Subcapabilities
From ema
A Subcapability represents a more granular characterization of a Capability. Not all Capabilities have Subcapabilities.
| Name | Description | Associated Attributes | Associated Capabilities | Aliases |
|---|---|---|---|---|
| access control degradation | Indicates that the malware instance is able to bypass or disable access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files. | security degradation | ||
| anti-debugging | Indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult. | anti-code analysis | ||
| anti-disassembly | Indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult. | anti-code analysis | ||
| anti-emulation | Indicates that the malware is able to prevent itself from being executed in an emulator or make the emulation process more difficult. | anti-behavioral analysis | ||
| anti-memory forensics | Indicates that the malware instance is able to prevent or make memory forensics more difficult. | anti-code analysis | ||
| anti-sandbox | Indicates that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult. | Anti-Behavioral Analysis: targeted sandbox | anti-behavioral analysis | |
| anti-virus evasion | Indicates that the malware instance is able to evade detection by anti-virus tools. | anti-detection | ||
| anti-VM | Indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult. | Anti-Behavioral Analysis: targeted VM | anti-behavioral analysis | |
| authentication credentials theft | Indicates that the malware instance is able to steal authentication credentials. | data theft | ||
| clean traces of infection | Indicates that the malware instance is able to clean traces of its infection (e.g., file system artifacts) from a system. | secondary operation | ||
| compromise data availability | Indicates that the malware instance is able to compromise the availability of data on the local system on which it is executing and/or one or more remote systems. | availability violation | ||
| compromise system availability | Indicates that the malware instance is able to compromise the availability of the local system on which it is executing and/or one or more remote systems. | availability violation | ||
| consume system resources | Indicates that the malware instance is able to consume system resources for its own purposes, such as password cracking. | availability violation | ||
| continuous execution | Indicates that the malware instance is able to continue to execute on a system after significant system events, such as a system reboot. | persistence | ||
| data integrity violation | Indicates that the malware instance is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted (e.g., in the case of network traffic) by the system on which it is executing. | integrity violation | ||
| data obfuscation | Indicates that the malware is able to obfuscate data that will be exfiltrated. | data exfiltration | ||
| data staging | Indicates that the malware instance is able to gather, prepare, and stage data for exfiltration. | data exfiltration | ||
| determine c2 server | Indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate. | command and control | ||
| email spam | Indicates that the malware instance is able to send spam email messages. | Common: network protocol | secondary operation | |
| ensure compatibility | Indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing. | persistence | ||
| environment awareness | Indicates that the malware instance can fingerprint or otherwise identify the environment in which it is executing, for the purpose of altering its behavior based on this environment. | anti-behavioral analysis | environment keying, environment sensitivity | |
| file infection | Indicates that the malware instance is able to infect one or more files. | Infection Propagation: file infection type, Infection Propagation: infection targeting, Infection Propagation: targeted file architecture type, Infection Propagation: targeted file type | infection/propagation | |
| hide artifacts | Indicates that the malware instance is able to hide its artifacts, such as files and open ports. | anti-detection | ||
| hide executing code | Indicates that the malware instance is able to hide its executing code. | anti-detection | ||
| hide non-executing code | Indicates that the malware instance is able to hide its non-executing code. | anti-detection | ||
| host configuration probing | Indicates that the malware instance is able to probe the configuration of the host system on which it executes. | probing | host enumeration | |
| information gathering for improvement | Indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected. | persistence | ||
| input peripheral capture | Indicates that the malware instance is able to capture data from a system's input peripheral devices, such as a keyboard or mouse. | spying | ||
| install other components | Indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools. | secondary operation | ||
| local machine control | Indicates that the malware instance is able to control the machine on which it is executing. | machine access/control | ||
| network environment probing | Indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy. | probing | network enumeration | |
| OS security feature degradation | Indicates that the malware instance is able to bypass or disable operating system (OS) security mechanisms. | security degradation | ||
| output peripheral capture | Indicates that the malware instance captures data sent to a system's output peripherals, such as a display. | spying | ||
| physical entity destruction | Indicates that the malware instance is able to destroy physical entities. | destruction | ||
| prevent artifact access | Indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being accessed. | anti-removal | ||
| prevent artifact deletion | Indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being deleted. | anti-removal | ||
| receive data from c2 server | Indicates that the malware instance is able to receive some data from a command and control server. | Common: network protocol | command and control | |
| remote machine access | Indicates that the malware instance is able to access one or more remote machines. | machine access/control | ||
| remote machine infection | Indicates that the malware instance is able to self-propagate to a remote machine or infect a machine with malware that is different than itself. | Infection Propagation: autonomy, Infection Propagation: infection targeting, Infection Propagation: scope | infection/propagation | |
| security software degradation | Indicates that the malware instance is able to bypass or disable security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters. | security degradation | ||
| security software evasion | Indicates that the malware instance is able to evade security software (e.g., anti-virus tools). | anti-detection | ||
| self-modification | Indicates that the malware instance is able to modify itself. | Infection Propagation: file modification type | anti-detection | |
| send data to c2 server | Indicates that the malware instance is able to send some data to a command and control server. | command and control | ||
| service provider security feature degradation | Indicates that the malware instance is able to bypass or disable mobile device service provider security features that would otherwise identify or notify users of its presence. | security degradation | ||
| stored information theft | Indicates that the malware instance is able to steal information stored on a system (e.g., files). | data theft | ||
| system interface data capture | Indicates that the malware instance is able to capture data from a system's logical or physical interfaces, such as from a network interface. | spying | ||
| system operational integrity violation | Indicates that the malware instance is able to compromise the operational integrity of the system on which it is executing and/or one or more remote systems, e.g., by causing them to operate beyond their set of specified operational parameters. | integrity violation | ||
| system re-infection | Indicates that the malware instance is able to re-infect a system after one or more of its components have been removed. | persistence | ||
| system state data capture | Indicates that the malware instance is able to capture information about a system's state (e.g., data currently in its RAM). | spying | ||
| system update degradation | Indicates that the malware instance is able to disable the downloading and installation of system updates and patches. | security degradation | ||
| user data theft | Indicates that the malware instance is able to steal data associated with one or more users (e.g., browser history). | data theft | ||
| virtual entity destruction | Indicates that the malware instance is able to destroy a virtual entity. | destruction |
