Merge branch 'makflwana-master'

pull/105/head
Alexandre Dulaunoy 2018-05-25 10:48:53 +02:00
commit 4757f4f9e5
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
4 changed files with 1064 additions and 0 deletions


@ -0,0 +1,86 @@
{
"namespace": "MAEC Delivery Vectors",
"description": "Vectors used to deliver malware based on MAEC 5.0",
"version": 1,
"predicates": [
{
"value": "maec-delivery-vector",
"expanded": "MAEC Delivery Vector"
}
],
"values": [
{
"predicate": "maec-delivery-vector",
"entry": [
{
"value": "active-attacker",
"expanded": "active Attacker"
},
{
"value": "auto-executing-media",
"expanded": "auto-executing-media"
},
{
"value": "downloader",
"expanded": "downloader"
},
{
"value": "dropper",
"expanded": "dropper"
},
{
"value": "email-attachment",
"expanded": "email-attachment"
},
{
"value": "exploit-kit-landing-page",
"expanded": "exploit-kit-landing-page"
},
{
"value": "fake-website",
"expanded": "fake-website"
},
{
"value": "janitor-attack",
"expanded": "janitor-attack"
},
{
"value": "malicious-iframes",
"expanded": "malicious-iframes"
},
{
"value": "malvertising",
"expanded": "malvertising"
},
{
"value": "media-baiting",
"expanded": "media-baiting"
},
{
"value": "pharming",
"expanded": "pharming"
},
{
"value": "phishing",
"expanded": "phishing"
},
{
"value": "trojanized-link",
"expanded": "trojanized-link"
},
{
"value": "trojanized-software",
"expanded": "trojanized-software"
},
{
"value": "usb-cable-syncing",
"expanded": "usb-cable-syncing"
},
{
"value": "watering-hole",
"expanded": "watering-hole"
}
]
}
]
}
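Review bot: The first entry's `expanded` label reads `active Attacker` (mixed case, space-separated) while every other entry in this file repeats its machine-readable `value` verbatim; the `expanded` string is the human-facing label, so it should follow one convention, either `Active attacker` throughout or identical to `value` as the rest are. Since `expanded` currently adds nothing over `value`, readable labels such as `Exploit kit landing page` for `exploit-kit-landing-page` would make the taxonomy more useful in a UI. The `description` says the list is derived from MAEC 5.0 but gives no reference; adding a pointer to the source vocabulary in the taxonomy header would let reviewers check the list for completeness and spelling.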


@ -0,0 +1,614 @@
{
"namespace": "MAEC Malware Bahaviors",
"description": "Malware behaviours based on MAEC 5.0",
"version": 1,
"predicates": [
{
"value": "maec-malware-behavior",
"expanded": "MAEC Malware behavior"
}
],
"values": [
{
"predicate": "maec-malware-behavior",
"entry": [
{
"value": "access-premium-service",
"expanded": "access-premium-service"
},
{
"value": "autonomous-remote-infection",
"expanded": "autonomous-remote-infection"
},
{
"value": "block-security-websites",
"expanded": "block-security-websites"
},
{
"value": "capture-camera-input",
"expanded": "capture-camera-input"
},
{
"value": "capture-file-system-data",
"expanded": "capture-file-system-data"
},
{
"value": "capture-gps-data",
"expanded": "capture-gps-data"
},
{
"value": "capture-keyboard-input",
"expanded": "capture-keyboard-input"
},
{
"value": "capture-microphone-input",
"expanded": "capture-microphone-input"
},
{
"value": "capture-mouse-input",
"expanded": "capture-mouse-input"
},
{
"value": "capture-printer-output",
"expanded": "capture-printer-output"
},
{
"value": "capture-system-memory",
"expanded": "capture-system-memory"
},
{
"value": "capture-system-network-traffic",
"expanded": "capture-system-network-traffic"
},
{
"value": "capture-system-screenshot",
"expanded": "capture-system-screenshot"
},
{
"value": "capture-touchscreen-input",
"expanded": "capture-touchscreen-input"
},
{
"value": "check-for-payload",
"expanded": "check-for-payload"
},
{
"value": "click-fraud",
"expanded": "click-fraud"
},
{
"value": "compare-host-fingerprints",
"expanded": "compare-host-fingerprints"
},
{
"value": "compromise-remote-machine",
"expanded": "compromise-remote-machinen"
},
{
"value": "control-local-machine-via-remote-command",
"expanded": "control-local-machine-via-remote-command"
},
{
"value": "control-malware-via-remote-command",
"expanded": "control-malware-via-remote-command"
},
{
"value": "crack-passwords",
"expanded": "crack-passwords"
},
{
"value": "defeat-call-graph-generation",
"expanded": "defeat-call-graph-generation"
},
{
"value": "defeat-emulator",
"expanded": "defeat-emulator"
},
{
"value": "defeat-flow-oriented-disassembler",
"expanded": "defeat-flow-oriented-disassembler"
},
{
"value": "defeat-linear-disassembler",
"expanded": "defeat-linear-disassembler"
},
{
"value": "degrade-security-program",
"expanded": "degrade-security-program"
},
{
"value": "denial-of-service",
"expanded": "denial-of-service"
},
{
"value": "destroy-hardware",
"expanded": "destroy-hardware"
},
{
"value": "detect-debugging",
"expanded": "detect-debugging"
},
{
"value": "detect-emulator",
"expanded": "detect-emulator"
},
{
"value": "detect-installed-analysis-tools",
"expanded": "detect-installed-analysis-tools"
},
{
"value": "detect-installed-av-tools",
"expanded": "detect-installed-av-tools"
},
{
"value": "detect-sandbox-environment",
"expanded": "detect-sandbox-environment"
},
{
"value": "detect-vm-environment",
"expanded": "detect-vm-environment"
},
{
"value": "determine-host-ip-address",
"expanded": "determine-host-ip-address"
},
{
"value": "disable-access-rights-checking",
"expanded": "disable-access-rights-checking"
},
{
"value": "disable-firewall",
"expanded": "disable-firewall"
},
{
"value": "disable-kernel-patch-protection",
"expanded": "disable-kernel-patch-protection"
},
{
"value": "disable-os-security-alerts",
"expanded": "disable-os-security-alerts"
},
{
"value": "disable-privilege-limiting",
"expanded": "disable-privilege-limiting"
},
{
"value": "disable-service-pack-patch-installation",
"expanded": "disable-service-pack-patch-installation"
},
{
"value": "disable-system-file-overwrite-protection",
"expanded": "disable-system-file-overwrite-protection"
},
{
"value": "disable-update-services-daemons",
"expanded": "disable-update-services-daemons"
},
{
"value": "disable-user-account-control",
"expanded": "disable-user-account-control"
},
{
"value": "drop-retrieve-debug-log-file",
"expanded": "drop-retrieve-debug-log-file"
},
{
"value": "elevate-privilege",
"expanded": "elevate-privilege"
},
{
"value": "encrypt-data",
"expanded": "encrypt-data"
},
{
"value": "encrypt-files",
"expanded": "encrypt-files"
},
{
"value": "encrypt-self",
"expanded": "encrypt-self"
},
{
"value": "erase-data",
"expanded": "erase-data"
},
{
"value": "evade-static-heuristic",
"expanded": "evade-static-heuristic"
},
{
"value": "execute-before-external-to-kernel-hypervisor",
"expanded": "execute-before-external-to-kernel-hypervisor"
},
{
"value": "execute-non-main-cpu-code",
"expanded": "execute-non-main-cpu-code"
},
{
"value": "execute-stealthy-code",
"expanded": "execute-stealthy-code"
},
{
"value": "exfiltrate-data-via-covert channel",
"expanded": "exfiltrate-data-via-covert channel"
},
{
"value": "exfiltrate-data-via--dumpster-dive",
"expanded": "exfiltrate-data-via-dumpster-dives"
},
{
"value": "exfiltrate-data-via-fax",
"expanded": "exfiltrate-data-via-fax"
},
{
"value": "exfiltrate-data-via-network",
"expanded": "exfiltrate-data-via-network"
},
{
"value": "exfiltrate-data-via-physical-media",
"expanded": "exfiltrate-data-via-physical-media"
},
{
"value": "exfiltrate-data-via-voip-phone",
"expanded": "exfiltrate-data-via-voip-phone"
},
{
"value": "feed-misinformation-during-physical-memory-acquisition",
"expanded": "feed-misinformation-during-physical-memory-acquisition"
},
{
"value": "file-system-instantiation",
"expanded": "file-system-instantiation"
},
{
"value": "fingerprint-host",
"expanded": "fingerprint-host"
},
{
"value": "generate-c2-domain-names",
"expanded": "generate-c2-domain-names"
},
{
"value": "hide-arbitrary-virtual-memory",
"expanded": "hide-arbitrary-virtual-memory"
},
{
"value": "hide-data-in-other-formats",
"expanded": "hide-data-in-other-formats"
},
{
"value": "hide-file-system-artifacts",
"expanded": "hide-file-system-artifacts"
},
{
"value": "hide-kernel-modules",
"expanded": "hide-kernel-modules"
},
{
"value": "hide-network-traffic",
"expanded": "hide-network-traffic"
},
{
"value": "hide-open-network-ports",
"expanded": "hide-open-network-ports"
},
{
"value": "hide-processes",
"expanded": "hide-processes"
},
{
"value": "hide-services",
"expanded": "hide-services"
},
{
"value": "hide-threads",
"expanded": "hide-threads"
},
{
"value": "hide-userspace-libraries",
"expanded": "hide-userspace-libraries"
},
{
"value": "identify-file",
"expanded": "identify-file"
},
{
"value": "identify-os",
"expanded": "identify-os"
},
{
"value": "identify-target-machines",
"expanded": "identify-target-machines"
},
{
"value": "impersonate-user",
"expanded": "impersonate-user"
},
{
"value": "install-backdoor",
"expanded": "install-backdoor"
},
{
"value": "install-legitimate-software",
"expanded": "install-legitimate-software"
},
{
"value": "install-secondary-malware",
"expanded": "install-secondary-malware"
},
{
"value": "install-secondary-module",
"expanded": "install-secondary-module"
},
{
"value": "intercept-manipulate-network-traffic",
"expanded": "intercept-manipulate-network-traffic"
},
{
"value": "inventory-security-products",
"expanded": "inventory-security-products"
},
{
"value": "inventory-system-applications",
"expanded": "inventory-system-applications"
},
{
"value": "inventory-victims",
"expanded": "inventory-victims"
},
{
"value": "limit-application-type-version",
"expanded": "limit-application-type-version"
},
{
"value": "log-activity",
"expanded": "log-activity"
},
{
"value": "inventory-victims",
"expanded": "inventory-victims"
},
{
"value": "manipulate-file-system-data",
"expanded": "manipulate-file-system-data"
},
{
"value": "map-local-network",
"expanded": "map-local-network"
},
{
"value": "mine-for-cryptocurrency",
"expanded": "mine-for-cryptocurrency"
},
{
"value": "modify-file",
"expanded": "modify-file"
},
{
"value": "modify-security-software-configuration",
"expanded": "modify-security-software-configuration"
},
{
"value": "move-data-to-staging-server",
"expanded": "move-data-to-staging-server"
},
{
"value": "obfuscate-artifact-properties",
"expanded": "obfuscate-artifact-properties"
},
{
"value": "overload-sandbox",
"expanded": "overload-sandbox"
},
{
"value": "package-data",
"expanded": "package-data"
},
{
"value": "persist-after-hardware-changes",
"expanded": "persist-after-hardware-changes"
},
{
"value": "persist-after-os-changes",
"expanded": "persist-after-os-changes"
},
{
"value": "persist-after-system-reboot",
"expanded": "persist-after-system-reboot"
},
{
"value": "prevent-api-unhooking",
"expanded": "prevent-api-unhooking"
},
{
"value": "prevent-concurrent-execution",
"expanded": "prevent-concurrent-execution"
},
{
"value": "prevent-debugging",
"expanded": "prevent-debugging"
},
{
"value": "prevent-file-access",
"expanded": "prevent-file-access"
},
{
"value": "prevent-file-deletion",
"expanded": "prevent-file-deletion"
},
{
"value": "prevent-memory-access",
"expanded": "prevent-memory-access"
},
{
"value": "prevent-native-api-hooking",
"expanded": "prevent-native-api-hooking"
},
{
"value": "prevent-physical-memory-acquisition",
"expanded": "prevent-physical-memory-acquisition"
},
{
"value": "prevent-registry-access",
"expanded": "prevent-registry-access"
},
{
"value": "prevent-registry-deletion",
"expanded": "prevent-registry-deletion"
},
{
"value": "prevent-security-software-from-executing",
"expanded": "prevent-security-software-from-executing"
},
{
"value": "re-instantiate-self",
"expanded": "re-instantiate-self"
},
{
"value": "remove-self",
"expanded": "remove-self"
},
{
"value": "remove-sms-warning-messages",
"expanded": "remove-sms-warning-messages"
},
{
"value": "remove-system-artifacts",
"expanded": "remove-system-artifacts"
},
{
"value": "request-email-address-list",
"expanded": "request-email-address-list"
},
{
"value": "request-email-template",
"expanded": "request-email-template"
},
{
"value": "search-for-remote-machines",
"expanded": "search-for-remote-machines"
},
{
"value": "send-beacon",
"expanded": "send-beacon"
},
{
"value": "send-email-message",
"expanded": "send-email-message"
},
{
"value": "social-engineering-based-remote-infection",
"expanded": "social-engineering-based-remote-infection"
},
{
"value": "steal-browser-cache",
"expanded": "steal-browser-cache"
},
{
"value": "steal-browser-cookies",
"expanded": "steal-browser-cookies"
},
{
"value": "steal-browser-history",
"expanded": "steal-browser-history"
},
{
"value": "steal-contact-list-data",
"expanded": "steal-contact-list-data"
},
{
"value": "steal-cryptocurrency-data",
"expanded": "steal-cryptocurrency-data"
},
{
"value": "steal-database-content",
"expanded": "steal-database-content"
},
{
"value": "steal-dialed-phone-numbers",
"expanded": "steal-dialed-phone-numbers"
},
{
"value": "steal-digital-certificates",
"expanded": "steal-digital-certificates"
},
{
"value": "steal-documents",
"expanded": "steal-documents"
},
{
"value": "steal-email-data",
"expanded": "steal-email-data"
},
{
"value": "steal-images",
"expanded": "steal-images"
},
{
"value": "steal-password-hashes",
"expanded": "steal-password-hashes"
},
{
"value": "steal-pki-key",
"expanded": "steal-pki-key"
},
{
"value": "steal-referrer-urls",
"expanded": "steal-referrer-urls"
},
{
"value": "steal-serial-numbers",
"expanded": "steal-serial-numbers"
},
{
"value": "steal-sms-database",
"expanded": "steal-sms-database"
},
{
"value": "steal-web-network-credential",
"expanded": "steal-web-network-credential"
},
{
"value": "stop-execution-of-security-software",
"expanded": "stop-execution-of-security-software"
},
{
"value": "suicide-exit",
"expanded": "suicide-exit"
},
{
"value": "test-for-firewall",
"expanded": "test-for-firewall"
},
{
"value": "test-for-internet-connectivity",
"expanded": "test-for-internet-connectivity"
},
{
"value": "test-for-network-drives",
"expanded": "test-for-network-drives"
},
{
"value": "test-for-proxy",
"expanded": "test-for-proxy"
},
{
"value": "test-smtp-connection",
"expanded": "test-smtp-connection"
},
{
"value": "update-configuration",
"expanded": "update-configuration"
},
{
"value": "validate-data",
"expanded": "validate-data"
},
{
"value": "write-code-into-file",
"expanded": "write-code-into-file"
}
]
}
]
}
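Review bot: `inventory-victims` appears twice in the entry list (first after `intercept-manipulate-network-traffic`, again after `log-activity`), which gives the taxonomy two identical tags and breaks the otherwise alphabetical order; the second copy should be dropped. Several values also deviate from the hyphenated identifier form used everywhere else: `exfiltrate-data-via-covert channel` contains a space, `exfiltrate-data-via--dumpster-dive` has a doubled hyphen and an `expanded` of `exfiltrate-data-via-dumpster-dives` that does not match it, and `compromise-remote-machine` expands to `compromise-remote-machinen`. The namespace `MAEC Malware Bahaviors` is misspelled. Tags are matched by exact string, so these variants would never correlate with the same terms used in other data sets and are hard to fix once events have been tagged with them.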


@ -0,0 +1,298 @@
{
"namespace": "MAEC Malware Capabilities",
"description": "Malware Capabilities based on MAEC 5.0",
"version": 1,
"predicates": [
{
"value": "maec-malware-capability",
"expanded": "MAEC Malware capability"
}
],
"values": [
{
"predicate": "maec-malware-capability",
"entry": [
{
"value": "anti-behavioral-analysis",
"expanded": "anti-behavioral-analysis"
},
{
"value": "anti-code-analysis",
"expanded": "anti-code-analysis"
},
{
"value": "anti-detection",
"expanded": "anti-detection"
},
{
"value": "anti-removal",
"expanded": "anti-removal"
},
{
"value": "availability-violation",
"expanded": "availability-violation"
},
{
"value": "collection",
"expanded": "collection"
},
{
"value": "command-and-control",
"expanded": "command-and-control"
},
{
"value": "data-theft",
"expanded": "data-theft"
},
{
"value": "destruction",
"expanded": "destruction"
},
{
"value": "discovery",
"expanded": "discovery"
},
{
"value": "exfiltration",
"expanded": "exfiltration"
},
{
"value": "fraud",
"expanded": "fraud"
},
{
"value": "infection-propagation",
"expanded": "infection-propagation"
},
{
"value": "integrity-violation",
"expanded": "integrity-violationk"
},
{
"value": "machine-access-control",
"expanded": "machine-access-control"
},
{
"value": "persistence",
"expanded": "persistence"
},
{
"value": "privilege-escalation",
"expanded": "privilege-escalation"
},
{
"value": "secondary-operation",
"expanded": "secondary-operation"
},
{
"value": "security-degradation",
"expanded": "security-degradation"
},
{
"value": "access-control-degradation",
"expanded": "access-control-degradation"
},
{
"value": "security-degradation",
"expanded": "security-degradation"
},
{
"value": "anti-debugging",
"expanded": "anti-debugging"
},
{
"value": "anti-disassembly",
"expanded": "anti-disassembly"
},
{
"value": "anti-emulation",
"expanded": "anti-emulation"
},
{
"value": "anti-memory-forensics",
"expanded": "anti-memory-forensics"
},
{
"value": "anti-sandbox",
"expanded": "anti-sandbox"
},
{
"value": "anti-virus-evasion",
"expanded": "anti-virus-evasion"
},
{
"value": "anti-vm",
"expanded": "anti-vm"
},
{
"value": "authentication-credentials-theft",
"expanded": "authentication-credentials-theft"
},
{
"value": "clean-traces-of-infection",
"expanded": "clean-traces-of-infection"
},
{
"value": "communicate-with-c2-server",
"expanded": "communicate-with-c2-servern"
},
{
"value": "compromise-data-availability",
"expanded": "compromise-data-availability"
},
{
"value": "compromise-system-availability",
"expanded": "compromise-system-availability"
},
{
"value": "consume-system-resources",
"expanded": "consume-system-resources"
},
{
"value": "continuous-execution",
"expanded": "continuous-execution"
},
{
"value": "data-integrity-violation",
"expanded": "data-integrity-violation"
},
{
"value": "data-obfuscation",
"expanded": "data-obfuscation"
},
{
"value": "data-staging",
"expanded": "data-staging"
},
{
"value": "determine-c2-server",
"expanded": "determine-c2-server"
},
{
"value": "email-spam",
"expanded": "email-spam"
},
{
"value": "ensure-compatibility",
"expanded": "ensure-compatibility"
},
{
"value": "environment-awareness",
"expanded": "environment-awareness"
},
{
"value": "file-infection",
"expanded": "file-infection"
},
{
"value": "hide-artifacts",
"expanded": "hide-artifacts"
},
{
"value": "hide-executing-code",
"expanded": "hide-executing-code"
},
{
"value": "hide-non-executing-code",
"expanded": "hide-non-executing-code"
},
{
"value": "host-configuration-probing",
"expanded": "host-configuration-probing"
},
{
"value": "information-gathering-for-improvement",
"expanded": "information-gathering-for-improvement"
},
{
"value": "input-peripheral-capture",
"expanded": "input-peripheral-capture"
},
{
"value": "install-other-components",
"expanded": "install-other-components"
},
{
"value": "local-machine-control",
"expanded": "local-machine-control"
},
{
"value": "network-environment-probing",
"expanded": "network-environment-probing"
},
{
"value": "os-security-feature-degradation",
"expanded": "os-security-feature-degradation"
},
{
"value": "output-peripheral-capture",
"expanded": "output-peripheral-capture"
},
{
"value": "physical-entity-destruction",
"expanded": "physical-entity-destruction"
},
{
"value": "prevent-artifact-access",
"expanded": "prevent-artifact-access"
},
{
"value": "prevent-artifact-deletion",
"expanded": "prevent-artifact-deletion"
},
{
"value": "remote-machine-access",
"expanded": "remote-machine-access"
},
{
"value": "security-software-degradation",
"expanded": "security-software-degradation"
},
{
"value": "security-software-evasion",
"expanded": "security-software-evasion"
},
{
"value": "self-modification",
"expanded": "self-modification"
},
{
"value": "service-provider-security-feature-degradation",
"expanded": "service-provider-security-feature-degradation"
},
{
"value": "stored-information-theft",
"expanded": "stored-information-theft"
},
{
"value": "system-interface-data-capture",
"expanded": "system-interface-data-capture"
},
{
"value": "system-operational-integrity-violation",
"expanded": "system-operational-integrity-violation"
},
{
"value": "system-re-infection",
"expanded": "system-re-infection"
},
{
"value": "system-state-data-capture",
"expanded": "system-state-data-capture"
},
{
"value": "system-update-degradation",
"expanded": "system-update-degradation"
},
{
"value": "user-data-theft",
"expanded": "user-data-theft"
},
{
"value": "virtual-entity-destruction",
"expanded": "virtual-entity-destruction"
}
]
}
]
}
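Review bot: `security-degradation` is listed twice, once at the end of the first run of entries and again immediately after `access-control-degradation`, so the second copy should be removed. Two `expanded` labels carry a stray trailing character: `integrity-violationk` and `communicate-with-c2-servern`. The list also appears to concatenate a high-level group (`anti-behavioral-analysis` through `security-degradation`, alphabetical) with a second, more specific group (`access-control-degradation` onward, alphabetical again) under one predicate without marking the distinction; if that split is intended, a second predicate or a sentence in `description` noting it would help consumers, though this is inferred from the ordering rather than stated on the page.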


@ -0,0 +1,66 @@
{
"namespace": "MAEC Obfuscation methods",
"description": "Obfuscation methods used by malware based on MAEC 5.0",
"version": 1,
"predicates": [
{
"value": "maec-obfuscation-methods",
"expanded": "MAEC Obfuscation methods"
}
],
"values": [
{
"predicate": "maec-obfuscation-methods",
"entry": [
{
"value": "packing",
"expanded": "packing"
},
{
"value": "code-encryption",
"expanded": "code-encryption"
},
{
"value": "dead-code-insertion",
"expanded": "dead-code-insertion"
},
{
"value": "entry-point-obfuscation",
"expanded": "entry-point-obfuscation"
},
{
"value": "import-address-table-obfuscation",
"expanded": "import-address-table-obfuscation"
},
{
"value": "interleaving-code",
"expanded": "interleaving-code"
},
{
"value": "symbolic-obfuscation",
"expanded": "symbolic-obfuscation"
},
{
"value": "string-obfuscation",
"expanded": "string-obfuscation"
},
{
"value": "subroutine-reordering",
"expanded": "subroutine-reordering"
},
{
"value": "code-transposition",
"expanded": "code-transposition"
},
{
"value": "instruction-substitution",
"expanded": "instruction-substitution"
},
{
"value": "register-reassignment",
"expanded": "register-reassignment"
}
]
}
]
}
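Review bot: The predicate here is named `maec-obfuscation-methods` (plural) whereas the three sibling taxonomies in this commit use singular predicates (`maec-delivery-vector`, `maec-malware-behavior`, `maec-malware-capability`); `maec-obfuscation-method` would keep the naming consistent, and because the predicate becomes part of every tag string it is costly to rename after the taxonomy is in use. The entries are also not in alphabetical order, unlike the other three lists; sorting them makes duplicates and typos easier to spot in later edits.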