MAEC 5.0 Malware behavior

pull/103/head
makflwana 2018-05-24 23:02:50 +10:00 committed by GitHub
parent 6c6ee40fea
commit c6d95aeaeb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 614 additions and 0 deletions


@ -0,0 +1,614 @@
{
"namespace": "MAEC Malware Bahaviors",
"description": "Malware behaviours based on MAEC 5.0",
"version": 1,
"predicates": [
{
"value": "maec-malware-behavior",
"expanded": "MAEC Malware behavior"
}
],
"values": [
{
"predicate": "maec-malware-behavior",
"entry": [
{
"value": "access-premium-service",
"expanded": "access-premium-service"
},
{
"value": "autonomous-remote-infection",
"expanded": "autonomous-remote-infection"
},
{
"value": "block-security-websites",
"expanded": "block-security-websites"
},
{
"value": "capture-camera-input",
"expanded": "capture-camera-input"
},
{
"value": "capture-file-system-data",
"expanded": "capture-file-system-data"
},
{
"value": "capture-gps-data",
"expanded": "capture-gps-data"
},
{
"value": "capture-keyboard-input",
"expanded": "capture-keyboard-input"
},
{
"value": "capture-microphone-input",
"expanded": "capture-microphone-input"
},
{
"value": "capture-mouse-input",
"expanded": "capture-mouse-input"
},
{
"value": "capture-printer-output",
"expanded": "capture-printer-output"
},
{
"value": "capture-system-memory",
"expanded": "capture-system-memory"
},
{
"value": "capture-system-network-traffic",
"expanded": "capture-system-network-traffic"
},
{
"value": "capture-system-screenshot",
"expanded": "capture-system-screenshot"
},
{
"value": "capture-touchscreen-input",
"expanded": "capture-touchscreen-input"
},
{
"value": "check-for-payload",
"expanded": "check-for-payload"
},
{
"value": "click-fraud",
"expanded": "click-fraud"
},
{
"value": "compare-host-fingerprints",
"expanded": "compare-host-fingerprints"
},
{
"value": "compromise-remote-machine",
"expanded": "compromise-remote-machinen"
},
{
"value": "control-local-machine-via-remote-command",
"expanded": "control-local-machine-via-remote-command"
},
{
"value": "control-malware-via-remote-command",
"expanded": "control-malware-via-remote-command"
},
{
"value": "crack-passwords",
"expanded": "crack-passwords"
},
{
"value": "defeat-call-graph-generation",
"expanded": "defeat-call-graph-generation"
},
{
"value": "defeat-emulator",
"expanded": "defeat-emulator"
},
{
"value": "defeat-flow-oriented-disassembler",
"expanded": "defeat-flow-oriented-disassembler"
},
{
"value": "defeat-linear-disassembler",
"expanded": "defeat-linear-disassembler"
},
{
"value": "degrade-security-program",
"expanded": "degrade-security-program"
},
{
"value": "denial-of-service",
"expanded": "denial-of-service"
},
{
"value": "destroy-hardware",
"expanded": "destroy-hardware"
},
{
"value": "detect-debugging",
"expanded": "detect-debugging"
},
{
"value": "detect-emulator",
"expanded": "detect-emulator"
},
{
"value": "detect-installed-analysis-tools",
"expanded": "detect-installed-analysis-tools"
},
{
"value": "detect-installed-av-tools",
"expanded": "detect-installed-av-tools"
},
{
"value": "detect-sandbox-environment",
"expanded": "detect-sandbox-environment"
},
{
"value": "detect-vm-environment",
"expanded": "detect-vm-environment"
},
{
"value": "determine-host-ip-address",
"expanded": "determine-host-ip-address"
},
{
"value": "disable-access-rights-checking",
"expanded": "disable-access-rights-checking"
},
{
"value": "disable-firewall",
"expanded": "disable-firewall"
},
{
"value": "disable-kernel-patch-protection",
"expanded": "disable-kernel-patch-protection"
},
{
"value": "disable-os-security-alerts",
"expanded": "disable-os-security-alerts"
},
{
"value": "disable-privilege-limiting",
"expanded": "disable-privilege-limiting"
},
{
"value": "disable-service-pack-patch-installation",
"expanded": "disable-service-pack-patch-installation"
},
{
"value": "disable-system-file-overwrite-protection",
"expanded": "disable-system-file-overwrite-protection"
},
{
"value": "disable-update-services-daemons",
"expanded": "disable-update-services-daemons"
},
{
"value": "disable-user-account-control",
"expanded": "disable-user-account-control"
},
{
"value": "drop-retrieve-debug-log-file",
"expanded": "drop-retrieve-debug-log-file"
},
{
"value": "elevate-privilege",
"expanded": "elevate-privilege"
},
{
"value": "encrypt-data",
"expanded": "encrypt-data"
},
{
"value": "encrypt-files",
"expanded": "encrypt-files"
},
{
"value": "encrypt-self",
"expanded": "encrypt-self"
},
{
"value": "erase-data",
"expanded": "erase-data"
},
{
"value": "evade-static-heuristic",
"expanded": "evade-static-heuristic"
},
{
"value": "execute-before-external-to-kernel-hypervisor",
"expanded": "execute-before-external-to-kernel-hypervisor"
},
{
"value": "execute-non-main-cpu-code",
"expanded": "execute-non-main-cpu-code"
},
{
"value": "execute-stealthy-code",
"expanded": "execute-stealthy-code"
},
{
"value": "exfiltrate-data-via-covert channel",
"expanded": "exfiltrate-data-via-covert channel"
},
{
"value": "exfiltrate-data-via--dumpster-dive",
"expanded": "exfiltrate-data-via-dumpster-dives"
},
{
"value": "exfiltrate-data-via-fax",
"expanded": "exfiltrate-data-via-fax"
},
{
"value": "exfiltrate-data-via-network",
"expanded": "exfiltrate-data-via-network"
},
{
"value": "exfiltrate-data-via-physical-media",
"expanded": "exfiltrate-data-via-physical-media"
},
{
"value": "exfiltrate-data-via-voip-phone",
"expanded": "exfiltrate-data-via-voip-phone"
},
{
"value": "feed-misinformation-during-physical-memory-acquisition",
"expanded": "feed-misinformation-during-physical-memory-acquisition"
},
{
"value": "file-system-instantiation",
"expanded": "file-system-instantiation"
},
{
"value": "fingerprint-host",
"expanded": "fingerprint-host"
},
{
"value": "generate-c2-domain-names",
"expanded": "generate-c2-domain-names"
},
{
"value": "hide-arbitrary-virtual-memory",
"expanded": "hide-arbitrary-virtual-memory"
},
{
"value": "hide-data-in-other-formats",
"expanded": "hide-data-in-other-formats"
},
{
"value": "hide-file-system-artifacts",
"expanded": "hide-file-system-artifacts"
},
{
"value": "hide-kernel-modules",
"expanded": "hide-kernel-modules"
},
{
"value": "hide-network-traffic",
"expanded": "hide-network-traffic"
},
{
"value": "hide-open-network-ports",
"expanded": "hide-open-network-ports"
},
{
"value": "hide-processes",
"expanded": "hide-processes"
},
{
"value": "hide-services",
"expanded": "hide-services"
},
{
"value": "hide-threads",
"expanded": "hide-threads"
},
{
"value": "hide-userspace-libraries",
"expanded": "hide-userspace-libraries"
},
{
"value": "identify-file",
"expanded": "identify-file"
},
{
"value": "identify-os",
"expanded": "identify-os"
},
{
"value": "identify-target-machines",
"expanded": "identify-target-machines"
},
{
"value": "impersonate-user",
"expanded": "impersonate-user"
},
{
"value": "install-backdoor",
"expanded": "install-backdoor"
},
{
"value": "install-legitimate-software",
"expanded": "install-legitimate-software"
},
{
"value": "install-secondary-malware",
"expanded": "install-secondary-malware"
},
{
"value": "install-secondary-module",
"expanded": "install-secondary-module"
},
{
"value": "intercept-manipulate-network-traffic",
"expanded": "intercept-manipulate-network-traffic"
},
{
"value": "inventory-security-products",
"expanded": "inventory-security-products"
},
{
"value": "inventory-system-applications",
"expanded": "inventory-system-applications"
},
{
"value": "inventory-victims",
"expanded": "inventory-victims"
},
{
"value": "limit-application-type-version",
"expanded": "limit-application-type-version"
},
{
"value": "log-activity",
"expanded": "log-activity"
},
{
"value": "inventory-victims",
"expanded": "inventory-victims"
},
{
"value": "manipulate-file-system-data",
"expanded": "manipulate-file-system-data"
},
{
"value": "map-local-network",
"expanded": "map-local-network"
},
{
"value": "mine-for-cryptocurrency",
"expanded": "mine-for-cryptocurrency"
},
{
"value": "modify-file",
"expanded": "modify-file"
},
{
"value": "modify-security-software-configuration",
"expanded": "modify-security-software-configuration"
},
{
"value": "move-data-to-staging-server",
"expanded": "move-data-to-staging-server"
},
{
"value": "obfuscate-artifact-properties",
"expanded": "obfuscate-artifact-properties"
},
{
"value": "overload-sandbox",
"expanded": "overload-sandbox"
},
{
"value": "package-data",
"expanded": "package-data"
},
{
"value": "persist-after-hardware-changes",
"expanded": "persist-after-hardware-changes"
},
{
"value": "persist-after-os-changes",
"expanded": "persist-after-os-changes"
},
{
"value": "persist-after-system-reboot",
"expanded": "persist-after-system-reboot"
},
{
"value": "prevent-api-unhooking",
"expanded": "prevent-api-unhooking"
},
{
"value": "prevent-concurrent-execution",
"expanded": "prevent-concurrent-execution"
},
{
"value": "prevent-debugging",
"expanded": "prevent-debugging"
},
{
"value": "prevent-file-access",
"expanded": "prevent-file-access"
},
{
"value": "prevent-file-deletion",
"expanded": "prevent-file-deletion"
},
{
"value": "prevent-memory-access",
"expanded": "prevent-memory-access"
},
{
"value": "prevent-native-api-hooking",
"expanded": "prevent-native-api-hooking"
},
{
"value": "prevent-physical-memory-acquisition",
"expanded": "prevent-physical-memory-acquisition"
},
{
"value": "prevent-registry-access",
"expanded": "prevent-registry-access"
},
{
"value": "prevent-registry-deletion",
"expanded": "prevent-registry-deletion"
}
{
"value": "prevent-security-software-from-executing",
"expanded": "prevent-security-software-from-executing"
},
{
"value": "re-instantiate-self",
"expanded": "re-instantiate-self"
},
{
"value": "remove-self",
"expanded": "remove-self"
},
{
"value": "remove-sms-warning-messages",
"expanded": "remove-sms-warning-messages"
},
{
"value": "remove-system-artifacts",
"expanded": "remove-system-artifacts"
},
{
"value": "request-email-address-list",
"expanded": "request-email-address-list"
},
{
"value": "request-email-template",
"expanded": "request-email-template"
},
{
"value": "search-for-remote-machines",
"expanded": "search-for-remote-machines"
},
{
"value": "send-beacon",
"expanded": "send-beacon"
},
{
"value": "send-email-message",
"expanded": "send-email-message"
},
{
"value": "social-engineering-based-remote-infection",
"expanded": "social-engineering-based-remote-infection"
},
{
"value": "steal-browser-cache",
"expanded": "steal-browser-cache"
},
{
"value": "steal-browser-cookies",
"expanded": "steal-browser-cookies"
},
{
"value": "steal-browser-history",
"expanded": "steal-browser-history"
},
{
"value": "steal-contact-list-data",
"expanded": "steal-contact-list-data"
},
{
"value": "steal-cryptocurrency-data",
"expanded": "steal-cryptocurrency-data"
},
{
"value": "steal-database-content",
"expanded": "steal-database-content"
},
{
"value": "steal-dialed-phone-numbers",
"expanded": "steal-dialed-phone-numbers"
},
{
"value": "steal-digital-certificates",
"expanded": "steal-digital-certificates"
},
{
"value": "steal-documents",
"expanded": "steal-documents"
},
{
"value": "steal-email-data",
"expanded": "steal-email-data"
},
{
"value": "steal-images",
"expanded": "steal-images"
},
{
"value": "steal-password-hashes",
"expanded": "steal-password-hashes"
},
{
"value": "steal-pki-key",
"expanded": "steal-pki-key"
},
{
"value": "steal-referrer-urls",
"expanded": "steal-referrer-urls"
},
{
"value": "steal-serial-numbers",
"expanded": "steal-serial-numbers"
},
{
"value": "steal-sms-database",
"expanded": "steal-sms-database"
},
{
"value": "steal-web-network-credential",
"expanded": "steal-web-network-credential"
},
{
"value": "stop-execution-of-security-software",
"expanded": "stop-execution-of-security-software"
},
{
"value": "suicide-exit",
"expanded": "suicide-exit"
},
{
"value": "test-for-firewall",
"expanded": "test-for-firewall"
},
{
"value": "test-for-internet-connectivity",
"expanded": "test-for-internet-connectivity"
},
{
"value": "test-for-network-drives",
"expanded": "test-for-network-drives"
},
{
"value": "test-for-proxy",
"expanded": "test-for-proxy"
},
{
"value": "test-smtp-connection",
"expanded": "test-smtp-connection"
},
{
"value": "update-configuration",
"expanded": "update-configuration"
},
{
"value": "validate-data",
"expanded": "validate-data"
},
{
"value": "write-code-into-file",
"expanded": "write-code-into-file"
}
],
}
]
}
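Review bot: The file as committed is not valid JSON, so a strict parser (and the taxonomy loader) will reject it: the object for `"prevent-registry-deletion"` closes with a bare `}` and is missing the comma before the next `{`, and the `],` that closes the `entry` array leaves a trailing comma before the enclosing `}` — change those two lines to `},` and `]` respectively. `inventory-victims` appears twice in the `entry` array, so one of the two identical objects should be dropped before it becomes two tags. Several identifiers carry typos that would be frozen into published tag names: `"expanded": "compromise-remote-machinen"`, `"value": "exfiltrate-data-via-covert channel"` (embedded space in a machine value), `"value": "exfiltrate-data-via--dumpster-dive"` whose `expanded` is the mismatched `"exfiltrate-data-via-dumpster-dives"`, and `"namespace": "MAEC Malware Bahaviors"`. Since `expanded` is meant to be the human-readable label and every entry here merely repeats `value`, it would be worth writing real labels (e.g. `"Capture keyboard input"`), and the namespace itself seems better as a short lowercase identifier given that it presumably forms the prefix of every tag built from this file.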