# mbc_summary.md

## Malware Objectives

| Objective | Description |
| --- | --- |
| Anti-Behavioral Analysis | Behaviors that prevent, obstruct, or evade behavioral analysis of malware, for example analysis done using a sandbox or debugger. Because the underlying methods differ, separate "detection" and "evasion" behaviors are defined for some anti-behavioral analysis areas. |
| Anti-Static Analysis | Behaviors and code characteristics that prevent or hinder static analysis of the malware. Simple static analysis identifies features such as embedded strings, header information, or file metadata. More involved static analysis involves the disassembly of the binary code. |
| Collection | Behaviors that enable malware to identify and gather information, such as sensitive files, from a machine or network. Sources often targeted include drives, browsers, audio/video, and email. Often the malware's next objective is to exfiltrate the information gathered. |
| Command and Control | Behaviors that enable malware to communicate with systems such as C2 servers or bots. Malware can establish command and control with various levels of covertness, depending on system configuration and network topology. |
| Credential Access | Behaviors to obtain credential access, allowing the malware or its underlying threat actor to assume control of an account with the associated system and network permissions. |
| Defense Evasion | Behaviors that enable malware to evade detection. |
| Discovery | Behaviors that enable malware to gain knowledge about the system and network. |
| Execution | Behaviors that enable malware to execute code on a system to achieve a variety of goals. |
| Exfiltration | Behaviors that enable malware to steal data from a system. This includes stored data, such as files, as well as data input into applications, such as web browsers. |
| Impact | Behaviors that enable malware to manipulate, interrupt, or destroy systems and data. |
| Lateral Movement | Behaviors that enable malware to propagate or otherwise move through an environment. Lateral movement may be active, happening via direct machine access, or may be passive (for example, done via malicious email). |
| Persistence | Behaviors that enable malware to remain on a system regardless of system events, such as reboots. |
| Privilege Escalation | Behaviors that enable malware to obtain higher level permissions. These behaviors often overlap with Persistence behaviors. |

## Malware Behaviors

| ID | Objective(s) | Behavior | Related ATT&CK Technique |
| --- | --- | --- | --- |
| B0001 | ANTI-BEHAVIORAL ANALYSIS | Debugger Detection | none |
| B0002 | ANTI-BEHAVIORAL ANALYSIS | Debugger Evasion | Debugger Evasion (T1622) |
| B0003 | ANTI-BEHAVIORAL ANALYSIS | Dynamic Analysis Evasion | Virtualization/Sandbox Evasion (T1497,T1633) |
| B0004 | ANTI-BEHAVIORAL ANALYSIS | Emulator Detection | none |
| B0005 | ANTI-BEHAVIORAL ANALYSIS | Emulator Evasion | none |
| B0006 | ANTI-BEHAVIORAL ANALYSIS | Memory Dump Evasion | none |
| B0007 | ANTI-BEHAVIORAL ANALYSIS | Sandbox Detection | Virtualization/Sandbox Evasion: System Checks (T1497.001,T1633.001); Virtualization/Sandbox Evasion: User Activity Based Checks (T1497.002) |
| B0008 | ANTI-BEHAVIORAL ANALYSIS, ANTI-STATIC ANALYSIS | Executable Code Virtualization | none |
| B0009 | ANTI-BEHAVIORAL ANALYSIS | Virtual Machine Detection | Virtualization/Sandbox Evasion (T1497,T1633) |
| B0010 | ANTI-STATIC ANALYSIS | Call Graph Generation Evasion | none |
| B0011 | EXECUTION | Remote Commands | Virtualization/Sandbox Evasion (T1497,T1633) |
| B0012 | ANTI-STATIC ANALYSIS | Disassembler Evasion | none |
| B0013 | DISCOVERY | Analysis Tool Discovery | none |
| B0014 | DISCOVERY | SMTP Connection Discovery | none |
| B0015 | not defined | --- | --- |
| B0016 | IMPACT | Compromise Data Integrity | Data Manipulation: Stored Data Manipulation (T1565.001) |
| B0017 | IMPACT | Destroy Hardware | none |
| B0018 | IMPACT | Resource Hijacking | Resource Hijacking (T1496) |
| B0019 | IMPACT | Manipulate Network Traffic | Data Manipulation: Transmitted Data Manipulation (T1565.002) |
| B0020 | EXECUTION, LATERAL MOVEMENT | Send Email | Phishing (T1566) |
| B0021 | EXECUTION, LATERAL MOVEMENT | Send Poisoned Text Message | none |
| B0022 | IMPACT, PERSISTENCE | Remote Access | none |
| B0023 | EXECUTION | Install Additional Program | none |
| B0024 | EXECUTION | Prevent Concurrent Execution | none |
| B0025 | ANTI-BEHAVIORAL ANALYSIS, EXECUTION | Conditional Execution | Execution Guardrails (T1480) |
| B0026 | LATERAL MOVEMENT, PERSISTENCE | Malicious Network Driver | none |
| B0027 | DEFENSE EVASION | Alternative Installation Location | none |
| B0028 | COLLECTION, CREDENTIAL ACCESS | Cryptocurrency | none |
| B0029 | DEFENSE EVASION | Polymorphic Code | none |
| B0030 | COMMAND AND CONTROL | C2 Communication | none |
| B0031 | COMMAND AND CONTROL | Domain Name Generation | Dynamic Resolution: Domain Name Generation (T1568.002) |
| B0032 | ANTI-STATIC ANALYSIS | Executable Code Obfuscation | none |
| B0033 | IMPACT | Denial of Service | Network Denial of Service (T1498) |
| B0034 | ANTI-STATIC ANALYSIS | Executable Code Optimization | none |
| B0035 | PERSISTENCE | Shutdown Event | none |
| B0036 | ANTI-BEHAVIORAL ANALYSIS | Capture Evasion | none |
| B0037 | DEFENSE EVASION | Bypass Data Execution Prevention | none |
| B0038 | DISCOVERY | Self Discovery | none |
| B0039 | IMPACT | Spamming | none |
| B0040 | DEFENSE EVASION | Covert Location | none |
| B0041 | not defined | --- | --- |
| B0042 | IMPACT | Modify Hardware | none |
| B0043 | DISCOVERY | Taskbar Discovery | none |
| B0044 | EXECUTION | Execution Dependency | none |
| B0045 | ANTI-STATIC ANALYSIS | Data Flow Analysis Evasion | none |
| B0046 | DISCOVERY | Code Discovery | none |
| B0047 | DEFENSE EVASION, PERSISTENCE | Install Insecure or Malicious Configuration | none |

## Malware Micro-objectives

| Objective | Description |
| --- | --- |
| Communication Micro-objective | Micro-behaviors that enable malware to communicate. |
| Cryptography Micro-objective | Micro-behaviors that enable malware to use crypto. |
| Data Micro-objective | Micro-behaviors related to malware manipulating data. |
| File System Micro-objective | Micro-behaviors related to file manipulation. |
| Hardware Micro-objective | Micro-behaviors related to hardware. |
| Memory Micro-objective | Micro-behaviors related to malware manipulating machine memory. |
| Operating System Micro-objective | Micro-behaviors related to operating systems. |
| Process Micro-objective | Micro-behaviors related to processes. |

## Malware Micro-behaviors

| ID | Objective(s) | Micro-behavior |
| --- | --- | --- |
| C0001 | COMMUNICATION | Socket Communication |
| C0002 | COMMUNICATION | HTTP Communication |
| C0003 | COMMUNICATION | Interprocess Communication |
| C0004 | COMMUNICATION | FTP Communication |
| C0005 | COMMUNICATION | WinINet |
| C0006 | MEMORY | Heap Spray |
| C0007 | MEMORY | Allocate Memory |
| C0008 | MEMORY | Change Memory Protection |
| C0009 | MEMORY | Stack Pivot |
| C0010 | MEMORY | Overflow Buffer |
| C0011 | COMMUNICATION | DNS Communication |
| C0012 | COMMUNICATION | SMTP Communication |
| C0014 | COMMUNICATION | ICMP Communication |
| C0015 | FILE SYSTEM | Alter File Extension |
| C0016 | FILE SYSTEM | Create File |
| C0017 | PROCESS | Create Process |
| C0018 | PROCESS | Terminate Process |
| C0019 | DATA | Check String |
| C0020 | DATA | Use Constant |
| C0021 | CRYPTOGRAPHY | Generate Pseudo-random Sequence |
| C0022 | PROCESS | Synchronization |
| C0023 | HARDWARE | Load Driver |
| C0024 | DATA | Compress Data |
| C0025 | DATA | Decompress Data |
| C0026 | DATA | Encode Data |
| C0027 | CRYPTOGRAPHY | Encrypt Data |
| C0028 | CRYPTOGRAPHY | Encryption Key |
| C0029 | CRYPTOGRAPHY | Cryptographic Hash |
| C0030 | DATA | Non-Cryptographic Hash |
| C0031 | CRYPTOGRAPHY | Decrypt Data |
| C0032 | DATA | Checksum |
| C0033 | OPERATING SYSTEM | Console |
| C0034 | OPERATING SYSTEM | Environment Variable |
| C0035 | OPERATING SYSTEM | Wallpaper |
| C0036 | OPERATING SYSTEM | Registry |
| C0037 | HARDWARE | Install Driver |
| C0038 | PROCESS | Create Thread |
| C0039 | PROCESS | Terminate Thread |
| C0040 | PROCESS | Allocate Thread Local Storage |
| C0041 | PROCESS | Set Thread Local Storage Value |
| C0042 | PROCESS | Create Mutex |
| C0043 | PROCESS | Check Mutex |
| C0044 | MEMORY | Free Memory |
| C0045 | FILE SYSTEM | Copy File |
| C0046 | FILE SYSTEM | Create Directory |
| C0047 | FILE SYSTEM | Delete File |
| C0048 | FILE SYSTEM | Delete Directory |
| C0049 | FILE SYSTEM | Get File Attributes |
| C0050 | FILE SYSTEM | Set File Attributes |
| C0051 | FILE SYSTEM | Read File |
| C0052 | FILE SYSTEM | Writes File |
| C0053 | DATA | Decode Data |
| C0054 | PROCESS | Resume Thread |
| C0055 | PROCESS | Suspend Thread |
| C0056 | FILE SYSTEM | Read Virtual Disk |
| C0057 | HARDWARE | Simulate Hardware |
| C0058 | DATA | Modulo |
| C0059 | CRYPTOGRAPHY | Crypto Library |
| C0060 | DATA | Compression Library |
| C0061 | CRYPTOGRAPHY | Hashed Message Authentication Code |
| C0063 | FILE SYSTEM | Move File |
| C0064 | PROCESS | Enumerate Threads |
| C0065 | PROCESS | Open Process |
| C0066 | PROCESS | Open Thread |
| C0068 | CRYPTOGRAPHY | Crypto Algorithm |
| C0069 | CRYPTOGRAPHY | Crypto Constant |

## Enhanced Malware ATT&CK Techniques

| ID | Objective(s) | Technique |
| --- | --- | --- |
| E1010 | DISCOVERY | Application Window Discovery |
| E1014 | DEFENSE EVASION | Rootkit |
| E1020 | EXFILTRATION | Automated Exfiltration |
| E1027 | ANTI-STATIC ANALYSIS, DEFENSE EVASION | Obfuscated Files or Information |
| E1055 | DEFENSE EVASION, PRIVILEGE ESCALATION | Process Injection |
| E1056 | COLLECTION, CREDENTIAL ACCESS | Input Capture |
| E1059 | EXECUTION | Command and Scripting Interpreter |
| E1082 | DISCOVERY | System Information Discovery |
| E1083 | DISCOVERY | File and Directory Discovery |
| E1105 | COMMAND AND CONTROL, LATERAL MOVEMENT, PERSISTENCE | Ingress Tool Transfer |
| E1112 | DEFENSE EVASION, PERSISTENCE | Modify Registry |
| E1113 | COLLECTION, CREDENTIAL ACCESS | Screen Capture |
| E1190 | IMPACT | Exploit Kit |
| E1195 | LATERAL MOVEMENT | Supply Chain Compromise |
| E1203 | EXECUTION, IMPACT | Exploitation for Client Execution |
| E1204 | EXECUTION | User Execution |
| E1485 | IMPACT | Data Destruction |
| E1486 | IMPACT | Data Encrypted for Impact |
| E1510 | IMPACT | Clipboard Modification |
| E1560 | EXFILTRATION | Archive Collected Data |
| E1564 | DEFENSE EVASION, PERSISTENCE | Hide Artifacts |
| E1569 | EXECUTION | System Services |
| E1608 | PRIVILEGE ESCALATION | Install Certificate |
| E1643 | IMPACT | Generate Traffic from Victim |

## Enhanced Malware ATT&CK Sub-techniques

| ID | Objective(s) | Sub-technique |
| --- | --- | --- |
| F0001 | ANTI-BEHAVIORAL ANALYSIS, ANTI-STATIC ANALYSIS, DEFENSE EVASION | Software Packing |
| F0002 | COLLECTION, CREDENTIAL ACCESS | Keylogging |
| F0004 | DEFENSE EVASION | Disable or Evade Security Tools |
| F0005 | DEFENSE EVASION, PERSISTENCE | Hidden Files and Directories |
| F0006 | DEFENSE EVASION | Indicator Blocking |
| F0007 | DEFENSE EVASION | Self Deletion |
| F0009 | DEFENSE EVASION, IMPACT, PERSISTENCE | Component Firmware |
| F0010 | PERSISTENCE, PRIVILEGE ESCALATION | Kernel Modules and Extensions |
| F0011 | PERSISTENCE, PRIVILEGE ESCALATION | Modify Existing Service |
| F0012 | PERSISTENCE | Registry Run Keys / Startup Folder |
| F0013 | DEFENSE EVASION, PERSISTENCE | Bootkit |
| F0014 | IMPACT | Disk Wipe |
| F0015 | ANTI-BEHAVIORAL ANALYSIS, COLLECTION, CREDENTIAL ACCESS, DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION | Hijack Execution Flow |