A Capability corresponds to a high-level ability that a malware instance possesses. Examples include anti-detection, command and control, and privilege escalation.
A Capability may have attributes associated with it. For example, the data theft capability can be further specified by the attributes 'targeted application,' and 'targeted website'.
|Anti-Behavioral Analysis||Indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.|
|Anti-Static Analysis||Indicates that the malware instance is able to prevent static analysis or make it more difficult. Simpler static analysis identifies features such as embedded strings, header information, hash values, and file metadata (e.g., creation date). More involved static analysis involves the disassembly of the binary code.|
|Collection||Indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices).|
|Command and Control||Indicates that the malware instance is able to communicate (receive and/or execute remotely submitted commands) with systems under its control within a target network.||Command and Control: frequency, Command and Control: port number, Common: applicable platform, Common: encryption algorithm, Common: network protocol, Common: technique||c2|
|Credential Access||Indicates that the malware instance is able to gain access to or control over system, domain, or service credentials.|
|Defense Evasion||Indicates that the malware instance is able to evade detection or avoid other defenses.|
|Discovery||Indicates that the malware instance is able to gain knowledge about the system and internal network.|
|Effects||Indicates that the malware instance is able to execute its mission.||Destruction: erasure scope|
|Execution||Indicates that the malware instance is able to execute its code on a local or remote system to achieve secondary objectives in conjunction with or after achieving its primary objectives.||Secondary Operation: trigger type|
|Exfiltration||Indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser.||Data Theft: targeted website|
|Lateral Movement||Indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself.||Infection Propagation: autonomy, Infection Propagation: file infection type, Infection Propagation: file modification type, Infection Propagation: infection targeting, Infection Propagation: scope, Infection Propagation: targeted file architecture type, Infection Propagation: targeted file type|
|Persistence||Indicates that the malware instance is able to persist and remain on a system regardless of system events.||Persistence: scope|
|Privilege Escalation||Indicates that the malware instance is able to obtain a higher level of permission.|