Subcapabilities

From ema

A Subcapability represents a more granular characterization of a Capability. Not all Capabilities have Subcapabilities.

| Name | Description | Associated Attributes | Associated Capabilities | Aliases |
|---|---|---|---|---|
| anti-debugging | Indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger, or is able to make debugging more difficult. | | anti-static analysis | |
| anti-disassembly | Indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult. | | anti-static analysis | |
| anti-emulation | Indicates that the malware instance is able to prevent itself from being executed in an emulator or make the emulation process more difficult. | | anti-behavioral analysis | |
| anti-memory forensics | Indicates that the malware instance is able to prevent memory forensics or make it more difficult. | | anti-static analysis | |
| anti-sandbox | Indicates that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult. | Anti-Behavioral Analysis: targeted sandbox | anti-behavioral analysis | |
| anti-virus evasion | Indicates that the malware instance is able to evade detection by anti-virus tools. | | anti-detection | |
| anti-VM | Indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult. | Anti-Behavioral Analysis: targeted VM | anti-behavioral analysis | |
| authentication credentials theft | Indicates that the malware instance is able to steal authentication credentials. | | data theft | |
| compromise data availability | Indicates that the malware instance is able to compromise the availability of data on the local system on which it is executing and/or on one or more remote systems. | | availability violation | |
| compromise system availability | Indicates that the malware instance is able to compromise the availability of the local system on which it is executing and/or of one or more remote systems. | | availability violation | |
| consume system resources | Indicates that the malware instance is able to consume system resources for its own purposes, such as password cracking. | | availability violation | |
| continuous execution | Indicates that the malware instance is able to continue to execute on a system after significant system events, such as a system reboot. | | persistence | |
| data integrity violation | Indicates that the malware instance is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted by (e.g., in the case of network traffic) the system on which it is executing. | | integrity violation | |
| determine c2 server | Indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate. | | command and control | |
| email spam | Indicates that the malware instance is able to send spam email messages. | Common: network protocol | secondary operation | |
| environment awareness | Indicates that the malware instance can fingerprint or otherwise identify the environment in which it is executing, for the purpose of altering its behavior based on this environment. | | anti-behavioral analysis | environment keying, environment sensitivity |
| hide executing code | Indicates that the malware instance is able to hide its executing code. | | anti-detection | |
| input peripheral capture | Indicates that the malware instance is able to capture data from a system's input peripheral devices, such as a keyboard or mouse. | | spying | |
| install other components | Indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools. | | secondary operation | |
| OS security feature degradation | Indicates that the malware instance is able to bypass or disable operating system (OS) security mechanisms. | | security degradation | |
| physical entity destruction | Indicates that the malware instance is able to destroy physical entities. | | destruction | |
| prevent artifact access | Indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys) from being accessed. | | anti-removal | |
| prevent artifact deletion | Indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys) from being deleted. | | anti-removal | |
| receive data from c2 server | Indicates that the malware instance is able to receive some data from a command and control server. | Common: network protocol | command and control | |
| remote machine infection | Indicates that the malware instance is able to self-propagate to a remote machine or infect a machine with malware that is different from itself. | Infection Propagation: autonomy, Infection Propagation: infection targeting, Infection Propagation: scope | infection/propagation | |
| security software degradation | Indicates that the malware instance is able to bypass or disable security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters. | | security degradation | |
| security software evasion | Indicates that the malware instance is able to evade security software (e.g., anti-virus tools). | | anti-detection | |
| self-modification | Indicates that the malware instance is able to modify itself. | Infection Propagation: file modification type | anti-detection | |
| send data to c2 server | Indicates that the malware instance is able to send some data to a command and control server. | | command and control | |
| service provider security feature degradation | Indicates that the malware instance is able to bypass or disable mobile device service provider security features that would otherwise identify its presence or notify users of it. | | security degradation | |
| system re-infection | Indicates that the malware instance is able to re-infect a system after one or more of its components have been removed. | | persistence | |
| virtual entity destruction | Indicates that the malware instance is able to destroy a virtual entity. | | destruction | |