From c6d95aeaeb91f32c927fb17deb33e823c4e8ba4e Mon Sep 17 00:00:00 2001
From: makflwana
Date: Thu, 24 May 2018 23:02:50 +1000
Subject: [PATCH] MAEC 5.0 Malware behavior

---
 maec-malware-behavior/machinetag.json | 614 ++++++++++++++++++++++++++
 1 file changed, 614 insertions(+)
 create mode 100644 maec-malware-behavior/machinetag.json

diff --git a/maec-malware-behavior/machinetag.json b/maec-malware-behavior/machinetag.json
new file mode 100644
index 0000000..6112dff
--- /dev/null
+++ b/maec-malware-behavior/machinetag.json
@@ -0,0 +1,614 @@
+{
+ "namespace": "MAEC Malware Bahaviors",
+ "description": "Malware behaviours based on MAEC 5.0",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "maec-malware-behavior",
+ "expanded": "MAEC Malware behavior"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "maec-malware-behavior",
+ "entry": [
+ {
+ "value": "access-premium-service",
+ "expanded": "access-premium-service"
+ },
+ {
+ "value": "autonomous-remote-infection",
+ "expanded": "autonomous-remote-infection"
+ },
+ {
+ "value": "block-security-websites",
+ "expanded": "block-security-websites"
+ },
+ {
+ "value": "capture-camera-input",
+ "expanded": "capture-camera-input"
+ },
+ {
+ "value": "capture-file-system-data",
+ "expanded": "capture-file-system-data"
+ },
+ {
+ "value": "capture-gps-data",
+ "expanded": "capture-gps-data"
+ },
+ {
+ "value": "capture-keyboard-input",
+ "expanded": "capture-keyboard-input"
+ },
+ {
+ "value": "capture-microphone-input",
+ "expanded": "capture-microphone-input"
+ },
+ {
+ "value": "capture-mouse-input",
+ "expanded": "capture-mouse-input"
+ },
+ {
+ "value": "capture-printer-output",
+ "expanded": "capture-printer-output"
+ },
+ {
+ "value": "capture-system-memory",
+ "expanded": "capture-system-memory"
+ },
+ {
+ "value": "capture-system-network-traffic",
+ "expanded": "capture-system-network-traffic"
+ },
+ {
+ "value": "capture-system-screenshot",
+ "expanded": "capture-system-screenshot"
+ },
+ {
+ "value": "capture-touchscreen-input",
+ "expanded": "capture-touchscreen-input"
+ },
+ {
+ "value": "check-for-payload",
+ "expanded": "check-for-payload"
+ },
+ {
+ "value": "click-fraud",
+ "expanded": "click-fraud"
+ },
+ {
+ "value": "compare-host-fingerprints",
+ "expanded": "compare-host-fingerprints"
+ },
+ {
+ "value": "compromise-remote-machine",
+ "expanded": "compromise-remote-machinen"
+ },
+ {
+ "value": "control-local-machine-via-remote-command",
+ "expanded": "control-local-machine-via-remote-command"
+ },
+ {
+ "value": "control-malware-via-remote-command",
+ "expanded": "control-malware-via-remote-command"
+ },
+ {
+ "value": "crack-passwords",
+ "expanded": "crack-passwords"
+ },
+ {
+ "value": "defeat-call-graph-generation",
+ "expanded": "defeat-call-graph-generation"
+ },
+ {
+ "value": "defeat-emulator",
+ "expanded": "defeat-emulator"
+ },
+ {
+ "value": "defeat-flow-oriented-disassembler",
+ "expanded": "defeat-flow-oriented-disassembler"
+ },
+ {
+ "value": "defeat-linear-disassembler",
+ "expanded": "defeat-linear-disassembler"
+ },
+ {
+ "value": "degrade-security-program",
+ "expanded": "degrade-security-program"
+ },
+ {
+ "value": "denial-of-service",
+ "expanded": "denial-of-service"
+ },
+ {
+ "value": "destroy-hardware",
+ "expanded": "destroy-hardware"
+ },
+ {
+ "value": "detect-debugging",
+ "expanded": "detect-debugging"
+ },
+ {
+ "value": "detect-emulator",
+ "expanded": "detect-emulator"
+ },
+ {
+ "value": "detect-installed-analysis-tools",
+ "expanded": "detect-installed-analysis-tools"
+ },
+ {
+ "value": "detect-installed-av-tools",
+ "expanded": "detect-installed-av-tools"
+ },
+ {
+ "value": "detect-sandbox-environment",
+ "expanded": "detect-sandbox-environment"
+ },
+ {
+ "value": "detect-vm-environment",
+ "expanded": "detect-vm-environment"
+ },
+ {
+ "value": "determine-host-ip-address",
+ "expanded": "determine-host-ip-address"
+ },
+ {
+ "value": "disable-access-rights-checking",
+ "expanded": "disable-access-rights-checking"
+ },
+ {
+ "value": "disable-firewall",
+ "expanded": "disable-firewall"
+ },
+ {
+ "value": "disable-kernel-patch-protection",
+ "expanded": "disable-kernel-patch-protection"
+ },
+ {
+ "value": "disable-os-security-alerts",
+ "expanded": "disable-os-security-alerts"
+ },
+ {
+ "value": "disable-privilege-limiting",
+ "expanded": "disable-privilege-limiting"
+ },
+ {
+ "value": "disable-service-pack-patch-installation",
+ "expanded": "disable-service-pack-patch-installation"
+ },
+ {
+ "value": "disable-system-file-overwrite-protection",
+ "expanded": "disable-system-file-overwrite-protection"
+ },
+ {
+ "value": "disable-update-services-daemons",
+ "expanded": "disable-update-services-daemons"
+ },
+ {
+ "value": "disable-user-account-control",
+ "expanded": "disable-user-account-control"
+ },
+ {
+ "value": "drop-retrieve-debug-log-file",
+ "expanded": "drop-retrieve-debug-log-file"
+ },
+ {
+ "value": "elevate-privilege",
+ "expanded": "elevate-privilege"
+ },
+ {
+ "value": "encrypt-data",
+ "expanded": "encrypt-data"
+ },
+ {
+ "value": "encrypt-files",
+ "expanded": "encrypt-files"
+ },
+ {
+ "value": "encrypt-self",
+ "expanded": "encrypt-self"
+ },
+ {
+ "value": "erase-data",
+ "expanded": "erase-data"
+ },
+ {
+ "value": "evade-static-heuristic",
+ "expanded": "evade-static-heuristic"
+ },
+ {
+ "value": "execute-before-external-to-kernel-hypervisor",
+ "expanded": "execute-before-external-to-kernel-hypervisor"
+ },
+ {
+ "value": "execute-non-main-cpu-code",
+ "expanded": "execute-non-main-cpu-code"
+ },
+ {
+ "value": "execute-stealthy-code",
+ "expanded": "execute-stealthy-code"
+ },
+ {
+ "value": "exfiltrate-data-via-covert channel",
+ "expanded": "exfiltrate-data-via-covert channel"
+ },
+ {
+ "value": "exfiltrate-data-via--dumpster-dive",
+ "expanded": "exfiltrate-data-via-dumpster-dives"
+ },
+ {
+ "value": "exfiltrate-data-via-fax",
+ "expanded": "exfiltrate-data-via-fax"
+ },
+ {
+ "value": "exfiltrate-data-via-network",
+ "expanded": "exfiltrate-data-via-network"
+ },
+ {
+ "value": "exfiltrate-data-via-physical-media",
+ "expanded": "exfiltrate-data-via-physical-media"
+ },
+ {
+ "value": "exfiltrate-data-via-voip-phone",
+ "expanded": "exfiltrate-data-via-voip-phone"
+ },
+ {
+ "value": "feed-misinformation-during-physical-memory-acquisition",
+ "expanded": "feed-misinformation-during-physical-memory-acquisition"
+ },
+ {
+ "value": "file-system-instantiation",
+ "expanded": "file-system-instantiation"
+ },
+ {
+ "value": "fingerprint-host",
+ "expanded": "fingerprint-host"
+ },
+ {
+ "value": "generate-c2-domain-names",
+ "expanded": "generate-c2-domain-names"
+ },
+ {
+ "value": "hide-arbitrary-virtual-memory",
+ "expanded": "hide-arbitrary-virtual-memory"
+ },
+ {
+ "value": "hide-data-in-other-formats",
+ "expanded": "hide-data-in-other-formats"
+ },
+ {
+ "value": "hide-file-system-artifacts",
+ "expanded": "hide-file-system-artifacts"
+ },
+ {
+ "value": "hide-kernel-modules",
+ "expanded": "hide-kernel-modules"
+ },
+ {
+ "value": "hide-network-traffic",
+ "expanded": "hide-network-traffic"
+ },
+ {
+ "value": "hide-open-network-ports",
+ "expanded": "hide-open-network-ports"
+ },
+ {
+ "value": "hide-processes",
+ "expanded": "hide-processes"
+ },
+ {
+ "value": "hide-services",
+ "expanded": "hide-services"
+ },
+ {
+ "value": "hide-threads",
+ "expanded": "hide-threads"
+ },
+ {
+ "value": "hide-userspace-libraries",
+ "expanded": "hide-userspace-libraries"
+ },
+ {
+ "value": "identify-file",
+ "expanded": "identify-file"
+ },
+ {
+ "value": "identify-os",
+ "expanded": "identify-os"
+ },
+ {
+ "value": "identify-target-machines",
+ "expanded": "identify-target-machines"
+ },
+ {
+ "value": "impersonate-user",
+ "expanded": "impersonate-user"
+ },
+ {
+ "value": "install-backdoor",
+ "expanded": "install-backdoor"
+ },
+ {
+ "value": "install-legitimate-software",
+ "expanded": "install-legitimate-software"
+ },
+ {
+ "value": "install-secondary-malware",
+ "expanded": "install-secondary-malware"
+ },
+ {
+ "value": "install-secondary-module",
+ "expanded": "install-secondary-module"
+ },
+ {
+ "value": "intercept-manipulate-network-traffic",
+ "expanded": "intercept-manipulate-network-traffic"
+ },
+ {
+ "value": "inventory-security-products",
+ "expanded": "inventory-security-products"
+ },
+ {
+ "value": "inventory-system-applications",
+ "expanded": "inventory-system-applications"
+ },
+ {
+ "value": "inventory-victims",
+ "expanded": "inventory-victims"
+ },
+ {
+ "value": "limit-application-type-version",
+ "expanded": "limit-application-type-version"
+ },
+ {
+ "value": "log-activity",
+ "expanded": "log-activity"
+ },
+ {
+ "value": "inventory-victims",
+ "expanded": "inventory-victims"
+ },
+ {
+ "value": "manipulate-file-system-data",
+ "expanded": "manipulate-file-system-data"
+ },
+ {
+ "value": "map-local-network",
+ "expanded": "map-local-network"
+ },
+ {
+ "value": "mine-for-cryptocurrency",
+ "expanded": "mine-for-cryptocurrency"
+ },
+ {
+ "value": "modify-file",
+ "expanded": "modify-file"
+ },
+ {
+ "value": "modify-security-software-configuration",
+ "expanded": "modify-security-software-configuration"
+ },
+ {
+ "value": "move-data-to-staging-server",
+ "expanded": "move-data-to-staging-server"
+ },
+ {
+ "value": "obfuscate-artifact-properties",
+ "expanded": "obfuscate-artifact-properties"
+ },
+ {
+ "value": "overload-sandbox",
+ "expanded": "overload-sandbox"
+ },
+ {
+ "value": "package-data",
+ "expanded": "package-data"
+ },
+ {
+ "value": "persist-after-hardware-changes",
+ "expanded": "persist-after-hardware-changes"
+ },
+ {
+ "value": "persist-after-os-changes",
+ "expanded": "persist-after-os-changes"
+ },
+ {
+ "value": "persist-after-system-reboot",
+ "expanded": "persist-after-system-reboot"
+ },
+ {
+ "value": "prevent-api-unhooking",
+ "expanded": "prevent-api-unhooking"
+ },
+ {
+ "value": "prevent-concurrent-execution",
+ "expanded": "prevent-concurrent-execution"
+ },
+ {
+ "value": "prevent-debugging",
+ "expanded": "prevent-debugging"
+ },
+ {
+ "value": "prevent-file-access",
+ "expanded": "prevent-file-access"
+ },
+ {
+ "value": "prevent-file-deletion",
+ "expanded": "prevent-file-deletion"
+ },
+ {
+ "value": "prevent-memory-access",
+ "expanded": "prevent-memory-access"
+ },
+ {
+ "value": "prevent-native-api-hooking",
+ "expanded": "prevent-native-api-hooking"
+ },
+ {
+ "value": "prevent-physical-memory-acquisition",
+ "expanded": "prevent-physical-memory-acquisition"
+ },
+ {
+ "value": "prevent-registry-access",
+ "expanded": "prevent-registry-access"
+ },
+ {
+ "value": "prevent-registry-deletion",
+ "expanded": "prevent-registry-deletion"
+ }
+ {
+ "value": "prevent-security-software-from-executing",
+ "expanded": "prevent-security-software-from-executing"
+ },
+ {
+ "value": "re-instantiate-self",
+ "expanded": "re-instantiate-self"
+ },
+ {
+ "value": "remove-self",
+ "expanded": "remove-self"
+ },
+ {
+ "value": "remove-sms-warning-messages",
+ "expanded": "remove-sms-warning-messages"
+ },
+ {
+ "value": "remove-system-artifacts",
+ "expanded": "remove-system-artifacts"
+ },
+ {
+ "value": "request-email-address-list",
+ "expanded": "request-email-address-list"
+ },
+ {
+ "value": "request-email-template",
+ "expanded": "request-email-template"
+ },
+ {
+ "value": "search-for-remote-machines",
+ "expanded": "search-for-remote-machines"
+ },
+ {
+ "value": "send-beacon",
+ "expanded": "send-beacon"
+ },
+ {
+ "value": "send-email-message",
+ "expanded": "send-email-message"
+ },
+ {
+ "value": "social-engineering-based-remote-infection",
+ "expanded": "social-engineering-based-remote-infection"
+ },
+ {
+ "value": "steal-browser-cache",
+ "expanded": "steal-browser-cache"
+ },
+ {
+ "value": "steal-browser-cookies",
+ "expanded": "steal-browser-cookies"
+ },
+ {
+ "value": "steal-browser-history",
+ "expanded": "steal-browser-history"
+ },
+ {
+ "value": "steal-contact-list-data",
+ "expanded": "steal-contact-list-data"
+ },
+ {
+ "value": "steal-cryptocurrency-data",
+ "expanded": "steal-cryptocurrency-data"
+ },
+ {
+ "value": "steal-database-content",
+ "expanded": "steal-database-content"
+ },
+ {
+ "value": "steal-dialed-phone-numbers",
+ "expanded": "steal-dialed-phone-numbers"
+ },
+ {
+ "value": "steal-digital-certificates",
+ "expanded": "steal-digital-certificates"
+ },
+ {
+ "value": "steal-documents",
+ "expanded": "steal-documents"
+ },
+ {
+ "value": "steal-email-data",
+ "expanded": "steal-email-data"
+ },
+ {
+ "value": "steal-images",
+ "expanded": "steal-images"
+ },
+ {
+ "value": "steal-password-hashes",
+ "expanded": "steal-password-hashes"
+ },
+ {
+ "value": "steal-pki-key",
+ "expanded": "steal-pki-key"
+ },
+ {
+ "value": "steal-referrer-urls",
+ "expanded": "steal-referrer-urls"
+ },
+ {
+ "value": "steal-serial-numbers",
+ "expanded": "steal-serial-numbers"
+ },
+ {
+ "value": "steal-sms-database",
+ "expanded": "steal-sms-database"
+ },
+ {
+ "value": "steal-web-network-credential",
+ "expanded": "steal-web-network-credential"
+ },
+ {
+ "value": "stop-execution-of-security-software",
+ "expanded": "stop-execution-of-security-software"
+ },
+ {
+ "value": "suicide-exit",
+ "expanded": "suicide-exit"
+ },
+ {
+ "value": "test-for-firewall",
+ "expanded": "test-for-firewall"
+ },
+ {
+ "value": "test-for-internet-connectivity",
+ "expanded": "test-for-internet-connectivity"
+ },
+ {
+ "value": "test-for-network-drives",
+ "expanded": "test-for-network-drives"
+ },
+ {
+ "value": "test-for-proxy",
+ "expanded": "test-for-proxy"
+ },
+ {
+ "value": "test-smtp-connection",
+ "expanded": "test-smtp-connection"
+ },
+ {
+ "value": "update-configuration",
+ "expanded": "update-configuration"
+ },
+ {
+ "value": "validate-data",
+ "expanded": "validate-data"
+ },
+ {
+ "value": "write-code-into-file",
+ "expanded": "write-code-into-file"
+ }
+ ],
+ }
+ ]
+}
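Review bot: The new file is not valid JSON, so a strict parser will reject the whole taxonomy rather than load it: the object for `prevent-registry-deletion` closes with `}` and the next `{` follows with no separating comma, and the `entry` array is closed with `],` leaving a trailing comma before the enclosing `}`. The fix is `},` after `"expanded": "prevent-registry-deletion"` and a bare `]` (no comma) after the last entry. Several tag strings also look mistyped and would produce inconsistent machine tags: `"namespace": "MAEC Malware Bahaviors"`, `"expanded": "compromise-remote-machinen"`, `exfiltrate-data-via-covert channel` (a space inside the tag, in both `value` and `expanded`), and `exfiltrate-data-via--dumpster-dive` whose `expanded` form `exfiltrate-data-via-dumpster-dives` does not match it. `inventory-victims` appears twice in `entry`, once after `inventory-system-applications` and again after `log-activity`; the second copy should be dropped so the tag set has no duplicates.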