Capabilities

From ema

A Capability corresponds to a high-level ability that a malware instance possesses. Examples include anti-detection, command and control, and privilege escalation.

A Capability may have attributes associated with it. For example, the data theft capability can be further specified by the attributes 'targeted application' and 'targeted website'.


| Name | Description | Associated Attributes | Aliases |
|---|---|---|---|
| anti-behavioral analysis | Indicates that the malware instance is able to prevent behavioral analysis or make it more difficult. | Anti-Behavioral Analysis: targeted VM, Anti-Behavioral Analysis: targeted sandbox | anti-runtime analysis |
| anti-detection | Indicates that the malware instance is able to prevent itself and its components from being detected on a system. | | |
| anti-removal | Indicates that the malware instance is able to prevent itself and its components from being removed from a system. | | |
| anti-static analysis | Indicates that the malware instance is able to prevent static/code analysis or make it more difficult. | | |
| availability violation | Indicates that the malware instance is able to compromise the availability of a system or some aspect of the system. | Availability Violation: cryptocurrency type | |
| command and control | Indicates that the malware instance is able to receive and/or execute remotely submitted commands. | Command and Control: frequency, Command and Control: port number, Common: applicable platform, Common: encryption algorithm, Common: network protocol, Common: technique | c2 |
| data theft | Indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web browser. | Data Theft: targeted application, Data Theft: targeted website | |
| destruction | Indicates that the malware instance is able to destroy some aspect of a system. | Destruction: erasure scope | |
| fraud | Indicates that the malware instance is able to defraud a user or a system. | | |
| infection/propagation | Indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspects of the initial infection that are performed independently of the malware instance itself. | Infection Propagation: autonomy, Infection Propagation: file infection type, Infection Propagation: file modification type, Infection Propagation: infection targeting, Infection Propagation: scope, Infection Propagation: targeted file architecture type, Infection Propagation: targeted file type | |
| integrity violation | Indicates that the malware instance is able to compromise the integrity of a system. | | |
| persistence | Indicates that the malware instance is able to persist and remain on a system regardless of system events. | Persistence: scope | |
| secondary operation | Indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives. | Secondary Operation: trigger type | |
| security degradation | Indicates that the malware instance is able to bypass or disable security features and/or controls. | Security Degradation: targeted program | |
| spying | Indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices). | | |