{ "namespace": "maec-malware-behavior", "description": "Malware behaviours based on MAEC 5.0", "version": 1, "predicates": [ { "value": "maec-malware-behavior", "expanded": "MAEC Malware behavior" } ], "values": [ { "predicate": "maec-malware-behavior", "entry": [ { "value": "access-premium-service", "expanded": "access-premium-service" }, { "value": "autonomous-remote-infection", "expanded": "autonomous-remote-infection" }, { "value": "block-security-websites", "expanded": "block-security-websites" }, { "value": "capture-camera-input", "expanded": "capture-camera-input" }, { "value": "capture-file-system-data", "expanded": "capture-file-system-data" }, { "value": "capture-gps-data", "expanded": "capture-gps-data" }, { "value": "capture-keyboard-input", "expanded": "capture-keyboard-input" }, { "value": "capture-microphone-input", "expanded": "capture-microphone-input" }, { "value": "capture-mouse-input", "expanded": "capture-mouse-input" }, { "value": "capture-printer-output", "expanded": "capture-printer-output" }, { "value": "capture-system-memory", "expanded": "capture-system-memory" }, { "value": "capture-system-network-traffic", "expanded": "capture-system-network-traffic" }, { "value": "capture-system-screenshot", "expanded": "capture-system-screenshot" }, { "value": "capture-touchscreen-input", "expanded": "capture-touchscreen-input" }, { "value": "check-for-payload", "expanded": "check-for-payload" }, { "value": "click-fraud", "expanded": "click-fraud" }, { "value": "compare-host-fingerprints", "expanded": "compare-host-fingerprints" }, { "value": "compromise-remote-machine", "expanded": "compromise-remote-machine" }, { "value": "control-local-machine-via-remote-command", "expanded": "control-local-machine-via-remote-command" }, { "value": "control-malware-via-remote-command", "expanded": "control-malware-via-remote-command" }, { "value": "crack-passwords", "expanded": "crack-passwords" }, { "value": "defeat-call-graph-generation", "expanded": 
"defeat-call-graph-generation" }, { "value": "defeat-emulator", "expanded": "defeat-emulator" }, { "value": "defeat-flow-oriented-disassembler", "expanded": "defeat-flow-oriented-disassembler" }, { "value": "defeat-linear-disassembler", "expanded": "defeat-linear-disassembler" }, { "value": "degrade-security-program", "expanded": "degrade-security-program" }, { "value": "denial-of-service", "expanded": "denial-of-service" }, { "value": "destroy-hardware", "expanded": "destroy-hardware" }, { "value": "detect-debugging", "expanded": "detect-debugging" }, { "value": "detect-emulator", "expanded": "detect-emulator" }, { "value": "detect-installed-analysis-tools", "expanded": "detect-installed-analysis-tools" }, { "value": "detect-installed-av-tools", "expanded": "detect-installed-av-tools" }, { "value": "detect-sandbox-environment", "expanded": "detect-sandbox-environment" }, { "value": "detect-vm-environment", "expanded": "detect-vm-environment" }, { "value": "determine-host-ip-address", "expanded": "determine-host-ip-address" }, { "value": "disable-access-rights-checking", "expanded": "disable-access-rights-checking" }, { "value": "disable-firewall", "expanded": "disable-firewall" }, { "value": "disable-kernel-patch-protection", "expanded": "disable-kernel-patch-protection" }, { "value": "disable-os-security-alerts", "expanded": "disable-os-security-alerts" }, { "value": "disable-privilege-limiting", "expanded": "disable-privilege-limiting" }, { "value": "disable-service-pack-patch-installation", "expanded": "disable-service-pack-patch-installation" }, { "value": "disable-system-file-overwrite-protection", "expanded": "disable-system-file-overwrite-protection" }, { "value": "disable-update-services-daemons", "expanded": "disable-update-services-daemons" }, { "value": "disable-user-account-control", "expanded": "disable-user-account-control" }, { "value": "drop-retrieve-debug-log-file", "expanded": "drop-retrieve-debug-log-file" }, { "value": "elevate-privilege", 
"expanded": "elevate-privilege" }, { "value": "encrypt-data", "expanded": "encrypt-data" }, { "value": "encrypt-files", "expanded": "encrypt-files" }, { "value": "encrypt-self", "expanded": "encrypt-self" }, { "value": "erase-data", "expanded": "erase-data" }, { "value": "evade-static-heuristic", "expanded": "evade-static-heuristic" }, { "value": "execute-before-external-to-kernel-hypervisor", "expanded": "execute-before-external-to-kernel-hypervisor" }, { "value": "execute-non-main-cpu-code", "expanded": "execute-non-main-cpu-code" }, { "value": "execute-stealthy-code", "expanded": "execute-stealthy-code" }, { "value": "exfiltrate-data-via-covert channel", "expanded": "exfiltrate-data-via-covert channel" }, { "value": "exfiltrate-data-via--dumpster-dive", "expanded": "exfiltrate-data-via-dumpster-dive" }, { "value": "exfiltrate-data-via-fax", "expanded": "exfiltrate-data-via-fax" }, { "value": "exfiltrate-data-via-network", "expanded": "exfiltrate-data-via-network" }, { "value": "exfiltrate-data-via-physical-media", "expanded": "exfiltrate-data-via-physical-media" }, { "value": "exfiltrate-data-via-voip-phone", "expanded": "exfiltrate-data-via-voip-phone" }, { "value": "feed-misinformation-during-physical-memory-acquisition", "expanded": "feed-misinformation-during-physical-memory-acquisition" }, { "value": "file-system-instantiation", "expanded": "file-system-instantiation" }, { "value": "fingerprint-host", "expanded": "fingerprint-host" }, { "value": "generate-c2-domain-names", "expanded": "generate-c2-domain-names" }, { "value": "hide-arbitrary-virtual-memory", "expanded": "hide-arbitrary-virtual-memory" }, { "value": "hide-data-in-other-formats", "expanded": "hide-data-in-other-formats" }, { "value": "hide-file-system-artifacts", "expanded": "hide-file-system-artifacts" }, { "value": "hide-kernel-modules", "expanded": "hide-kernel-modules" }, { "value": "hide-network-traffic", "expanded": "hide-network-traffic" }, { "value": "hide-open-network-ports", 
"expanded": "hide-open-network-ports" }, { "value": "hide-processes", "expanded": "hide-processes" }, { "value": "hide-services", "expanded": "hide-services" }, { "value": "hide-threads", "expanded": "hide-threads" }, { "value": "hide-userspace-libraries", "expanded": "hide-userspace-libraries" }, { "value": "identify-file", "expanded": "identify-file" }, { "value": "identify-os", "expanded": "identify-os" }, { "value": "identify-target-machines", "expanded": "identify-target-machines" }, { "value": "impersonate-user", "expanded": "impersonate-user" }, { "value": "install-backdoor", "expanded": "install-backdoor" }, { "value": "install-legitimate-software", "expanded": "install-legitimate-software" }, { "value": "install-secondary-malware", "expanded": "install-secondary-malware" }, { "value": "install-secondary-module", "expanded": "install-secondary-module" }, { "value": "intercept-manipulate-network-traffic", "expanded": "intercept-manipulate-network-traffic" }, { "value": "inventory-security-products", "expanded": "inventory-security-products" }, { "value": "inventory-system-applications", "expanded": "inventory-system-applications" }, { "value": "inventory-victims", "expanded": "inventory-victims" }, { "value": "limit-application-type-version", "expanded": "limit-application-type-version" }, { "value": "log-activity", "expanded": "log-activity" }, { "value": "manipulate-file-system-data", "expanded": "manipulate-file-system-data" }, { "value": "map-local-network", "expanded": "map-local-network" }, { "value": "mine-for-cryptocurrency", "expanded": "mine-for-cryptocurrency" }, { "value": "modify-file", "expanded": "modify-file" }, { "value": "modify-security-software-configuration", "expanded": "modify-security-software-configuration" }, { "value": "move-data-to-staging-server", "expanded": "move-data-to-staging-server" }, { "value": "obfuscate-artifact-properties", "expanded": "obfuscate-artifact-properties" }, { "value": "overload-sandbox", "expanded": 
"overload-sandbox" }, { "value": "package-data", "expanded": "package-data" }, { "value": "persist-after-hardware-changes", "expanded": "persist-after-hardware-changes" }, { "value": "persist-after-os-changes", "expanded": "persist-after-os-changes" }, { "value": "persist-after-system-reboot", "expanded": "persist-after-system-reboot" }, { "value": "prevent-api-unhooking", "expanded": "prevent-api-unhooking" }, { "value": "prevent-concurrent-execution", "expanded": "prevent-concurrent-execution" }, { "value": "prevent-debugging", "expanded": "prevent-debugging" }, { "value": "prevent-file-access", "expanded": "prevent-file-access" }, { "value": "prevent-file-deletion", "expanded": "prevent-file-deletion" }, { "value": "prevent-memory-access", "expanded": "prevent-memory-access" }, { "value": "prevent-native-api-hooking", "expanded": "prevent-native-api-hooking" }, { "value": "prevent-physical-memory-acquisition", "expanded": "prevent-physical-memory-acquisition" }, { "value": "prevent-registry-access", "expanded": "prevent-registry-access" }, { "value": "prevent-registry-deletion", "expanded": "prevent-registry-deletion" }, { "value": "prevent-security-software-from-executing", "expanded": "prevent-security-software-from-executing" }, { "value": "re-instantiate-self", "expanded": "re-instantiate-self" }, { "value": "remove-self", "expanded": "remove-self" }, { "value": "remove-sms-warning-messages", "expanded": "remove-sms-warning-messages" }, { "value": "remove-system-artifacts", "expanded": "remove-system-artifacts" }, { "value": "request-email-address-list", "expanded": "request-email-address-list" }, { "value": "request-email-template", "expanded": "request-email-template" }, { "value": "search-for-remote-machines", "expanded": "search-for-remote-machines" }, { "value": "send-beacon", "expanded": "send-beacon" }, { "value": "send-email-message", "expanded": "send-email-message" }, { "value": "social-engineering-based-remote-infection", "expanded": 
"social-engineering-based-remote-infection" }, { "value": "steal-browser-cache", "expanded": "steal-browser-cache" }, { "value": "steal-browser-cookies", "expanded": "steal-browser-cookies" }, { "value": "steal-browser-history", "expanded": "steal-browser-history" }, { "value": "steal-contact-list-data", "expanded": "steal-contact-list-data" }, { "value": "steal-cryptocurrency-data", "expanded": "steal-cryptocurrency-data" }, { "value": "steal-database-content", "expanded": "steal-database-content" }, { "value": "steal-dialed-phone-numbers", "expanded": "steal-dialed-phone-numbers" }, { "value": "steal-digital-certificates", "expanded": "steal-digital-certificates" }, { "value": "steal-documents", "expanded": "steal-documents" }, { "value": "steal-email-data", "expanded": "steal-email-data" }, { "value": "steal-images", "expanded": "steal-images" }, { "value": "steal-password-hashes", "expanded": "steal-password-hashes" }, { "value": "steal-pki-key", "expanded": "steal-pki-key" }, { "value": "steal-referrer-urls", "expanded": "steal-referrer-urls" }, { "value": "steal-serial-numbers", "expanded": "steal-serial-numbers" }, { "value": "steal-sms-database", "expanded": "steal-sms-database" }, { "value": "steal-web-network-credential", "expanded": "steal-web-network-credential" }, { "value": "stop-execution-of-security-software", "expanded": "stop-execution-of-security-software" }, { "value": "suicide-exit", "expanded": "suicide-exit" }, { "value": "test-for-firewall", "expanded": "test-for-firewall" }, { "value": "test-for-internet-connectivity", "expanded": "test-for-internet-connectivity" }, { "value": "test-for-network-drives", "expanded": "test-for-network-drives" }, { "value": "test-for-proxy", "expanded": "test-for-proxy" }, { "value": "test-smtp-connection", "expanded": "test-smtp-connection" }, { "value": "update-configuration", "expanded": "update-configuration" }, { "value": "validate-data", "expanded": "validate-data" }, { "value": "write-code-into-file", 
"expanded": "write-code-into-file" } ] } ] }