Subcapabilities

From ema

A Subcapability represents a more granular characterization of a Capability. Not all Capabilities have Subcapabilities.

| Name | Description | Associated Attributes | Associated Capabilities | Aliases |
|---|---|---|---|---|
| access control degradation | Indicates that the malware instance is able to bypass or disable access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files. | | security degradation | |
| anti-debugging | Indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger, or is able to make debugging more difficult. | | anti-code analysis | |
| anti-disassembly | Indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult. | | anti-code analysis | |
| anti-emulation | Indicates that the malware instance is able to prevent itself from being executed in an emulator or make the emulation process more difficult. | | anti-behavioral analysis | |
| anti-memory forensics | Indicates that the malware instance is able to prevent memory forensics or make it more difficult. | | anti-code analysis | |
| anti-sandbox | Indicates that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult. | Anti-Behavioral Analysis: targeted sandbox | anti-behavioral analysis | |
| anti-virus evasion | Indicates that the malware instance is able to evade detection by anti-virus tools. | | anti-detection | |
| anti-VM | Indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult. | Anti-Behavioral Analysis: targeted VM | anti-behavioral analysis | |
| authentication credentials theft | Indicates that the malware instance is able to steal authentication credentials. | | data theft | |
| clean traces of infection | Indicates that the malware instance is able to clean traces of its infection (e.g., file system artifacts) from a system. | | secondary operation | |
| compromise data availability | Indicates that the malware instance is able to compromise the availability of data on the local system on which it is executing and/or on one or more remote systems. | | availability violation | |
| compromise system availability | Indicates that the malware instance is able to compromise the availability of the local system on which it is executing and/or of one or more remote systems. | | availability violation | |
| consume system resources | Indicates that the malware instance is able to consume system resources for its own purposes, such as password cracking. | | availability violation | |
| continuous execution | Indicates that the malware instance is able to continue to execute on a system after significant system events, such as a system reboot. | | persistence | |
| data integrity violation | Indicates that the malware instance is able to compromise the integrity of data that resides on (e.g., files) or is received/transmitted by (e.g., network traffic) the system on which it is executing. | | integrity violation | |
| data obfuscation | Indicates that the malware instance is able to obfuscate data that will be exfiltrated. | | data exfiltration | |
| data staging | Indicates that the malware instance is able to gather, prepare, and stage data for exfiltration. | | data exfiltration | |
| determine c2 server | Indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate. | | command and control | |
| email spam | Indicates that the malware instance is able to send spam email messages. | Common: network protocol | secondary operation | |
| ensure compatibility | Indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing. | | persistence | |
| environment awareness | Indicates that the malware instance can fingerprint or otherwise identify the environment in which it is executing, for the purpose of altering its behavior based on this environment. | | anti-behavioral analysis | environment keying, environment sensitivity |
| file infection | Indicates that the malware instance is able to infect one or more files. | Infection Propagation: file infection type, Infection Propagation: infection targeting, Infection Propagation: targeted file architecture type, Infection Propagation: targeted file type | infection/propagation | |
| hide artifacts | Indicates that the malware instance is able to hide its artifacts, such as files and open ports. | | anti-detection | |
| hide executing code | Indicates that the malware instance is able to hide its executing code. | | anti-detection | |
| hide non-executing code | Indicates that the malware instance is able to hide its non-executing code. | | anti-detection | |
| host configuration probing | Indicates that the malware instance is able to probe the configuration of the host system on which it executes. | | probing | host enumeration |
| information gathering for improvement | Indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected. | | persistence | |
| input peripheral capture | Indicates that the malware instance is able to capture data from a system's input peripheral devices, such as a keyboard or mouse. | | spying | |
| install other components | Indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools. | | secondary operation | |
| local machine control | Indicates that the malware instance is able to control the machine on which it is executing. | | machine access/control | |
| network environment probing | Indicates that the malware instance is able to probe the properties of its network environment, e.g., to determine whether it funnels traffic through a proxy. | | probing | network enumeration |
| OS security feature degradation | Indicates that the malware instance is able to bypass or disable operating system (OS) security mechanisms. | | security degradation | |
| output peripheral capture | Indicates that the malware instance captures data sent to a system's output peripherals, such as a display. | | spying | |
| physical entity destruction | Indicates that the malware instance is able to destroy physical entities. | | destruction | |
| prevent artifact access | Indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys) from being accessed. | | anti-removal | |
| prevent artifact deletion | Indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys) from being deleted. | | anti-removal | |
| receive data from c2 server | Indicates that the malware instance is able to receive data from a command and control server. | Common: network protocol | command and control | |
| remote machine access | Indicates that the malware instance is able to access one or more remote machines. | | machine access/control | |
| remote machine infection | Indicates that the malware instance is able to self-propagate to a remote machine or infect a machine with malware that is different from itself. | Infection Propagation: autonomy, Infection Propagation: infection targeting, Infection Propagation: scope | infection/propagation | |
| security software degradation | Indicates that the malware instance is able to bypass or disable security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters. | | security degradation | |
| security software evasion | Indicates that the malware instance is able to evade security software (e.g., anti-virus tools). | | anti-detection | |
| self-modification | Indicates that the malware instance is able to modify itself. | Infection Propagation: file modification type | anti-detection | |
| send data to c2 server | Indicates that the malware instance is able to send data to a command and control server. | | command and control | |
| service provider security feature degradation | Indicates that the malware instance is able to bypass or disable mobile device service provider security features that would otherwise identify its presence or notify users of it. | | security degradation | |
| stored information theft | Indicates that the malware instance is able to steal information stored on a system (e.g., files). | | data theft | |
| system interface data capture | Indicates that the malware instance is able to capture data from a system's logical or physical interfaces, such as a network interface. | | spying | |
| system operational integrity violation | Indicates that the malware instance is able to compromise the operational integrity of the system on which it is executing and/or of one or more remote systems, e.g., by causing them to operate outside their specified operational parameters. | | integrity violation | |
| system re-infection | Indicates that the malware instance is able to re-infect a system after one or more of its components have been removed. | | persistence | |
| system state data capture | Indicates that the malware instance is able to capture information about a system's state (e.g., data currently in its RAM). | | spying | |
| system update degradation | Indicates that the malware instance is able to disable the downloading and installation of system updates and patches. | | security degradation | |
| user data theft | Indicates that the malware instance is able to steal data associated with one or more users (e.g., browser history). | | data theft | |
| virtual entity destruction | Indicates that the malware instance is able to destroy a virtual entity. | | destruction | |