capa uses a collection of rules to identify capabilities within a program. The github.com/mandiant/capa-rules repository contains hundreds of standard library rules that are distributed with capa.
When you download a standalone version of capa, this standard library is embedded within the executable and capa will use these rules by default:
$ capa suspicious.exeHowever, you may want to modify the rules for a variety of reasons:
- develop new rules to find behaviors,
- tweak existing rules to reduce false positives,
- collect a private selection of rules not shared publicly.
Or, you may want to use capa as a Python library within another application.
In these scenarios, you must provide the rule set to capa as a directory on your file system. Do this using the -r/--rules parameter:
$ capa --rules /local/path/to/rules suspicious.exeYou can download the standard set of rules as ZIP or TGZ archives from the capa-rules release page.
Note that you must use match the rules major version with the capa major version, i.e., use v1 rules with v1 of capa.
This is so that new versions of capa can update rule syntax, such as by adding new fields and logic.
Otherwise, using rules with a mismatched version of capa may lead to errors like:
$ capa --rules /path/to/mismatched/rules suspicious.exe
ERROR:lint:invalid rule: injection.yml: invalid rule: unexpected statement: instruction
You can check the version of capa you're currently using like this:
$ capa --version
capa 3.0.3