All public logs

Combined display of all available logs of ema. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).

Logs
  • 16:07, 30 September 2020 127.0.0.1 talk created page smw/schema:Group:Schema properties (Semantic MediaWiki group import)
  • 16:07, 30 September 2020 127.0.0.1 talk created page smw/schema:Group:Extra special properties (Semantic Extra Special Properties import)
  • 16:07, 30 September 2020 127.0.0.1 talk created page smw/schema:Group:Exif special properties (Semantic Extra Special Properties import)
  • 20:01, 14 November 2018 Dbeck talk contribs deleted page c2 communication (content was: "{{Behavior |Name=code insertion |Description=Inserting code to impede disassembly. '''Examples:''' * Dead Code Insertion: Inclusion of "dead" code in the malware instance with no real functionality but with the intent of impeding disas...")
  • 12:40, 22 October 2018 Dbeck talk contribs restored page & Generate Fraudulent Advertising Revenue (mobile) (10 revisions)
  • 12:16, 18 October 2018 Dbeck talk contribs deleted page Ema-1226 (content was: "{{Behavior |Name=prevent native API hooking |Description=The 'prevent native api hooking' Behavior prevents other software from hooking native system APIs. |Associated Capabilities=Ema-1028 }}")
  • 12:12, 18 October 2018 Dbeck talk contribs deleted page Ema-1183 (content was: "{{Behavior |Name=prevent memory access |Description=The 'prevent memory access' Behavior prevents access to system memory where the malware instance may be storing code or data. |Associated Capabilities=Ema-1028 }}")
  • 11:53, 18 October 2018 Dbeck talk contribs deleted page Ema-1182 (content was: "{{Behavior |Name=prevent registry deletion |Description=The 'prevent registry deletion' Behavior prevent Windows registry keys and/or values associated with the malware instance from being deleted from a system. |Associated Capabilities=...")
  • 11:50, 18 October 2018 Dbeck talk contribs deleted page Ema-1185 (content was: "{{Behavior |Name=prevent registry access |Description=The 'prevent registry access' Behavior prevents access to the Windows registry, including to the entire registry and/or to particular registry keys/values. |Associated Capabilities=Em...")
  • 11:48, 18 October 2018 Dbeck talk contribs deleted page Ema-1181 (content was: "{{Behavior |Name=prevent file deletion |Description=The 'prevent file deletion' Behavior prevents files and/or directories associated with the malware instance from being deleted from a system. |Associated Capabilities=Ema-1028 }}")
  • 11:47, 18 October 2018 Dbeck talk contribs deleted page Ema-1184 (content was: "{{Behavior |Name=prevent file access |Description=The 'prevent file access' Behavior prevents access to the file system, including to specific files and/or directories associated with the malware instance. |Associated Capabilities=Ema-10...")
  • 11:46, 18 October 2018 Dbeck talk contribs deleted page Ema-1180 (content was: "{{Behavior |Name=prevent API unhooking |Description=The 'prevent api unhooking' Behavior prevent the API hooks installed by the malware instance from being removed. |Associated Capabilities=Ema-1028 }}")
  • 11:42, 18 October 2018 Dbeck talk contribs deleted page Ema-1222 (content was: "{{Behavior |Name=hide userspace libraries: Rootkit |Description=The 'hide userspace libraries' Behavior hides the usage of userspace libraries by the malware instance. |Associated Capabilities=Ema-1028 }}")
  • 11:42, 18 October 2018 Dbeck talk contribs deleted page Ema-1218 (content was: "{{Behavior |Name=hide threads: Rootkit |Description=The 'hide threads' Behavior hides one or more threads that belong to the malware instance. |Associated Capabilities=Ema-1028 }}")
  • 11:42, 18 October 2018 Dbeck talk contribs deleted page Ema-1219 (content was: "{{Behavior |Name=hide services: Rootkit |Description=The 'hide services' Behavior hides any system services that the malware instance creates or injects itself into. |Associated Capabilities=Ema-1028 }}")
  • 11:40, 18 October 2018 Dbeck talk contribs deleted page Ema-1149 (content was: "{{Behavior |Name=disable system file overwrite protection: Disabling Security Tools |Description=The ‘disable system file overwrite protection’ Behavior disables system file overwrite protection mechanisms such as Windows file protec...")
  • 16:54, 17 October 2018 Dbeck talk contribs deleted page Ema-1223 (content was: "{{Behavior |Name=execute stealthy code |Description=The 'execute stealthy code' Behavior executes some or all of the code of the malware instance in a hidden manner (e.g., by injecting it into a benign process). |Associated Capabilities=...")
  • 16:52, 17 October 2018 Dbeck talk contribs deleted page Ema-1252 (content was: "{{Behavior |Name=evade static heuristic |Description=Some AV can be easily fool by analyzing it. For example, an heuristic engine can try to figure out if a file are using a dual extension (e.g: invoice.doc.exe) and determine the file as...")
  • 16:15, 14 October 2018 Dbeck talk contribs deleted page Ema-1134 (content was: "{{Behavior |Name=log activity |Description=The 'log activity' Behavior logs the activity of the malware instance. |Associated Capabilities=Ema-1011 |References= }}")
  • 15:57, 14 October 2018 Dbeck talk contribs deleted page Ema-1209 (content was: "{{Behavior |Name=persist after system reboot |Description=The 'persist after system reboot' Behavior continues the execution of the malware instance after a system reboot. |Associated Attributes=Attribute:27 |Associated Capabilities=Ema-...")
  • 15:57, 14 October 2018 Dbeck talk contribs deleted page Ema-1074 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Router Firmware Image Modification |Description=Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. T...")
  • 15:48, 14 October 2018 Dbeck talk contribs deleted page Ema-1071 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Private API Exploitation |Description=On iOS, private APIs can be abused in the iOS system to implement malicious functionalities. |Privilege Level=User space |Supporting Details={{...")
  • 15:29, 14 October 2018 Dbeck talk contribs deleted page + private api exploitation (Mobile) (content was: "{{Behavior |Name=UEFI Bootloader Injection |Description=Mac's UEFI bootloader can be exploited in a number of ways via an EFI DXE driver tha...", and the only contributor was "Dbeck" (talk))
  • 15:26, 14 October 2018 Dbeck talk contribs deleted page Ema-1073 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Windows Shutdown Event |Description=In Windows, the shutdown event triggered by WinLogon can be registered by an application to allow a malicious DLL a chance to execute every time...")
  • 15:22, 14 October 2018 Dbeck talk contribs deleted page Ema-1104 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Malicious Network Driver |Description=Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are inst...")
  • 15:00, 14 October 2018 Dbeck talk contribs deleted page Ema-1085 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=+ Surreptitious Application Installation |Description=In OSX, application directories and files can be installed unbeknownst to the user. Web browsers and search engines can also be...")
  • 14:45, 14 October 2018 Dbeck talk contribs deleted page Ema-1083 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Kernel Extension (Kext) Rootkit |Description=On Macs, Kext (kernel extension) rootkits can be created via the Generic Kernel Extension template in XCode and exist in the kernel even...")
  • 14:43, 14 October 2018 Dbeck talk contribs deleted page Ema-1077 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Launchd.conf Exploitation |Description=launchd is the first user-mode program to execute during OS X’s initialization. The launchd.conf file contains configuration parameters for...")
  • 14:41, 14 October 2018 Dbeck talk contribs deleted page Ema-1082 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Launch Daemon and Launch Agent Exploitation |Description=On Macs, launch daemons and launch agents can be abused to gain mailware persistence. |Privilege Level=User space |Supportin...")
  • 14:36, 14 October 2018 Dbeck talk contribs deleted page Ema-1075 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=DYLD_INSERT_LIBRARIES Exploitation |Description=In Mac OSX, DYLD_INSERT_LIBRARIES can be abused to load malicious libraries to ensure that a malicious library will persistently be l...")
  • 14:27, 14 October 2018 Dbeck talk contribs deleted page Ema-1216 (content was: "{{Behavior |Name=autonomous remote infection |Description=The 'autonomous remote infection' Behavior infects a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure cal...")
  • 14:17, 14 October 2018 Dbeck talk contribs deleted page Ema-1137 (content was: "{{Behavior |Name=install legitimate software |Description=The 'install legitimate software' Behavior install legitimate (i.e. non-malware) software on the same system on which the malware instance is executing. |Associated Capabilities=E...")
  • 21:07, 11 October 2018 Dbeck talk contribs deleted page Ema-1212 (content was: "{{Behavior |Name=re-instantiate self |Description=The 're-instantiate self' Behavior re-establishes the malware instance on the system after it is initially detected and partially removed. |Associated Capabilities=Ema-1016 }}")
  • 14:21, 9 October 2018 Dbeck talk contribs deleted page Ema-1136 (content was: "{{Behavior |Name=install secondary module |Description=The 'install secondary module' Behavior installs a secondary module (typically related to the malware instance itself) on the same system on which the malware instance is executing....")
  • 19:44, 3 October 2018 Dbeck talk contribs deleted page Ema-1165 (content was: "{{Behavior |Name=XXX-encrypt self |Description=The 'encrypt self' Behavior encrypts the executing code (in memory) that belongs to the malware instance. |Associated Attributes=Attribute:6 |Associated Capabilities=Ema-1028 }}")
  • 19:24, 3 October 2018 Dbeck talk contribs restored page api hooking (11 revisions)
  • 14:55, 3 October 2018 Dbeck talk contribs deleted page & Generate Fraudulent Advertising Revenue (mobile) (content was: "{{Behavior |Name=XXX-click fraud |Description=The 'click fraud' Behavior simulates legitimate user clicks on website advertisements for the purpose of revenue generation. |Associated Capabilities=Ema-1002 |References={{Reference |Date=20...")
  • 14:50, 3 October 2018 Dbeck talk contribs deleted page Ema-1240 (content was: "{{Behavior |Name=update configuration |Description=The 'update configuration' Behavior updates the configuration of the malware instance using data received from a command and control server. |Associated Capabilities=Ema-1017 }}")
  • 14:34, 3 October 2018 Dbeck talk contribs deleted page Ema-1120 (content was: "{{Behavior |Name=host fingerprint |Description=Compare a previously computed host fingerprint to one computed for the current system on which the malware instance is executing, to determine if the malware instance is still executing on t...")
  • 14:34, 3 October 2018 Dbeck talk contribs deleted page Ema-1095 (content was: "{{Behavior Instance |Associated Behavior=Ema-1120 |Name=API Call: GetVolumeInformation |Description=Abusing this API call on Windows can give an attacker the GUID on a system drive. This can then be compared to a running host's GUID valu...")
  • 14:22, 3 October 2018 Dbeck talk contribs deleted page + surreptitious application installation (content was: "{{Behavior |Name=XXX-hardware detection |Description=Malware can inspect the hardware of the OS/"box" that it is running on and use this to determine whether it's being executed on a sandbox. This includes: * Memory size: Most modern ma...")
  • 14:21, 3 October 2018 Dbeck talk contribs deleted page & Hooking (content was: "{{Behavior |Name=user interaction detection |Description=Malware can detect if there is any "user" activity on the sandbox, such as the movement of the mouse cursor or a non-default wallpaper. Can also determine a user environment (vs a...")
  • 11:57, 3 October 2018 Dbeck talk contribs deleted page Ema-1038 (content was: "{{Behavior |Name=instruction overlap |Description=Jumping after the first byte of an instruction. Confuses some disassemblers. |Associated C...", and the only contributor was "Dbeck" (talk))
  • 11:56, 3 October 2018 Dbeck talk contribs deleted page Ema-1036 (content was: "{{Behavior |Name=imports by hash |Description=DLL loaded and then each export name is parsed until it matches a specific hash, instead of a...", and the only contributor was "Dbeck" (talk))
  • 22:08, 2 October 2018 Dbeck talk contribs deleted page Ema-1044 (content was: "{{Behavior |Name=stack strings |Description=Strings are built and decrypted on the stack at each use, then discarded (to avoid obvious refer...", and the only contributor was "Dbeck" (talk))
  • 22:06, 2 October 2018 Dbeck talk contribs deleted page + windows shutdown event (content was: "{{Behavior |Name=import compression |Description=Imports are stored and loaded with a more compact import table format. Each DLL needed by t...", and the only contributor was "Dbeck" (talk))
  • 13:15, 2 October 2018 Dbeck talk contribs deleted page & Software Packing (content was: "{{Behavior |Name=execution delay |Description=This technique is used for delaying execution of the malicious code. Stalling code is typically executed before any malicious behavior. The attacker’s aim is to delay the execution of the m...")
  • 22:17, 27 September 2018 Dbeck talk contribs restored page embedded file hooking (6 revisions)
  • 22:16, 27 September 2018 Dbeck talk contribs deleted page + malicious network driver (content was: "{{Behavior |Name=test |Description=test |Associated Capabilities=Ema-1026 }}", and the only contributor was "Dbeck" (talk))
  • 13:19, 23 September 2018 Dbeck talk contribs deleted page Ema-1236 (content was: "{{Behavior |Name=c2 host communication |Description=The 'c2 host communication' includes: * 'check for payload' - checks whether a new payload is available for download. * 'request email address list' - requests the current list of emai...")
  • 13:18, 23 September 2018 Dbeck talk contribs deleted page Ema-1208 (content was: "{{Behavior |Name=persist after os changes |Description=The 'persist after os changes' Behavior continues the execution of the malware instance after the operating system under which it is executing is modified, such as being installed or...")
  • 13:18, 23 September 2018 Dbeck talk contribs deleted page Ema-1070 (content was: "{{Behavior Instance |Associated Behavior=Ema-1208 |Name=UEFI Bootloader Injection |Description=Mac's UEFI bootloader can be exploit...", and the only contributor was "Cicalese" (talk))
  • 12:10, 16 September 2018 Dbeck talk contribs deleted page Ema-1178 (covered by Premium SMS Tool Fraud (Mobile ATT&CK))
  • 13:04, 7 September 2018 Dbeck talk contribs deleted page Ema-1241 (this is too close to definition of c2)
  • 12:46, 7 September 2018 Dbeck talk contribs deleted page Ema-1238 (moved into 'c2 host communication')
  • 12:46, 7 September 2018 Dbeck talk contribs deleted page Ema-1237 (moved into 'c2 host communication')
  • 12:46, 7 September 2018 Dbeck talk contribs deleted page Ema-1124 (moved into 'c2 host communication')
  • 12:45, 7 September 2018 Dbeck talk contribs deleted page Ema-1123 (moved into 'c2 host communication')
  • 11:41, 2 September 2018 Dbeck talk contribs deleted page Ema-1121 (content was: "{{Behavior |Name=fingerprint host |Description=The 'fingerprint host' Behavior creates a unique fingerprint for the system on which the malware instance is executing, e.g., based on the applications that are installed on the system. |Ass...")
  • 11:40, 2 September 2018 Dbeck talk contribs deleted page Ema-1096 (content was: "{{Behavior Instance |Associated Behavior=Ema-1121 |Name=OpCode Frequency Distribution |Description=Needs to be revisited |Supporting Details= |Code Snippets= |References={{Reference |URL=https://www.blackhat.com/presentations/bh-usa-06/B...")
  • 18:30, 1 September 2018 Dbeck talk contribs deleted page Ema-1172 (covered by inhibit memory dumping)
  • 14:17, 31 August 2018 Dbeck talk contribs deleted page Ema-1047 (content was: "{{Behavior |Name=virtualize packer |Description=Virtualizes [part of] packer stub code. This is a general category of anti-analysis and may...", and the only contributor was "Dbeck" (talk))
  • 14:07, 31 August 2018 Dbeck talk contribs deleted page Ema-1034 (covered by ATT&CK Process Injection)
  • 19:29, 30 August 2018 Dbeck talk contribs deleted page Ema-1050 (content was: "{{Behavior |Name=tool limitation |Description=Prevent the use of a tool via a specific limitation. This is a general category of anti-analysis and may refer to any number of techniques. |Associated Capabilities=Ema-1010,Ema-1026 }}")
  • 19:27, 30 August 2018 Dbeck talk contribs restored page Ema-1050 (6 revisions)
  • 19:27, 30 August 2018 Dbeck talk contribs deleted page Ema-1154 (content was: "{{Behavior |Name=block security websites |Description=The 'block security websites' Behavior prevents access from the system on which the malware instance is executing to one or more security vendor or security-related websites. |Associa...")
  • 19:27, 30 August 2018 Dbeck talk contribs restored page Ema-1154 (6 revisions)
  • 19:26, 30 August 2018 Dbeck talk contribs deleted page embedded file hooking (covered by ATT&CK Hooking)
  • 19:26, 30 August 2018 Dbeck talk contribs restored page embedded file hooking (6 revisions)
  • 19:07, 30 August 2018 Dbeck talk contribs deleted page embedded file hooking (covered by ATT&CK Hooking)
  • 19:04, 30 August 2018 Dbeck talk contribs deleted page Ema-1154 (covered by ATT&CK Disabling Security Tools)
  • 11:27, 30 August 2018 Dbeck talk contribs deleted page api hooking (overlaps with ATT&CK Hooking)
  • 11:26, 30 August 2018 Dbeck talk contribs deleted page Ema-1050 (overlaps with ATT&CK Disabling Security Tools)
  • 10:59, 30 August 2018 Dbeck talk contribs deleted page Ema-1224 (overlaps with ATT&CK Rootkit technique)
  • 10:56, 30 August 2018 Dbeck talk contribs restored page Ema-1224 (10 revisions)
  • 10:42, 30 August 2018 Dbeck talk contribs deleted page Ema-1224 (overlaps with ATT&CK Rootkit technique)
  • 11:53, 15 August 2018 Dbeck talk contribs deleted page Ema-1147 (content was: "{{Behavior |Name=disable OS security alerts |Description=The ‘disable OS security alerts’ Behavior disables operating system (OS) security alert messages that could lead to identification and/or notification of the presence of the ma...")
  • 11:47, 15 August 2018 Dbeck talk contribs deleted page Ema-1246 (content was: "{{Behavior |Name=inventory security products |Description=The 'inventory security products' Behavior creates an inventory of the security products installed or running on a system. |Associated Attributes=Attribute:27 |Associated Capabili...")
  • 11:47, 15 August 2018 Dbeck talk contribs deleted page Ema-1069 (content was: "{{Behavior Instance |Associated Behavior=Ema-1246 |Name=API Call: getInstalledPackages |Description=getInstalledPackages is used to get the list of installed Packages on the device, and is then compared against a list of security product...")
  • 09:53, 7 August 2018 Dbeck talk contribs deleted page Discovery (content was: "{{Capability |Name=Fraud |Description=Indicates that the malware instance is able to defraud a user or a system. }}")
  • 13:27, 27 July 2018 Dbeck talk contribs restored page hide kernel modules (10 revisions)
  • 13:25, 27 July 2018 Dbeck talk contribs deleted page hide kernel modules (content was: "{{Behavior |Name=hide kernel modules |Description=The 'hide kernel modules' Behavior hides the usage of any kernel modules by the malware instance. |Associated Attributes=Attribute:27 |Associated Capabilities=Ema-1028 }}")
  • 13:15, 27 July 2018 Dbeck talk contribs deleted page Ema-1151 (content was: "{{Behavior |Name=stop execution of security software |Description=The 'stop execution of security program' Behavior stops the execution of one or more instances of security software that may already be executing on a system. '''Examples...")
  • 13:15, 27 July 2018 Dbeck talk contribs deleted page Ema-1098 (content was: "{{Behavior Instance |Associated Behavior=Ema-1151 |Name=API Call: restartPackage |Description=Calling restartPackage on an already executing piece of security software can stop its its execution on a device. |Privilege Level=User space |...")
  • 12:29, 27 July 2018 Dbeck talk contribs deleted page & Component Firmware (content was: "{{Behavior |Name=injection |Description=Original file is injected in existing process (nothing written to disk and possibly higher privs). |...", and the only contributor was "Dbeck" (talk))
  • 12:25, 27 July 2018 Dbeck talk contribs deleted page Ema-1171 (content was: "{{Behavior |Name=feed misinformation during physical memory acquisition |Description=The 'feed misinformation during physical memory acquisition' Behavior reports inaccurate data when the contents of the physical memory of the system on...")
  • 11:58, 27 July 2018 Dbeck talk contribs deleted page Ema-1080 (content was: "{{Behavior Instance |Associated Behavior=Ema-1216 |Name=Web Injection |Description=On Macs, unpatched versions of applications can be exploited via malicious websites. |Privilege Level=User space |Supporting Details={{Supporting Detail |...")
  • 11:55, 27 July 2018 Dbeck talk contribs restored page Ema-1080 (24 revisions)
  • 11:53, 27 July 2018 Dbeck talk contribs deleted page Ema-1080 (content was: "{{Behavior Instance |Associated Behavior=Ema-1216 |Name=Web Injection |Description=On Macs, unpatched versions of applications can be exploited via malicious websites. |Privilege Level=User space |Supporting Details={{Supporting Detail |...")
  • 11:37, 27 July 2018 Dbeck talk contribs deleted page + malicious network driver (content was: "{{Behavior |Name=merge code sections |Description=Merge all sections; just one entry in the sections table. Only affects readability slightl...", and the only contributor was "Dbeck" (talk))
  • 11:36, 27 July 2018 Dbeck talk contribs deleted page Privilege Escalation (content was: "{{Behavior |Name=interleaving code |Description=A form of obfuscation that splits code into sections that are rearranged and con...", and the only contributor was "Ikirillov" (talk))
  • 11:28, 27 July 2018 Dbeck talk contribs deleted page + private api exploitation (Mobile) (content was: "{{Behavior |Name=symbolic obfuscation |Description=The removing or renaming of textual information in the code of the malware in...", and the only contributor was "Ikirillov" (talk))
  • 11:28, 27 July 2018 Dbeck talk contribs deleted page Credential Access (content was: "{{Behavior |Name=import address table obfuscation |Description=Obfuscation of the import address table of the malware instance,...", and the only contributor was "Ikirillov" (talk))
  • 11:27, 27 July 2018 Dbeck talk contribs deleted page & Rootkit (content was: "{{Behavior |Name=entrypoint obfuscation |Description=Obfuscation of the entry point of the malware executable, in order to hinde...", and the only contributor was "Ikirillov" (talk))
  • 11:25, 27 July 2018 Dbeck talk contribs deleted page Ema-1043 (content was: "{{Behavior |Name=minification |Description=Per wikipedia, minification is 'the process of removing all unnecessary characters from source co...", and the only contributor was "Dbeck" (talk))
  • 09:46, 27 July 2018 Dbeck talk contribs deleted page Ema-1042 (content was: "{{Behavior |Name=thunk insertion |Description=Variation on “jump”; also used by some compilers for user-generated functions (ex: Visual...", and the only contributor was "Dbeck" (talk))
  • 09:43, 27 July 2018 Dbeck talk contribs deleted page Ema-1040 (content was: "{{Behavior |Name=junk code insertion |Description=Insertion of dummy code between relevant opcodes. Can make signature writing more complex....", and the only contributor was "Dbeck" (talk))
  • 09:41, 27 July 2018 Dbeck talk contribs deleted page Ema-1041 (content was: "{{Behavior |Name=jump insertion |Description=Insertion of jumps to make analysis visually harder. |Associated Capabilities=Ema-1010 }}", and the only contributor was "Dbeck" (talk))
  • 09:40, 27 July 2018 Dbeck talk contribs deleted page Ema-1045 (content was: "{{Behavior |Name=fake code insertion |Description=Add fake code similar to known packers or known goods to fool identification. Can confuse...", and the only contributor was "Dbeck" (talk))
  • 09:17, 27 July 2018 Dbeck talk contribs deleted page Ema-1111 (content was: "{{Behavior |Name=steal web/network credential |Description=The 'steal web/network credential' Behavior steals usernames, passwords, or other forms of web (e.g., for logging into a website) and/or network credentials. |Associated Attribut...")
  • 09:16, 27 July 2018 Dbeck talk contribs deleted page Ema-1094 (content was: "{{Behavior Instance |Associated Behavior=Ema-1111 |Name=API Call: DeviceIoControlFile |Description=Hooking Nt/ZwDeviceIoControlFile can allow for network sniffing by inspecting the data on a network interface, through its device driver....")
  • 09:15, 27 July 2018 Dbeck talk contribs deleted page Ema-1093 (content was: "{{Behavior Instance |Associated Behavior=Ema-1111 |Name=API Call: HttpSendRequest |Description=Hooking HttpSendRequest can allow for the sniffing of data contained inside HTTP requests, which may include web/network credentials. |Privile...")
  • 09:14, 27 July 2018 Dbeck talk contribs deleted page Ema-1106 (content was: "{{Behavior Instance |Associated Behavior=Ema-1232 |Name=API Call: TranslateMessage |Description=The capture keyboard input behavior...", and the only contributor was "Cicalese" (talk))
  • 08:53, 27 July 2018 Dbeck talk contribs deleted page Ema-1176 (content was: "{{Behavior |Name=mine for cryptocurrency |Description=The 'mine for cryptocurrency' Behavior consumes system resources for cryptocurrency (e.g., Bitcoin, Litecoin, etc.) mining. |Associated Attributes=Attribute:7 |Associated Capabilities...")
  • 08:36, 27 July 2018 Dbeck talk contribs deleted page Ema-1234 (content was: "{{Behavior |Name=detect installed analysis tools |Description=Indicates that the malware instance attempts to detect whether certain analysis tools are present on the system on which it is executing. |Associated Capabilities=Ema-1026 }}")
  • 17:54, 17 July 2018 Dbeck talk contribs deleted page Self Debugging (content was: "{{Capability |Name=availability violation |Description=Indicates that the malware instance is able to compromise the availability of a system or some aspect of the system. |Associated Attributes=Attribute:7 }}")
  • 17:54, 17 July 2018 Dbeck talk contribs deleted page resource compression (content was: "{{Subcapability |Name=compromise system availability |Description=Indicates that the malware instance is able to compromise the availability of the local system on which it is executing and/or one or more remote systems. |Associated Capa...")
  • 17:54, 17 July 2018 Dbeck talk contribs deleted page Ema-1040 (content was: "{{Subcapability |Name=consume system resources |Description=Indicates that the malware instance is able to consume system resources for its own purposes, such as password cracking. |Associated Capabilities=Ema-1003 }}")
  • 17:54, 17 July 2018 Dbeck talk contribs deleted page debugger obstruction (content was: "{{Subcapability |Name=compromise data availability |Description=Indicates that the malware instance is able to compromise the availability of data on the local system on which it is executing and/or one or more remote systems. |Associate...")
  • 17:50, 17 July 2018 Dbeck talk contribs deleted page + windows shutdown event (content was: "{{Subcapability |Name=install other components |Description=Indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other ma...")
  • 17:50, 17 July 2018 Dbeck talk contribs deleted page Interrupt Hooking (content was: "{{Subcapability |Name=email spam |Description=Indicates that the malware instance is able to send spam email messages. |Associated Attributes=Attribute:5 |Associated Capabilities=Ema-1011 }}")
  • 17:29, 17 July 2018 Dbeck talk contribs deleted page c2 communication (content was: "{{Capability |Name=integrity violation |Description=Indicates that the malware instance is able to compromise the integrity of a system. }}")
  • 17:29, 17 July 2018 Dbeck talk contribs deleted page sandbox prevention (content was: "{{Subcapability |Name=data integrity violation |Description=Indicates that the malware instance is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted (e.g., in the case o...")
  • 17:27, 17 July 2018 Dbeck talk contribs deleted page & Obfuscated Files or Information (content was: "{{Capability |Name=security degradation |Description=Indicates that the malware instance is able to bypass or disable security features and/or controls. |Associated Attributes=Attribute:17 }}")
  • 17:27, 17 July 2018 Dbeck talk contribs deleted page Ema-1034 (content was: "{{Subcapability |Name=security software degradation |Description=Indicates that the malware instance is able to bypass or disable security programs running on a system, either by stopping them from executing or by making changes to their...")
  • 17:26, 17 July 2018 Dbeck talk contribs deleted page polymorphic code (content was: "{{Subcapability |Name=service provider security feature degradation |Description=Indicates that the malware instance is able to bypass or disable mobile device service provider security features that would otherwise identify or notify us...")
  • 17:26, 17 July 2018 Dbeck talk contribs deleted page api hooking (content was: "{{Subcapability |Name=OS security feature degradation |Description=Indicates that the malware instance is able to bypass or disable operating system (OS) security mechanisms. |Associated Capabilities=Ema-1004 }}")
  • 10:33, 16 July 2018 Dbeck talk contribs deleted page + analysis tool discovery (content was: "{{Capability |Name=anti-removal |Description=Indicates that the malware instance is able to prevent itself and its components from being removed from a system. }}")
  • 10:31, 16 July 2018 Dbeck talk contribs deleted page Ema-1041 (content was: "{{Subcapability |Name=prevent artifact deletion |Description=Indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being deleted. |Associated Capabilities=Ema-1005 }}")
  • 10:05, 16 July 2018 Dbeck talk contribs deleted page Ema-1042 (content was: "{{Subcapability |Name=prevent artifact access |Description=Indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being accessed. |Associated Capabilities=Ema-1005 }}")
  • 03:35, 16 July 2018 Dbeck talk contribs deleted page Ema-1052 (content was: "{{Subcapability |Name=continuous execution |Description=Indicates that the malware instance is able to continue to execute on a system after significant system events, such as a system reboot. |Associated Capabilities=Ema-1016 }}")
  • 03:34, 16 July 2018 Dbeck talk contribs deleted page Ema-1053 (content was: "{{Subcapability |Name=system re-infection |Description=Indicates that the malware instance is able to re-infect a system after one or more of its components have been removed. |Associated Capabilities=Ema-1016 }}")
  • 03:32, 16 July 2018 Dbeck talk contribs deleted page exploitation for analysis evasion (content was: "{{Subcapability |Name=input peripheral capture |Description=Indicates that the malware instance is able to capture data from a system's input peripheral devices, such as a keyboard or mouse. |Associated Capabilities=Ema-1012 }}")
  • 03:30, 16 July 2018 Dbeck talk contribs deleted page Ema-1054 (content was: "{{Subcapability |Name=remote machine infection |Description=Indicates that the malware instance is able to self-propagate to a remote machine or infect a machine with malware that is different than itself. |Associated Attributes=Attribut...")
  • 03:27, 16 July 2018 Dbeck talk contribs deleted page + private api exploitation (Mobile) (content was: "{{Subcapability |Name=authentication credentials theft |Description=Indicates that the malware instance is able to steal authentication credentials. |Associated Capabilities=Ema-1014 }}")
  • 03:23, 16 July 2018 Dbeck talk contribs deleted page Ema-1059 (content was: "{{Subcapability |Name=send data to c2 server |Description=Indicates that the malware instance is able to send some data to a command and control server. |Associated Capabilities=Ema-1017 }}")
  • 03:22, 16 July 2018 Dbeck talk contribs deleted page Ema-1057 (content was: "{{Subcapability |Name=receive data from c2 server |Description=Indicates that the malware instance is able to receive some data from a command and control server. |Associated Attributes=Attribute:5 |Associated Capabilities=Ema-1017 }}")
  • 03:20, 16 July 2018 Dbeck talk contribs deleted page Ema-1056 (content was: "{{Subcapability |Name=determine c2 server |Description=Indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate. |Associated Capabilities=Ema-1017 }}")
  • 16:17, 15 July 2018 Dbeck talk contribs deleted page Ema-1044 (content was: "{{Subcapability |Name=virtual entity destruction |Description=Indicates that the malware instance is able to destroy a virtual entity. |Associated Capabilities=Ema-1002 }}")
  • 16:16, 15 July 2018 Dbeck talk contribs deleted page Ema-1045 (content was: "{{Subcapability |Name=physical entity destruction |Description=Indicates that the malware instance is able to destroy physical entities. |Associated Capabilities=Ema-1002 }}")
  • 16:10, 15 July 2018 Dbeck talk contribs deleted page & Rootkit (content was: "{{Capability |Name=anti-static analysis |Description=Indicates that the malware instance is able to prevent static/code analysis or make it more difficult. }}")
  • 16:09, 15 July 2018 Dbeck talk contribs deleted page Ema-1067 (content was: "{{Subcapability |Name=anti-debugging |Description=Indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult. |Associated Capabilities...")
  • 16:09, 15 July 2018 Dbeck talk contribs deleted page Anti-Static Analysis (content was: "{{Capability |Name=anti-detection |Description=Indicates that the malware instance is able to prevent itself and its components from being detected on a system. }}")
  • 16:09, 15 July 2018 Dbeck talk contribs deleted page Ema-1060 (content was: "{{Subcapability |Name=self-modification |Description=Indicates that the malware instance is able to modify itself. |Associated Attributes=Attribute:16 |Associated Capabilities=Ema-1010 }}")
  • 16:08, 15 July 2018 Dbeck talk contribs deleted page Ema-1064 (content was: "{{Subcapability |Name=anti-disassembly |Description=Indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult. |Associated Capabilities=Ema-1015 }}")
  • 16:08, 15 July 2018 Dbeck talk contribs deleted page Ema-1062 (content was: "{{Subcapability |Name=anti-memory forensics |Description=Indicates that the malware instance is able to prevent or make memory forensics more difficult. |Associated Capabilities=Ema-1015 }}")
  • 16:06, 15 July 2018 Dbeck talk contribs deleted page Ema-1061 (content was: "{{Subcapability |Name=security software evasion |Description=Indicates that the malware instance is able to evade security software (e.g., anti-virus tools). |Associated Capabilities=Ema-1010 }}")
  • 16:06, 15 July 2018 Dbeck talk contribs deleted page Ema-1058 (content was: "{{Subcapability |Name=hide executing code |Description=Indicates that the malware instance is able to hide its executing code. |Associated Capabilities=Ema-1010 }}")
  • 16:06, 15 July 2018 Dbeck talk contribs deleted page Privilege Escalation (content was: "{{Subcapability |Name=anti-virus evasion |Description=Indicates that the malware instance is able to evade detection by anti-virus tools. |Associated Capabilities=Ema-1010 |References={{Reference |URL=http://unprotect.tdgt.org/index.php/...")
  • 16:05, 15 July 2018 Dbeck talk contribs deleted page Credential Access (content was: "{{Capability |Name=anti-behavioral analysis |Description=Indicates that the malware instance is able to prevent behavioral analysis or make it more difficult. |Associated Attributes=Attribute:4, Attribute:3 |Aliases=anti-runtime analysis }}")
  • 16:03, 15 July 2018 Dbeck talk contribs deleted page Ema-1264 (content was: "{{Subcapability |Name=anti-emulation |Description=Indicates that the malware is able to prevent itself from being executed in an emulator or make the emulation process more difficult. |Associated Capabilities=Ema-1018 }}")
  • 16:02, 15 July 2018 Dbeck talk contribs deleted page Ema-1068 (content was: "{{Subcapability |Name=anti-sandbox |Description=Indicates that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult. |Associated Attributes=Attribute:3 |Associated Capabilities=Ema-1018 }}")
  • 16:02, 15 July 2018 Dbeck talk contribs deleted page Ema-1065 (content was: "{{Subcapability |Name=anti-VM |Description=Indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult. |Associated Attributes=Attribute:4 |Associated Capabilities=Ema-1...")
  • 16:01, 15 July 2018 Dbeck talk contribs deleted page Monitoring thread (content was: "{{Subcapability |Name=environment awareness |Description=Indicates that the malware instance can fingerprint or otherwise identify the environment in which it is executing, for the purpose of altering its behavior based on this environme...")
  • 12:01, 14 May 2018 Ikirillov talk contribs deleted page Ema-1063 (content was: "{{Subcapability |Name=hide artifacts |Description=Indicates that the malware instance is able to hide its artifacts, such as files and open ports. |Associated Capabilities=Ema-1010 }}")
  • 12:00, 14 May 2018 Ikirillov talk contribs deleted page Ema-1167 (content was: "{{Behavior |Name=hide file system artifacts |Description=The 'hide file system artifacts' Behavior hides one or more file system artifacts (e.g., files and/or directories) associated with the malware instance. |Associated Capabilities=Em...")
  • 12:00, 14 May 2018 Ikirillov talk contribs deleted page Ema-1168 (content was: "{{Behavior |Name=hide network traffic |Description=The 'hide network traffic' Behavior hides network traffic associated with the malware instance. |Associated Capabilities=Ema-1063 |References= }}")
  • 11:59, 14 May 2018 Ikirillov talk contribs deleted page Ema-1170 (content was: "{{Behavior |Name=hide open network ports |Description=The 'hide open network ports' Behavior hides one or more open network ports associated with the malware instance. |Associated Capabilities=Ema-1063 |References= }}")
  • 11:59, 14 May 2018 Ikirillov talk contribs deleted page Ema-1166 (content was: "{{Behavior |Name=hide registry artifacts |Description=The 'hide registry artifacts' Behavior hides one or more Windows registry artifacts (e.g., keys and/or values) associated with the malware instance. |Associated Capabilities=Ema-1063...")
  • 11:58, 14 May 2018 Ikirillov talk contribs deleted page Ema-1169 (content was: "{{Behavior |Name=obfuscate artifact properties |Description=The 'obfuscate artifact properties' Behavior hides the properties of one or more artifacts associated with the malware instance (e.g., by altering file system timestamps). |Asso...")
  • 13:35, 25 April 2018 Ikirillov talk contribs deleted page Ema-1242 (content was: "{{Behavior |Name=validate data |Description=The 'validate data' Behavior validates the integrity of data received from a command and control server. |Associated Capabilities=Ema-1057 |References= }}")
  • 13:34, 25 April 2018 Ikirillov talk contribs deleted page illusionary issues (content was: "{{Subcapability |Name=clean traces of infection |Description=Indicates that the malware instance is able to clean traces of its infection (e.g., file system artifacts) from a system. |Associated Capabilities=Ema-1011 }}")
  • 13:33, 25 April 2018 Ikirillov talk contribs deleted page Ema-1139 (content was: "{{Behavior |Name=remove self |Description=The 'remove self' Behavior removes the malware instance from the system on which it is executing. |Associated Capabilities=Ema-1031 |References= }}")
  • 13:25, 25 April 2018 Ikirillov talk contribs deleted page Ema-1140 (content was: "{{Behavior |Name=remove system artifacts |Description=The 'remove system artifacts' Behavior removes artifacts associated with the malware instance (e.g., files, directories, Windows registry keys, etc.) from the system on which it is ex...")
  • 13:18, 25 April 2018 Ikirillov talk contribs deleted page Ema-1108 (content was: "{{Behavior |Name=steal browser cookies |Description=The 'steal browser cookies' Behavior steals one or more browser cookies stored on the system on which the malware instance is executing. |Associated Capabilities=Ema-1020 |References={{...")
  • 13:17, 25 April 2018 Ikirillov talk contribs deleted page Ema-1107 (content was: "{{Behavior |Name=steal digital certificates |Description=The 'steal digital certificates' Behavior steals one or more digital private keys that may be present on the system on which the malware instance is executing, to then use to hijac...")
  • 13:16, 25 April 2018 Ikirillov talk contribs deleted page Ema-1110 (content was: "{{Behavior |Name=steal password hashes |Description=The 'steal password hashes' Behavior steals password hashes. |Associated Capabilities=Ema-1020 |References= }}")
  • 13:16, 25 April 2018 Ikirillov talk contribs deleted page Ema-1109 (content was: "{{Behavior |Name=steal PKI key |Description=The 'steal PKI key' Behavior steals one or more public key infrastructure (PKI) keys. |Associated Capabilities=Ema-1020 |References= }}")
  • 12:27, 25 April 2018 Ikirillov talk contribs deleted page & Hooking (content was: "{{Subcapability |Name=stored information theft |Description=Indicates that the malware instance is able to steal information stored on a system (e.g., files). |Associated Capabilities=Ema-1014 }}")
  • 12:26, 25 April 2018 Ikirillov talk contribs deleted page Ema-1118 (content was: "{{Behavior |Name=steal cryptocurrency data |Description=The 'steal cryptocurrency data' Behavior steals cryptocurrency data that may be stored on a system (e.g., Bitcoin wallets). |Associated Capabilities=Ema-1021 |References= }}")
  • 12:25, 25 April 2018 Ikirillov talk contribs deleted page Ema-1119 (content was: "{{Behavior |Name=steal database content |Description=The 'steal database content' Behavior steals content from a database that the malware instance may be able to access. |Associated Capabilities=Ema-1021 |References= }}")
  • 12:25, 25 April 2018 Ikirillov talk contribs deleted page Ema-1250 (content was: "{{Behavior |Name=steal documents |Description=The 'steal documents' Behavior steals document files (e.g., PDF) stored on a system. |Associated Capabilities=Ema-1021 |References= }}")
  • 12:25, 25 April 2018 Ikirillov talk contribs deleted page Ema-1117 (content was: "{{Behavior |Name=steal images |Description=The 'steal images' Behavior steals image files that may be stored on a system. |Associated Capabilities=Ema-1021 |References= }}")
  • 12:24, 25 April 2018 Ikirillov talk contribs deleted page Ema-1249 (content was: "{{Behavior |Name=steal serial numbers |Description=The 'steal serial numbers' Behavior steals serial numbers stored on a system. |Associated Capabilities=Ema-1021 |References= }}")
  • 12:24, 25 April 2018 Ikirillov talk contribs deleted page + surreptitious application installation (content was: "{{Subcapability |Name=user data theft |Description=Indicates that the malware instance is able to steal data associated with one or more users (e.g., browser history). |Associated Capabilities=Ema-1014 }}")
  • 12:24, 25 April 2018 Ikirillov talk contribs deleted page Ema-1248 (content was: "{{Behavior |Name=steal browser cache |Description=The 'steal browser cache' Behavior steals a user's browser cache. |Associated Attributes=Attribute:8 |Associated Capabilities=Ema-1022 |References= }}")
  • 12:23, 25 April 2018 Ikirillov talk contribs deleted page Ema-1114 (content was: "{{Behavior |Name=steal browser history |Description=The 'steal browser history' Behavior steals a user's browser history. |Associated Capabilities=Ema-1022 |References= }}")
  • 12:23, 25 April 2018 Ikirillov talk contribs deleted page Ema-1112 (content was: "{{Behavior |Name=steal contact list data |Description=The 'steal contact list data' Behavior steals a user's contact list. |Associated Capabilities=Ema-1022 |References={{Reference |Date=2015/02/06 |Malware Family=XAgent |URL=http://www....")
  • 12:23, 25 April 2018 Ikirillov talk contribs deleted page Ema-1116 (content was: "{{Behavior |Name=steal dialed phone numbers |Description=The 'steal dialed phone numbers' Behavior steals the list of phone numbers that a user has dialed (i.e. on a mobile device). |Associated Capabilities=Ema-1022 |References= }}")
  • 12:22, 25 April 2018 Ikirillov talk contribs deleted page Ema-1251 (content was: "{{Behavior |Name=steal email data |Description=The 'steal email data' Behavior steals a user's email data. |Associated Attributes=Attribute:8, Attribute:9 |Associated Capabilities=Ema-1022 |References= }}")
  • 12:22, 25 April 2018 Ikirillov talk contribs deleted page Ema-1113 (content was: "{{Behavior |Name=steal referrer URLs |Description=The 'steal referrer URLs' Behavior steals HTTP referrer information (URL of the webpage that linked to the resource being requested). |Associated Capabilities=Ema-1022 |References= }}")
  • 12:21, 25 April 2018 Ikirillov talk contribs deleted page Ema-1115 (content was: "{{Behavior |Name=steal SMS database |Description=The 'steal SMS database' Behavior steals a user's short message service (SMS) (text messaging) database (i.e. on a mobile device). |Associated Capabilities=Ema-1022 |References={{Reference...")
  • 11:59, 25 April 2018 Ikirillov talk contribs deleted page Anti-Behavioral Analysis (content was: "{{Subcapability |Name=system operational integrity violation |Description=Indicates that the malware instance is able to compromise the operational integrity of the system on which it is executing and/or one or more remote systems, e.g.,...")
  • 11:58, 25 April 2018 Ikirillov talk contribs deleted page Ema-1231 (content was: "{{Behavior |Name=detect installed anti-virus tools |Description=Indicates that the malware instance attempts to detect whether certain anti-virus tools are present on the system on which it is executing. |Associated Capabilities=Ema-1034 }}")
  • 11:58, 25 April 2018 Ikirillov talk contribs deleted page Ema-1152 (content was: "{{Behavior |Name=prevent security software from executing |Description=The 'prevent security software from executing' Behavior prevents one or more instances of security software from executing on a system. |Associated Attributes=Attribu...")
  • 11:55, 25 April 2018 Ikirillov talk contribs deleted page & Component Firmware (content was: "{{Subcapability |Name=system update degradation |Description=Indicates that the malware instance is able to disable the downloading and installation of system updates and patches. |Associated Capabilities=Ema-1004 }}")
  • 11:55, 25 April 2018 Ikirillov talk contribs deleted page Ema-1148 (content was: "{{Behavior |Name=disable update services/daemons |Description=The 'disable update services/daemons' Behavior disables system update services or daemons that may already be running on the system on which the malware instance is executi...")
  • 11:55, 25 April 2018 Ikirillov talk contribs deleted page Ema-1150 (content was: "{{Behavior |Name=disable service pack/patch installation |Description=The 'disable service pack/patch installation' Behavior disables the system's ability to install service packs and/or patches. |Associated Capabilities=Ema-1033 |Refere...")
  • 11:53, 25 April 2018 Ikirillov talk contribs deleted page Ema-1036 (content was: "{{Subcapability |Name=access control degradation |Description=Indicates that the malware instance is able to bypass or disable access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or...")
  • 11:53, 25 April 2018 Ikirillov talk contribs deleted page Ema-1142 (content was: "{{Behavior |Name=disable privilege limiting |Description=The 'disable privilege limiting' Behavior bypasses or disables mechanisms that limit the privileges that can be granted to a user or entity. |Associated Capabilities=Ema-1036 |Refe...")
  • 11:53, 25 April 2018 Ikirillov talk contribs deleted page Ema-1144 (content was: "{{Behavior |Name=disable firewall |Description=The ‘disable firewall’ Behavior evades or disables the host-based firewall running on the system on which the malware instance is executing. |Associated Capabilities=Ema-1036 |References...")
  • 11:52, 25 April 2018 Ikirillov talk contribs deleted page Ema-1143 (content was: "{{Behavior |Name=disable access rights checking |Description=The ‘disable access rights checking’ Behavior bypasses, disables, or modifies access tokens or access control lists, thereby enabling the malware instance to read, write, o...")
  • 16:46, 24 April 2018 Ikirillov talk contribs deleted page Ema-1055 (content was: "{{Subcapability |Name=file infection |Description=Indicates that the malware instance is able to infect one or more files. |Associated Attributes=Attribute:15, Attribute:11, Attribute:14, Attribute:13 |Associated Capabilities=Ema-1009 }}")
  • 16:46, 24 April 2018 Ikirillov talk contribs deleted page Ema-1243 (content was: "{{Behavior |Name=identify file |Description=The 'identify file' Behavior identifies one or more files on a local, removable, and/or network drive for infection. |Associated Attributes=Attribute:13,Attribute:14 |Associated Capabilities=Em...")
  • 16:45, 24 April 2018 Ikirillov talk contribs deleted page Ema-1217 (content was: "{{Behavior |Name=modify file |Description=The 'modify file' Behavior modifies a file in some other manner than writing code to it, such as packing it (in terms of binary executable packing). |Associated Attributes=Attribute:13,Attribute:...")
  • 16:45, 24 April 2018 Ikirillov talk contribs deleted page Ema-1245 (content was: "{{Behavior |Name=write code into file |Description=The 'write code into file' Behavior writes code into one or more files. |Associated Attributes=Attribute:13,Attribute:14,Attribute:15 |Associated Capabilities=Ema-1055 |References= }}")
  • 16:45, 24 April 2018 Ikirillov talk contribs deleted page Ema-1262 (content was: "{{Behavior |Name=file system instantiation |Description=Indicates that the malware instance instantiates itself on the file syst...", and the only contributor was "Ikirillov" (talk))
  • 16:44, 24 April 2018 Ikirillov talk contribs deleted page Ema-1214 (content was: "{{Behavior |Name=identify target machines |Description=The 'identify target machine(s)' Behavior identifies one or more machines to be targeted for infection via some remote means (e.g., via email or the network). |Associated Capabilitie...")
  • 16:44, 24 April 2018 Ikirillov talk contribs deleted page Ema-1215 (content was: "{{Behavior |Name=inventory victims |Description=The 'inventory victims' Behavior keeps an inventory of the victims that are remotely infected by the malware instance. |Associated Capabilities=Ema-1054 |References= }}")
  • 16:44, 24 April 2018 Ikirillov talk contribs deleted page Ema-1213 (content was: "{{Behavior |Name=social-engineering based remote infection |Description=The 'social-engineering based remote infection' Behavior infects remote machines via some method that involves social engineering (e.g., sending an email with a mali...")
  • 16:43, 24 April 2018 Ikirillov talk contribs deleted page Screen Resolution Testing (content was: "{{Capability |Name=machine access/control |Description=Indicates that the malware instance is able to access or control one or more remote machines and/or the machine on which it is executing. |Associated Attributes=Attribute:21 }}")
  • 16:43, 24 April 2018 Ikirillov talk contribs deleted page Ema-1128 (content was: "{{Behavior |Name=install backdoor |Description=The 'install backdoor' Behavior installs a backdoor on the system on which the malware instance is executing, capable of providing covert remote access to the system. |Associated Capabilitie...")
  • 16:43, 24 April 2018 Ikirillov talk contribs deleted page Defense Evasion (content was: "{{Subcapability |Name=local machine control |Description=Indicates that the malware instance is able to control the machine on which it is executing. |Associated Capabilities=Ema-1000 }}")
  • 16:43, 24 April 2018 Ikirillov talk contribs deleted page Ema-1129 (content was: "{{Behavior |Name=control local machine via remote command |Description=The 'control local machine via remote command' Behavior controls the machine on which the malware instance is executing, through one or more remotely sent commands. |...")
  • 16:42, 24 April 2018 Ikirillov talk contribs deleted page + malicious network driver (content was: "{{Subcapability |Name=remote machine access |Description=Indicates that the malware instance is able to access one or more remote machines. |Associated Capabilities=Ema-1000 }}")
  • 16:42, 24 April 2018 Ikirillov talk contribs deleted page Ema-1130 (content was: "{{Behavior |Name=compromise remote machine |Description=The 'compromise remote machine' Behavior gains control of a remote machine through compromise, e.g., by exploiting a particular vulnerability. |Associated Capabilities=Ema-1029 |Ref...")
  • 16:42, 24 April 2018 Ikirillov talk contribs deleted page Ema-1131 (content was: "{{Behavior |Name=search for remote machines |Description=The 'search for remote machines' Behavior searches for one or more remote machines to target. |Associated Capabilities=Ema-1000 |References= }}")
  • 12:20, 24 April 2018 Ikirillov talk contribs deleted page Timing/Date Checks (content was: "{{Capability |Name=data exfiltration |Description=Indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data. |Associated Attributes=Attribute:1, Attribute:2 }}")
  • 12:20, 24 April 2018 Ikirillov talk contribs deleted page Ema-1038 (content was: "{{Subcapability |Name=data obfuscation |Description=Indicates that the malware is able to obfuscate data that will be exfiltrated. |Associated Capabilities=Ema-1007 }}")
  • 12:19, 24 April 2018 Ikirillov talk contribs deleted page Ema-1164 (content was: "{{Behavior |Name=hide data in other formats |Description=The 'hide data in other formats' Behavior hides data that will be exfiltrated in other formats (e.g., image files). |Associated Attributes=Attribute:2 |Associated Capabilities=Ema-...")
  • 12:16, 24 April 2018 Ikirillov talk contribs deleted page Ema-1206 (content was: "{{Behavior |Name=capture camera input |Description=The 'capture camera input' Behavior captures data from a system's camera, including from embedded cameras (i.e. on mobile devices) and/or attached webcams. |Associated Capabilities=Ema-1...")
  • 12:16, 24 April 2018 Ikirillov talk contribs deleted page Ema-1204 (content was: "{{Behavior |Name=capture microphone input |Description=The 'capture microphone input' Behavior captures data from a system's microphone, including from embedded microphones (i.e. on mobile devices) and those that may be attached externall...")
  • 12:16, 24 April 2018 Ikirillov talk contribs deleted page Ema-1205 (content was: "{{Behavior |Name=capture mouse input |Description=The 'capture mouse input' Behavior captures data from a system's mouse. |Associated Capabilities=Ema-1049 |References= }}")
  • 12:15, 24 April 2018 Ikirillov talk contribs deleted page Ema-1203 (content was: "{{Behavior |Name=capture touchscreen input |Description=The 'capture touchscreen input' Behavior captures data from a system's touchscreen. |Associated Capabilities=Ema-1049 |References= }}")
  • 12:15, 24 April 2018 Ikirillov talk contribs deleted page virtualized code (content was: "{{Subcapability |Name=output peripheral capture |Description=Indicates that the malware instance captures data sent to a system's output peripherals, such as a display. |Associated Capabilities=Ema-1012 }}")
  • 12:15, 24 April 2018 Ikirillov talk contribs deleted page Ema-1197 (content was: "{{Behavior |Name=capture printer output |Description=The 'capture printer output' Behavior captures data sent to a system's printer, either locally or remotely. |Associated Capabilities=Ema-1046 |References= }}")
  • 12:15, 24 April 2018 Ikirillov talk contribs deleted page Ema-1198 (content was: "{{Behavior |Name=capture system screenshot |Description=The 'capture system screenshot' Behavior captures images of what is currently being displayed on a system's screen, either locally (i.e. on a display) or remotely via a remote deskt...")
  • 12:15, 24 April 2018 Ikirillov talk contribs deleted page Ema-1047 (content was: "{{Subcapability |Name=system interface data capture |Description=Indicates that the malware instance is able to capture data from a system's logical or physical interfaces, such as from a network interface. |Associated Capabilities=Ema-1...")
  • 12:14, 24 April 2018 Ikirillov talk contribs deleted page Ema-1199 (content was: "{{Behavior |Name=capture GPS data |Description=The 'capture gps data' Behavior captures GPS data from the system on which the malware instance is executing. |Associated Capabilities=Ema-1047 |References={{Reference |Date=2012/04/05 |Malw...")
  • 12:14, 24 April 2018 Ikirillov talk contribs deleted page Ema-1200 (content was: "{{Behavior |Name=capture system network traffic |Description=The 'capture system network traffic' Behavior captures network traffic from the system on which the malware instance is executing. |Associated Capabilities=Ema-1047 |Aliases=pa...")
  • 12:12, 24 April 2018 Ikirillov talk contribs deleted page embedded file hooking (content was: "{{Subcapability |Name=system state data capture |Description=Indicates that the malware instance is able to capture information about a system's state (e.g., data currently in its RAM). |Associated Capabilities=Ema-1012 }}")
  • 12:12, 24 April 2018 Ikirillov talk contribs deleted page Ema-1202 (content was: "{{Behavior |Name=capture file system |Description=The 'capture file system' Behavior captures data from a file system. |Associated Capabilities=Ema-1048 |Aliases=file system dump |References= }}")
  • 12:12, 24 April 2018 Ikirillov talk contribs deleted page Ema-1201 (content was: "{{Behavior |Name=capture system memory |Description=The 'capture system memory' Behavior captures data from a system's RAM. |Associated Attributes=Attribute:27 |Associated Capabilities=Ema-1048 |Aliases=memory dump |References= }}")
  • 12:11, 24 April 2018 Ikirillov talk contribs deleted page Ema-1102 (content was: "{{Behavior Instance |Associated Behavior=Ema-1201 |Name=API Call: SomeAPI |Description=Some description. |Supporting Details= |Code Snippets={{Code Snippet |Code Language=x86 assembly }} |References={{Reference |Malware Family=Test |URL=...")
  • 12:05, 24 April 2018 Ikirillov talk contribs deleted page Ema-1263 (content was: "{{Subcapability |Name=hide non-executing code |Description=Indicates that the malware instance is able to hide its non-executing...", and the only contributor was "Ikirillov" (talk))
  • 12:02, 24 April 2018 Ikirillov talk contribs deleted page Ema-1163 (content was: "{{Behavior |Name=encrypt data |Description=The 'encrypt data' Behavior encrypts data that will be exfiltrated. |Associated Attributes=Attribute:6 |Associated Capabilities=Ema-1038 |References= }}")
  • 11:17, 24 April 2018 Ikirillov talk contribs deleted page & Software Packing (content was: "{{Capability |Name=privilege escalation |Description=Indicates that the malware instance is able to elevate the privileges under which it executes. |Associated Attributes=Attribute:19 }}")
  • 11:16, 24 April 2018 Ikirillov talk contribs deleted page Ema-1133 (content was: "{{Behavior |Name=impersonate user |Description=The 'impersonate user' Behavior impersonates another user in order to operate within a different security context. |Associated Attributes=Attribute:19 |Associated Capabilities=Ema-1013 |Alia...")
  • 11:16, 24 April 2018 Ikirillov talk contribs deleted page Timing/Up-time Check (content was: "{{Capability |Name=probing |Description=Indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives. }}")
  • 11:16, 24 April 2018 Ikirillov talk contribs deleted page Ema-1043 (content was: "{{Subcapability |Name=host configuration probing |Description=Indicates that the malware instance is able to probe the configuration of the host system on which it executes. |Associated Capabilities=Ema-1006 |Aliases=host enumeration }}")
  • 11:15, 24 April 2018 Ikirillov talk contribs deleted page Ema-1194 (content was: "{{Behavior |Name=check language |Description=The 'check language' Behavior checks the language of the host system on which it executes. |Associated Capabilities=Ema-1043 |References= }}")
  • 11:15, 24 April 2018 Ikirillov talk contribs deleted page Ema-1192 (content was: "{{Behavior |Name=determine host IP address |Description=The 'determine host ip address' Behavior determines the IP address of the host system on which the malware instance is executing. |Associated Capabilities=Ema-1043 |References= }}")
  • 11:15, 24 April 2018 Ikirillov talk contribs deleted page Ema-1193 (content was: "{{Behavior |Name=identify OS |Description=The 'identify os' Behavior identifies the operating system under which the malware instance is executing. |Associated Capabilities=Ema-1043 |References= }}")
  • 11:15, 24 April 2018 Ikirillov talk contribs deleted page Ema-1191 (content was: "{{Behavior |Name=inventory system applications |Description=The 'inventory system applications' Behavior inventories the applications installed on the system on which the malware instance is executing. |Associated Capabilities=Ema-1043 |...")
  • 11:15, 24 April 2018 Ikirillov talk contribs deleted page Ema-1066 (content was: "{{Subcapability |Name=network environment probing |Description=Indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy. |Associated Capa...")
  • 11:14, 24 April 2018 Ikirillov talk contribs deleted page Ema-1190 (content was: "{{Behavior |Name=map local network |Description=The 'map local network' Behavior maps the layout of the local network environment in which the malware instance is executing. |Associated Capabilities=Ema-1066 |References= }}")
  • 11:14, 24 April 2018 Ikirillov talk contribs deleted page Ema-1188 (content was: "{{Behavior |Name=test for firewall |Description=The 'test for firewall' Behavior tests whether the network environment in which the malware instance is executing contains a hardware or software firewall. |Associated Capabilities=Ema-1066...")
  • 11:13, 24 April 2018 Ikirillov talk contribs deleted page Ema-1189 (content was: "{{Behavior |Name=test for internet connectivity |Description=The 'test for internet connectivity' Behavior tests whether the network environment in which the malware instance is executing is connected to the internet. |Associated Capabil...")
  • 11:13, 24 April 2018 Ikirillov talk contribs deleted page Ema-1187 (content was: "{{Behavior |Name=test for network drives |Description=The 'test for network drives' Behavior tests for network drives that may be present in the network environment in which the malware instance is executing. |Associated Capabilities=Ema...")
  • 11:13, 24 April 2018 Ikirillov talk contribs deleted page Ema-1186 (content was: "{{Behavior |Name=test for proxy |Description=The 'test for proxy' Behavior tests whether the network environment in which the malware instance is executing contains a hardware or software proxy. |Associated Capabilities=Ema-1066 |Referen...")
  • 11:03, 24 April 2018 Ikirillov talk contribs deleted page Ema-1153 (content was: "{{Behavior |Name=modify security software configuration |Description=The 'modify security software configuration' Behavior modifies the configuration of one or more instances of security software (e.g., anti-virus) running on a system in...")
  • 11:02, 24 April 2018 Ikirillov talk contribs deleted page Ema-1247 (content was: "{{Behavior |Name=degrade security program |Description=The 'degrade security program' Behavior degrades one or more security programs running on a system, either by stopping them from executing or by making changes to their code or confi...")
  • 10:21, 24 April 2018 Ikirillov talk contribs deleted page code optimization (content was: "{{Subcapability |Name=data staging |Description=Indicates that the malware instance is able to gather, prepare, and stage data for exfiltration. |Associated Capabilities=Ema-1007 }}")
  • 10:20, 24 April 2018 Ikirillov talk contribs deleted page Ema-1161 (content was: "{{Behavior |Name=move data to staging server |Description=The 'move data to staging server' Behavior moves data to be exfiltrated to a particular server, to prepare it for exfiltration. |Associated Capabilities=Ema-1037 |References= }}")
  • 10:19, 24 April 2018 Ikirillov talk contribs deleted page Ema-1162 (content was: "{{Behavior |Name=package data |Description=The 'package data' Behavior packages data for exfiltration, e.g., by adding it to an archive file. |Associated Attributes=Attribute:1 |Associated Capabilities=Ema-1037 |References= }}")
  • 10:19, 24 April 2018 Ikirillov talk contribs deleted page Ema-1156 (content was: "{{Behavior |Name=exfiltrate data via VoIP/phone |Description=The 'exfiltrate data via VoIP/phone' Behavior behaviors exfiltrate data (encoded as audio) using a phone system, such as through voice over IP (VoIP). |Associated Capabilities=...")
  • 10:18, 24 April 2018 Ikirillov talk contribs deleted page Ema-1158 (content was: "{{Behavior |Name=exfiltrate data via physical media |Description=The 'exfiltrate data via physical media' Behavior exfiltrates data by writing it to physical media (e.g., to a USB flash drive). |Associated Capabilities=Ema-1007 |Referen...")
  • 10:18, 24 April 2018 Ikirillov talk contribs deleted page Ema-1157 (content was: "{{Behavior |Name=exfiltrate data via network |Description=The 'exfiltrate data via network' Behavior exfiltrates data through the computer network connected to the system on which the malware instance is executing. |Associated Attributes...")
  • 10:18, 24 April 2018 Ikirillov talk contribs deleted page Ema-1159 (content was: "{{Behavior |Name=exfiltrate data via fax |Description=The 'exfiltrate data via fax' Behavior exfiltrates data using a fax system. |Associated Capabilities=Ema-1007 |References= }}")
  • 10:18, 24 April 2018 Ikirillov talk contribs deleted page Ema-1155 (content was: "{{Behavior |Name=exfiltrate data via dumpster dive |Description=The 'exfiltrate via dumpster dive' Behavior exfiltrates data via dumpster dive - i.e, encoded data printed by malware is viewed as garbage and thrown away to then be physica...")
  • 10:17, 24 April 2018 Ikirillov talk contribs deleted page Ema-1160 (content was: "{{Behavior |Name=exfiltrate data via covert channel |Description=The 'exfiltrate data via covert channel' Behavior exfiltrates data using a covert channel, such as a DNS tunnel or NTP. |Associated Capabilities=Ema-1007 |References= }}")
  • 17:03, 23 April 2018 Ikirillov talk contribs deleted page Ema-1132 (content was: "{{Behavior |Name=elevate privilege |Description=The 'elevate privilege' Behavior elevates the privilege level under which the malware instance is executing. |Associated Capabilities=Ema-1013 |Aliases=vertical privilege escalation |Refere...")
  • 16:35, 23 April 2018 Ikirillov talk contribs deleted page Ema-1145 (content was: "{{Behavior |Name=disable user account control |Description=The ‘disable user account control’ Behavior bypasses or disables Windows' user account control (UAC), enabling the malware instance and/or its component to execute with eleva...")
  • 15:56, 23 April 2018 Ikirillov talk contribs deleted page Ema-1101 (content was: "{{Behavior Instance |Associated Behavior=Ema-1169 |Name=MACE Value Manipulation |Description=On Windows systems, MACE values can be deleted or modified in order to disguise malicious files and programs. This is done by changing the times...")
  • 15:43, 23 April 2018 Ikirillov talk contribs deleted page Ema-1078 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Startup Item Exploitation |Description=In Mac OSX, startup items allow a command or script to automatically be executed during OSX initialization. These items can be abused by execu...")
  • 15:42, 23 April 2018 Ikirillov talk contribs deleted page Ema-1084 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Windows Task Scheduler Spawning |Description=In Windows, the Windows Task Scheduler can be exploited to spawn a persistent malware which can be used to both steal various types of i...")
  • 15:42, 23 April 2018 Ikirillov talk contribs deleted page Ema-1086 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Encrypted Autostart Registry Key |Description=In Windows, an encrypted autostart registry key can be created, which when decrypted can install and run PowerShell code without leavin...")
  • 15:41, 23 April 2018 Ikirillov talk contribs deleted page Ema-1076 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Rc.common Exploitation |Description=RC scripts are used in another BSD-flavoured persistence technique that works on OS X, allowing scripts or commands to automatically be executed....")
  • 15:41, 23 April 2018 Ikirillov talk contribs deleted page Ema-1081 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Login/Logout Hooks |Description=In Mac OSX, login/logout hooks can be created to automatically execute commands or scripts upon a user logging into or out of a system. |Privilege Le...")
  • 15:40, 23 April 2018 Ikirillov talk contribs deleted page Ema-1079 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Login Items |Description=On Macs, login items can be abused to create autostart applications which execute malicious code. |Privilege Level=User space |Supporting Details={{Supporti...")