All public logs

Combined display of all available logs of ema. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).

Logs
  • 12:18, 23 September 2018 Dbeck talk contribs deleted page Ema-1208 (content was: "{{Behavior |Name=persist after os changes |Description=The 'persist after os changes' Behavior continues the execution of the malware instance after the operating system under which it is executing is modified, such as being installed or...")
  • 12:18, 23 September 2018 Dbeck talk contribs deleted page Ema-1070 (content was: "{{Behavior Instance |Associated Behavior=Ema-1208 |Name=UEFI Bootloader Injection |Description=Mac's UEFI bootloader can be exploit...", and the only contributor was "Cicalese" (talk))
  • 11:10, 16 September 2018 Dbeck talk contribs deleted page Ema-1178 (covered by Premium SMS Tool Fraud (Mobile ATT&CK))
  • 12:04, 7 September 2018 Dbeck talk contribs deleted page Ema-1241 (this is too close to definition of c2)
  • 11:46, 7 September 2018 Dbeck talk contribs deleted page Ema-1238 (moved into 'c2 host communication')
  • 11:46, 7 September 2018 Dbeck talk contribs deleted page Ema-1237 (moved into 'c2 host communication')
  • 11:46, 7 September 2018 Dbeck talk contribs deleted page Ema-1124 (moved into 'c2 host communication')
  • 11:45, 7 September 2018 Dbeck talk contribs deleted page Ema-1123 (moved into 'c2 host communication')
  • 10:41, 2 September 2018 Dbeck talk contribs deleted page Ema-1121 (content was: "{{Behavior |Name=fingerprint host |Description=The 'fingerprint host' Behavior creates a unique fingerprint for the system on which the malware instance is executing, e.g., based on the applications that are installed on the system. |Ass...")
  • 10:40, 2 September 2018 Dbeck talk contribs deleted page Ema-1096 (content was: "{{Behavior Instance |Associated Behavior=Ema-1121 |Name=OpCode Frequency Distribution |Description=Needs to be revisited |Supporting Details= |Code Snippets= |References={{Reference |URL=https://www.blackhat.com/presentations/bh-usa-06/B...")
  • 17:30, 1 September 2018 Dbeck talk contribs deleted page Ema-1172 (covered by inhibit memory dumping)
  • 13:17, 31 August 2018 Dbeck talk contribs deleted page Ema-1047 (content was: "{{Behavior |Name=virtualize packer |Description=Virtualizes [part of] packer stub code. This is a general category of anti-analysis and may...", and the only contributor was "Dbeck" (talk))
  • 13:07, 31 August 2018 Dbeck talk contribs deleted page Ema-1034 (covered by ATT&CK Process Injection)
  • 18:29, 30 August 2018 Dbeck talk contribs deleted page Ema-1050 (content was: "{{Behavior |Name=tool limitation |Description=Prevent the use of a tool via a specific limitation. This is a general category of anti-analysis and may refer to any number of techniques. |Associated Capabilities=Ema-1010,Ema-1026 }}")
  • 18:27, 30 August 2018 Dbeck talk contribs restored page Ema-1050 (6 revisions)
  • 18:27, 30 August 2018 Dbeck talk contribs deleted page Ema-1154 (content was: "{{Behavior |Name=block security websites |Description=The 'block security websites' Behavior prevents access from the system on which the malware instance is executing to one or more security vendor or security-related websites. |Associa...")
  • 18:27, 30 August 2018 Dbeck talk contribs restored page Ema-1154 (6 revisions)
  • 18:26, 30 August 2018 Dbeck talk contribs deleted page embedded file hooking (covered by ATT&CK Hooking)
  • 18:26, 30 August 2018 Dbeck talk contribs restored page embedded file hooking (6 revisions)
  • 18:07, 30 August 2018 Dbeck talk contribs deleted page embedded file hooking (covered by ATT&CK Hooking)
  • 18:04, 30 August 2018 Dbeck talk contribs deleted page Ema-1154 (covered by ATT&CK Disabling Security Tools)
  • 10:27, 30 August 2018 Dbeck talk contribs deleted page api hooking (overlaps with ATT&CK Hooking)
  • 10:26, 30 August 2018 Dbeck talk contribs deleted page Ema-1050 (overlaps with ATT&CK Disabling Security Tools)
  • 09:59, 30 August 2018 Dbeck talk contribs deleted page Ema-1224 (overlaps with ATT&CK Rootkit technique)
  • 09:56, 30 August 2018 Dbeck talk contribs restored page Ema-1224 (10 revisions)
  • 09:42, 30 August 2018 Dbeck talk contribs deleted page Ema-1224 (overlaps with ATT&CK Rootkit technique)
  • 10:53, 15 August 2018 Dbeck talk contribs deleted page Ema-1147 (content was: "{{Behavior |Name=disable OS security alerts |Description=The ‘disable OS security alerts’ Behavior disables operating system (OS) security alert messages that could lead to identification and/or notification of the presence of the ma...")
  • 10:47, 15 August 2018 Dbeck talk contribs deleted page Ema-1246 (content was: "{{Behavior |Name=inventory security products |Description=The 'inventory security products' Behavior creates an inventory of the security products installed or running on a system. |Associated Attributes=Attribute:27 |Associated Capabili...")
  • 10:47, 15 August 2018 Dbeck talk contribs deleted page Ema-1069 (content was: "{{Behavior Instance |Associated Behavior=Ema-1246 |Name=API Call: getInstalledPackages |Description=getInstalledPackages is used to get the list of installed Packages on the device, and is then compared against a list of security product...")
  • 08:53, 7 August 2018 Dbeck talk contribs deleted page Discovery (content was: "{{Capability |Name=Fraud |Description=Indicates that the malware instance is able to defraud a user or a system. }}")
  • 12:27, 27 July 2018 Dbeck talk contribs restored page hide kernel modules (10 revisions)
  • 12:25, 27 July 2018 Dbeck talk contribs deleted page hide kernel modules (content was: "{{Behavior |Name=hide kernel modules |Description=The 'hide kernel modules' Behavior hides the usage of any kernel modules by the malware instance. |Associated Attributes=Attribute:27 |Associated Capabilities=Ema-1028 }}")
  • 12:15, 27 July 2018 Dbeck talk contribs deleted page Ema-1151 (content was: "{{Behavior |Name=stop execution of security software |Description=The 'stop execution of security program' Behavior stops the execution of one or more instances of security software that may already be executing on a system. '''Examples...")
  • 12:15, 27 July 2018 Dbeck talk contribs deleted page Ema-1098 (content was: "{{Behavior Instance |Associated Behavior=Ema-1151 |Name=API Call: restartPackage |Description=Calling restartPackage on an already executing piece of security software can stop its its execution on a device. |Privilege Level=User space |...")
  • 11:29, 27 July 2018 Dbeck talk contribs deleted page & Component Firmware (content was: "{{Behavior |Name=injection |Description=Original file is injected in existing process (nothing written to disk and possibly higher privs). |...", and the only contributor was "Dbeck" (talk))
  • 11:25, 27 July 2018 Dbeck talk contribs deleted page Ema-1171 (content was: "{{Behavior |Name=feed misinformation during physical memory acquisition |Description=The 'feed misinformation during physical memory acquisition' Behavior reports inaccurate data when the contents of the physical memory of the system on...")
  • 10:58, 27 July 2018 Dbeck talk contribs deleted page Ema-1080 (content was: "{{Behavior Instance |Associated Behavior=Ema-1216 |Name=Web Injection |Description=On Macs, unpatched versions of applications can be exploited via malicious websites. |Privilege Level=User space |Supporting Details={{Supporting Detail |...")
  • 10:55, 27 July 2018 Dbeck talk contribs restored page Ema-1080 (24 revisions)
  • 10:53, 27 July 2018 Dbeck talk contribs deleted page Ema-1080 (content was: "{{Behavior Instance |Associated Behavior=Ema-1216 |Name=Web Injection |Description=On Macs, unpatched versions of applications can be exploited via malicious websites. |Privilege Level=User space |Supporting Details={{Supporting Detail |...")
  • 10:37, 27 July 2018 Dbeck talk contribs deleted page + malicious network driver (content was: "{{Behavior |Name=merge code sections |Description=Merge all sections; just one entry in the sections table. Only affects readability slightl...", and the only contributor was "Dbeck" (talk))
  • 10:36, 27 July 2018 Dbeck talk contribs deleted page Privilege Escalation (content was: "{{Behavior |Name=interleaving code |Description=A form of obfuscation that splits code into sections that are rearranged and con...", and the only contributor was "Ikirillov" (talk))
  • 10:28, 27 July 2018 Dbeck talk contribs deleted page + private api exploitation (Mobile) (content was: "{{Behavior |Name=symbolic obfuscation |Description=The removing or renaming of textual information in the code of the malware in...", and the only contributor was "Ikirillov" (talk))
  • 10:28, 27 July 2018 Dbeck talk contribs deleted page Credential Access (content was: "{{Behavior |Name=import address table obfuscation |Description=Obfuscation of the import address table of the malware instance,...", and the only contributor was "Ikirillov" (talk))
  • 10:27, 27 July 2018 Dbeck talk contribs deleted page & Rootkit (content was: "{{Behavior |Name=entrypoint obfuscation |Description=Obfuscation of the entry point of the malware executable, in order to hinde...", and the only contributor was "Ikirillov" (talk))
  • 10:25, 27 July 2018 Dbeck talk contribs deleted page Ema-1043 (content was: "{{Behavior |Name=minification |Description=Per wikipedia, minification is 'the process of removing all unnecessary characters from source co...", and the only contributor was "Dbeck" (talk))
  • 08:46, 27 July 2018 Dbeck talk contribs deleted page Ema-1042 (content was: "{{Behavior |Name=thunk insertion |Description=Variation on “jump”; also used by some compilers for user-generated functions (ex: Visual...", and the only contributor was "Dbeck" (talk))
  • 08:43, 27 July 2018 Dbeck talk contribs deleted page Ema-1040 (content was: "{{Behavior |Name=junk code insertion |Description=Insertion of dummy code between relevant opcodes. Can make signature writing more complex....", and the only contributor was "Dbeck" (talk))
  • 08:41, 27 July 2018 Dbeck talk contribs deleted page Ema-1041 (content was: "{{Behavior |Name=jump insertion |Description=Insertion of jumps to make analysis visually harder. |Associated Capabilities=Ema-1010 }}", and the only contributor was "Dbeck" (talk))
  • 08:40, 27 July 2018 Dbeck talk contribs deleted page Ema-1045 (content was: "{{Behavior |Name=fake code insertion |Description=Add fake code similar to known packers or known goods to fool identification. Can confuse...", and the only contributor was "Dbeck" (talk))
  • 08:17, 27 July 2018 Dbeck talk contribs deleted page Ema-1111 (content was: "{{Behavior |Name=steal web/network credential |Description=The 'steal web/network credential' Behavior steals usernames, passwords, or other forms of web (e.g., for logging into a website) and/or network credentials. |Associated Attribut...")