Capabilities often have associated host-based and network-based indicators (HBIs and NBIs). Especially these examples (by rule namespaces) come to mind:

• communication/http: IPs, domains
• host-interaction/file-system: file names
• host-interaction/registry: registry keys and values

We often encounter an HBI or NBI as a string used close around a capability, e.g. as argument to an API call.

It would be worth exploring if we can automatically:

• extract strings potentially related to capabilities
• perform some sanity checks on them (e.g., is it an IP? or is it a file path?)
• output them with the capabilities (e.g. as part of our existing rendering or in a new section highlighting potential indicators)

I suspect this could work very well with in the dynamic analysis flavor, but also for static extraction on basic samples could work quite well.