to/shellcode.bin with the actual paths to the files you want to analyze. You can also combine multiple options to customize your analysis further, such as using both verbose output and rule filtering simultaneously.

Bottom Line

CAPA is a game-changer in the world of malware analysis, offering an accessible and efficient way to identify the capabilities of suspicious executables. By leveraging the collective knowledge and experience of the cybersecurity community, CAPA empowers analysts of all skill levels to make informed decisions and quickly respond to threats. As an open-source tool, CAPA benefits from the contributions of its users, continuously expanding its rule set and capabilities. Whether you are a seasoned reverse engineer or just starting in the field of malware analysis, CAPA is an essential tool to add to your arsenal.




View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.


Recently added

View all

Learn Something New with Free Email subscription