From c6d95aeaeb91f32c927fb17deb33e823c4e8ba4e Mon Sep 17 00:00:00 2001
From: makflwana
Date: Thu, 24 May 2018 23:02:50 +1000
Subject: [PATCH 1/7] MAEC 5.0 Malware behavior
---
 maec-malware-behavior/machinetag.json | 614 ++++++++++++++++++++++++++
 1 file changed, 614 insertions(+)
 create mode 100644 maec-malware-behavior/machinetag.json
diff --git a/maec-malware-behavior/machinetag.json b/maec-malware-behavior/machinetag.json
new file mode 100644
index 0000000..6112dff
--- /dev/null
+++ b/maec-malware-behavior/machinetag.json
@@ -0,0 +1,614 @@
+{
+ "namespace": "MAEC Malware Bahaviors",
+ "description": "Malware behaviours based on MAEC 5.0",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "maec-malware-behavior",
+ "expanded": "MAEC Malware behavior"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "maec-malware-behavior",
+ "entry": [
+ {
+ "value": "access-premium-service",
+ "expanded": "access-premium-service"
+ },
+ {
+ "value": "autonomous-remote-infection",
+ "expanded": "autonomous-remote-infection"
+ },
+ {
+ "value": "block-security-websites",
+ "expanded": "block-security-websites"
+ },
+ {
+ "value": "capture-camera-input",
+ "expanded": "capture-camera-input"
+ },
+ {
+ "value": "capture-file-system-data",
+ "expanded": "capture-file-system-data"
+ },
+ {
+ "value": "capture-gps-data",
+ "expanded": "capture-gps-data"
+ },
+ {
+ "value": "capture-keyboard-input",
+ "expanded": "capture-keyboard-input"
+ },
+ {
+ "value": "capture-microphone-input",
+ "expanded": "capture-microphone-input"
+ },
+ {
+ "value": "capture-mouse-input",
+ "expanded": "capture-mouse-input"
+ },
+ {
+ "value": "capture-printer-output",
+ "expanded": "capture-printer-output"
+ },
+ {
+ "value": "capture-system-memory",
+ "expanded": "capture-system-memory"
+ },
+ {
+ "value": "capture-system-network-traffic",
+ "expanded": "capture-system-network-traffic"
+ },
+ {
+ "value": "capture-system-screenshot",
+ "expanded": "capture-system-screenshot"
+ },
+ {
+ "value": "capture-touchscreen-input",
+ "expanded": "capture-touchscreen-input"
+ },
+ {
+ "value": "check-for-payload",
+ "expanded": "check-for-payload"
+ },
+ {
+ "value": "click-fraud",
+ "expanded": "click-fraud"
+ },
+ {
+ "value": "compare-host-fingerprints",
+ "expanded": "compare-host-fingerprints"
+ },
+ {
+ "value": "compromise-remote-machine",
+ "expanded": "compromise-remote-machinen"
+ },
+ {
+ "value": "control-local-machine-via-remote-command",
+ "expanded": "control-local-machine-via-remote-command"
+ },
+ {
+ "value": "control-malware-via-remote-command",
+ "expanded": "control-malware-via-remote-command"
+ },
+ {
+ "value": "crack-passwords",
+ "expanded": "crack-passwords"
+ },
+ {
+ "value": "defeat-call-graph-generation",
+ "expanded": "defeat-call-graph-generation"
+ },
+ {
+ "value": "defeat-emulator",
+ "expanded": "defeat-emulator"
+ },
+ {
+ "value": "defeat-flow-oriented-disassembler",
+ "expanded": "defeat-flow-oriented-disassembler"
+ },
+ {
+ "value": "defeat-linear-disassembler",
+ "expanded": "defeat-linear-disassembler"
+ },
+ {
+ "value": "degrade-security-program",
+ "expanded": "degrade-security-program"
+ },
+ {
+ "value": "denial-of-service",
+ "expanded": "denial-of-service"
+ },
+ {
+ "value": "destroy-hardware",
+ "expanded": "destroy-hardware"
+ },
+ {
+ "value": "detect-debugging",
+ "expanded": "detect-debugging"
+ },
+ {
+ "value": "detect-emulator",
+ "expanded": "detect-emulator"
+ },
+ {
+ "value": "detect-installed-analysis-tools",
+ "expanded": "detect-installed-analysis-tools"
+ },
+ {
+ "value": "detect-installed-av-tools",
+ "expanded": "detect-installed-av-tools"
+ },
+ {
+ "value": "detect-sandbox-environment",
+ "expanded": "detect-sandbox-environment"
+ },
+ {
+ "value": "detect-vm-environment",
+ "expanded": "detect-vm-environment"
+ },
+ {
+ "value": "determine-host-ip-address",
+ "expanded": "determine-host-ip-address"
+ },
+ {
+ "value": "disable-access-rights-checking",
+ "expanded": "disable-access-rights-checking"
+ },
+ {
+ "value": "disable-firewall",
+ "expanded": "disable-firewall"
+ },
+ {
+ "value": "disable-kernel-patch-protection",
+ "expanded": "disable-kernel-patch-protection"
+ },
+ {
+ "value": "disable-os-security-alerts",
+ "expanded": "disable-os-security-alerts"
+ },
+ {
+ "value": "disable-privilege-limiting",
+ "expanded": "disable-privilege-limiting"
+ },
+ {
+ "value": "disable-service-pack-patch-installation",
+ "expanded": "disable-service-pack-patch-installation"
+ },
+ {
+ "value": "disable-system-file-overwrite-protection",
+ "expanded": "disable-system-file-overwrite-protection"
+ },
+ {
+ "value": "disable-update-services-daemons",
+ "expanded": "disable-update-services-daemons"
+ },
+ {
+ "value": "disable-user-account-control",
+ "expanded": "disable-user-account-control"
+ },
+ {
+ "value": "drop-retrieve-debug-log-file",
+ "expanded": "drop-retrieve-debug-log-file"
+ },
+ {
+ "value": "elevate-privilege",
+ "expanded": "elevate-privilege"
+ },
+ {
+ "value": "encrypt-data",
+ "expanded": "encrypt-data"
+ },
+ {
+ "value": "encrypt-files",
+ "expanded": "encrypt-files"
+ },
+ {
+ "value": "encrypt-self",
+ "expanded": "encrypt-self"
+ },
+ {
+ "value": "erase-data",
+ "expanded": "erase-data"
+ },
+ {
+ "value": "evade-static-heuristic",
+ "expanded": "evade-static-heuristic"
+ },
+ {
+ "value": "execute-before-external-to-kernel-hypervisor",
+ "expanded": "execute-before-external-to-kernel-hypervisor"
+ },
+ {
+ "value": "execute-non-main-cpu-code",
+ "expanded": "execute-non-main-cpu-code"
+ },
+ {
+ "value": "execute-stealthy-code",
+ "expanded": "execute-stealthy-code"
+ },
+ {
+ "value": "exfiltrate-data-via-covert channel",
+ "expanded": "exfiltrate-data-via-covert channel"
+ },
+ {
+ "value": "exfiltrate-data-via--dumpster-dive",
+ "expanded": "exfiltrate-data-via-dumpster-dives"
+ },
+ {
+ "value": "exfiltrate-data-via-fax",
+ "expanded": "exfiltrate-data-via-fax"
+ },
+ {
+ "value": "exfiltrate-data-via-network",
+ "expanded": "exfiltrate-data-via-network"
+ },
+ {
+ "value": "exfiltrate-data-via-physical-media",
+ "expanded": "exfiltrate-data-via-physical-media"
+ },
+ {
+ "value": "exfiltrate-data-via-voip-phone",
+ "expanded": "exfiltrate-data-via-voip-phone"
+ },
+ {
+ "value": "feed-misinformation-during-physical-memory-acquisition",
+ "expanded": "feed-misinformation-during-physical-memory-acquisition"
+ },
+ {
+ "value": "file-system-instantiation",
+ "expanded": "file-system-instantiation"
+ },
+ {
+ "value": "fingerprint-host",
+ "expanded": "fingerprint-host"
+ },
+ {
+ "value": "generate-c2-domain-names",
+ "expanded": "generate-c2-domain-names"
+ },
+ {
+ "value": "hide-arbitrary-virtual-memory",
+ "expanded": "hide-arbitrary-virtual-memory"
+ },
+ {
+ "value": "hide-data-in-other-formats",
+ "expanded": "hide-data-in-other-formats"
+ },
+ {
+ "value": "hide-file-system-artifacts",
+ "expanded": "hide-file-system-artifacts"
+ },
+ {
+ "value": "hide-kernel-modules",
+ "expanded": "hide-kernel-modules"
+ },
+ {
+ "value": "hide-network-traffic",
+ "expanded": "hide-network-traffic"
+ },
+ {
+ "value": "hide-open-network-ports",
+ "expanded": "hide-open-network-ports"
+ },
+ {
+ "value": "hide-processes",
+ "expanded": "hide-processes"
+ },
+ {
+ "value": "hide-services",
+ "expanded": "hide-services"
+ },
+ {
+ "value": "hide-threads",
+ "expanded": "hide-threads"
+ },
+ {
+ "value": "hide-userspace-libraries",
+ "expanded": "hide-userspace-libraries"
+ },
+ {
+ "value": "identify-file",
+ "expanded": "identify-file"
+ },
+ {
+ "value": "identify-os",
+ "expanded": "identify-os"
+ },
+ {
+ "value": "identify-target-machines",
+ "expanded": "identify-target-machines"
+ },
+ {
+ "value": "impersonate-user",
+ "expanded": "impersonate-user"
+ },
+ {
+ "value": "install-backdoor",
+ "expanded": "install-backdoor"
+ },
+ {
+ "value": "install-legitimate-software",
+ "expanded": "install-legitimate-software"
+ },
+ {
+ "value": "install-secondary-malware",
+ "expanded": "install-secondary-malware"
+ },
+ {
+ "value": "install-secondary-module",
+ "expanded": "install-secondary-module"
+ },
+ {
+ "value": "intercept-manipulate-network-traffic",
+ "expanded": "intercept-manipulate-network-traffic"
+ },
+ {
+ "value": "inventory-security-products",
+ "expanded": "inventory-security-products"
+ },
+ {
+ "value": "inventory-system-applications",
+ "expanded": "inventory-system-applications"
+ },
+ {
+ "value": "inventory-victims",
+ "expanded": "inventory-victims"
+ },
+ {
+ "value": "limit-application-type-version",
+ "expanded": "limit-application-type-version"
+ },
+ {
+ "value": "log-activity",
+ "expanded": "log-activity"
+ },
+ {
+ "value": "inventory-victims",
+ "expanded": "inventory-victims"
+ },
+ {
+ "value": "manipulate-file-system-data",
+ "expanded": "manipulate-file-system-data"
+ },
+ {
+ "value": "map-local-network",
+ "expanded": "map-local-network"
+ },
+ {
+ "value": "mine-for-cryptocurrency",
+ "expanded": "mine-for-cryptocurrency"
+ },
+ {
+ "value": "modify-file",
+ "expanded": "modify-file"
+ },
+ {
+ "value": "modify-security-software-configuration",
+ "expanded": "modify-security-software-configuration"
+ },
+ {
+ "value": "move-data-to-staging-server",
+ "expanded": "move-data-to-staging-server"
+ },
+ {
+ "value": "obfuscate-artifact-properties",
+ "expanded": "obfuscate-artifact-properties"
+ },
+ {
+ "value": "overload-sandbox",
+ "expanded": "overload-sandbox"
+ },
+ {
+ "value": "package-data",
+ "expanded": "package-data"
+ },
+ {
+ "value": "persist-after-hardware-changes",
+ "expanded": "persist-after-hardware-changes"
+ },
+ {
+ "value": "persist-after-os-changes",
+ "expanded": "persist-after-os-changes"
+ },
+ {
+ "value": "persist-after-system-reboot",
+ "expanded": "persist-after-system-reboot"
+ },
+ {
+ "value": "prevent-api-unhooking",
+ "expanded": "prevent-api-unhooking"
+ },
+ {
+ "value": "prevent-concurrent-execution",
+ "expanded": "prevent-concurrent-execution"
+ },
+ {
+ "value": "prevent-debugging",
+ "expanded": "prevent-debugging"
+ },
+ {
+ "value": "prevent-file-access",
+ "expanded": "prevent-file-access"
+ },
+ {
+ "value": "prevent-file-deletion",
+ "expanded": "prevent-file-deletion"
+ },
+ {
+ "value": "prevent-memory-access",
+ "expanded": "prevent-memory-access"
+ },
+ {
+ "value": "prevent-native-api-hooking",
+ "expanded": "prevent-native-api-hooking"
+ },
+ {
+ "value": "prevent-physical-memory-acquisition",
+ "expanded": "prevent-physical-memory-acquisition"
+ },
+ {
+ "value": "prevent-registry-access",
+ "expanded": "prevent-registry-access"
+ },
+ {
+ "value": "prevent-registry-deletion",
+ "expanded": "prevent-registry-deletion"
+ }
+ {
+ "value": "prevent-security-software-from-executing",
+ "expanded": "prevent-security-software-from-executing"
+ },
+ {
+ "value": "re-instantiate-self",
+ "expanded": "re-instantiate-self"
+ },
+ {
+ "value": "remove-self",
+ "expanded": "remove-self"
+ },
+ {
+ "value": "remove-sms-warning-messages",
+ "expanded": "remove-sms-warning-messages"
+ },
+ {
+ "value": "remove-system-artifacts",
+ "expanded": "remove-system-artifacts"
+ },
+ {
+ "value": "request-email-address-list",
+ "expanded": "request-email-address-list"
+ },
+ {
+ "value": "request-email-template",
+ "expanded": "request-email-template"
+ },
+ {
+ "value": "search-for-remote-machines",
+ "expanded": "search-for-remote-machines"
+ },
+ {
+ "value": "send-beacon",
+ "expanded": "send-beacon"
+ },
+ {
+ "value": "send-email-message",
+ "expanded": "send-email-message"
+ },
+ {
+ "value": "social-engineering-based-remote-infection",
+ "expanded": "social-engineering-based-remote-infection"
+ },
+ {
+ "value": "steal-browser-cache",
+ "expanded": "steal-browser-cache"
+ },
+ {
+ "value": "steal-browser-cookies",
+ "expanded": "steal-browser-cookies"
+ },
+ {
+ "value": "steal-browser-history",
+ "expanded": "steal-browser-history"
+ },
+ {
+ "value": "steal-contact-list-data",
+ "expanded": "steal-contact-list-data"
+ },
+ {
+ "value": "steal-cryptocurrency-data",
+ "expanded": "steal-cryptocurrency-data"
+ },
+ {
+ "value": "steal-database-content",
+ "expanded": "steal-database-content"
+ },
+ {
+ "value": "steal-dialed-phone-numbers",
+ "expanded": "steal-dialed-phone-numbers"
+ },
+ {
+ "value": "steal-digital-certificates",
+ "expanded": "steal-digital-certificates"
+ },
+ {
+ "value": "steal-documents",
+ "expanded": "steal-documents"
+ },
+ {
+ "value": "steal-email-data",
+ "expanded": "steal-email-data"
+ },
+ {
+ "value": "steal-images",
+ "expanded": "steal-images"
+ },
+ {
+ "value": "steal-password-hashes",
+ "expanded": "steal-password-hashes"
+ },
+ {
+ "value": "steal-pki-key",
+ "expanded": "steal-pki-key"
+ },
+ {
+ "value": "steal-referrer-urls",
+ "expanded": "steal-referrer-urls"
+ },
+ {
+ "value": "steal-serial-numbers",
+ "expanded": "steal-serial-numbers"
+ },
+ {
+ "value": "steal-sms-database",
+ "expanded": "steal-sms-database"
+ },
+ {
+ "value": "steal-web-network-credential",
+ "expanded": "steal-web-network-credential"
+ },
+ {
+ "value": "stop-execution-of-security-software",
+ "expanded": "stop-execution-of-security-software"
+ },
+ {
+ "value": "suicide-exit",
+ "expanded": "suicide-exit"
+ },
+ {
+ "value": "test-for-firewall",
+ "expanded": "test-for-firewall"
+ },
+ {
+ "value": "test-for-internet-connectivity",
+ "expanded": "test-for-internet-connectivity"
+ },
+ {
+ "value": "test-for-network-drives",
+ "expanded": "test-for-network-drives"
+ },
+ {
+ "value": "test-for-proxy",
+ "expanded": "test-for-proxy"
+ },
+ {
+ "value": "test-smtp-connection",
+ "expanded": "test-smtp-connection"
+ },
+ {
+ "value": "update-configuration",
+ "expanded": "update-configuration"
+ },
+ {
+ "value": "validate-data",
+ "expanded": "validate-data"
+ },
+ {
+ "value": "write-code-into-file",
+ "expanded": "write-code-into-file"
+ }
+ ],
+ }
+ ]
+}
From ca6ef0b4cafab7c6b82bceb3a87fe01b5a34a987 Mon Sep 17 00:00:00 2001
From: makflwana
Date: Thu, 24 May 2018 23:05:54 +1000
Subject: [PATCH 2/7] MAEC 5.0 Malware capabilties
---
 maec-malware-capabilties/machinetag.json | 298 +++++++++++++++++++++++
 1 file changed, 298 insertions(+)
 create mode 100644 maec-malware-capabilties/machinetag.json
diff --git a/maec-malware-capabilties/machinetag.json b/maec-malware-capabilties/machinetag.json
new file mode 100644
index 0000000..a1b4cd1
--- /dev/null
+++ b/maec-malware-capabilties/machinetag.json
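Review bot: The new machinetag.json is not valid JSON: the `prevent-registry-deletion` entry closes with `+ }` followed directly by `+ {` with no separating comma, and the `entry` array closes with `+ ],` leaving a trailing comma before the enclosing `}`, so any strict parser will reject the whole taxonomy. Change the former to `},` and the latter to `]`. Separately, several labels carry typos or duplicates that become permanent tag identifiers once the namespace is published: the namespace `MAEC Malware Bahaviors`, the expanded `compromise-remote-machinen`, the value `exfiltrate-data-via--dumpster-dive` (double hyphen, expanded `exfiltrate-data-via-dumpster-dives`), `exfiltrate-data-via-covert channel` with an embedded space, and `inventory-victims` listed twice. Every `expanded` merely repeats the machine value; a human-readable label such as `Capture keyboard input` is what that field exists for.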
@@ -0,0 +1,298 @@
+{
+ "namespace": "MAEC Malware Capabilities",
+ "description": "Malware Capabilities based on MAEC 5.0",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "maec-malware-capability",
+ "expanded": "MAEC Malware capability"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "maec-malware-capability",
+ "entry": [
+ {
+ "value": "anti-behavioral-analysis",
+ "expanded": "anti-behavioral-analysis"
+ },
+ {
+ "value": "anti-code-analysis",
+ "expanded": "anti-code-analysis"
+ },
+ {
+ "value": "anti-detection",
+ "expanded": "anti-detection"
+ },
+ {
+ "value": "anti-removal",
+ "expanded": "anti-removal"
+ },
+ {
+ "value": "availability-violation",
+ "expanded": "availability-violation"
+ },
+ {
+ "value": "collection",
+ "expanded": "collection"
+ },
+ {
+ "value": "command-and-control",
+ "expanded": "command-and-control"
+ },
+ {
+ "value": "data-theft",
+ "expanded": "data-theft"
+ },
+ {
+ "value": "destruction",
+ "expanded": "destruction"
+ },
+ {
+ "value": "discovery",
+ "expanded": "discovery"
+ },
+ {
+ "value": "exfiltration",
+ "expanded": "exfiltration"
+ },
+ {
+ "value": "fraud",
+ "expanded": "fraud"
+ },
+ {
+ "value": "infection-propagation",
+ "expanded": "infection-propagation"
+ },
+ {
+ "value": "integrity-violation",
+ "expanded": "integrity-violationk"
+ },
+ {
+ "value": "machine-access-control",
+ "expanded": "machine-access-control"
+ },
+ {
+ "value": "persistence",
+ "expanded": "persistence"
+ },
+ {
+ "value": "privilege-escalation",
+ "expanded": "privilege-escalation"
+ },
+ {
+ "value": "secondary-operation",
+ "expanded": "secondary-operation"
+ },
+ {
+ "value": "security-degradation",
+ "expanded": "security-degradation"
+ },
+ {
+ "value": "access-control-degradation",
+ "expanded": "access-control-degradation"
+ },
+ {
+ "value": "security-degradation",
+ "expanded": "security-degradation"
+ },
+ {
+ "value": "anti-debugging",
+ "expanded": "anti-debugging"
+ },
+ {
+ "value": "anti-disassembly",
+ "expanded": "anti-disassembly"
+ },
+ {
+ "value": "anti-emulation",
+ "expanded": "anti-emulation"
+ },
+ {
+ "value": "anti-memory-forensics",
+ "expanded": "anti-memory-forensics"
+ },
+ {
+ "value": "anti-sandbox",
+ "expanded": "anti-sandbox"
+ },
+ {
+ "value": "anti-virus-evasion",
+ "expanded": "anti-virus-evasion"
+ },
+ {
+ "value": "anti-vm",
+ "expanded": "anti-vm"
+ },
+ {
+ "value": "authentication-credentials-theft",
+ "expanded": "authentication-credentials-theft"
+ },
+ {
+ "value": "clean-traces-of-infection",
+ "expanded": "clean-traces-of-infection"
+ },
+ {
+ "value": "communicate-with-c2-server",
+ "expanded": "communicate-with-c2-servern"
+ },
+ {
+ "value": "compromise-data-availability",
+ "expanded": "compromise-data-availability"
+ },
+ {
+ "value": "compromise-system-availability",
+ "expanded": "compromise-system-availability"
+ },
+ {
+ "value": "consume-system-resources",
+ "expanded": "consume-system-resources"
+ },
+ {
+ "value": "continuous-execution",
+ "expanded": "continuous-execution"
+ },
+ {
+ "value": "data-integrity-violation",
+ "expanded": "data-integrity-violation"
+ },
+ {
+ "value": "data-obfuscation",
+ "expanded": "data-obfuscation"
+ },
+ {
+ "value": "data-staging",
+ "expanded": "data-staging"
+ },
+ {
+ "value": "determine-c2-server",
+ "expanded": "determine-c2-server"
+ },
+ {
+ "value": "email-spam",
+ "expanded": "email-spam"
+ },
+ {
+ "value": "ensure-compatibility",
+ "expanded": "ensure-compatibility"
+ },
+ {
+ "value": "environment-awareness",
+ "expanded": "environment-awareness"
+ },
+ {
+ "value": "file-infection",
+ "expanded": "file-infection"
+ },
+ {
+ "value": "hide-artifacts",
+ "expanded": "hide-artifacts"
+ },
+ {
+ "value": "hide-executing-code",
+ "expanded": "hide-executing-code"
+ },
+ {
+ "value": "hide-non-executing-code",
+ "expanded": "hide-non-executing-code"
+ },
+ {
+ "value": "host-configuration-probing",
+ "expanded": "host-configuration-probing"
+ },
+ {
+ "value": "information-gathering-for-improvement",
+ "expanded": "information-gathering-for-improvement"
+ },
+ {
+ "value": "input-peripheral-capture",
+ "expanded": "input-peripheral-capture"
+ },
+ {
+ "value": "install-other-components",
+ "expanded": "install-other-components"
+ },
+ {
+ "value": "local-machine-control",
+ "expanded": "local-machine-control"
+ },
+ {
+ "value": "network-environment-probing",
+ "expanded": "network-environment-probing"
+ },
+ {
+ "value": "os-security-feature-degradation",
+ "expanded": "os-security-feature-degradation"
+ },
+ {
+ "value": "output-peripheral-capture",
+ "expanded": "output-peripheral-capture"
+ },
+ {
+ "value": "physical-entity-destruction",
+ "expanded": "physical-entity-destruction"
+ },
+ {
+ "value": "prevent-artifact-access",
+ "expanded": "prevent-artifact-access"
+ },
+ {
+ "value": "prevent-artifact-deletion",
+ "expanded": "prevent-artifact-deletion"
+ },
+ {
+ "value": "remote-machine-access",
+ "expanded": "remote-machine-access"
+ },
+ {
+ "value": "security-software-degradation",
+ "expanded": "security-software-degradation"
+ },
+ {
+ "value": "security-software-evasion",
+ "expanded": "security-software-evasion"
+ },
+ {
+ "value": "self-modification",
+ "expanded": "self-modification"
+ },
+ {
+ "value": "service-provider-security-feature-degradation",
+ "expanded": "service-provider-security-feature-degradation"
+ },
+ {
+ "value": "stored-information-theft",
+ "expanded": "stored-information-theft"
+ },
+ {
+ "value": "system-interface-data-capture",
+ "expanded": "system-interface-data-capture"
+ },
+ {
+ "value": "system-operational-integrity-violation",
+ "expanded": "system-operational-integrity-violation"
+ },
+ {
+ "value": "system-re-infection",
+ "expanded": "system-re-infection"
+ },
+ {
+ "value": "system-state-data-capture",
+ "expanded": "system-state-data-capture"
+ },
+ {
+ "value": "system-update-degradation",
+ "expanded": "system-update-degradation"
+ },
+ {
+ "value": "user-data-theft",
+ "expanded": "user-data-theft"
+ },
+ {
+ "value": "virtual-entity-destruction",
+ "expanded": "virtual-entity-destruction"
+ }
+ ],
+ }
+ ]
+}
From 9397a9e8258555a8ff6ad07b28abdfe64acacbd9 Mon Sep 17 00:00:00 2001
From: makflwana
Date: Thu, 24 May 2018 23:09:13 +1000
Subject: [PATCH 3/7] MAEC 5.0 Malware Delivery Vectors
---
 maec-delivery-vectors/machinetag.json | 86 +++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 maec-delivery-vectors/machinetag.json
diff --git a/maec-delivery-vectors/machinetag.json b/maec-delivery-vectors/machinetag.json
new file mode 100644
index 0000000..b026458
--- /dev/null
+++ b/maec-delivery-vectors/machinetag.json
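Review bot: This file carries the same trailing-comma defect — the `entry` array closes with `+ ],` directly before `}` — so it fails strict JSON parsing; two labels are mistyped, `integrity-violationk` and `communicate-with-c2-servern`; and `security-degradation` appears twice, once among the leading capabilities and again right after `access-control-degradation`. PATCH 6/7 deletes this misspelled `maec-malware-capabilties/` path, but PATCH 5/7 re-adds byte-identical content (same blob `a1b4cd1`) under `maec-malware-capabilities/`, so the corrections need to land in that later hunk rather than here. The list also appears to concatenate the top-level capabilities with the finer-grained ones (the alphabetical order restarts after `access-control-degradation`) without marking which is which; a sentence in `description` saying that both levels are mixed into one `entry` list would spare users a guess.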
@@ -0,0 +1,86 @@
+{
+ "namespace": "MAEC Delivery Vectors",
+ "description": "Vectors used to deliver malware based on MAEC 5.0",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "maec-delivery-vector",
+ "expanded": "MAEC Delivery Vector"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "maec-delivery-vector",
+ "entry": [
+ {
+ "value": "active-attacker",
+ "expanded": "active Attacker"
+ },
+ {
+ "value": "auto-executing-media",
+ "expanded": "auto-executing-media"
+ },
+ {
+ "value": "downloader",
+ "expanded": "downloader"
+ },
+ {
+ "value": "dropper",
+ "expanded": "dropper"
+ },
+ {
+ "value": "email-attachment",
+ "expanded": "email-attachment"
+ },
+ {
+ "value": "exploit-kit-landing-page",
+ "expanded": "exploit-kit-landing-page"
+ },
+ {
+ "value": "fake-website",
+ "expanded": "fake-website"
+ },
+ {
+ "value": "janitor-attack",
+ "expanded": "janitor-attack"
+ },
+ {
+ "value": "malicious-iframes",
+ "expanded": "malicious-iframes"
+ },
+ {
+ "value": "malvertising",
+ "expanded": "malvertising"
+ },
+ {
+ "value": "media-baiting",
+ "expanded": "media-baiting"
+ },
+ {
+ "value": "pharming",
+ "expanded": "pharming"
+ },
+ {
+ "value": "phishing",
+ "expanded": "phishing"
+ },
+ {
+ "value": "trojanized-link",
+ "expanded": "trojanized-link"
+ },
+ {
+ "value": "trojanized-software",
+ "expanded": "trojanized-software"
+ },
+ {
+ "value": "usb-cable-syncing",
+ "expanded": "usb-cable-syncing"
+ },
+ {
+ "value": "watering-hole",
+ "expanded": "watering-hole"
+ }
+ ],
+ }
+ ]
+}
From 755cfb4169670d306773b6ec69797cb79a41683c Mon Sep 17 00:00:00 2001
From: makflwana
Date: Thu, 24 May 2018 23:10:32 +1000
Subject: [PATCH 4/7] MAEC 5.0 Malware obfuscation methods
---
 .../machinetag.json | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 maec-malware-obfuscation-methods/machinetag.json
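Review bot: The `entry` array closes with `+ ],` immediately before `}`, a trailing comma that strict JSON parsers reject; it should be `]`. The first entry's expanded form `active Attacker` is the only label in these taxonomies that departs from its machine value, and the mixed capitalization looks accidental — either `Active attacker` as a proper human-readable label, or `active-attacker` for consistency with the rest of the file.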
diff --git a/maec-malware-obfuscation-methods/machinetag.json b/maec-malware-obfuscation-methods/machinetag.json
new file mode 100644
index 0000000..8d7d1dd
--- /dev/null
+++ b/maec-malware-obfuscation-methods/machinetag.json
@@ -0,0 +1,66 @@
+{
+ "namespace": "MAEC Obfuscation methods",
+ "description": "Obfuscation methods used by malware based on MAEC 5.0",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "maec-obfuscation-methods",
+ "expanded": "MAEC Obfuscation methods"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "maec-obfuscation-methods",
+ "entry": [
+ {
+ "value": "packing",
+ "expanded": "packing"
+ },
+ {
+ "value": "code-encryption",
+ "expanded": "code-encryption"
+ },
+ {
+ "value": "dead-code-insertion",
+ "expanded": "dead-code-insertion"
+ },
+ {
+ "value": "entry-point-obfuscation",
+ "expanded": "entry-point-obfuscation"
+ },
+ {
+ "value": "import-address-table-obfuscation",
+ "expanded": "import-address-table-obfuscation"
+ },
+ {
+ "value": "interleaving-code",
+ "expanded": "interleaving-code"
+ },
+ {
+ "value": "symbolic-obfuscation",
+ "expanded": "symbolic-obfuscation"
+ },
+ {
+ "value": "string-obfuscation",
+ "expanded": "string-obfuscation"
+ },
+ {
+ "value": "subroutine-reordering",
+ "expanded": "subroutine-reordering"
+ },
+ {
+ "value": "code-transposition",
+ "expanded": "code-transposition"
+ },
+ {
+ "value": "instruction-substitution",
+ "expanded": "instruction-substitution"
+ },
+ {
+ "value": "register-reassignment",
+ "expanded": "register-reassignment"
+ }
+ ],
+ }
+ ]
+}
From 8ec5e5995c1cd516e3817ae655073b49c2a9a5d6 Mon Sep 17 00:00:00 2001
From: makflwana
Date: Fri, 25 May 2018 09:38:17 +1000
Subject: [PATCH 5/7] Updated MAEC 5.0 malware capabilties
---
 maec-malware-capabilities/machinetag.json | 298 ++++++++++++++++++++++
 1 file changed, 298 insertions(+)
 create mode 100644 maec-malware-capabilities/machinetag.json
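Review bot: Same trailing comma here: `+ ],` before `}` closes the `entry` array, so the file is not strict JSON and should end the array with `]`. The predicate `maec-obfuscation-methods` is plural while the sibling taxonomies in this series use singular predicates (`maec-malware-behavior`, `maec-malware-capability`, `maec-delivery-vector`); since a tag reads as `maec-obfuscation-methods:packing`, the singular `maec-obfuscation-method` would be consistent, and this is worth settling before the namespace is published because renaming later breaks existing tags. The entries are also unordered, unlike the behavior and delivery-vector lists, which are alphabetical; sorting them makes future additions easier to review for duplicates.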
diff --git a/maec-malware-capabilities/machinetag.json b/maec-malware-capabilities/machinetag.json
new file mode 100644
index 0000000..a1b4cd1
--- /dev/null
+++ b/maec-malware-capabilities/machinetag.json
@@ -0,0 +1,298 @@
+{
+ "namespace": "MAEC Malware Capabilities",
+ "description": "Malware Capabilities based on MAEC 5.0",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "maec-malware-capability",
+ "expanded": "MAEC Malware capability"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "maec-malware-capability",
+ "entry": [
+ {
+ "value": "anti-behavioral-analysis",
+ "expanded": "anti-behavioral-analysis"
+ },
+ {
+ "value": "anti-code-analysis",
+ "expanded": "anti-code-analysis"
+ },
+ {
+ "value": "anti-detection",
+ "expanded": "anti-detection"
+ },
+ {
+ "value": "anti-removal",
+ "expanded": "anti-removal"
+ },
+ {
+ "value": "availability-violation",
+ "expanded": "availability-violation"
+ },
+ {
+ "value": "collection",
+ "expanded": "collection"
+ },
+ {
+ "value": "command-and-control",
+ "expanded": "command-and-control"
+ },
+ {
+ "value": "data-theft",
+ "expanded": "data-theft"
+ },
+ {
+ "value": "destruction",
+ "expanded": "destruction"
+ },
+ {
+ "value": "discovery",
+ "expanded": "discovery"
+ },
+ {
+ "value": "exfiltration",
+ "expanded": "exfiltration"
+ },
+ {
+ "value": "fraud",
+ "expanded": "fraud"
+ },
+ {
+ "value": "infection-propagation",
+ "expanded": "infection-propagation"
+ },
+ {
+ "value": "integrity-violation",
+ "expanded": "integrity-violationk"
+ },
+ {
+ "value": "machine-access-control",
+ "expanded": "machine-access-control"
+ },
+ {
+ "value": "persistence",
+ "expanded": "persistence"
+ },
+ {
+ "value": "privilege-escalation",
+ "expanded": "privilege-escalation"
+ },
+ {
+ "value": "secondary-operation",
+ "expanded": "secondary-operation"
+ },
+ {
+ "value": "security-degradation",
+ "expanded": "security-degradation"
+ },
+ {
+ "value": "access-control-degradation",
+ "expanded": "access-control-degradation"
+ },
+ {
+ "value": "security-degradation",
+ "expanded": "security-degradation"
+ },
+ {
+ "value": "anti-debugging",
+ "expanded": "anti-debugging"
+ },
+ {
+ "value": "anti-disassembly",
+ "expanded": "anti-disassembly"
+ },
+ {
+ "value": "anti-emulation",
+ "expanded": "anti-emulation"
+ },
+ {
+ "value": "anti-memory-forensics",
+ "expanded": "anti-memory-forensics"
+ },
+ {
+ "value": "anti-sandbox",
+ "expanded": "anti-sandbox"
+ },
+ {
+ "value": "anti-virus-evasion",
+ "expanded": "anti-virus-evasion"
+ },
+ {
+ "value": "anti-vm",
+ "expanded": "anti-vm"
+ },
+ {
+ "value": "authentication-credentials-theft",
+ "expanded": "authentication-credentials-theft"
+ },
+ {
+ "value": "clean-traces-of-infection",
+ "expanded": "clean-traces-of-infection"
+ },
+ {
+ "value": "communicate-with-c2-server",
+ "expanded": "communicate-with-c2-servern"
+ },
+ {
+ "value": "compromise-data-availability",
+ "expanded": "compromise-data-availability"
+ },
+ {
+ "value": "compromise-system-availability",
+ "expanded": "compromise-system-availability"
+ },
+ {
+ "value": "consume-system-resources",
+ "expanded": "consume-system-resources"
+ },
+ {
+ "value": "continuous-execution",
+ "expanded": "continuous-execution"
+ },
+ {
+ "value": "data-integrity-violation",
+ "expanded": "data-integrity-violation"
+ },
+ {
+ "value": "data-obfuscation",
+ "expanded": "data-obfuscation"
+ },
+ {
+ "value": "data-staging",
+ "expanded": "data-staging"
+ },
+ {
+ "value": "determine-c2-server",
+ "expanded": "determine-c2-server"
+ },
+ {
+ "value": "email-spam",
+ "expanded": "email-spam"
+ },
+ {
+ "value": "ensure-compatibility",
+ "expanded": "ensure-compatibility"
+ },
+ {
+ "value": "environment-awareness",
+ "expanded": "environment-awareness"
+ },
+ {
+ "value": "file-infection",
+ "expanded": "file-infection"
+ },
+ {
+ "value": "hide-artifacts",
+ "expanded": "hide-artifacts"
+ },
+ {
+ "value": "hide-executing-code",
+ "expanded": "hide-executing-code"
+ },
+ {
+ "value": "hide-non-executing-code",
+ "expanded": "hide-non-executing-code"
+ },
+ {
+ "value": "host-configuration-probing",
+ "expanded": "host-configuration-probing"
+ },
+ {
+ "value": "information-gathering-for-improvement",
+ "expanded": "information-gathering-for-improvement"
+ },
+ {
+ "value": "input-peripheral-capture",
+ "expanded": "input-peripheral-capture"
+ },
+ {
+ "value": "install-other-components",
+ "expanded": "install-other-components"
+ },
+ {
+ "value": "local-machine-control",
+ "expanded": "local-machine-control"
+ },
+ {
+ "value": "network-environment-probing",
+ "expanded": "network-environment-probing"
+ },
+ {
+ "value": "os-security-feature-degradation",
+ "expanded": "os-security-feature-degradation"
+ },
+ {
+ "value": "output-peripheral-capture",
+ "expanded": "output-peripheral-capture"
+ },
+ {
+ "value": "physical-entity-destruction",
+ "expanded": "physical-entity-destruction"
+ },
+ {
+ "value": "prevent-artifact-access",
+ "expanded": "prevent-artifact-access"
+ },
+ {
+ "value": "prevent-artifact-deletion",
+ "expanded": "prevent-artifact-deletion"
+ },
+ {
+ "value": "remote-machine-access",
+ "expanded": "remote-machine-access"
+ },
+ {
+ "value": "security-software-degradation",
+ "expanded": "security-software-degradation"
+ },
+ {
+ "value": "security-software-evasion",
+ "expanded": "security-software-evasion"
+ },
+ {
+ "value": "self-modification",
+ "expanded": "self-modification"
+ },
+ {
+ "value": "service-provider-security-feature-degradation",
+ "expanded": "service-provider-security-feature-degradation"
+ },
+ {
+ "value": "stored-information-theft",
+ "expanded": "stored-information-theft"
+ },
+ {
+ "value": "system-interface-data-capture",
+ "expanded": "system-interface-data-capture"
+ },
+ {
+ "value": "system-operational-integrity-violation",
+ "expanded": "system-operational-integrity-violation"
+ },
+ {
+ "value": "system-re-infection",
+ "expanded": "system-re-infection"
+ },
+ {
+ "value": "system-state-data-capture",
+ "expanded": "system-state-data-capture"
+ },
+ {
+ "value": "system-update-degradation",
+ "expanded": "system-update-degradation"
+ },
+ {
+ "value": "user-data-theft",
+ "expanded": "user-data-theft"
+ },
+ {
+ "value": "virtual-entity-destruction",
+ "expanded": "virtual-entity-destruction"
+ }
+ ],
+ }
+ ]
+}
From 0f90c63b3aa3f8a9defa72c8e892fee59f754852 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 25 May 2018 10:47:19 +0200
Subject: [PATCH 6/7] fix: remove the incorrect namespace
---
 maec-malware-capabilties/machinetag.json | 298 -----------------------
 1 file changed, 298 deletions(-)
 delete mode 100644 maec-malware-capabilties/machinetag.json
diff --git a/maec-malware-capabilties/machinetag.json b/maec-malware-capabilties/machinetag.json
deleted file mode 100644
index a1b4cd1..0000000
--- a/maec-malware-capabilties/machinetag.json
+++ /dev/null
@@ -1,298 +0,0 @@
-{
- "namespace": "MAEC Malware Capabilities",
- "description": "Malware Capabilities based on MAEC 5.0",
- "version": 1,
- "predicates": [
- {
- "value": "maec-malware-capability",
- "expanded": "MAEC Malware capability"
- }
- ],
- "values": [
- {
- "predicate": "maec-malware-capability",
- "entry": [
- {
- "value": "anti-behavioral-analysis",
- "expanded": "anti-behavioral-analysis"
- },
- {
- "value": "anti-code-analysis",
- "expanded": "anti-code-analysis"
- },
- {
- "value": "anti-detection",
- "expanded": "anti-detection"
- },
- {
- "value": "anti-removal",
- "expanded": "anti-removal"
- },
- {
- "value": "availability-violation",
- "expanded": "availability-violation"
- },
- {
- "value": "collection",
- "expanded": "collection"
- },
- {
- "value": "command-and-control",
- "expanded": "command-and-control"
- },
- {
- "value": "data-theft",
- "expanded": "data-theft"
- },
- {
- "value": "destruction",
- "expanded": "destruction"
- },
- {
- "value": "discovery",
- "expanded": "discovery"
- },
- {
- "value": "exfiltration",
- "expanded": "exfiltration"
- },
- {
- "value": "fraud",
- "expanded": "fraud"
- },
- {
- "value": "infection-propagation",
- "expanded": "infection-propagation"
- },
- {
- "value": "integrity-violation",
- "expanded": "integrity-violationk"
- },
- {
- "value": "machine-access-control",
- "expanded": "machine-access-control"
- },
- {
- "value": "persistence",
- "expanded": "persistence"
- },
- {
- "value": "privilege-escalation",
- "expanded": "privilege-escalation"
- },
- {
- "value": "secondary-operation",
- "expanded": "secondary-operation"
- },
- {
- "value": "security-degradation",
- "expanded": "security-degradation"
- },
- {
- "value": "access-control-degradation",
- "expanded": "access-control-degradation"
- },
- {
- "value": "security-degradation",
- "expanded": "security-degradation"
- },
- {
- "value": "anti-debugging",
- "expanded": "anti-debugging"
- },
- {
- "value": "anti-disassembly",
- "expanded": 
"anti-disassembly"
- },
- {
- "value": "anti-emulation",
- "expanded": "anti-emulation"
- },
- {
- "value": "anti-memory-forensics",
- "expanded": "anti-memory-forensics"
- },
- {
- "value": "anti-sandbox",
- "expanded": "anti-sandbox"
- },
- {
- "value": "anti-virus-evasion",
- "expanded": "anti-virus-evasion"
- },
- {
- "value": "anti-vm",
- "expanded": "anti-vm"
- },
- {
- "value": "authentication-credentials-theft",
- "expanded": "authentication-credentials-theft"
- },
- {
- "value": "clean-traces-of-infection",
- "expanded": "clean-traces-of-infection"
- },
- {
- "value": "communicate-with-c2-server",
- "expanded": "communicate-with-c2-servern"
- },
- {
- "value": "compromise-data-availability",
- "expanded": "compromise-data-availability"
- },
- {
- "value": "compromise-system-availability",
- "expanded": "compromise-system-availability"
- },
- {
- "value": "consume-system-resources",
- "expanded": "consume-system-resources"
- },
- {
- "value": "continuous-execution",
- "expanded": "continuous-execution"
- },
- {
- "value": "data-integrity-violation",
- "expanded": "data-integrity-violation"
- },
- {
- "value": "data-obfuscation",
- "expanded": "data-obfuscation"
- },
- {
- "value": "data-staging",
- "expanded": "data-staging"
- },
- {
- "value": "determine-c2-server",
- "expanded": "determine-c2-server"
- },
- {
- "value": "email-spam",
- "expanded": "email-spam"
- },
- {
- "value": "ensure-compatibility",
- "expanded": "ensure-compatibility"
- },
- {
- "value": "environment-awareness",
- "expanded": "environment-awareness"
- },
- {
- "value": "file-infection",
- "expanded": "file-infection"
- },
- {
- "value": "hide-artifacts",
- "expanded": "hide-artifacts"
- },
- {
- "value": "hide-executing-code",
- "expanded": "hide-executing-code"
- },
- {
- "value": "hide-non-executing-code",
- "expanded": "hide-non-executing-code"
- },
- {
- "value": "host-configuration-probing",
- "expanded": "host-configuration-probing"
- },
- {
- "value": 
"information-gathering-for-improvement",
- "expanded": "information-gathering-for-improvement"
- },
- {
- "value": "input-peripheral-capture",
- "expanded": "input-peripheral-capture"
- },
- {
- "value": "install-other-components",
- "expanded": "install-other-components"
- },
- {
- "value": "local-machine-control",
- "expanded": "local-machine-control"
- },
- {
- "value": "network-environment-probing",
- "expanded": "network-environment-probing"
- },
- {
- "value": "os-security-feature-degradation",
- "expanded": "os-security-feature-degradation"
- },
- {
- "value": "output-peripheral-capture",
- "expanded": "output-peripheral-capture"
- },
- {
- "value": "physical-entity-destruction",
- "expanded": "physical-entity-destruction"
- },
- {
- "value": "prevent-artifact-access",
- "expanded": "prevent-artifact-access"
- },
- {
- "value": "prevent-artifact-deletion",
- "expanded": "prevent-artifact-deletion"
- },
- {
- "value": "remote-machine-access",
- "expanded": "remote-machine-access"
- },
- {
- "value": "security-software-degradation",
- "expanded": "security-software-degradation"
- },
- {
- "value": "security-software-evasion",
- "expanded": "security-software-evasion"
- },
- {
- "value": "self-modification",
- "expanded": "self-modification"
- },
- {
- "value": "service-provider-security-feature-degradation",
- "expanded": "service-provider-security-feature-degradation"
- },
- {
- "value": "stored-information-theft",
- "expanded": "stored-information-theft"
- },
- {
- "value": "system-interface-data-capture",
- "expanded": "system-interface-data-capture"
- },
- {
- "value": "system-operational-integrity-violation",
- "expanded": "system-operational-integrity-violation"
- },
- {
- "value": "system-re-infection",
- "expanded": "system-re-infection"
- },
- {
- "value": "system-state-data-capture",
- "expanded": "system-state-data-capture"
- },
- {
- "value": "system-update-degradation",
- "expanded": "system-update-degradation"
- },
- {
- "value": 
"user-data-theft",
- "expanded": "user-data-theft"
- },
- {
- "value": "virtual-entity-destruction",
- "expanded": "virtual-entity-destruction"
- }
- ],
- }
- ]
-}
From 1f11339abe33f1cf4605f5901b959dfb6272ac41 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 25 May 2018 10:48:02 +0200
Subject: [PATCH 7/7] fix: Ensure javascript is valid
---
 maec-delivery-vectors/machinetag.json | 2 +-
 maec-malware-behavior/machinetag.json | 4 ++--
 maec-malware-capabilities/machinetag.json | 2 +-
 maec-malware-obfuscation-methods/machinetag.json | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/maec-delivery-vectors/machinetag.json b/maec-delivery-vectors/machinetag.json
index b026458..937ca61 100644
--- a/maec-delivery-vectors/machinetag.json
+++ b/maec-delivery-vectors/machinetag.json
@@ -80,7 +80,7 @@
"value": "watering-hole",
"expanded": "watering-hole"
}
- ],
+ ]
}
]
}
diff --git a/maec-malware-behavior/machinetag.json b/maec-malware-behavior/machinetag.json
index 6112dff..f0584e1 100644
--- a/maec-malware-behavior/machinetag.json
+++ b/maec-malware-behavior/machinetag.json
@@ -455,7 +455,7 @@
{
"value": "prevent-registry-deletion",
"expanded": "prevent-registry-deletion"
- }
+ },
{
"value": "prevent-security-software-from-executing",
"expanded": "prevent-security-software-from-executing"
@@ -608,7 +608,7 @@
"value": "write-code-into-file",
"expanded": "write-code-into-file"
}
- ],
+ ]
}
]
}
diff --git a/maec-malware-capabilities/machinetag.json b/maec-malware-capabilities/machinetag.json
index a1b4cd1..8f15375 100644
--- a/maec-malware-capabilities/machinetag.json
+++ b/maec-malware-capabilities/machinetag.json
@@ -292,7 +292,7 @@
"value": "virtual-entity-destruction",
"expanded": "virtual-entity-destruction"
}
- ],
+ ]
}
]
}
diff --git a/maec-malware-obfuscation-methods/machinetag.json b/maec-malware-obfuscation-methods/machinetag.json
index 8d7d1dd..1e3fae1 100644
--- a/maec-malware-obfuscation-methods/machinetag.json
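Review bot: Nothing in this commit stops the trailing-comma error from coming back: the same `],` to `]` correction is applied to four taxonomy files in one commit, which indicates these machinetag.json files are hand-edited and never parsed before merge. A strict-JSON check over every machinetag.json, for example `python -m json.tool maec-delivery-vectors/machinetag.json >/dev/null` run per file in CI, would reject a reintroduced trailing comma or missing separator at review time. The consumers are RFC 8259 parsers, so the check has to be a strict JSON parser rather than a JavaScript linter that tolerates trailing commas.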
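Review bot: Dropping the trailing comma at line 295 makes maec-malware-capabilities/machinetag.json parse, but the content defects of the pre-image stay in place: the copy of the same blob a1b4cd1 deleted under the misspelled path earlier on this page lists the `security-degradation` entry twice and carries the typos `"expanded": "integrity-violationk"` and `"expanded": "communicate-with-c2-servern"`, and since this hunk only touches the closing lines, 8f15375 presumably still has them. A duplicated value hands a taxonomy consumer two identical tags, so remove the second `security-degradation` entry and correct the two `expanded` strings to `"integrity-violation"` and `"communicate-with-c2-server"`. As a point of style, every entry's `expanded` repeats the machine value (`"expanded": "virtual-entity-destruction"`) while the predicate's `expanded` in the same blob is the readable `MAEC Malware capability`; a readable form such as `"expanded": "Virtual entity destruction"` is what the field exists for.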
+++ b/maec-malware-obfuscation-methods/machinetag.json
@@ -60,7 +60,7 @@
"value": "register-reassignment",
"expanded": "register-reassignment"
}
- ],
+ ]
}
]
}