Malware Capabilities
The following hierarchy and its associated pages capture the MAEC Malware Capabilities as of the v4.1 release. We hope these pages will serve as a useful reference for our implementation, and we plan to augment them with additional examples, references, and relationships in the near future. We welcome feedback on these pages and on MAEC's Malware Capabilities in general.
Starting with version 4.1, MAEC offers a standard way of capturing the set of high-level abilities that a malware instance possesses, which we term Capabilities. For instance, to state that a malware instance is capable of exfiltrating data, one simply specifies a single MAEC "Data Exfiltration" Capability. We have defined an initial set of Capabilities for the MAEC v4.1 release, captured in detail in the hierarchy below.
Strategic Objectives and Tactical Objectives describe each Capability at finer granularity. A Capability can have one or more Strategic Objectives that it attempts to carry out, and each Strategic Objective can in turn have one or more Tactical Objectives. Continuing with the Data Exfiltration example, the malware instance could have a Strategic Objective of “Stage Data for Exfiltration,” which in turn could have a Tactical Objective of “Move Data to Staging Server.” Note that this hierarchy of Capabilities and Objectives is recommended, not strictly enforced: one may capture any set of Capabilities and Objectives as one sees fit.
A graphical representation of this hierarchy (as a PDF generated from a mind map) can be found here.
[C] : Capability
[SO] : Strategic Objective
[TO] : Tactical Objective
- Command and Control [C]
  - Determine C2 Server [SO]
  - Receive Data from C2 Server [SO]
    - Validate Data [TO]
    - Control Malware via Remote Command [TO]
    - Update Configuration [TO]
  - Send Data to C2 Server [SO]
    - Send System Information [TO]
    - Send Heartbeat Data [TO]
    - Check for Payload [TO]
- Remote Machine Manipulation [C]
- Privilege Escalation [C]
  - Impersonate User [SO]
  - Escalate User Privilege [SO]
    - Elevate CPU Mode [TO]
- Data Theft [C]
  - Steal Stored Information [SO]
    - Steal Serial Numbers [TO]
    - Steal Documents [TO]
    - Steal Database Content [TO]
    - Steal Cryptocurrency Data [TO]
    - Steal Images [TO]
  - Steal User Data [SO]
    - Steal Dialed Phone Numbers [TO]
    - Steal Email Data [TO]
    - Steal SMS Database [TO]
    - Steal Browser Cache [TO]
    - Steal Browser History [TO]
    - Steal Referrer URLs [TO]
    - Steal Contact List Data [TO]
  - Steal System Information [SO]
    - Steal Make/Model [TO]
    - Steal Network Address [TO]
    - Steal Open Port [TO]
  - Steal Authentication Credentials [SO]
    - Steal Web/Network Credential [TO]
    - Steal Password Hash [TO]
    - Steal PKI Key [TO]
    - Steal Cookie [TO]
    - Steal PKI Software Certificate [TO]
- Spying [C]
  - Capture System Input Peripheral Data [SO]
    - Capture Camera Input [TO]
    - Capture Keyboard Input [TO]
    - Capture Mouse Input [TO]
    - Capture Microphone Input [TO]
    - Capture Touchscreen Input [TO]
  - Capture System State Data [SO]
    - Capture File System [TO]
    - Capture System Memory [TO]
  - Capture System Interface Data [SO]
  - Capture System Output Peripheral Data [SO]
- Secondary Operation [C]
  - Patch Operating System File(s) [SO]
  - Remove Traces of Infection [SO]
    - Remove System Artifacts [TO]
    - Remove Self [TO]
  - Lay Dormant [SO]
  - Install Other Components [SO]
  - Suicide Exit [SO]
  - Log Activity [SO]
- Anti-Detection [C]
  - Security Software Evasion [SO]
  - Hide Executing Code [SO]
    - Execute Before/External to Kernel/Hypervisor [TO]
    - Hide Processes [TO]
    - Execute Stealthy Code [TO]
    - Hide Userspace Libraries [TO]
    - Execute Non-Main CPU Code [TO]
    - Hide Kernel Modules [TO]
    - Hide Services [TO]
    - Hide Threads [TO]
  - Self-Modification [SO]
    - Change/Add Content [TO]
    - Encrypt Self [TO]
  - Anti-Memory Forensics [SO]
  - Hide Non-Executing Code [SO]
    - Hide Code in File [TO]
  - Hide Malware Artifacts [SO]
- Anti-Code Analysis [C]
  - Anti-Debugging [SO]
    - Detect Debugging [TO]
    - Prevent Debugging [TO]
  - Code Obfuscation [SO]
    - Transform Control Flow [TO]
    - Obfuscate Instructions [TO]
    - Obfuscate Runtime Code [TO]
  - Anti-Disassembly [SO]
- Infection/Propagation [C]
  - Infect File [SO]
    - Write Code Into File [TO]
    - Identify File [TO]
    - Modify File [TO]
  - Infect Remote Machine [SO]
- Anti-Behavioral Analysis [C]
  - Anti-VM [SO]
    - Detect VM Environment [TO]
    - Prevent Execution in VM [TO]
  - Anti-Sandbox [SO]
- Integrity Violation [C]
  - Compromise System Data Integrity [SO]
    - Corrupt System Data [TO]
  - Annoy User [SO]
    - Annoy Remote User [TO]
    - Annoy Local System User [TO]
  - Compromise Network Operational Integrity [SO]
  - Compromise User Data Integrity [SO]
    - Corrupt User Data [TO]
  - Compromise System Operational Integrity [SO]
    - Subvert System [TO]
- Data Exfiltration [C]
  - Perform Data Exfiltration [SO]
  - Obfuscate Data for Exfiltration [SO]
    - Hide Data [TO]
    - Encrypt Data [TO]
  - Stage Data for Exfiltration [SO]
    - Package Data [TO]
    - Move Data to Staging Server [TO]
- Probing [C]
  - Probe Host Configuration [SO]
    - Check Language [TO]
    - Identify OS [TO]
    - Identify Host IP Address [TO]
    - Inventory System Applications [TO]
  - Probe Network Environment [SO]
    - Map Local Network [TO]
    - Check for Firewall [TO]
    - Check for Network Drives [TO]
    - Check for Proxy [TO]
    - Check for Internet Connectivity [TO]
- Anti-Removal [C]
- Security Degradation [C]
- Availability Violation [C]
- Destruction [C]
  - Destroy Physical Entity [SO]
    - Destroy Firmware [TO]
    - Destroy Hardware [TO]
  - Destroy Virtual Entity [SO]
    - Erase Data [TO]
- Fraud [C]
  - Premium Rate Fraud [SO]
  - Click Fraud [SO]
- Persistence [C]
- Machine Access/Control [C]
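The following Python is an added example and is not part of the MAEC project's own tooling or schema. It parses an indented list form of the hierarchy above (two spaces of indentation per level, with the [C]/[SO]/[TO] type tag in brackets, as in the legend) into Capability → Strategic Objective → Tactical Objective trees, then checks a Capability / Strategic Objective / Tactical Objective combination against it. Because the hierarchy is recommended rather than enforced, an objective that exists in the vocabulary but is filed under a different parent is reported as a warning, while a name that appears nowhere is an error. The embedded excerpt is copied from this page; the function and class names are this example's own.

```python
"""Parse a "Name [C]/[SO]/[TO]" hierarchy and check objective paths against it."""
import re
from dataclasses import dataclass, field

# Excerpt of the hierarchy listed on this page, in indented-list form
# (two spaces of indentation per level, type tag in square brackets).
HIERARCHY_TEXT = """
- Data Exfiltration [C]
  - Perform Data Exfiltration [SO]
  - Obfuscate Data for Exfiltration [SO]
    - Hide Data [TO]
    - Encrypt Data [TO]
  - Stage Data for Exfiltration [SO]
    - Package Data [TO]
    - Move Data to Staging Server [TO]
- Anti-Code Analysis [C]
  - Anti-Debugging [SO]
    - Detect Debugging [TO]
    - Prevent Debugging [TO]
  - Anti-Disassembly [SO]
"""

LINE_RE = re.compile(r"^(?P<indent> *)- (?P<name>.+?) \[(?P<kind>C|SO|TO)\]\s*$")
LEVEL_OF = {"C": 0, "SO": 1, "TO": 2}  # nesting depth implied by each tag


@dataclass
class Node:
    name: str
    kind: str
    children: list = field(default_factory=list)


def parse_hierarchy(text):
    """Build Capability -> Strategic Objective -> Tactical Objective trees."""
    roots = []
    stack = []  # nodes on the current path, indexed by level
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        node = Node(m["name"], m["kind"])
        level = LEVEL_OF[node.kind]
        # The tag and the indentation must agree, otherwise the list is corrupt.
        if len(m["indent"]) != 2 * level:
            raise ValueError(f"indentation does not match [{node.kind}] tag: {raw!r}")
        if len(stack) < level:
            raise ValueError(f"[{node.kind}] entry without a parent: {raw!r}")
        del stack[level:]
        if level == 0:
            roots.append(node)
        else:
            stack[level - 1].children.append(node)
        stack.append(node)
    return roots


def check_path(roots, capability, strategic=None, tactical=None):
    """Return findings for a Capability / SO / TO combination.

    Unknown names are errors; known names under an unexpected parent are
    only warnings, since the hierarchy is recommended, not enforced.
    """
    parents_of = {}  # (kind, name) -> names of the parents it is listed under
    for cap in roots:
        parents_of.setdefault(("C", cap.name), [])
        for so in cap.children:
            parents_of.setdefault(("SO", so.name), []).append(cap.name)
            for to in so.children:
                parents_of.setdefault(("TO", to.name), []).append(so.name)

    findings = []
    if ("C", capability) not in parents_of:
        findings.append(f"error: unknown Capability {capability!r}")
    if strategic is not None:
        parents = parents_of.get(("SO", strategic))
        if parents is None:
            findings.append(f"error: unknown Strategic Objective {strategic!r}")
        elif capability not in parents:
            findings.append(f"warning: {strategic!r} is listed under {parents}, not under {capability!r}")
    if tactical is not None:
        parents = parents_of.get(("TO", tactical))
        if parents is None:
            findings.append(f"error: unknown Tactical Objective {tactical!r}")
        elif strategic is not None and strategic not in parents:
            findings.append(f"warning: {tactical!r} is listed under {parents}, not under {strategic!r}")
    return findings


if __name__ == "__main__":
    tree = parse_hierarchy(HIERARCHY_TEXT)
    # Off-hierarchy but allowed: Encrypt Data belongs to Obfuscate Data for Exfiltration.
    for line in check_path(tree, "Data Exfiltration", "Stage Data for Exfiltration", "Encrypt Data"):
        print(line)
```

Feeding the full hierarchy from this page into `parse_hierarchy` gives a lookup table for an analysis pipeline; running `check_path` over each Capability recorded for a sample then separates vocabulary mistakes (errors) from deliberate deviations from the recommended nesting (warnings) before the MAEC package is produced.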