Malware Capabilities

Jump to bottom

Ivan Kirillov edited this page Feb 19, 2014 · 12 revisions

The following hierarchy and associated pages capture the current MAEC Malware Capabilities, as of the v4.1 release. Our hope is that these pages will serve as a useful reference to our implementation and we plan on augmenting them with additional examples, references, and relationships in the near future. We also welcome any feedback on these pages and MAEC's Malware Capabilities in general.

Key

[C] : Capability
[SO] : Strategic Objective
[TO] : Tactical Objective

Hierarchy

Command and Control [C]
- Determine C2 Server [SO]
  - Generate C2 Domain Name(s) [TO]
- Degrade Security Programs [SO]
  - Gather Security Product Info [TO]
  - Prevent Access to Security Websites [TO]
  - Modify Security Program Configuration [TO]
  - Prevent Security Program from Running [TO]
  - Stop Execution of Security Program [TO]
- Send Data to C2 Server [SO]
  - Send System Information [TO]
  - Send Heartbeat Data [TO]
  - Check for Payload [TO]
Remote Machine Manipulation [C]
- Control Local Machine [SO]
  - Control Machine via Remote Command [TO]
- Search For Remote Machines [SO]
Privilege Escalation [C]
- Access Remote Machine [SO]
  - Compromise Remote Machine [TO]
- Escalate User Privilege [SO]
  - Elevate CPU Mode [TO]
Data Theft [C]
- Steal Stored Information [SO]
  - Steal Serial Numbers [TO]
  - Steal Documents [TO]
  - Steal Database Content [TO]
  - Steal Cryptocurrency Data [TO]
  - Steal Images [TO]
- Steal User Data [SO]
  - Steal Dialed Phone Numbers [TO]
  - Steal Email Data [TO]
  - Steal SMS Database [TO]
  - Steal Browser Cache [TO]
  - Steal Browser History [TO]
  - Steal Referrer URLs [TO]
  - Steal Contact List Data [TO]
- Log Activity [SO]
- Steal Authentication Credentials [SO]
  - Steal Web/Network Credential [TO]
  - Steal Password Hash [TO]
  - Steal PKI Key [TO]
  - Steal Cookie [TO]
  - Steal PKI Software Certificate [TO]
Spying [C]
- Capture System Input Peripheral Data [SO]
  - Capture Camera Input [TO]
  - Capture Keyboard Input [TO]
  - Capture Mouse Input [TO]
  - Capture Microphone Input [TO]
  - Capture Touchscreen Input [TO]
- Steal System Information [SO]
  - Steal Make/Model [TO]
  - Steal Network Address [TO]
  - Steal Open Port [TO]
- Capture System Interface Data [SO]
  - Capture System Network Traffic [TO]
  - Capture GPS Data [TO]
- Capture System Output Peripheral Data [SO]
  - Capture System Screenshot [TO]
  - Capture Printer Output [TO]
Secondary Operation [C]
- Patch Operating System File(s) [SO]
- Remove Traces of Infection [SO]
  - Remove System Artifacts [TO]
  - Remove Self [TO]
- Lay Dormant [SO]
- Install Other Components [SO]
  - Install Secondary Module [TO]
  - Install Secondary Malware [TO]
  - Install Legitimate Software [TO]
- Suicide Exit [SO]
- Perform Data Exfiltration [SO]
  - Exfiltrate via Covert Channel [TO]
  - Exfiltrate via Fax [TO]
  - Exfiltrate via Physical Media [TO]
  - Exfiltrate via Dumpster Dive [TO]
  - Exfiltrate via Network [TO]
  - Exfiltrate via VoIP/Phone [TO]
Anti-Detection [C]
- Security Software Evasion [SO]
  - Prevent Native API Hooking [TO]
- Prevent Malware Artifact Access [SO]
  - Prevent Registry Access [TO]
  - Prevent File Access [TO]
  - Prevent Memory Access [TO]
- Hide Executing Code [SO]
  - Execute Before/External to Kernel/Hypervisor [TO]
  - Hide Processes [TO]
  - Execute Stealthy Code [TO]
  - Hide Userspace Libraries [TO]
  - Execute Non-Main CPU Code [TO]
  - Hide Kernel Modules [TO]
  - Hide Services [TO]
  - Hide Threads [TO]
- Self-Modification [SO]
  - Change/Add Content [TO]
  - Encrypt Self [TO]
- Anti-Memory Forensics [SO]
- Hide Malware Artifacts [SO]
  - Hide Open Network Ports [TO]
  - Obfuscate Artifact Properties [TO]
  - Hide Network Traffic [TO]
  - Hide File System Artifacts [TO]
  - Hide Registry Artifacts [TO]
Anti-Code Analysis [C]
- Anti-Debugging [SO]
  - Detect Debugging [TO]
  - Prevent Debugging [TO]
- Anti-Sandbox [SO]
  - Overload Sandbox [TO]
  - Prevent Execution in Sandbox [TO]
  - Detect Sandbox Environment [TO]
- Anti-Disassembly [SO]
  - Defeat Linear Disassembler [TO]
  - Defeat Call Graph Generation [TO]
  - Defeat Flow-oriented (Recursive Traversal) Disassembler [TO]
  - Obfuscate Imports [TO]
  - Restructure Arrays [TO]
Infection/Propagation [C]
- Infect Remote Machine [SO]
  - Perform Autonomous Remote Infection [TO]
  - Inventory Victims [TO]
  - Identify Target Machine(s) [TO]
  - Perform Social-engineering Based Remote Infection [TO]
Anti-Behavioral Analysis [C]
- Infect File [SO]
  - Write Code Into File [TO]
  - Identify File [TO]
  - Modify File [TO]
- Anti-VM [SO]
  - Detect VM Environment [TO]
  - Prevent Execution in VM [TO]
Integrity Violation [C]
- Compromise User Data Integrity [SO]
  - Corrupt User Data [TO]
- Compromise System Data Integrity [SO]
  - Corrupt System Data [TO]
- Compromise Network Operational Integrity [SO]
  - Intercept/Manipulate Network Traffic [TO]
- Destroy Virtual Entity [SO]
  - Erase Data [TO]
- Compromise System Operational Integrity [SO]
  - Subvert System [TO]
Data Exfiltration [C]
- Obfuscate Data for Exfiltration [SO]
  - Hide Data [TO]
  - Encrypt Data [TO]
- Impersonate User [SO]
- Stage Data for Exfiltration [SO]
  - Package Data [TO]
  - Move Data to Staging Server [TO]
Probing [C]
- Probe Host Configuration [SO]
  - Check Language [TO]
  - Identify OS [TO]
  - Identify Host IP Address [TO]
  - Inventory System Applications [TO]
- Click Fraud [SO]
- Probe Network Environment [SO]
  - Map Local Network [TO]
  - Check for Firewall [TO]
  - Check for Network Drives [TO]
  - Check for Proxy [TO]
  - Check for Internet Connectivity [TO]
Anti-Removal [C]
- Code Obfuscation [SO]
  - Transform Control Flow [TO]
  - Obfuscate Instructions [TO]
  - Obfuscate Runtime Code [TO]
- Prevent Malware Artifact Deletion [SO]
  - Prevent Registry Deletion [TO]
  - Prevent File Deletion [TO]
  - Prevent API Unhooking [TO]
Security Degradation [C]
- Disable Service Provider Security Features [SO]
  - Remove SMS Warning Messages [TO]
- Ensure Compatibility [SO]
  - Limit Application Type/Version [TO]
- Disable System Updates [SO]
  - Disable System Service Pack/Patch Installation [TO]
  - Disable System Update Services/Daemons [TO]
- Disable OS Security Features [SO]
  - Disable System File Overwrite Protection [TO]
  - Disable OS Security Alerts [TO]
  - Disable Kernel Patching Protection [TO]
  - Disable User Account Control [TO]
- Disable [Host-based or OS] Access Controls [SO]
  - Disable Firewall [TO]
  - Disable Access Right Checking [TO]
  - Disable Privilege Limiting [TO]
Availability Violation [C]
- Compromise System Availability [SO]
  - Denial of Service [TO]
  - Compromise Local System Availability [TO]
- Consume System Resources [SO]
  - Crack Passwords [TO]
  - Mine for CryptoCurrency [TO]
- Annoy User [SO]
  - Annoy Remote User [TO]
  - Annoy Local System User [TO]
Destruction [C]
- Destroy Physical Entity [SO]
  - Destroy Firmware [TO]
  - Destroy Hardware [TO]
- Capture System State Data [SO]
  - Capture File System [TO]
  - Capture System Memory [TO]
Fraud [C]
- Compromise Data Availability [SO]
  - Compromise Access to Information Assets [TO]
- Premium Rate Fraud [SO]
  - Access Premium Service [TO]
Persistence [C]
- Persist to Re-infect System [SO]
  - Reinstantiate Self after Initial Detection [TO]
- Gather Information for Improvement [SO]
  - Drop/Retrieve Debug Log File [TO]
- Hide Non-Executing Code [SO]
  - Hide Code in File [TO]
- Persist to Continuously Execute on System [SO]
  - Persist Independent of Hard Disk/OS Changes [TO]
  - Persist After OS Install/Reinstall [TO]
  - Persist After System Reboot [TO]
Machine Access/Control [C]
- Receive Data from C2 Server [SO]
  - Validate Data [TO]
  - Control Malware via Remote Command [TO]
  - Update Configuration [TO]
- Install Backdoor [SO]

Clone this wiki locally