Behaviors
A Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor.
Behaviors are marked as follows:
- Behaviors defined in ATT&CK that could be expanded with malware-related content are denoted with an &.
- Behaviors that might be potential ATT&CK techniques are denoted with a +.
- Behaviors that are only detected via malware analysis have no markings.
Name | Description | Associated Attributes | Associated Capabilities/Subcapabilities | Aliases |
---|---|---|---|---|
& Bootkit | ATT&CK considers this a technique under the Persistence tactic. Might it also be a Defense Evasion tactic?<br>The 'execute before/external to kernel/hypervisor' Behavior executes some or all of the malware instance's code before or external to the system's kernel or hypervisor (e.g., through the BIOS). | | Defense Evasion | |
& Component Firmware | Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. This is accomplished by using default or acquired credentials to gain access to a router and to install a backdoor.<br>The implant resides within a modified Cisco IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. However, any further modules loaded by the attacker will only exist in the router's volatile memory and will not be available for use after reboot. Known Affected Hardware: | | Persistence | |
& Disabling Security Tools | Malware examples include: | | Defense Evasion | |
& Encrypt Files for Ransom (mobile) | The 'encrypt files' Behavior encrypts one or more files on the system on which the malware instance is executing, to make them unavailable for use by the users of the system.<br>This is currently an ATT&CK Mobile technique. For malware, it should be extended to ATT&CK Enterprise. A better name might be "Encrypt Files." | Common: applicable platform, Common: encryption algorithm, Common: technique | Effects | |
& Generate Fraudulent Advertising Revenue (mobile) | The ATT&CK Generate Fraudulent Advertising Revenue technique could be expanded to apply more broadly to malware.<br>The 'click fraud' Behavior simulates legitimate user clicks on website advertisements for the purpose of revenue generation. | | Effects | |
& Hooking | Alters API behavior, for example by inserting JMP/JCC instruction(s) at the start of API code or by redirecting a benign API to a critical one. Sometimes hooking is used to prevent memory dumps. Examples: | | Anti-Behavioral Analysis | |
& Lock User Out of Device (mobile) | The 'denial of service' Behavior causes the local machine on which the malware instance is executing and/or a remote network resource to be unavailable.<br>For malware, this might be extended to ATT&CK Enterprise (only defined for Mobile ATT&CK now). A better name might be "Denial of Service." | | Effects | DOS, DDOS |
& Obfuscated Files or Information | This corresponds to the EMA 'code obfuscation' behavior.<br>This may be covered by the ATT&CK Obfuscated Files or Information technique. However, the details below are more extensive than those given in ATT&CK. The code in the malware instance is obfuscated to hinder static analysis. Examples:<br>*Dead Code Insertion*: Inclusion of "dead" code in the malware instance with no real functionality but with the intent of impeding disassembly.<br>*Fake Code Insertion*: Addition of fake code similar to known packers or known-good code to fool identification; can confuse some automated unpackers.<br>*Jump Insertion*: Insertion of jumps to make analysis visually harder.<br>*Junk Code Insertion*: Insertion of dummy code between relevant opcodes; can make signature writing more complex.<br>*Thunk Code Insertion*: Variation on "jump"; also used by some compilers for user-generated functions (ex: Visual Studio /INCREMENTAL). | | Anti-Static Analysis | |
& Rootkit | A Rootkit may have the following capabilities: | | Defense Evasion | |
& Software Packing | See the ATT&CK Software Packing technique. | | Anti-Static Analysis | |
& Wipe Device Data (mobile) | The EMA 'erase data' Behavior destroys data stored on a disk or in memory by erasure.<br>This should be extended to ATT&CK Enterprise; it is currently only defined in ATT&CK Mobile. A better name might be "Erase Data." | | Effects | wipe data |
+ analysis tool discovery | Malware can employ various means to detect whether analysis tools are present or running on the system on which it is executing. Methods: | | Discovery | |
+ compromise data integrity | Manipulates data stored on the file system of the system on which the malware instance is executing in order to compromise its integrity. | | Effects | |
+ destroy hardware | The 'destroy hardware' Behavior physically destroys a piece of hardware, e.g., by causing it to overheat. | | Effects | |
+ hijack system resources | Uses system resources for other purposes. As a result, the system may not be available for its intended uses. Examples: | | Effects | |
+ install secondary program | The 'install secondary program' Behavior installs another, different malware instance on the system on which the malware instance is executing. Examples: | | Execution, Persistence | |
+ malicious network driver | Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can re-infect the server if it is restarted, can infect other machines on the network, and can redirect traffic on the network as they please.<br>These drivers can tunnel traffic from the outside into the network, allowing the attackers to access remote desktop sessions or to connect to servers inside the domain by using previously acquired credentials. Using the credentials, they can re-deploy the entire platform following a massive shutdown or power loss. The malware persists on machines connected to the network even after reboot. Once a machine connects to the server, the malware repopulates itself on the server. This, in turn, infects the remaining machines on the network. The malware exploits a zero-day kernel-level vulnerability in Microsoft's Win32k TrueType font parsing. | | Persistence | |
+ manipulate network traffic | The 'manipulate network traffic' Behavior intercepts and manipulates network traffic going to or originating from the system on which the malware instance is executing. | | Effects | |
+ private api exploitation (Mobile) | On iOS, private APIs can be abused to implement malicious functionality.<br>Such malware can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps' execution to display advertisements, change Safari's default search engine, bookmarks and opened pages, and upload device information to a C2 server. The malware uses tricks to hide its icons from iOS's SpringBoard, which prevents the user from finding and deleting it. The components also use the same names and logos as system apps to trick iOS power users. | | Persistence | |
+ send email | The 'send email message' Behavior sends an email message from the system on which the malware instance is executing to one or more recipients, most commonly for the purpose of spamming. | Common: network protocol | Execution | |
+ SMTP connection discovery | The 'smtp connection discovery' Behavior tests whether an outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction. | | Discovery | |
+ surreptitious application installation | In OS X, application directories and files can be installed unbeknownst to the user. Web browsers and search engines can also be hijacked and set to specific defaults. These files persist until the user manually deletes them.<br>One example is Genieo, a byproduct of the DYLD_PRINT_TO_FILE vulnerability. Genieo can gain access to the Mac Keychain and persists until removed by the user. When the program is executed, it creates the following files:<br>Next, the program changes the default search engine and homepage to the following domain: search.genieo.com. The program then installs the following browser extension: ~/Library/Safari/Extensions/Omnibar.safariextz. When the user inputs a search query it will appear to be carried out using Google Search, but the results will be from genieo.com.<br>Genieo (8/31/2015): https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/ ; https://support.norton.com/sp/en/us/home/current/solutions/v103415336_EndUserProfile_en_us ; https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99 | | Persistence | |
+ windows shutdown event | In Windows, an application can register for the shutdown event triggered by Winlogon, which gives a malicious DLL a chance to execute every time the machine shuts down.<br>When the machine is shut down the malware is loaded into memory. Then it downloads the primary malware and reinfects the machine. The malware will also lie dormant during incident reporting processes. Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. If the subkey doesn't exist you are in good shape. If a subkey with any name exists and it has a "Shutdown" value, then the DLL named in the "DLLName" value will be launched during the shutdown process. | | Persistence | |
c2 communication | Client/server communication indicates C2 behavior. Examples: | | Command and Control | |
call graph prevention | The 'call graph prevention' Behavior defeats accurate call graph generation during disassembly of the malware instance. | | Anti-Static Analysis | |
capture keyboard input | The 'capture keyboard input' Behavior captures data from the keyboard attached to the system on which the malware instance is running. | | | keylogging, keystroke logging, keyboard capturing |
code optimization | Code optimized in various ways can be harder to statically analyze. Examples: | | Anti-Static Analysis | |
debugger detect & evade | The 'debugger evasion' Behavior detects whether the malware instance is being executed inside of a debugger and, if so, executes a benign path. Variations: | Common: applicable platform, Common: technique | Anti-Behavioral Analysis | |
debugger obstruction | Makes the debugger session difficult (BlockInput, slowing down, etc.). This is a general category of anti-analysis and may refer to any number of techniques. Examples: | Command and Control: port number | Anti-Behavioral Analysis | |
debugger prevention | The 'debugger prevention' Behavior prevents the execution of the malware instance in a debugger. Examples: | | Anti-Behavioral Analysis | |
delete SMS warning messages | The 'remove SMS warning messages' Behavior captures the message body of incoming SMS messages and aborts displaying messages that meet certain criteria. | | Defense Evasion | |
domain name generation | The 'domain name generation' Behavior generates the domain name of the command and control server to which the malware instance connects. The algorithm can be complicated in more advanced bots; understanding the details so that names can be predicted can be useful in mitigation and response. | | Command and Control | |
emulator detect & evade | Detects whether the malware instance is being executed in an emulator; if so, a benign execution path is followed. Examples: | | Anti-Behavioral Analysis | anti-virtualization |
emulator prevention | Defeats or prevents the execution of the malware instance in an emulator. Examples: | | Anti-Behavioral Analysis | |
exploitation for analysis evasion | Detects or crashes a tool via a specific backdoor. This is a general category of anti-analysis and may refer to any number of techniques. | | Anti-Behavioral Analysis | |
flow-oriented disassembler prevention | The 'flow-oriented disassembler prevention' Behavior defeats disassembly of the malware instance in a flow-oriented (recursive traversal) disassembler. Some examples also apply to linear disassemblers. Examples: | | Anti-Static Analysis | |
illusionary issues | Makes the analyst think something incorrect happened. This is a general behavior that might be implemented in a variety of ways. | | Anti-Behavioral Analysis | |
linear disassembler prevention | The 'linear disassembler prevention' Behavior prevents the disassembly of the malware instance in a linear disassembler. Some examples also apply to flow-oriented disassemblers. Examples: | | Anti-Static Analysis | |
memory dump obstruction | Hinders retrieval and/or discovery of the contents of the physical memory of the system on which the malware instance is executing. Examples: | | Anti-Behavioral Analysis | anti-dumping |
polymorphic code | The packer stub generates polymorphic code on the fly (the same file executes differently). This is a general category of defense evasion and may refer to any number of techniques. This capability is typically only found through analysis of related samples. Examples: | | Defense Evasion | |
prevent concurrent execution | Indicates that the malware checks to see if it is already running on a system, in order to prevent multiple instances of the malware from running concurrently. | | Execution | |
resource compression | Compresses resources, avoiding critical ones such as the main icon, manifest, etc. | | Anti-Static Analysis | |
sandbox detect & evade | Detects whether the malware instance is being executed inside of an instrumented sandbox environment (e.g., Cuckoo Sandbox). If so, conditional execution selects a benign execution path. Examples: | Anti-Behavioral Analysis: targeted sandbox, Common: applicable platform, Common: technique | Anti-Behavioral Analysis | |
sandbox obstruction | The 'sandbox obstruction' Behavior impedes sandbox analysis. Examples: | Anti-Behavioral Analysis: targeted sandbox | Anti-Behavioral Analysis | |
sandbox prevention | Defeats or prevents the execution of the malware instance in a sandbox environment. Examples: | | Anti-Behavioral Analysis | |
secondary CPU execution | The 'execute non-main cpu code' Behavior executes some or all of the code of the malware instance on a secondary, non-CPU processor (e.g., a GPU). THEORETICAL at this point. | | Defense Evasion | |
suicide exit | The 'suicide exit' Behavior terminates the execution of the malware instance based on some trigger condition or value. | Secondary Operation: trigger type | Execution | |
virtual machine detect & evade | Detects whether the malware instance is being executed in a virtual machine (VM). Possible methods: | Anti-Behavioral Analysis: targeted VM, Common: applicable platform, Common: technique | Anti-Behavioral Analysis | |
virtualized code | Virtualizes the original code; dumped code won't work without the VM code.<br>Could also include virtualized [part of] packer stub code. This is a general category of anti-analysis and may refer to any number of techniques. | | Anti-Behavioral Analysis, Anti-Static Analysis | |
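The 'domain name generation' row above notes that being able to predict or recognize generated names is useful in mitigation and response. As an added example that is not part of the original page, the following Python script applies the usual defender-side heuristic to DNS query logs: a client that produces a burst of NXDOMAIN answers for long, high-entropy, vowel-poor second-level labels is flagged as a DGA candidate, since only a few of the names a bot generates are ever registered. The log format, the thresholds and the sample lines are all assumptions of this example, not taken from the page.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log lines (not from the original page). The three
# 10.0.0.7 queries imitate the NXDOMAIN-heavy pattern a DGA client produces.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A rcode=NOERROR
2024-01-01T10:00:02Z client=10.0.0.5 query=mail.example.com type=A rcode=NOERROR
2024-01-01T10:00:03Z client=10.0.0.7 query=xk3qpzv9tlmw2hf.com type=A rcode=NXDOMAIN
2024-01-01T10:00:04Z client=10.0.0.7 query=qw8rtzy4pl0mvkj.net type=A rcode=NXDOMAIN
2024-01-01T10:00:05Z client=10.0.0.7 query=zb7nxcv3qwtylpk.org type=A rcode=NXDOMAIN
2024-01-01T10:00:06Z client=10.0.0.9 query=cdn.example.org type=A rcode=NOERROR
"""

# Assumed log layout: key=value fields, with client, query and rcode present.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+).*?rcode=(?P<rcode>\S+)")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn: str) -> str:
    """Label directly under the TLD, e.g. 'example' for 'www.example.com'.
    Naive split; a real deployment would consult the public suffix list."""
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_dga_like(label: str, min_len: int = 10, min_entropy: float = 3.3,
                max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated.
    Thresholds are assumptions chosen for this example."""
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def find_dga_candidates(log_text: str, min_nxdomain: int = 3) -> dict:
    """Return {client: sorted domains} for every client with at least
    `min_nxdomain` NXDOMAIN answers for DGA-looking names."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["rcode"] != "NXDOMAIN":
            continue
        if is_dga_like(second_level_label(m["query"])):
            per_client[m["client"]].add(m["query"].lower())
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= min_nxdomain}


if __name__ == "__main__":
    for client, domains in find_dga_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(domains)} DGA-like NXDOMAIN lookups, e.g. {domains[0]}")
```

The thresholds are a trade-off: CDN and cloud hostnames with hashed labels look similar, so in practice the second-level label is taken from the public suffix list rather than the naive split used here, known-good zones are allow-listed, and the NXDOMAIN count is kept per client over a sliding time window rather than over a whole file.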
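The 'windows shutdown event' row above states the check in words: a subkey under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify that carries a "Shutdown" value means the DLL in its "DLLName" value runs at shutdown, and an absent key is the good case. As an added example that is not part of the original page, this Python script performs that audit with the standard-library winreg module and, when the key is absent or the script is not running on Windows, applies the same logic to a constructed sample. The sample subkey and DLL names are made up for the example.

```python
# Registry path named on the page (relative to HKEY_LOCAL_MACHINE).
NOTIFY_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample of what such a key could contain (not taken from any real
# system): one package registering only a logon handler, one registering Shutdown.
SAMPLE_NOTIFY_SUBKEYS = {
    "constructed_logon_only": {"DLLName": "logonhelper.dll", "Logon": "OnLogon"},
    "constructed_implant": {
        "DLLName": r"C:\Windows\Temp\constructed.dll",
        "Shutdown": "OnShutdown",
        "Asynchronous": 0,
    },
}


def find_shutdown_notify_dlls(subkeys):
    """Return [(subkey name, DLLName)] for every Notify subkey that has a
    'Shutdown' value, i.e. the condition the page describes. Value names are
    matched case-insensitively, as the registry itself treats them."""
    hits = []
    for name, values in subkeys.items():
        lowered = {k.lower(): v for k, v in values.items()}
        if "shutdown" in lowered:
            hits.append((name, lowered.get("dllname", "<no DLLName value>")))
    return hits


def read_notify_subkeys():
    """Read the live key with winreg. Returns {} when the key is absent (the
    page's 'good shape' case) or when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    result = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                sub = winreg.EnumKey(key, i)
                values = {}
                with winreg.OpenKey(key, sub) as subkey:
                    for j in range(winreg.QueryInfoKey(subkey)[1]):
                        vname, vdata, _ = winreg.EnumValue(subkey, j)
                        values[vname] = vdata
                result[sub] = values
    except OSError:
        return {}
    return result


if __name__ == "__main__":
    live = read_notify_subkeys()
    source = "live registry" if live else "constructed sample (no Notify key here)"
    for name, dll in find_shutdown_notify_dlls(live or SAMPLE_NOTIFY_SUBKEYS):
        print(f"[{source}] Notify\\{name} registers a Shutdown handler: {dll}")
```

Winlogon stopped loading notification packages with Windows Vista, so on current releases a populated Notify key is leftover configuration rather than code that will run; on the older releases the page's scenario targets it is live persistence. Either way the finding belongs in the incident timeline, together with a hash of the DLL named in DLLName.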