# capa

> Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog

**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Rich (FOR610)
**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files)

## Usage

```bash
# Default run: summary of detected capabilities
capa specimen.exe
# Very verbose output
capa -vv specimen.exe
# Show the 'Suspended Process' match and the 7 lines that follow it
capa -vv specimen.exe | grep -A7 'Suspended Process'
```

## Recipes

- [[recipes/capa-capability-filter|Filter Capabilities by Technique]]

## Workflows

- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 5: Capability Detection
- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 4: Emulation (Safe Alternative)
- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 8: Verification
- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 1: Capability Detection
- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 1: Shellcode Detection
- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 1: Beacon Detection

## Related Tools

- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating
- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal
- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw

## FOR610

**Labs:** 1.4, 5.4
**Sections:** 1, 5

#capabilities #mitre-attack #automated-analysis