{
|
|
"namespace": "maec-malware-behavior",
|
|
"description": "Malware behaviours based on MAEC 5.0",
|
|
"version": 1,
|
|
"predicates": [
|
|
{
|
|
"value": "maec-malware-behavior",
|
|
"expanded": "MAEC Malware behavior"
|
|
}
|
|
],
|
|
"values": [
|
|
{
|
|
"predicate": "maec-malware-behavior",
|
|
"entry": [
|
|
{
|
|
"value": "access-premium-service",
|
|
"expanded": "access-premium-service"
|
|
},
|
|
{
|
|
"value": "autonomous-remote-infection",
|
|
"expanded": "autonomous-remote-infection"
|
|
},
|
|
{
|
|
"value": "block-security-websites",
|
|
"expanded": "block-security-websites"
|
|
},
|
|
{
|
|
"value": "capture-camera-input",
|
|
"expanded": "capture-camera-input"
|
|
},
|
|
{
|
|
"value": "capture-file-system-data",
|
|
"expanded": "capture-file-system-data"
|
|
},
|
|
{
|
|
"value": "capture-gps-data",
|
|
"expanded": "capture-gps-data"
|
|
},
|
|
{
|
|
"value": "capture-keyboard-input",
|
|
"expanded": "capture-keyboard-input"
|
|
},
|
|
{
|
|
"value": "capture-microphone-input",
|
|
"expanded": "capture-microphone-input"
|
|
},
|
|
{
|
|
"value": "capture-mouse-input",
|
|
"expanded": "capture-mouse-input"
|
|
},
|
|
{
|
|
"value": "capture-printer-output",
|
|
"expanded": "capture-printer-output"
|
|
},
|
|
{
|
|
"value": "capture-system-memory",
|
|
"expanded": "capture-system-memory"
|
|
},
|
|
{
|
|
"value": "capture-system-network-traffic",
|
|
"expanded": "capture-system-network-traffic"
|
|
},
|
|
{
|
|
"value": "capture-system-screenshot",
|
|
"expanded": "capture-system-screenshot"
|
|
},
|
|
{
|
|
"value": "capture-touchscreen-input",
|
|
"expanded": "capture-touchscreen-input"
|
|
},
|
|
{
|
|
"value": "check-for-payload",
|
|
"expanded": "check-for-payload"
|
|
},
|
|
{
|
|
"value": "click-fraud",
|
|
"expanded": "click-fraud"
|
|
},
|
|
{
|
|
"value": "compare-host-fingerprints",
|
|
"expanded": "compare-host-fingerprints"
|
|
},
|
|
{
|
|
"value": "compromise-remote-machine",
|
|
"expanded": "compromise-remote-machine"
|
|
},
|
|
{
|
|
"value": "control-local-machine-via-remote-command",
|
|
"expanded": "control-local-machine-via-remote-command"
|
|
},
|
|
{
|
|
"value": "control-malware-via-remote-command",
|
|
"expanded": "control-malware-via-remote-command"
|
|
},
|
|
{
|
|
"value": "crack-passwords",
|
|
"expanded": "crack-passwords"
|
|
},
|
|
{
|
|
"value": "defeat-call-graph-generation",
|
|
"expanded": "defeat-call-graph-generation"
|
|
},
|
|
{
|
|
"value": "defeat-emulator",
|
|
"expanded": "defeat-emulator"
|
|
},
|
|
{
|
|
"value": "defeat-flow-oriented-disassembler",
|
|
"expanded": "defeat-flow-oriented-disassembler"
|
|
},
|
|
{
|
|
"value": "defeat-linear-disassembler",
|
|
"expanded": "defeat-linear-disassembler"
|
|
},
|
|
{
|
|
"value": "degrade-security-program",
|
|
"expanded": "degrade-security-program"
|
|
},
|
|
{
|
|
"value": "denial-of-service",
|
|
"expanded": "denial-of-service"
|
|
},
|
|
{
|
|
"value": "destroy-hardware",
|
|
"expanded": "destroy-hardware"
|
|
},
|
|
{
|
|
"value": "detect-debugging",
|
|
"expanded": "detect-debugging"
|
|
},
|
|
{
|
|
"value": "detect-emulator",
|
|
"expanded": "detect-emulator"
|
|
},
|
|
{
|
|
"value": "detect-installed-analysis-tools",
|
|
"expanded": "detect-installed-analysis-tools"
|
|
},
|
|
{
|
|
"value": "detect-installed-av-tools",
|
|
"expanded": "detect-installed-av-tools"
|
|
},
|
|
{
|
|
"value": "detect-sandbox-environment",
|
|
"expanded": "detect-sandbox-environment"
|
|
},
|
|
{
|
|
"value": "detect-vm-environment",
|
|
"expanded": "detect-vm-environment"
|
|
},
|
|
{
|
|
"value": "determine-host-ip-address",
|
|
"expanded": "determine-host-ip-address"
|
|
},
|
|
{
|
|
"value": "disable-access-rights-checking",
|
|
"expanded": "disable-access-rights-checking"
|
|
},
|
|
{
|
|
"value": "disable-firewall",
|
|
"expanded": "disable-firewall"
|
|
},
|
|
{
|
|
"value": "disable-kernel-patch-protection",
|
|
"expanded": "disable-kernel-patch-protection"
|
|
},
|
|
{
|
|
"value": "disable-os-security-alerts",
|
|
"expanded": "disable-os-security-alerts"
|
|
},
|
|
{
|
|
"value": "disable-privilege-limiting",
|
|
"expanded": "disable-privilege-limiting"
|
|
},
|
|
{
|
|
"value": "disable-service-pack-patch-installation",
|
|
"expanded": "disable-service-pack-patch-installation"
|
|
},
|
|
{
|
|
"value": "disable-system-file-overwrite-protection",
|
|
"expanded": "disable-system-file-overwrite-protection"
|
|
},
|
|
{
|
|
"value": "disable-update-services-daemons",
|
|
"expanded": "disable-update-services-daemons"
|
|
},
|
|
{
|
|
"value": "disable-user-account-control",
|
|
"expanded": "disable-user-account-control"
|
|
},
|
|
{
|
|
"value": "drop-retrieve-debug-log-file",
|
|
"expanded": "drop-retrieve-debug-log-file"
|
|
},
|
|
{
|
|
"value": "elevate-privilege",
|
|
"expanded": "elevate-privilege"
|
|
},
|
|
{
|
|
"value": "encrypt-data",
|
|
"expanded": "encrypt-data"
|
|
},
|
|
{
|
|
"value": "encrypt-files",
|
|
"expanded": "encrypt-files"
|
|
},
|
|
{
|
|
"value": "encrypt-self",
|
|
"expanded": "encrypt-self"
|
|
},
|
|
{
|
|
"value": "erase-data",
|
|
"expanded": "erase-data"
|
|
},
|
|
{
|
|
"value": "evade-static-heuristic",
|
|
"expanded": "evade-static-heuristic"
|
|
},
|
|
{
|
|
"value": "execute-before-external-to-kernel-hypervisor",
|
|
"expanded": "execute-before-external-to-kernel-hypervisor"
|
|
},
|
|
{
|
|
"value": "execute-non-main-cpu-code",
|
|
"expanded": "execute-non-main-cpu-code"
|
|
},
|
|
{
|
|
"value": "execute-stealthy-code",
|
|
"expanded": "execute-stealthy-code"
|
|
},
|
|
{
|
|
"value": "exfiltrate-data-via-covert channel",
|
|
"expanded": "exfiltrate-data-via-covert channel"
|
|
},
|
|
{
|
|
"value": "exfiltrate-data-via--dumpster-dive",
|
|
"expanded": "exfiltrate-data-via-dumpster-dives"
|
|
},
|
|
{
|
|
"value": "exfiltrate-data-via-fax",
|
|
"expanded": "exfiltrate-data-via-fax"
|
|
},
|
|
{
|
|
"value": "exfiltrate-data-via-network",
|
|
"expanded": "exfiltrate-data-via-network"
|
|
},
|
|
{
|
|
"value": "exfiltrate-data-via-physical-media",
|
|
"expanded": "exfiltrate-data-via-physical-media"
|
|
},
|
|
{
|
|
"value": "exfiltrate-data-via-voip-phone",
|
|
"expanded": "exfiltrate-data-via-voip-phone"
|
|
},
|
|
{
|
|
"value": "feed-misinformation-during-physical-memory-acquisition",
|
|
"expanded": "feed-misinformation-during-physical-memory-acquisition"
|
|
},
|
|
{
|
|
"value": "file-system-instantiation",
|
|
"expanded": "file-system-instantiation"
|
|
},
|
|
{
|
|
"value": "fingerprint-host",
|
|
"expanded": "fingerprint-host"
|
|
},
|
|
{
|
|
"value": "generate-c2-domain-names",
|
|
"expanded": "generate-c2-domain-names"
|
|
},
|
|
{
|
|
"value": "hide-arbitrary-virtual-memory",
|
|
"expanded": "hide-arbitrary-virtual-memory"
|
|
},
|
|
{
|
|
"value": "hide-data-in-other-formats",
|
|
"expanded": "hide-data-in-other-formats"
|
|
},
|
|
{
|
|
"value": "hide-file-system-artifacts",
|
|
"expanded": "hide-file-system-artifacts"
|
|
},
|
|
{
|
|
"value": "hide-kernel-modules",
|
|
"expanded": "hide-kernel-modules"
|
|
},
|
|
{
|
|
"value": "hide-network-traffic",
|
|
"expanded": "hide-network-traffic"
|
|
},
|
|
{
|
|
"value": "hide-open-network-ports",
|
|
"expanded": "hide-open-network-ports"
|
|
},
|
|
{
|
|
"value": "hide-processes",
|
|
"expanded": "hide-processes"
|
|
},
|
|
{
|
|
"value": "hide-services",
|
|
"expanded": "hide-services"
|
|
},
|
|
{
|
|
"value": "hide-threads",
|
|
"expanded": "hide-threads"
|
|
},
|
|
{
|
|
"value": "hide-userspace-libraries",
|
|
"expanded": "hide-userspace-libraries"
|
|
},
|
|
{
|
|
"value": "identify-file",
|
|
"expanded": "identify-file"
|
|
},
|
|
{
|
|
"value": "identify-os",
|
|
"expanded": "identify-os"
|
|
},
|
|
{
|
|
"value": "identify-target-machines",
|
|
"expanded": "identify-target-machines"
|
|
},
|
|
{
|
|
"value": "impersonate-user",
|
|
"expanded": "impersonate-user"
|
|
},
|
|
{
|
|
"value": "install-backdoor",
|
|
"expanded": "install-backdoor"
|
|
},
|
|
{
|
|
"value": "install-legitimate-software",
|
|
"expanded": "install-legitimate-software"
|
|
},
|
|
{
|
|
"value": "install-secondary-malware",
|
|
"expanded": "install-secondary-malware"
|
|
},
|
|
{
|
|
"value": "install-secondary-module",
|
|
"expanded": "install-secondary-module"
|
|
},
|
|
{
|
|
"value": "intercept-manipulate-network-traffic",
|
|
"expanded": "intercept-manipulate-network-traffic"
|
|
},
|
|
{
|
|
"value": "inventory-security-products",
|
|
"expanded": "inventory-security-products"
|
|
},
|
|
{
|
|
"value": "inventory-system-applications",
|
|
"expanded": "inventory-system-applications"
|
|
},
|
|
{
|
|
"value": "inventory-victims",
|
|
"expanded": "inventory-victims"
|
|
},
|
|
{
|
|
"value": "limit-application-type-version",
|
|
"expanded": "limit-application-type-version"
|
|
},
|
|
{
|
|
"value": "log-activity",
|
|
"expanded": "log-activity"
|
|
},
|
|
{
|
|
"value": "manipulate-file-system-data",
|
|
"expanded": "manipulate-file-system-data"
|
|
},
|
|
{
|
|
"value": "map-local-network",
|
|
"expanded": "map-local-network"
|
|
},
|
|
{
|
|
"value": "mine-for-cryptocurrency",
|
|
"expanded": "mine-for-cryptocurrency"
|
|
},
|
|
{
|
|
"value": "modify-file",
|
|
"expanded": "modify-file"
|
|
},
|
|
{
|
|
"value": "modify-security-software-configuration",
|
|
"expanded": "modify-security-software-configuration"
|
|
},
|
|
{
|
|
"value": "move-data-to-staging-server",
|
|
"expanded": "move-data-to-staging-server"
|
|
},
|
|
{
|
|
"value": "obfuscate-artifact-properties",
|
|
"expanded": "obfuscate-artifact-properties"
|
|
},
|
|
{
|
|
"value": "overload-sandbox",
|
|
"expanded": "overload-sandbox"
|
|
},
|
|
{
|
|
"value": "package-data",
|
|
"expanded": "package-data"
|
|
},
|
|
{
|
|
"value": "persist-after-hardware-changes",
|
|
"expanded": "persist-after-hardware-changes"
|
|
},
|
|
{
|
|
"value": "persist-after-os-changes",
|
|
"expanded": "persist-after-os-changes"
|
|
},
|
|
{
|
|
"value": "persist-after-system-reboot",
|
|
"expanded": "persist-after-system-reboot"
|
|
},
|
|
{
|
|
"value": "prevent-api-unhooking",
|
|
"expanded": "prevent-api-unhooking"
|
|
},
|
|
{
|
|
"value": "prevent-concurrent-execution",
|
|
"expanded": "prevent-concurrent-execution"
|
|
},
|
|
{
|
|
"value": "prevent-debugging",
|
|
"expanded": "prevent-debugging"
|
|
},
|
|
{
|
|
"value": "prevent-file-access",
|
|
"expanded": "prevent-file-access"
|
|
},
|
|
{
|
|
"value": "prevent-file-deletion",
|
|
"expanded": "prevent-file-deletion"
|
|
},
|
|
{
|
|
"value": "prevent-memory-access",
|
|
"expanded": "prevent-memory-access"
|
|
},
|
|
{
|
|
"value": "prevent-native-api-hooking",
|
|
"expanded": "prevent-native-api-hooking"
|
|
},
|
|
{
|
|
"value": "prevent-physical-memory-acquisition",
|
|
"expanded": "prevent-physical-memory-acquisition"
|
|
},
|
|
{
|
|
"value": "prevent-registry-access",
|
|
"expanded": "prevent-registry-access"
|
|
},
|
|
{
|
|
"value": "prevent-registry-deletion",
|
|
"expanded": "prevent-registry-deletion"
|
|
},
|
|
{
|
|
"value": "prevent-security-software-from-executing",
|
|
"expanded": "prevent-security-software-from-executing"
|
|
},
|
|
{
|
|
"value": "re-instantiate-self",
|
|
"expanded": "re-instantiate-self"
|
|
},
|
|
{
|
|
"value": "remove-self",
|
|
"expanded": "remove-self"
|
|
},
|
|
{
|
|
"value": "remove-sms-warning-messages",
|
|
"expanded": "remove-sms-warning-messages"
|
|
},
|
|
{
|
|
"value": "remove-system-artifacts",
|
|
"expanded": "remove-system-artifacts"
|
|
},
|
|
{
|
|
"value": "request-email-address-list",
|
|
"expanded": "request-email-address-list"
|
|
},
|
|
{
|
|
"value": "request-email-template",
|
|
"expanded": "request-email-template"
|
|
},
|
|
{
|
|
"value": "search-for-remote-machines",
|
|
"expanded": "search-for-remote-machines"
|
|
},
|
|
{
|
|
"value": "send-beacon",
|
|
"expanded": "send-beacon"
|
|
},
|
|
{
|
|
"value": "send-email-message",
|
|
"expanded": "send-email-message"
|
|
},
|
|
{
|
|
"value": "social-engineering-based-remote-infection",
|
|
"expanded": "social-engineering-based-remote-infection"
|
|
},
|
|
{
|
|
"value": "steal-browser-cache",
|
|
"expanded": "steal-browser-cache"
|
|
},
|
|
{
|
|
"value": "steal-browser-cookies",
|
|
"expanded": "steal-browser-cookies"
|
|
},
|
|
{
|
|
"value": "steal-browser-history",
|
|
"expanded": "steal-browser-history"
|
|
},
|
|
{
|
|
"value": "steal-contact-list-data",
|
|
"expanded": "steal-contact-list-data"
|
|
},
|
|
{
|
|
"value": "steal-cryptocurrency-data",
|
|
"expanded": "steal-cryptocurrency-data"
|
|
},
|
|
{
|
|
"value": "steal-database-content",
|
|
"expanded": "steal-database-content"
|
|
},
|
|
{
|
|
"value": "steal-dialed-phone-numbers",
|
|
"expanded": "steal-dialed-phone-numbers"
|
|
},
|
|
{
|
|
"value": "steal-digital-certificates",
|
|
"expanded": "steal-digital-certificates"
|
|
},
|
|
{
|
|
"value": "steal-documents",
|
|
"expanded": "steal-documents"
|
|
},
|
|
{
|
|
"value": "steal-email-data",
|
|
"expanded": "steal-email-data"
|
|
},
|
|
{
|
|
"value": "steal-images",
|
|
"expanded": "steal-images"
|
|
},
|
|
{
|
|
"value": "steal-password-hashes",
|
|
"expanded": "steal-password-hashes"
|
|
},
|
|
{
|
|
"value": "steal-pki-key",
|
|
"expanded": "steal-pki-key"
|
|
},
|
|
{
|
|
"value": "steal-referrer-urls",
|
|
"expanded": "steal-referrer-urls"
|
|
},
|
|
{
|
|
"value": "steal-serial-numbers",
|
|
"expanded": "steal-serial-numbers"
|
|
},
|
|
{
|
|
"value": "steal-sms-database",
|
|
"expanded": "steal-sms-database"
|
|
},
|
|
{
|
|
"value": "steal-web-network-credential",
|
|
"expanded": "steal-web-network-credential"
|
|
},
|
|
{
|
|
"value": "stop-execution-of-security-software",
|
|
"expanded": "stop-execution-of-security-software"
|
|
},
|
|
{
|
|
"value": "suicide-exit",
|
|
"expanded": "suicide-exit"
|
|
},
|
|
{
|
|
"value": "test-for-firewall",
|
|
"expanded": "test-for-firewall"
|
|
},
|
|
{
|
|
"value": "test-for-internet-connectivity",
|
|
"expanded": "test-for-internet-connectivity"
|
|
},
|
|
{
|
|
"value": "test-for-network-drives",
|
|
"expanded": "test-for-network-drives"
|
|
},
|
|
{
|
|
"value": "test-for-proxy",
|
|
"expanded": "test-for-proxy"
|
|
},
|
|
{
|
|
"value": "test-smtp-connection",
|
|
"expanded": "test-smtp-connection"
|
|
},
|
|
{
|
|
"value": "update-configuration",
|
|
"expanded": "update-configuration"
|
|
},
|
|
{
|
|
"value": "validate-data",
|
|
"expanded": "validate-data"
|
|
},
|
|
{
|
|
"value": "write-code-into-file",
|
|
"expanded": "write-code-into-file"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|