Attributes

From ema

Attributes correspond to features that can be associated with Capabilities, Subcapabilities, Behaviors, and Obfuscation Methods. Each Attribute can define enumerable values for the Attribute.

Attribute categories: Anti-Behavioral Analysis, Availability Violation, Command and Control, Common, Data Exfiltration, Data Theft, Destruction, Infection Propagation, Machine Access Control, Persistence, Privilege Escalation, Secondary Operation, Security Degradation

| Attribute Category | Name | Description | Attribute Type | Enumerable Values |
|---|---|---|---|---|
| Anti-Behavioral Analysis | targeted sandbox | The 'targeted sandbox' value refers to the name of a sandbox targeted by the Anti-Behavioral Analysis Capability. | Free-form String | |
| Anti-Behavioral Analysis | targeted VM | The 'targeted VM' value refers to the name of a virtual machine (VM) targeted by the Anti-Behavioral Analysis Capability. | Free-form String | |
| Availability Violation | cryptocurrency type | The 'cryptocurrency type' value refers to the type of cryptocurrency targeted. | Free-form String | |
| Command and Control | frequency | The 'frequency' value refers to a description of the frequency with which a C2 Server sends and receives data. It is recommended that the description follow the format of "every x (units)", e.g., "every 5 minutes." | Free-form String | |
| Command and Control | port number | The 'port number' value refers to the port number used by the malware instance in its command and control communications. | Free-form String | |
| Common | applicable platform | The 'applicable platform' value refers to a platform that a behavior or capability is specific to. | Enumerable List | Android (unknown version), Android 1.0.x, Android 1.1.x, Android 1.5.x, Android 1.6.x, Android 2.0.x, Android 2.1.x, Android 2.2.x, Android 2.3.x, Android 3.0.x, Android 3.1.x, Android 3.2.x, Android 4.0.x, Android 4.1.x, Android 4.2.x, Android 4.3.x, Android 4.4.x, Android 5.0.x, Android 5.1.x, iOS (unknown version), iOS 1.0.x, iOS 1.1.x, iOS 2.0.x, iOS 2.1.x, iOS 2.2.x, iOS 3.0.x, iOS 3.1.x, iOS 3.2.x, iOS 4.0.x, iOS 4.1.x, iOS 4.2.x, iOS 4.3.x, iOS 5.0.x, iOS 5.1.x, iOS 6.0.x, iOS 6.1.x, iOS 7.0.x, iOS 7.1.x, iOS 8.0.x, iOS 8.1.x, iOS 8.2.x, iOS 8.3.x, iOS 8.4.x, Linux (unknown kernel version), Linux Kernel 2.4.x, Linux Kernel 2.6.x, Linux Kernel 3.0.x, Linux Kernel 3.1.x, Linux Kernel 3.10.x, Linux Kernel 3.11.x, Linux Kernel 3.12.x, Linux Kernel 3.13.x, Linux Kernel 3.14.x, Linux Kernel 3.15.x, Linux Kernel 3.16.x, Linux Kernel 3.17.x, Linux Kernel 3.18.x, Linux Kernel 3.19.x, Linux Kernel 3.2.x, Linux Kernel 3.3.x, Linux Kernel 3.4.x, Linux Kernel 3.5.x, Linux Kernel 3.6.x, Linux Kernel 3.7.x, Linux Kernel 3.8.x, Linux Kernel 3.9.x, Linux Kernel 4.0.x, Linux Kernel 4.1.x, Mac OS X (unknown version), Mac OS X 10.0.x, Mac OS X 10.1.x, Mac OS X 10.10.x, Mac OS X 10.11.x, Mac OS X 10.2.x, Mac OS X 10.3.x, Mac OS X 10.4.x, Mac OS X 10.5.x, Mac OS X 10.6.x, Mac OS X 10.7.x, Mac OS X 10.8.x, Mac OS X 10.9.x, Windows (unknown version), Windows 10, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2003 SP1, Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2008 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows Vista SP1, Windows Vista SP2, Windows XP, Windows XP SP1, Windows XP SP2, Windows XP SP3 |
| Common | encryption algorithm | The 'encryption algorithm' value refers to the name of the encryption algorithm used in the Capability or Behavior. | Enumerable List | AES 256, rc4, RSA |
| Common | network protocol | The 'network protocol' Attribute refers to the name of the network protocol used in the Capability or Behavior. | Enumerable List | ftp, http, https, irc, smtp |
| Common | technique | The 'technique' value refers to techniques that are used in an instance of a behavior. | Enumerable List | api call checking, bios manipulation, direct kernel object manipulation, dll search path hijacking, file system manipulation, firmware manipulation, inline/iat/eat hooking, irp filtering, periodic check/recreation, windows registry manipulation, windows service manipulation |
| Data Exfiltration | archive type | The 'archive type' value refers to the name of the file archive format used. | Enumerable List | 7z, bzip, gz, rar, zip |
| Data Exfiltration | file type | The 'file type' value refers to the name of the file format used for storing data to be exfiltrated as part of the Data Exfiltration Capability or its child Objectives. | Enumerable List | doc, exe, pdf |
| Data Theft | targeted application | The 'targeted application' attribute refers to the name of an application targeted by the Data Theft capability. | Free-form String | |
| Data Theft | targeted website | The 'targeted website' value refers to the domain name of a website targeted by the Data Theft capability. | Free-form String | |
| Destruction | erasure scope | The 'erasure scope' value refers to the scope of the erasure performed. | Enumerable List | targeted files, whole disk |
| Infection Propagation | autonomy | The 'autonomy' value refers to the level of autonomy employed by the malware. | Enumerable List | autonomous, dependent, semi-autonomous |
| Infection Propagation | file infection type | The 'file infection type' value refers to the method that an exe infector uses to infect a file. | Enumerable List | appending, cavity infector, companion, inserting, overwriting, prepending |
| Infection Propagation | file modification type | The 'file modification type' value refers to how a malware file modifies itself to avoid detection. | Enumerable List | metamorphic, polymorphic, variable key |
| Infection Propagation | infection targeting | The 'targeting' value refers to the type of targeting employed by the Infect Remote Machine Strategic Objective, i.e. whether the targeted machines are randomly selected, or chosen from some particular set. | Enumerable List | semi-targeted, targeted, untargeted |
| Infection Propagation | scope | The 'scope' value refers to the scope of the infection or propagation performed by the malware instance via the Infection/Propagation Capability, i.e. whether it infects just the local machine or actively propagates to other machines as well. | Enumerable List | local, remote |
| Infection Propagation | targeted file architecture type | The 'targeted file architecture' value refers to the type of file architecture targeted by the Infect File Strategic Objective. | Enumerable List | 32 bit, 64 bit |
| Infection Propagation | targeted file type | The 'targeted file type' value refers to the types of files targeted by the Infect File Strategic Objective. | Enumerable List | doc, exe, pdf |
| Machine Access Control | backdoor type | The 'backdoor type' value refers to the type of backdoor employed. | Enumerable List | reverse shell |
| Persistence | scope | The 'scope' value refers to the scope of persistence employed by the malware instance. | Enumerable List | other malware/components, self |
| Privilege Escalation | user privilege escalation type | The 'user privilege escalation type' value refers to the type of user privilege escalation employed. | Enumerable List | horizontal, vertical |
| Secondary Operation | trigger type | The 'trigger type' value refers to a description of the trigger used to wake or terminate the malware instance. | Free-form String | |
| Security Degradation | targeted program | The 'targeted program' value refers to the name of a program targeted by a Behavior of the Security Degradation Capability. | Free-form String | |