Merge pull request #44 from RichieB2B/ncsc-nl/stealth-malware
Add Stealth Malware Taxonomy as defined by Joanna Rutkowska
commit bd16ea1916
@ -33,6 +33,7 @@ The following taxonomies are described:
- [NATO Classification Marking](./nato)
- [Open Threat Taxonomy v1.1 (SANS)](./open-threat)
- [OSINT Open Source Intelligence - Classification](./osint)
- [Stealth Malware Taxonomy as defined by Joanna Rutkowska](./stealth-malware)
- [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./pap)
- [TLP - Traffic Light Protocol](./tlp)
- Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
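Review bot: style point on the new entry `- [Stealth Malware Taxonomy as defined by Joanna Rutkowska](./stealth-malware)`: the neighbouring entries name their source in parentheses after the title (`Open Threat Taxonomy v1.1 (SANS)`), so `Stealth Malware Taxonomy (Joanna Rutkowska)` would read consistently with the list and would also match the `# Stealth Malware Taxonomy` heading the new README uses. The alphabetical position between the OSINT and PAP entries is correct.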
@ -0,0 +1,35 @@
# Stealth Malware Taxonomy

## Malware Types

All malware samples should be classified into one of the categories listed in the table below.

<dl>
<dt>Type 0</dt>
<dd>No OS or system compromise. The malware runs as a normal user process using only official API calls.<dd>

<dt>Type I</dt>
<dd>The malware modifies constant sections of the kernel and/or processes such as code sections.<dd>

<dt>Type II</dt>
<dd>The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections.<dd>

<dt>Type III</dt>
<dd>The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques.<dd>
</dl>

# Machine-parsable Stealth Malware Taxonomy

The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
along with their human-readable description. The software can use both
representation on the user-interface and store the tag as machine-parsable.

~~~~
stealth_malware:type="II"
~~~~

Based on:

https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
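Review bot: all four definition entries are closed with a second opening tag instead of a closing one, e.g. `<dd>No OS or system compromise. The malware runs as a normal user process using only official API calls.<dd>`; change the trailing `<dd>` to `</dd>` on the Type 0, I, II and III lines so the `<dl>` is well-formed (browsers recover, but markdown renderers that pass raw HTML through will nest each entry inside the previous one). Two wording points in the same hunk: the intro says the categories are "listed in the table below" but what follows is a definition list, so "listed below" is accurate; and "The software can use both representation on the user-interface" should read "both representations in the user interface".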
@ -0,0 +1,37 @@
{
"namespace": "stealth_malware",
"description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
"version": 1,
"refs": [
"https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf"
],
"predicates": [
{
"value": "type",
"expanded": "Stealth techninque type"
}
],
"values": [
{
"predicate": "type",
"entry": [
{
"value": "0",
"expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls."
},
{
"value": "I",
"expanded": "The malware modifies constant sections of the kernel and/or processes such as code sections."
},
{
"value": "II",
"expanded": "The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections."
},
{
"value": "III",
"expanded": "The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques."
}
]
}
]
}
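Review bot: typo in the predicate's user-visible label, `"expanded": "Stealth techninque type"`; this should be `"Stealth technique type"`, since the `expanded` string is what the UI displays next to the `stealth_malware:type` tag. Minor: the `description` field repeats the same URL already listed under `refs`, so a short description of the four types ("Type 0 to III by degree of OS modification") would carry more information there. The four `entry` descriptions duplicate the README's `<dd>` text verbatim, which is fine, but any later wording fix has to be applied in both files.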