Capabilities

From ema

A Capability corresponds to a high-level ability that a malware instance possesses. Examples include anti-detection, command and control, and privilege escalation.

A Capability may have attributes associated with it that narrow down how the ability is realised. For example, the data theft capability can be further specified by the attributes 'targeted application' and 'targeted website'.


The entries below give, for each Capability, its name, description, associated attributes and any aliases.

anti-behavioral analysis
  Description: Indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.
  Associated attributes: Anti-Behavioral Analysis: targeted VM; Anti-Behavioral Analysis: targeted sandbox
  Aliases: anti-runtime analysis

anti-code analysis
  Description: Indicates that the malware instance is able to prevent code analysis or make it more difficult.

anti-detection
  Description: Indicates that the malware instance is able to prevent itself and its components from being detected on a system.

anti-removal
  Description: Indicates that the malware instance is able to prevent itself and its components from being removed from a system.

availability violation
  Description: Indicates that the malware instance is able to compromise the availability of a system or some aspect of the system.
  Associated attributes: Availability Violation: cryptocurrency type

command and control
  Description: Indicates that the malware instance is able to receive and/or execute remotely submitted commands.
  Associated attributes: Command and Control: frequency; Command and Control: port number; Common: applicable platform; Common: encryption algorithm; Common: network protocol; Common: technique
  Aliases: c2

data exfiltration
  Description: Indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data.
  Associated attributes: Data Exfiltration: archive type; Data Exfiltration: file type

data theft
  Description: Indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web browser.
  Associated attributes: Data Theft: targeted application; Data Theft: targeted website

destruction
  Description: Indicates that the malware instance is able to destroy some aspect of a system.
  Associated attributes: Destruction: erasure scope

fraud
  Description: Indicates that the malware instance is able to defraud a user or a system.

infection/propagation
  Description: Indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspect of the initial infection that is done independently of the malware instance itself.
  Associated attributes: Infection Propagation: autonomy; Infection Propagation: file infection type; Infection Propagation: file modification type; Infection Propagation: infection targeting; Infection Propagation: scope; Infection Propagation: targeted file architecture type; Infection Propagation: targeted file type

integrity violation
  Description: Indicates that the malware instance is able to compromise the integrity of a system.

machine access/control
  Description: Indicates that the malware instance is able to access or control one or more remote machines and/or the machine on which it is executing.
  Associated attributes: Machine Access Control: backdoor type

persistence
  Description: Indicates that the malware instance is able to persist and remain on a system regardless of system events.
  Associated attributes: Persistence: scope

privilege escalation
  Description: Indicates that the malware instance is able to elevate the privileges under which it executes.
  Associated attributes: Privilege Escalation: user privilege escalation type

probing
  Description: Indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives.

secondary operation
  Description: Indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives.
  Associated attributes: Secondary Operation: trigger type

security degradation
  Description: Indicates that the malware instance is able to bypass or disable security features and/or controls.
  Associated attributes: Security Degradation: targeted program

spying
  Description: Indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices).
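The practical use of a vocabulary like this is to keep analyst-written characterizations consistent: capability names should resolve through their aliases to one canonical name, and an attribute should only be attached to the Capability it belongs to (so 'Data Exfiltration: archive type' is rejected on data theft). The validator below is an added example written for this page; it is not code from the ema wiki or from any tool the page describes. The vocabulary dictionary is transcribed from the entries above; the record format (capability name or alias mapped to a list of attribute names) and the sample record are assumptions constructed for the example.

```python
"""Validate a malware characterization against the Capability vocabulary.

Added example, not part of the wiki page. CAPABILITIES is transcribed from
the entries above; the record format is an assumption made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Canonical capability name -> (associated attribute names, aliases).
CAPABILITIES: dict[str, tuple[frozenset[str], frozenset[str]]] = {
    "anti-behavioral analysis": (frozenset({
        "Anti-Behavioral Analysis: targeted VM",
        "Anti-Behavioral Analysis: targeted sandbox"}),
        frozenset({"anti-runtime analysis"})),
    "anti-code analysis": (frozenset(), frozenset()),
    "anti-detection": (frozenset(), frozenset()),
    "anti-removal": (frozenset(), frozenset()),
    "availability violation": (frozenset({
        "Availability Violation: cryptocurrency type"}), frozenset()),
    "command and control": (frozenset({
        "Command and Control: frequency", "Command and Control: port number",
        "Common: applicable platform", "Common: encryption algorithm",
        "Common: network protocol", "Common: technique"}),
        frozenset({"c2"})),
    "data exfiltration": (frozenset({
        "Data Exfiltration: archive type", "Data Exfiltration: file type"}),
        frozenset()),
    "data theft": (frozenset({
        "Data Theft: targeted application", "Data Theft: targeted website"}),
        frozenset()),
    "destruction": (frozenset({"Destruction: erasure scope"}), frozenset()),
    "fraud": (frozenset(), frozenset()),
    "infection/propagation": (frozenset({
        "Infection Propagation: autonomy",
        "Infection Propagation: file infection type",
        "Infection Propagation: file modification type",
        "Infection Propagation: infection targeting",
        "Infection Propagation: scope",
        "Infection Propagation: targeted file architecture type",
        "Infection Propagation: targeted file type"}), frozenset()),
    "integrity violation": (frozenset(), frozenset()),
    "machine access/control": (frozenset({
        "Machine Access Control: backdoor type"}), frozenset()),
    "persistence": (frozenset({"Persistence: scope"}), frozenset()),
    "privilege escalation": (frozenset({
        "Privilege Escalation: user privilege escalation type"}), frozenset()),
    "probing": (frozenset(), frozenset()),
    "secondary operation": (frozenset({
        "Secondary Operation: trigger type"}), frozenset()),
    "security degradation": (frozenset({
        "Security Degradation: targeted program"}), frozenset()),
    "spying": (frozenset(), frozenset()),
}

# Lower-cased alias -> canonical name, built once from the table.
_ALIASES = {alias.lower(): name
            for name, (_, aliases) in CAPABILITIES.items() for alias in aliases}


def canonical_capability(name: str) -> str | None:
    """Resolve a capability name or alias (case-insensitive); None if unknown."""
    key = name.strip().lower()
    if key in CAPABILITIES:
        return key
    return _ALIASES.get(key)


@dataclass
class ValidationResult:
    normalized: dict[str, list[str]] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def validate(record: dict[str, list[str]]) -> ValidationResult:
    """Normalize capability names and drop attributes that belong elsewhere.

    Unknown capabilities and misplaced attributes are reported in `problems`;
    `normalized` keeps only canonical names with their permitted attributes.
    """
    result = ValidationResult()
    for name, attrs in record.items():
        canon = canonical_capability(name)
        if canon is None:
            result.problems.append(f"unknown capability: {name!r}")
            continue
        allowed, _ = CAPABILITIES[canon]
        allowed_by_key = {a.lower(): a for a in allowed}  # match case-insensitively
        kept = result.normalized.setdefault(canon, [])
        for attr in attrs:
            match = allowed_by_key.get(attr.strip().lower())
            if match is None:
                result.problems.append(
                    f"{canon}: attribute {attr!r} is not associated with this capability")
            elif match not in kept:
                kept.append(match)
    return result


# Constructed sample record for the example; not a real malware characterization.
SAMPLE_RECORD = {
    "c2": ["Common: network protocol", "Command and Control: port number"],
    "data theft": ["Data Theft: targeted website", "Data Exfiltration: archive type"],
    "anti-runtime analysis": ["Anti-Behavioral Analysis: targeted sandbox"],
    "keylogging": [],
}

if __name__ == "__main__":
    res = validate(SAMPLE_RECORD)
    for p in res.problems:
        print("problem:", p)
    print("normalized:", res.normalized)
```

Running the block on the sample record reports two problems (the misplaced exfiltration attribute and the unknown 'keylogging' name, which in this vocabulary would be expressed through the spying Capability) and resolves both aliases to their canonical names.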