{"id":19390638,"url":"https://github.com/mandiant/capa-rules","last_synced_at":"2026-01-28T04:34:21.723Z","repository":{"id":38185759,"uuid":"273342219","full_name":"mandiant/capa-rules","owner":"mandiant","description":"Standard collection of rules for capa: the tool for enumerating the capabilities of programs","archived":false,"fork":false,"pushed_at":"2026-01-26T16:40:58.000Z","size":3118,"stargazers_count":672,"open_issues_count":130,"forks_count":209,"subscribers_count":23,"default_branch":"master","last_synced_at":"2026-01-27T04:49:50.929Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://github.com/mandiant/capa/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mandiant.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-06-18T21:19:56.000Z","updated_at":"2026-01-26T16:41:04.000Z","dependencies_parsed_at":"2022-07-13T19:30:32.908Z","dependency_job_id":"24c05861-1c60-4154-9dbe-21eea564bc7b","html_url":"https://github.com/mandiant/capa-rules","commit_stats":null,"previous_names":[],"tags_count":44,"template":false,"template_full_name":null,"purl":"pkg:github/mandiant/capa-rules","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fcapa-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fcapa-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fc
apa-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fcapa-rules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mandiant","download_url":"https://codeload.github.com/mandiant/capa-rules/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fcapa-rules/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28838486,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-28T02:10:51.810Z","status":"ssl_error","status_checked_at":"2026-01-28T02:10:50.806Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T10:22:31.764Z","updated_at":"2026-01-28T04:34:21.696Z","avatar_url":"https://github.com/mandiant.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"# capa rules\n\n[![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22)\n[![Number of rules](https://gist.githubusercontent.com/capa-bot/6d7960e911f48b3b74916df8988cf0f3/raw/rules_badge.svg)](rules)\n[![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)\n\nThis is the standard collection of rules 
for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs.\n\n## philosophy\nRule writing should be easy and fun!\nA large rule corpus benefits everyone in the community and we encourage all kinds of contributions.\n\nAnytime you see something neat in malware, we want you to think of expressing it in a capa rule.\nThen, we'll make it as painless as possible to share your rule here and distribute it to capa users.\n\n## rule development\n\ncapa uses a collection of rules to identify capabilities within a program.\nThese rules are easy to write, even for those new to reverse engineering.\nBy authoring rules, you can extend the capabilities that capa recognizes.\nIn some regards, capa rules are a mixture of the OpenIOC, Yara, and YAML formats.\n\nHere's an example of a capa rule:\n\n```yaml\nrule:\n  meta:\n    name: create reverse shell\n    namespace: communication/c2/shell\n    authors:\n      - moritz.raabe@mandiant.com\n    scopes:\n      static: function\n      dynamic: span of calls\n    att\u0026ck:\n      - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]\n    mbc:\n      - Impact::Remote Access::Reverse Shell [B0022.001]\n    examples:\n      - C91887D861D9BD4A5872249B641BC9F9:0x401A77\n  features:\n    - or:\n      - and:\n        - match: create pipe\n        - api: kernel32.PeekNamedPipe\n        - api: kernel32.CreateProcess\n        - api: kernel32.ReadFile\n        - api: kernel32.WriteFile\n      - and:\n        - match: host-interaction/process/create\n        - match: read pipe\n        - match: write pipe\n      - and:\n        - match: create pipe\n        - match: host-interaction/process/create\n        - or:\n          - basic block:\n            - and:\n              - count(api(SetHandleInformation)): 2 or more\n              - number: 1 = HANDLE_FLAG_INHERIT\n          - call:\n            - and:\n              - count(api(SetHandleInformation)): 2 or more\n              - number: 1 = HANDLE_FLAG_INHERIT\n```\n\ncapa interprets the content of these rules as it inspects executable files.\nIf you follow the guidelines of this rule format, then you can teach capa to identify new capabilities.\n\nThe [doc/format.md](./doc/format.md) file describes exactly how to construct rules.\nPlease refer to it as you create rules for capa.\n\n\n## namespace organization\n\nThe organization of this repository mirrors the namespaces of the rules it contains.\ncapa uses namespaces to group like things together, especially when it renders its final report.\nNamespaces are hierarchical, so the children of a namespace encode its specific techniques.\nIn a few words each, the top-level namespaces are:\n\n  - [anti-analysis](./anti-analysis/) - packing, obfuscation, anti-X, etc.\n  - [collection](./collection/) - data that may be enumerated and collected for exfiltration\n  - [communication](./communication/) - HTTP, TCP, command and control (C2) traffic, etc.\n  - [compiler](./compiler/) - detection of build environments, such as MSVC, Delphi, or AutoIT\n  - [data-manipulation](./data-manipulation/) - encryption, hashing, etc.\n  - [executable](./executable/) - characteristics of the executable, such as PE sections or debug info\n  - [host-interaction](./host-interaction/) - access or manipulation of system resources, like processes or the Registry\n  - [impact](./impact/) - end goal\n  - [internal](./internal/) - used internally by capa to guide analysis\n  - [lib](./lib/) - building blocks to create other rules\n  - [linking](./linking/) - detection of dependencies, such as OpenSSL or Zlib\n  - [load-code](./load-code/) - runtime load and execution of code, such as embedded PE or shellcode\n  - [malware-family](./malware-family/) - detection of malware families\n  - [nursery](./nursery/) - staging ground for rules that are not quite polished\n  - [persistence](./persistence/) - all sorts of ways to maintain access\n  - [runtime](./runtime/) - detection of language runtimes, such as the .NET platform or Go\n  - [targeting](./targeting/) - special handling of systems, such as ATM machines\n\nWe can easily add more top-level namespaces as the need arises.\n\n\n### library rules\ncapa supports rules that match on other rule matches.\nFor example, the following rule set describes various methods of persistence.\nNote that the rule `persistence` matches if either `run key` or `service` match against a sample.\n\n```yaml\n---\nrule:\n  meta:\n    name: persistence\n  features:\n    or:\n      - match: run key\n      - match: service\n---\nrule:\n  meta:\n    name: run key\n  features:\n    string: /CurrentVersion\\/Run/i\n---\nrule:\n  meta:\n    name: service\n  features:\n    api: CreateService\n```\n\nUsing this feature, we can capture common logic into \"library rules\".\nThese rules don't get rendered as results but are used as building blocks to create other rules.\nFor example, there are quite a few ways to write to files on Windows,\nso the following library rule makes it easy for other rules to thoroughly match file writing.\n\n```yaml\nrule:\n  meta:\n    name: write file\n    lib: True\n  features:\n    or:\n      - api: WriteFile\n      - api: fwrite\n      ...\n```\n\nSet `rule.meta.lib=True` to declare a lib rule and place the rule file into the [lib](./lib/) rule directory.\nLibrary rules should not have a namespace.\nLibrary rules will not be rendered as results.\ncapa will only attempt to match lib rules that are referenced by other rules,\nso there's no performance overhead for defining many reusable library rules.\n\n### rule nursery\nThe rule [nursery](https://github.com/mandiant/capa-rules/tree/master/nursery) is a staging ground for rules that are not quite polished. Nursery rule logic should still be solid, though metadata may be incomplete. For example, rules that lack a public example of the technique.\n\nThe rule engine matches regularly on nursery rules. However, our rule linter only enumerates missing rule data and does not fail the CI build, because it's understood that the rule is incomplete.\n\nWe encourage contributors to create rules in the nursery, and hope that the community will work to \"graduate\" the rule once things are acceptable.\n\nExamples of things that would place a rule into the nursery:\n  - no real-world examples\n  - missing categorization\n  - (maybe) questions about fidelity (e.g. RC4 PRNG algorithm)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fcapa-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmandiant%2Fcapa-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fcapa-rules/lists"}