Malware Capabilities

Jump to bottom

Ivan Kirillov edited this page Feb 19, 2014 · 12 revisions

The following hierarchy and associated pages capture the current MAEC Malware Capabilities, as of the v4.1 release. Our hope is that these pages will serve as a useful reference to our implementation and we plan on augmenting them with additional examples, references, and relationships in the near future. We also welcome any feedback on these pages and MAEC's Malware Capabilities in general.

Key

[C] : Capability
[SO] : Strategic Objective
[TO] : Tactical Objective

Hierarchy

Command and Control [C]
- Determine C2 Server [SO]
  - Generate C2 Domain Name(s) [TO]
- Receive Data from C2 Server [SO]
  - Validate Data [TO]
  - Control Malware via Remote Command [TO]
  - Update Configuration [TO]
- Send Data to C2 Server [SO]
  - Send System Information [TO]
  - Send Heartbeat Data [TO]
  - Check for Payload [TO]
Remote Machine Manipulation [C]
- Access Remote Machine [SO]
  - Compromise Remote Machine [TO]
- Search For Remote Machines [SO]
Privilege Escalation [C]
- Impersonate User [SO]
- Escalate User Privilege [SO]
  - Elevate CPU Mode [TO]
Data Theft [C]
- Steal Stored Information [SO]
  - Steal Serial Numbers [TO]
  - Steal Documents [TO]
  - Steal Database Content [TO]
  - Steal Cryptocurrency Data [TO]
  - Steal Images [TO]
- Steal User Data [SO]
  - Steal Dialed Phone Numbers [TO]
  - Steal Email Data [TO]
  - Steal SMS Database [TO]
  - Steal Browser Cache [TO]
  - Steal Browser History [TO]
  - Steal Referrer URLs [TO]
  - Steal Contact List Data [TO]
- Steal System Information [SO]
  - Steal Make/Model [TO]
  - Steal Network Address [TO]
  - Steal Open Port [TO]
- Steal Authentication Credentials [SO]
  - Steal Web/Network Credential [TO]
  - Steal Password Hash [TO]
  - Steal PKI Key [TO]
  - Steal Cookie [TO]
  - Steal PKI Software Certificate [TO]
Spying [C]
- Capture System Input Peripheral Data [SO]
  - Capture Camera Input [TO]
  - Capture Keyboard Input [TO]
  - Capture Mouse Input [TO]
  - Capture Microphone Input [TO]
  - Capture Touchscreen Input [TO]
- Capture System State Data [SO]
  - Capture File System [TO]
  - Capture System Memory [TO]
- Capture System Interface Data [SO]
  - Capture System Network Traffic [TO]
  - Capture GPS Data [TO]
- Capture System Output Peripheral Data [SO]
  - Capture System Screenshot [TO]
  - Capture Printer Output [TO]
Secondary Operation [C]
- Patch Operating System File(s) [SO]
- Remove Traces of Infection [SO]
  - Remove System Artifacts [TO]
  - Remove Self [TO]
- Lay Dormant [SO]
- Install Other Components [SO]
  - Install Secondary Module [TO]
  - Install Secondary Malware [TO]
  - Install Legitimate Software [TO]
- Suicide Exit [SO]
- Log Activity [SO]
Anti-Detection [C]
- Security Software Evasion [SO]
  - Prevent Native API Hooking [TO]
- Hide Executing Code [SO]
  - Execute Before/External to Kernel/Hypervisor [TO]
  - Hide Processes [TO]
  - Execute Stealthy Code [TO]
  - Hide Userspace Libraries [TO]
  - Execute Non-Main CPU Code [TO]
  - Hide Kernel Modules [TO]
  - Hide Services [TO]
  - Hide Threads [TO]
- Self-Modification [SO]
  - Change/Add Content [TO]
  - Encrypt Self [TO]
- Anti-Memory Forensics [SO]
- Hide Non-Executing Code [SO]
  - Hide Code in File [TO]
- Hide Malware Artifacts [SO]
  - Hide Open Network Ports [TO]
  - Obfuscate Artifact Properties [TO]
  - Hide Network Traffic [TO]
  - Hide File System Artifacts [TO]
  - Hide Registry Artifacts [TO]
Anti-Code Analysis [C]
- Anti-Debugging [SO]
  - Detect Debugging [TO]
  - Prevent Debugging [TO]
- Code Obfuscation [SO]
  - Transform Control Flow [TO]
  - Obfuscate Instructions [TO]
  - Obfuscate Runtime Code [TO]
- Anti-Disassembly [SO]
  - Defeat Linear Disassembler [TO]
  - Defeat Call Graph Generation [TO]
  - Defeat Flow-oriented (Recursive Traversal) Disassembler [TO]
  - Obfuscate Imports [TO]
  - Restructure Arrays [TO]
Infection/Propagation [C]
- Infect File [SO]
  - Write Code Into File [TO]
  - Identify File [TO]
  - Modify File [TO]
- Infect Remote Machine [SO]
  - Perform Autonomous Remote Infection [TO]
  - Inventory Victims [TO]
  - Identify Target Machine(s) [TO]
  - Perform Social-engineering Based Remote Infection [TO]
Anti-Behavioral Analysis [C]
- Anti-VM [SO]
  - Detect VM Environment [TO]
  - Prevent Execution in VM [TO]
- Anti-Sandbox [SO]
  - Overload Sandbox [TO]
  - Prevent Execution in Sandbox [TO]
  - Detect Sandbox Environment [TO]
Integrity Violation [C]
- Compromise System Data Integrity [SO]
  - Corrupt System Data [TO]
- Annoy User [SO]
  - Annoy Remote User [TO]
  - Annoy Local System User [TO]
- Compromise Network Operational Integrity [SO]
  - Intercept/Manipulate Network Traffic [TO]
- Compromise User Data Integrity [SO]
  - Corrupt User Data [TO]
- Compromise System Operational Integrity [SO]
  - Subvert System [TO]
Data Exfiltration [C]
- Perform Data Exfiltration [SO]
  - Exfiltrate via Covert Channel [TO]
  - Exfiltrate via Fax [TO]
  - Exfiltrate via Physical Media [TO]
  - Exfiltrate via Dumpster Dive [TO]
  - Exfiltrate via Network [TO]
  - Exfiltrate via VoIP/Phone [TO]
- Obfuscate Data for Exfiltration [SO]
  - Hide Data [TO]
  - Encrypt Data [TO]
- Stage Data for Exfiltration [SO]
  - Package Data [TO]
  - Move Data to Staging Server [TO]
Probing [C]
- Probe Host Configuration [SO]
  - Check Language [TO]
  - Identify OS [TO]
  - Identify Host IP Address [TO]
  - Inventory System Applications [TO]
- Probe Network Environment [SO]
  - Map Local Network [TO]
  - Check for Firewall [TO]
  - Check for Network Drives [TO]
  - Check for Proxy [TO]
  - Check for Internet Connectivity [TO]
Anti-Removal [C]
- Prevent Malware Artifact Access [SO]
  - Prevent Registry Access [TO]
  - Prevent File Access [TO]
  - Prevent Memory Access [TO]
- Prevent Malware Artifact Deletion [SO]
  - Prevent Registry Deletion [TO]
  - Prevent File Deletion [TO]
  - Prevent API Unhooking [TO]
Security Degradation [C]
- Disable Service Provider Security Features [SO]
  - Remove SMS Warning Messages [TO]
- Degrade Security Programs [SO]
  - Gather Security Product Info [TO]
  - Prevent Access to Security Websites [TO]
  - Modify Security Program Configuration [TO]
  - Prevent Security Program from Running [TO]
  - Stop Execution of Security Program [TO]
- Disable System Updates [SO]
  - Disable System Service Pack/Patch Installation [TO]
  - Disable System Update Services/Daemons [TO]
- Disable OS Security Features [SO]
  - Disable System File Overwrite Protection [TO]
  - Disable OS Security Alerts [TO]
  - Disable Kernel Patching Protection [TO]
  - Disable User Account Control [TO]
- Disable [Host-based or OS] Access Controls [SO]
  - Disable Firewall [TO]
  - Disable Access Right Checking [TO]
  - Disable Privilege Limiting [TO]
Availability Violation [C]
- Consume System Resources [SO]
  - Crack Passwords [TO]
  - Mine for CryptoCurrency [TO]
- Compromise Data Availability [SO]
  - Compromise Access to Information Assets [TO]
- Compromise System Availability [SO]
  - Denial of Service [TO]
  - Compromise Local System Availability [TO]
Destruction [C]
- Destroy Physical Entity [SO]
  - Destroy Firmware [TO]
  - Destroy Hardware [TO]
- Destroy Virtual Entity [SO]
  - Erase Data [TO]
Fraud [C]
- Premium Rate Fraud [SO]
  - Access Premium Service [TO]
- Click Fraud [SO]
Persistence [C]
- Persist to Re-infect System [SO]
  - Reinstantiate Self after Initial Detection [TO]
- Gather Information for Improvement [SO]
  - Drop/Retrieve Debug Log File [TO]
- Ensure Compatibility [SO]
  - Limit Application Type/Version [TO]
- Persist to Continuously Execute on System [SO]
  - Persist Independent of Hard Disk/OS Changes [TO]
  - Persist After OS Install/Reinstall [TO]
  - Persist After System Reboot [TO]
Machine Access/Control [C]
- Control Local Machine [SO]
  - Control Machine via Remote Command [TO]
- Install Backdoor [SO]

Clone this wiki locally