Malware Capabilities

• Command and Control [C]
  • Degrade Security Programs [SO]
    • Gather Security Product Info [TO]
    • Prevent Access to Security Websites [TO]
    • Modify Security Program Configuration [TO]
    • Prevent Security Program from Running [TO]
    • Stop Execution of Security Program [TO]
  • Send Data to C2 Server [SO]
    • Send System Information [TO]
    • Send Heartbeat Data [TO]
    • Check for Payload [TO]
  • Determine C2 Server [SO]
    • Generate C2 Domain Name(s) [TO]
• Remote Machine Manipulation [C]
  • Control Local Machine [SO]
    • Control Machine via Remote Command [TO]
  • Search For Remote Machines [SO]
• Privilege Escalation [C]
  • Escalate User Privilege [SO]
    • Elevate CPU Mode [TO]
  • Access Remote Machine [SO]
    • Compromise Remote Machine [TO]
• Data Theft [C]
  • Steal Stored Information [SO]
    • Steal Serial Numbers [TO]
    • Steal Documents [TO]
    • Steal Database Content [TO]
    • Steal Cryptocurrency Data [TO]
    • Steal Images [TO]
  • Steal Authentication Credentials [SO]
    • Steal Web/Network Credential [TO]
    • Steal Password Hash [TO]
    • Steal PKI Key [TO]
    • Steal Cookie [TO]
    • Steal PKI Software Certificate [TO]
  • Steal User Data [SO]
    • Steal Dialed Phone Numbers [TO]
    • Steal Email Data [TO]
    • Steal SMS Database [TO]
    • Steal Browser Cache [TO]
    • Steal Browser History [TO]
    • Steal Referrer URLs [TO]
    • Steal Contact List Data [TO]
  • Log Activity [SO]
• Spying [C]
  • Capture System Input Peripheral Data [SO]
    • Capture Camera Input [TO]
    • Capture Keyboard Input [TO]
    • Capture Mouse Input [TO]
    • Capture Microphone Input [TO]
    • Capture Touchscreen Input [TO]
  • Capture System Output Peripheral Data [SO]
    • Capture System Screenshot [TO]
    • Capture Printer Output [TO]
  • Steal System Information [SO]
    • Steal Make/Model [TO]
    • Steal Network Address [TO]
    • Steal Open Port [TO]
  • Capture System Interface Data [SO]
    • Capture System Network Traffic [TO]
    • Capture GPS Data [TO]
• Secondary Operation [C]
  • Patch Operating System File(s) [SO]
  • Remove Traces of Infection [SO]
    • Remove System Artifacts [TO]
    • Remove Self [TO]
  • Lay Dormant [SO]
  • Install Other Components [SO]
    • Install Secondary Module [TO]
    • Install Secondary Malware [TO]
    • Install Legitimate Software [TO]
  • Suicide Exit [SO]
  • Perform Data Exfiltration [SO]
    • Exfiltrate via Covert Channel [TO]
    • Exfiltrate via Fax [TO]
    • Exfiltrate via Physical Media [TO]
    • Exfiltrate via Dumpster Dive [TO]
    • Exfiltrate via Network [TO]
    • Exfiltrate via VoIP/Phone [TO]
• Anti-Detection [C]
  • Security Software Evasion [SO]
    • Prevent Native API Hooking [TO]
  • Hide Executing Code [SO]
    • Execute Before/External to Kernel/Hypervisor [TO]
    • Hide Processes [TO]
    • Execute Stealthy Code [TO]
    • Hide Userspace Libraries [TO]
    • Execute Non-Main CPU Code [TO]
    • Hide Kernel Modules [TO]
    • Hide Services [TO]
    • Hide Threads [TO]
  • Anti-Memory Forensics [SO]
    • Prevent Physical Memory Acquisition [TO]
    • Hide Arbitrary Virtual Memory [TO]
    • Feed Misinformation During Physical Memory Acquisition [TO]
  • Self-Modification [SO]
    • Change/Add Content [TO]
    • Encrypt Self [TO]
  • Prevent Malware Artifact Access [SO]
    • Prevent Registry Access [TO]
    • Prevent File Access [TO]
    • Prevent Memory Access [TO]
  • Hide Malware Artifacts [SO]
    • Hide Open Network Ports [TO]
    • Obfuscate Artifact Properties [TO]
    • Hide Network Traffic [TO]
    • Hide File System Artifacts [TO]
    • Hide Registry Artifacts [TO]
• Anti-Code Analysis [C]
  • Anti-Debugging [SO]
    • Detect Debugging [TO]
    • Prevent Debugging [TO]
  • Anti-Disassembly [SO]
    • Defeat Linear Disassembler [TO]
    • Defeat Call Graph Generation [TO]
    • Defeat Flow-oriented (Recursive Traversal) Disassembler [TO]
    • Obfuscate Imports [TO]
    • Restructure Arrays [TO]
  • Anti-Sandbox [SO]
    • Overload Sandbox [TO]
    • Prevent Execution in Sandbox [TO]
    • Detect Sandbox Environment [TO]
• Infection/Propagation [C]
  • Infect Remote Machine [SO]
    • Perform Autonomous Remote Infection [TO]
    • Inventory Victims [TO]
    • Identify Target Machine(s) [TO]
    • Perform Social-engineering Based Remote Infection [TO]
• Anti-Behavioral Analysis [C]
  • Anti-VM [SO]
    • Detect VM Environment [TO]
    • Prevent Execution in VM [TO]
  • Infect File [SO]
    • Write Code Into File [TO]
    • Identify File [TO]
    • Modify File [TO]
• Integrity Violation [C]
  • Compromise User Data Integrity [SO]
    • Corrupt User Data [TO]
  • Compromise System Operational Integrity [SO]
    • Subvert System [TO]
  • Compromise System Data Integrity [SO]
    • Corrupt System Data [TO]
  • Compromise Network Operational Integrity [SO]
    • Intercept/Manipulate Network Traffic [TO]
  • Destroy Virtual Entity [SO]
    • Erase Data [TO]
• Data Exfiltration [C]
  • Stage Data for Exfiltration [SO]
    • Package Data [TO]
    • Move Data to Staging Server [TO]
  • Obfuscate Data for Exfiltration [SO]
    • Hide Data [TO]
    • Encrypt Data [TO]
  • Impersonate User [SO]
• Probing [C]
  • Click Fraud [SO]
  • Probe Host Configuration [SO]
    • Check Language [TO]
    • Identify OS [TO]
    • Identify Host IP Address [TO]
    • Inventory System Applications [TO]
  • Probe Network Environment [SO]
    • Map Local Network [TO]
    • Check for Firewall [TO]
    • Check for Network Drives [TO]
    • Check for Proxy [TO]
    • Check for Internet Connectivity [TO]
• Anti-Removal [C]
  • Prevent Malware Artifact Deletion [SO]
    • Prevent Registry Deletion [TO]
    • Prevent File Deletion [TO]
    • Prevent API Unhooking [TO]
  • Code Obfuscation [SO]
    • Transform Control Flow [TO]
    • Obfuscate Instructions [TO]
    • Obfuscate Runtime Code [TO]
• Security Degradation [C]
  • Disable Service Provider Security Features [SO]
    • Remove SMS Warning Messages [TO]
  • Ensure Compatibility [SO]
    • Limit Application Type/Version [TO]
  • Disable OS Security Features [SO]
    • Disable System File Overwrite Protection [TO]
    • Disable OS Security Alerts [TO]
    • Disable Kernel Patching Protection [TO]
    • Disable User Account Control [TO]
  • Disable System Updates [SO]
    • Disable System Service Pack/Patch Installation [TO]
    • Disable System Update Services/Daemons [TO]
  • Disable [Host-based or OS] Access Controls [SO]
    • Disable Firewall [TO]
    • Disable Access Right Checking [TO]
    • Disable Privilege Limiting [TO]
• Availability Violation [C]
  • Consume System Resources [SO]
    • Crack Passwords [TO]
    • Mine for CryptoCurrency [TO]
  • Annoy User [SO]
    • Annoy Remote User [TO]
    • Annoy Local System User [TO]
  • Compromise System Availability [SO]
    • Denial of Service [TO]
    • Compromise Local System Availability [TO]
• Destruction [C]
  • Destroy Physical Entity [SO]
    • Destroy Firmware [TO]
    • Destroy Hardware [TO]
  • Capture System State Data [SO]
    • Capture File System [TO]
    • Capture System Memory [TO]
• Fraud [C]
  • Premium Rate Fraud [SO]
    • Access Premium Service [TO]
  • Compromise Data Availability [SO]
    • Compromise Access to Information Assets [TO]
• Persistence [C]
  • Gather Information for Improvement [SO]
    • Drop/Retrieve Debug Log File [TO]
  • Hide Non-Executing Code [SO]
    • Hide Code in File [TO]
  • Persist to Continuously Execute on System [SO]
    • Persist Independent of Hard Disk/OS Changes [TO]
    • Persist After OS Install/Reinstall [TO]
    • Persist After System Reboot [TO]
  • Persist to Re-infect System [SO]
    • Reinstantiate Self after Initial Detection [TO]
• Machine Access/Control [C]
  • Receive Data from C2 Server [SO]
    • Validate Data [TO]
    • Control Malware via Remote Command [TO]
    • Update Configuration [TO]
  • Install Backdoor [SO]