Skip to content

Latest commit

 

History

History
151 lines (120 loc) · 13.3 KB

README.md

File metadata and controls

151 lines (120 loc) · 13.3 KB

Malware Behavior Catalog v3.1

The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting. Please see the FAQ page for answers to common questions, and read the newsletters for information on the most recent MBC updates and activity.

Open-source malware analysis tools map their output to MBC and ATT&CK:

MBC supports other community efforts:

Check out MBC presentations:

To join the MBC mailing list, please send a request to [email protected].

Objectives

As shown below, malware objectives are based on ATT&CK tactics, and are tailored for the malware analysis use case of characterizing malware based on known objectives and behaviors. Two malware analysis-specific objectives not in ATT&CK are also defined (ANTI-BEHAVIORAL ANALYSIS and ANTI-STATIC ANALYSIS).

Behaviors

Under each objective, MBC captures all behaviors and code characteristics discovered during malware analysis, with links to ATT&CK techniques as appropriate. Names of MBC behaviors may or may not match related ATT&CK techniques. Any content provided on behavior pages is supplemental to ATT&CK content. In other words, ATT&CK content is not duplicated in MBC, and MBC users will reference ATT&CK while capturing malware behaviors.

Methods

Methods are associated with behaviors and serve different roles, depending on the behavior. In some cases, a method further refines a behavior (i.e., sub-behavior); in other cases, a method is an implementation of a behavior. Previously, methods had no ATT&CK counterpart, but beginning in April 2020, ATT&CK defines sub-techniques, which are similar to methods.

Note that a method cannot be used without a behavior.

Micro-objectives / Micro-behaviors

Some malware behaviors are low-level, support many objectives and other behaviors, and aren't necessarily malicious. For example, a TCP socket may be created, or a string may be checked for some condition. Because such behaviors are often noted in malware analysis, they are captured in MBC. See Micro-behaviors for details.

Identifiers

As shown below, the letter of an identifier relays information about a behavior. Note that letters used in MBC v2 and v3 are changed from MBC v1.

Letter Example Description
B B0040 An MBC behavior.
C C0015 An MBC micro-behavior.
T T1234 An ATT&CK technique.
E E1234 An ATT&CK technique that has been enhanced with malware-specific details. The numerical portion of the identifier will match the ATT&CK ID (e.g., E1234 enhances T1234).
F F0004 An ATT&CK sub-technique that has been enhanced with malware-specific details.

Two letters of an identifier relay information about an objective.

Letter Example Description
OB OB0001 An MBC objective.
OC OC0003 An MBC micro-objective.

Identifiers of methods are formatted in the same way as ATT&CK sub-techniques. If MBC defines a new method for an existing ATT&CK technique, the identifier is changed from "T" to "E" and an "m" identifier is added (e.g., a method added to T1234 would be denoted E1234.m01 and is different than T1234.001, although both refer to the T1234 ATT&CK technique). Method identifiers of "B", "C", and "F" behaviors are defined without the "m" (e.g., B0008.009; C0005.002; F0001.005).

When two or more MBC behaviors refine the same ATT&CK technique, each is given an MBC identifier and each references the ATT&CK identifier. When a new ATT&CK technique is defined after an MBC behavior has been defined, the preexisting MBC identifier is preserved and the new ATT&CK identifier is referenced.

In cases where an MBC behavior enhances a technique/sub-technique that is defined in both ATT&CK Mobile and Enterprise, the "E" identifier used in MBC corresponds to the Enterprise identifier. For example, the Obfuscated Files or Information technique has identifier T1027 in Enterprise, identifier T1406 in Mobile, and identifier E1027 in MBC.

Canonical Representation

The canonical representation for MBC content is OBJECTIVE::Behavior::Method. For example, ANTI-BEHAVIORAL ANALYSIS::Debugger Detection::Process Environment Block.

Objectives and behaviors can be used alone, but a method must be associated with a behavior.

STIX 2.1 Representation

A STIX 2.1 representation for MBC v3.1 is available in the mbc-stix2.1 repository. It's based on a refined STIX 2.1 Malware Behavior Extension that includes new STIX domain objects for MBC objectives, behaviors, and methods.

Navigator View

This visual representation of the MBC Matrix is based on the ATT&CK Navigator. Two views are available:

Malware Corpus

The MBC contains a malware corpus where each malware entry is decomposed into behaviors that are mapped to ATT&CK and MBC. The mappings are based on open source malware analysis reports. Note that some malware types are also present in the ATT&CK software page. We refer readers to the corresponding ATT&CK page for a list of identified ATT&CK techniques. However, we will list any newly identified ATT&CK techniques in the MBC malware page.

Malware Objective Descriptions

Malware objectives are defined in the table below. Follow the links to view associated behaviors.

Objective Description
Anti-Behavioral Analysis Malware aims to prevent, obstruct, or evade behavioral analysis, such as analysis done using a sandbox or debugger.
Anti-Static Analysis Malware aims to prevent static analysis or make it more difficult.
Collection Malware aims to identify and gather information from a machine or network.
Command and Control Malware aims to communicate with compromised systems to control them.
Credential Access Malware aims to steal account names and passwords.
Defense Evasion Malware aims to evade detection.
Discovery Malware aims to gain knowledge about the environment.
Execution Malware aims to execute code on a system.
Exfiltration Malware aims to steal data.
Impact Malware aims to manipulate, interrupt, or destroy systems or data.
Lateral Movement Malware aims to propagate or otherwise move through an environment. Lateral movement may be active, happening via direct machine access, or may be passive (for example, done via malicious email).
Persistence Malware aims to remain on a system.
Privilege Escalation Malware aims to obtain higher level permissions.

MBC Behaviors

The table below lists MBC behaviors and related ATT&CK techniques. In most cases, related ATT&CK techniques were defined after the MBC behavior was defined. Please see the MBC Summary for a listing of all MBC content.

ID Objective(s) Behavior Related ATT&CK Technique
B0001 ANTI-BEHAVIORAL ANALYSIS Debugger Detection none
B0002 ANTI-BEHAVIORAL ANALYSIS Debugger Evasion Debugger Evasion (T1622)
B0003 ANTI-BEHAVIORAL ANALYSIS Dynamic Analysis Evasion Virtualization/Sandbox Evasion (T1497,T1633)
B0004 ANTI-BEHAVIORAL Emulator Detection none
B0005 ANTI-BEHAVIORAL Emulator Evasion none
B0006 ANTI-BEHAVIORAL Memory Dump Evasion none
B0007 ANTI-BEHAVIORAL Sandbox Detection Virtualization/Sandbox Evasion: System Checks (T1497.001,T1633.001); Virtualization/Sandbox Evasion: User Activity Based Checks (T1497.002)
B0008 ANTI-BEHAVIORAL ANALYSIS, ANTI-STATIC ANALYSIS Executable Code Virtualization none
B0009 ANTI-BEHAVIORAL ANALYSIS Virtual Machine Detection Virtualization/Sandbox Evasion (T1497,T1633)
B0010 ANTI-STATIC ANALYSIS Call Graph Generation Evasion none
B0011 EXECUTION Remote Commands none
B0012 ANTI-STATIC ANALYSIS Disassembler Evasion none
B0013 DISCOVERY Analysis Tool Discovery none
B0014 DISCOVERY SMTP Connection Discovery none
B0015 not defined --- ---
B0016 IMPACT Compromise Data Integrity Data Manipulation: Stored Data Manipulation (T1565.001)
B0017 IMPACT Destroy Hardware none
B0018 IMPACT Resource Hijacking Resource Hijacking (T1496)
B0019 IMPACT Manipulate Network Traffic Data Manipulation: Transmitted Data Manipulation (T1565.002)
B0020 EXECUTION, LATERAL MOVEMENT Send Email Phishing (T1566)
B0021 EXECUTION, LATERAL MOVEMENT Send Poisoned Email none
B0022 IMPACT, PERSISTENCE Remote Access none
B0023 EXECUTION Install Additional Program none
B0024 EXECUTION Prevent Concurrent Execution none
B0025 ANTI-BEHAVIORAL ANALYSIS//EXECUTION Conditional Execution Execution Guardrails (T1480)
B0026 LATERAL MOVEMENT, PERSISTENCE Malicious Network Driver none
B0027 DEFENSE EVASION Alternative Installation Location none
B0028 CREDENTIAL ACCESS Cryptocurrency none
B0029 DEFENSE EVASION Polymorphic Code none
B0030 COMMAND AND CONTROL Command and Control Communication none
B0031 COMMAND AND CONTROL Domain Name Generation Dynamic Resolution: Domain Name Generation (T1568.002)
B0032 ANTI-STATIC ANALYSIS Executable Code Obfuscation none
B0033 IMPACT Denial of Service Network Denial of Service (T1498)
B0034 ANTI-STATIC ANALYSIS Executable Code Optimization none
B0035 PERSISTENCE Shutdown Event none
B0036 ANTI-BEHAVIORAL ANALYSIS Capture Evasion none
B0037 DEFENSE EVASION Bypass Data Execution Prevention none
B0038 DISCOVERY Self Discovery none
B0039 IMPACT Spamming none
B0040 DEFENSE EVASION Covert Location none
B0041 not defined --- ---
B0042 IMPACT Modify Hardware none
B0043 DISCOVERY Taskbar Discovery none
B0044 EXECUTION Execution Dependency none
B0045 ANTI-STATIC ANALYSIS Data Flow Analysis Evasion none
B0046 DISCOVERY Code Discovery none
B0047 DEFENSE EVASION, PERSISTENCE Install Insecure or Malicious Code none

Citing MBC

If you use MBC, please cite it as specified in the CITATION file or by using GitHub's sidebar citation widget, which provides both APA and BibTeX formats.

Copyright © 2021-2023, The MITRE Corporation. Terms of Use.