linter: add MBC names and IDs to the linting script

Baptistin Boilot
2022-02-06 11:47:49 +01:00
parent 5bfe706b56
commit d026d21073
2 changed files with 818 additions and 1 deletions


@@ -759,5 +759,822 @@
"T1529": "System Shutdown/Reboot",
"T1565.002": "Data Manipulation::Transmitted Data Manipulation"
}
},
"mbc": {
"Anti-Behavioral Analysis": {
"B0007.009": "Sandbox Detection::Timing/Uptime Check",
"B0001.022": "Debugger Detection::RtlAdjustPrivilege",
"B0001.001": "Debugger Detection::API Hook Detection",
"B0007.005": "Sandbox Detection::Product Key/ID Testing",
"B0002.005": "Debugger Evasion::Code Integrity Check",
"B0001.035": "Debugger Detection::Process Environment Block BeingDebugged",
"B0007.004": "Sandbox Detection::Injected DLL Testing",
"B0005.003": "Emulator Evasion::Unusual/Undocumented API Calls",
"B0001.024": "Debugger Detection::SetHandleInformation",
"B0009.016": "Virtual Machine Detection::Modern Specs Check - USB drive",
"B0009.028": "Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address",
"B0009.014": "Virtual Machine Detection::Modern Specs Check - Total physical memory",
"B0002.010": "Debugger Evasion::Import Obfuscation",
"F0001.010": "Software Packing::VMProtect",
"B0001.003": "Debugger Detection::CloseHandle",
"B0006.006": "Memory Dump Evasion::Guard Pages",
"B0009.025": "Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port",
"B0025.004": "Conditional Execution::Host Fingerprint Check",
"B0002.009": "Debugger Evasion::Hook Interrupt",
"B0004": "Emulator Detection",
"B0002.008": "Debugger Evasion::Guard Pages",
"B0009.006": "Virtual Machine Detection::Check Running Services",
"B0002.013": "Debugger Evasion::Malloc Use",
"F0003.006": "Hooking::Export Address Table (EAT) Hooking",
"B0009.015": "Virtual Machine Detection::Modern Specs Check - Drive size",
"B0001.017": "Debugger Detection::Page Exception Breakpoint Detection",
"B0009.004": "Virtual Machine Detection::Check Processes",
"B0001.012": "Debugger Detection::NtQueryInformationProcess",
"B0002.029": "Debugger Evasion::Thread Timeout",
"B0036.001": "Capture Evasion::Memory-only Payload",
"F0003.001": "Hooking::Import Address Table (IAT) Hooking",
"B0036": "Capture Evasion",
"B0002.028": "Debugger Evasion::Tampering",
"B0005.004": "Emulator Evasion::Extra Loops/Time Locks",
"B0009.009": "Virtual Machine Detection::Check Windows",
"F0003.005": "Hooking::Shadow SDT Hooking",
"B0007": "Sandbox Detection",
"B0009.037": "Virtual Machine Detection::Instruction Testing - VMCPUID",
"B0006.009": "Memory Dump Evasion::Flow Opcode Obstruction",
"B0002.001": "Debugger Evasion::Block Interrupts",
"B0006.002": "Memory Dump Evasion::Erase the PE header",
"B0009.034": "Virtual Machine Detection::Instruction Testing - CPUID",
"B0003": "Dynamic Analysis Evasion",
"B0007.001": "Sandbox Detection::Check Clipboard Data",
"B0001.037": "Debugger Detection::Process Environment Block IsDebugged",
"B0006.001": "Memory Dump Evasion::Code Encryption in Memory",
"F0001.011": "Software Packing::Themida",
"B0001.019": "Debugger Detection::Process Environment Block",
"B0002.025": "Debugger Evasion::Self-Unmapping",
"B0002.018": "Debugger Evasion::Pipeline Misdirection",
"B0002.030": "Debugger Evasion::Use Interrupts",
"B0002.023": "Debugger Evasion::Section Misalignment",
"F0001.002": "Software Packing::Standard Compression",
"B0005.001": "Emulator Evasion::Different Opcode Sets",
"B0009.003": "Virtual Machine Detection::Check Named System Objects",
"B0009.002": "Virtual Machine Detection::Check Memory Artifacts",
"B0003.003": "Dynamic Analysis Evasion::Delayed Execution",
"B0003.010": "Dynamic Analysis Evasion::Restart",
"B0002.002": "Debugger Evasion::Break Point Clearing",
"B0008": "Executable Code Virtualization",
"B0001.027": "Debugger Detection::TIB Aware",
"F0001.007": "Software Packing::Custom Compression of Data",
"B0001.004": "Debugger Detection::Debugger Artifacts",
"B0009.031": "Virtual Machine Detection::Instruction Testing - SGDT/SLDT (no pill)",
"B0036.002": "Capture Evasion::Encrypted Payloads",
"B0001.028": "Debugger Detection::Timing/Delay Check",
"F0001.004": "Software Packing::Standard Compression of Data",
"B0001.005": "Debugger Detection::Hardware Breakpoints",
"F0001.003": "Software Packing::Standard Compression of Code",
"F0003.002": "Hooking::Inline Patching",
"B0002.007": "Debugger Evasion::Get Base Indirectly",
"B0009": "Virtual Machine Detection",
"B0005": "Emulator Evasion",
"B0003.002": "Dynamic Analysis Evasion::Data Flood",
"B0001.023": "Debugger Detection::SeDebugPrivilege",
"B0002.016": "Debugger Evasion::Obfuscate Library Use",
"B0007.006": "Sandbox Detection::Screen Resolution Testing",
"B0009.036": "Virtual Machine Detection::Instruction Testing - RDTSC",
"B0006.004": "Memory Dump Evasion::SizeOfImage",
"B0003.005": "Dynamic Analysis Evasion::Drop Code",
"B0006.008": "Memory Dump Evasion::Feed Misinformation",
"B0009.010": "Virtual Machine Detection::Guest Process Testing",
"B0002.020": "Debugger Evasion::Relocate API Code",
"B0006": "Memory Dump Evasion",
"B0001.016": "Debugger Detection::OutputDebugString",
"B0002.011": "Debugger Evasion::Inlining",
"B0009.012": "Virtual Machine Detection::Human User Check",
"B0002.012": "Debugger Evasion::Loop Escapes",
"F0001.013": "Software Packing::ASPack",
"B0009.013": "Virtual Machine Detection::Modern Specs Check",
"F0001.008": "Software Packing::UPX",
"B0001.029": "Debugger Detection::TLS Callbacks",
"F0001.012": "Software Packing::Armadillo",
"B0001.014": "Debugger Detection::NtSetInformationThread",
"B0001.025": "Debugger Detection::Software Breakpoints",
"B0003.009": "Dynamic Analysis Evasion::Illusion",
"B0008.001": "Executable Code Virtualization::Multiple VMs",
"B0001.011": "Debugger Detection::Monitoring Thread",
"B0002.022": "Debugger Evasion::RtlAdjustPrivilege",
"F0003.004": "Hooking::System Service Dispatch Table Hooking",
"B0001.013": "Debugger Detection::NtQueryObject",
"B0009.018": "Virtual Machine Detection::Modern Specs Check - Processor count",
"F0003.003": "Hooking::Procedure Hooking",
"B0001": "Debugger Detection",
"B0002.015": "Debugger Evasion::Nanomites",
"B0002.024": "Debugger Evasion::Self-Debugging",
"B0004.002": "Emulator Detection::Check for WINE Version",
"B0001.015": "Debugger Detection::NtYieldExecution/SwitchToThread",
"B0009.005": "Virtual Machine Detection::Check Registry Keys",
"B0001.006": "Debugger Detection::Interrupt 0x2d",
"B0009.011": "Virtual Machine Detection::HTML5 Performance Object Check",
"B0001.018": "Debugger Detection::Parent Process",
"B0009.008": "Virtual Machine Detection::Check Virtual Devices",
"B0009.022": "Virtual Machine Detection::Check Windows - Title bars",
"B0009.023": "Virtual Machine Detection::Unique Hardware/Firmware Check",
"B0004.001": "Emulator Detection::Check for Emulator-related Files",
"B0001.036": "Debugger Detection::Process Environment Block NtGlobalFlag",
"B0009.026": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Name",
"B0007.002": "Sandbox Detection::Check Files",
"F0001.006": "Software Packing::Custom Compression of Code",
"B0003.007": "Dynamic Analysis Evasion::Hook File System",
"B0009.032": "Virtual Machine Detection::Instruction Testing - SMSW",
"B0006.010": "Memory Dump Evasion::Hook memory mapping APIs",
"B0009.007": "Virtual Machine Detection::Check Software",
"B0001.026": "Debugger Detection::Stack Canary",
"B0009.020": "Virtual Machine Detection::Check Windows - Window size",
"B0007.003": "Sandbox Detection::Human User Check",
"B0006.011": "Memory Dump Evasion::Patch MmGetPhysicalMemoryRanges",
"B0006.005": "Memory Dump Evasion::Tampering",
"B0001.034": "Debugger Detection::Anti-debugging Instructions",
"B0007.008": "Sandbox Detection::Timing/Date Check",
"B0001.030": "Debugger Detection::UnhandledExceptionFilter",
"B0002.026": "Debugger Evasion::Static Linking",
"B0001.002": "Debugger Detection::CheckRemoteDebuggerPresent",
"B0025": "Conditional Execution",
"B0002.004": "Debugger Evasion::Change SizeOfImage",
"B0009.017": "Virtual Machine Detection::Modern Specs Check - Printer",
"B0002.006": "Debugger Evasion::Exception Misdirection",
"B0009.021": "Virtual Machine Detection::Check Windows - Unique windows",
"B0003.008": "Dynamic Analysis Evasion::Hook Interrupt",
"F0001.001": "Software Packing::Nested Packing",
"B0001.007": "Debugger Detection::Interrupt 1",
"B0001.032": "Debugger Detection::Timing/Delay Check GetTickCount",
"B0001.031": "Debugger Detection::WudfIsAnyDebuggerPresent",
"B0009.038": "Virtual Machine Detection::Instruction Testing - VPCEXT",
"B0002": "Debugger Evasion",
"B0025.003": "Conditional Execution::GetVolumeInformation",
"B0009.024": "Virtual Machine Detection::Unique Hardware/Firmware Check - BIOS",
"B0003.006": "Dynamic Analysis Evasion::Encode File",
"B0006.007": "Memory Dump Evasion::On-the-Fly APIs",
"B0009.019": "Virtual Machine Detection::Modern Specs Check - Keyboard layout",
"B0009.033": "Virtual Machine Detection::Instruction Testing - STR",
"F0003": "Hooking",
"B0009.001": "Virtual Machine Detection::Check File and Directory Artifacts",
"B0025.002": "Conditional Execution::Environmental Keys",
"B0002.014": "Debugger Evasion::Modify PE Header",
"B0003.001": "Dynamic Analysis Evasion::Alternative ntdll.dll",
"B0002.003": "Debugger Evasion::Byte Stealing",
"B0009.035": "Virtual Machine Detection::Instruction Testing - IN",
"B0025.008": "Conditional Execution::Deposited Keys",
"B0009.030": "Virtual Machine Detection::Instruction Testing - SIDT (red pill)",
"B0001.021": "Debugger Detection::ProcessHeap",
"B0007.007": "Sandbox Detection::Self Check",
"B0002.027": "Debugger Evasion::Stolen API Code",
"B0004.003": "Emulator Detection::Check Emulator-related Registry Keys",
"B0009.029": "Virtual Machine Detection::Instruction Testing",
"B0002.017": "Debugger Evasion::Parallel Threads",
"B0005.002": "Emulator Evasion::Undocumented Opcodes",
"F0001.005": "Software Packing::Custom Compression",
"B0002.021": "Debugger Evasion::Return Obfuscation",
"B0009.027": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Location",
"B0006.003": "Memory Dump Evasion::Hide virtual memory",
"B0001.009": "Debugger Detection::Memory Breakpoints",
"B0001.010": "Debugger Detection::Memory Write Watching",
"B0036.003": "Capture Evasion::Multiple Stages of Loaders",
"B0003.004": "Dynamic Analysis Evasion::Demo Mode",
"B0004.004": "Emulator Detection::Failed Network Connections",
"B0001.008": "Debugger Detection::IsDebuggerPresent",
"B0025.001": "Conditional Execution::Suicide Exit",
"B0025.005": "Conditional Execution::Secure Triggers",
"B0025.006": "Conditional Execution::Token Check",
"B0025.007": "Conditional Execution::Runs as Service",
"B0001.033": "Debugger Detection::Timing/Delay Check QueryPerformanceCounter",
"F0001.009": "Software Packing::Confuser",
"B0002.019": "Debugger Evasion::Pre-Debug",
"F0001": "Software Packing",
"B0001.020": "Debugger Detection::Process Jobs"
},
"Anti-Static Analysis": {
"B0032.004": "Executable Code Obfuscation::Fake Code Insertion",
"B0032.009": "Executable Code Obfuscation::Entry Point Obfuscation",
"B0032.014": "Executable Code Obfuscation::Interleaving Code",
"F0001.010": "Software Packing::VMProtect",
"B0032.001": "Executable Code Obfuscation::API Hashing",
"B0032.017": "Executable Code Obfuscation::Stack Strings",
"B0032.006": "Executable Code Obfuscation::Thunk Code Insertion",
"B0032.002": "Executable Code Obfuscation::Code Insertion",
"B0034.002": "Executable Code Optimization::Minification",
"F0001.011": "Software Packing::Themida",
"B0032.010": "Executable Code Obfuscation::Guard Pages",
"B0032.013": "Executable Code Obfuscation::Instruction Overlap",
"B0032.015": "Executable Code Obfuscation::Merged Code Sections",
"F0001.002": "Software Packing::Standard Compression",
"B0032.003": "Executable Code Obfuscation::Dead Code Insertion",
"B0008": "Executable Code Virtualization",
"F0001.007": "Software Packing::Custom Compression of Data",
"B0012": "Disassembler Evasion",
"B0010.002": "Call Graph Generation Evasion::Invoke NTDLL System Calls via Encoded Table",
"B0012.002": "Disassembler Evasion::Conditional Misdirection",
"F0001.004": "Software Packing::Standard Compression of Data",
"F0001.003": "Software Packing::Standard Compression of Code",
"B0032.007": "Executable Code Obfuscation::Junk Code Insertion",
"B0032.008": "Executable Code Obfuscation::Data Value Obfuscation",
"B0012.003": "Disassembler Evasion::Value Dependent Jumps",
"B0012.005": "Disassembler Evasion::VBA Stomping",
"B0012.001": "Disassembler Evasion::Argument Obfuscation",
"E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm",
"F0001.013": "Software Packing::ASPack",
"E1027.m04": "Obfuscated Files or Information::Encryption",
"F0001.008": "Software Packing::UPX",
"F0001.012": "Software Packing::Armadillo",
"B0008.001": "Executable Code Virtualization::Multiple VMs",
"B0032": "Executable Code Obfuscation",
"E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm",
"E1027.m01": "Obfuscated Files or Information::Encoding",
"B0032.012": "Executable Code Obfuscation::Import Compression",
"F0001.006": "Software Packing::Custom Compression of Code",
"B0045.002": "Data Flow Analysis Evasion::Implicit Flows",
"E1027": "Obfuscated Files or Information",
"B0032.016": "Executable Code Obfuscation::Structured Exception Handling (SEH)",
"B0032.005": "Executable Code Obfuscation::Jump Insertion",
"E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm",
"B0010.001": "Call Graph Generation Evasion::Two-layer Function Return",
"F0001.001": "Software Packing::Nested Packing",
"B0045.001": "Data Flow Analysis Evasion::Control Dependence",
"B0034": "Executable Code Optimization",
"B0010": "Call Graph Generation Evasion",
"B0032.011": "Executable Code Obfuscation::Import Address Table Obfuscation",
"B0034.001": "Executable Code Optimization::Jump/Call Absolute Address",
"B0045.003": "Data Flow Analysis Evasion::Arbitrary Memory Corruption",
"B0012.004": "Disassembler Evasion::Variable Recomposition",
"E1027.m06": "Obfuscated Files or Information::Encryption of Code",
"F0001.005": "Software Packing::Custom Compression",
"B0032.018": "Executable Code Obfuscation::Symbol Obfuscation",
"E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm",
"E1027.m07": "Obfuscated Files or Information::Encryption of Data",
"B0045": "Data Flow Analysis Evasion",
"F0001.009": "Software Packing::Confuser",
"F0001": "Software Packing"
},
"Collection": {
"E1056": "Input Capture",
"F0003.006": "Hooking::Export Address Table (EAT) Hooking",
"F0003.001": "Hooking::Import Address Table (IAT) Hooking",
"F0003.005": "Hooking::Shadow SDT Hooking",
"F0002.001": "Keylogging::Application Hook",
"E1056.m01": "Input Capture::Mouse Events",
"B0028.002": "Cryptocurrency::Ethereum",
"F0003.002": "Hooking::Inline Patching",
"F0002": "Keylogging",
"B0028": "Cryptocurrency",
"F0003.004": "Hooking::System Service Dispatch Table Hooking",
"F0003.003": "Hooking::Procedure Hooking",
"F0002.002": "Keylogging::Polling",
"F0003": "Hooking",
"E1113.m01": "Screen Capture::WinAPI",
"E1113": "Screen Capture",
"B0028.001": "Cryptocurrency::Bitcoin",
"B0028.003": "Cryptocurrency::Zcash"
},
"Command and Control": {
"B0030.001": "C2 Communication::Send Data",
"B0030.010": "C2 Communication::Request Email Address List",
"B0030": "C2 Communication",
"B0030.015": "C2 Communication::File search",
"B0030.005": "C2 Communication::Check for Payload",
"B0030.008": "C2 Communication::Request Command",
"B0031": "Domain Name Generation",
"B0030.002": "C2 Communication::Receive Data",
"B0030.013": "C2 Communication::Execute File",
"B0030.007": "C2 Communication::Send Heartbeat",
"E1105": "Remote File Copy",
"B0030.009": "C2 Communication::Request Email Template",
"B0030.011": "C2 Communication::Authenticate",
"B0030.012": "C2 Communication::Directory Listing",
"B0030.003": "C2 Communication::Server to Client File Transfer",
"B0030.004": "C2 Communication::Implant to Controller File Transfer",
"B0030.014": "C2 Communication::Execute Shell Command",
"B0030.006": "C2 Communication::Send System Information",
"B0030.016": "C2 Communication::Start Interactive Shell"
},
"Credential Access": {
"E1056": "Input Capture",
"F0003.006": "Hooking::Export Address Table (EAT) Hooking",
"F0003.001": "Hooking::Import Address Table (IAT) Hooking",
"F0003.005": "Hooking::Shadow SDT Hooking",
"F0002.001": "Keylogging::Application Hook",
"E1056.m01": "Input Capture::Mouse Events",
"B0028.002": "Cryptocurrency::Ethereum",
"F0003.002": "Hooking::Inline Patching",
"F0002": "Keylogging",
"B0028": "Cryptocurrency",
"F0003.004": "Hooking::System Service Dispatch Table Hooking",
"F0003.003": "Hooking::Procedure Hooking",
"F0002.002": "Keylogging::Polling",
"F0003": "Hooking",
"E1113.m01": "Screen Capture::WinAPI",
"E1113": "Screen Capture",
"B0028.001": "Cryptocurrency::Bitcoin",
"B0028.003": "Cryptocurrency::Zcash"
},
"Defense Evasion": {
"F0009.001": "Component Firmware::Router Firmware",
"F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking",
"F0004.007": "Disable or Evade Security Tools::Bypass Windows File Protection",
"F0001.010": "Software Packing::VMProtect",
"F0005.002": "Hidden Files and Directories::Location",
"E1055.m05": "Process Injection::Injection via Windows Fibers",
"B0025.004": "Conditional Execution::Host Fingerprint Check",
"F0015.003": "Hijack Execution Flow::Import Address Table (IAT) Hooking",
"F0003.006": "Hooking::Export Address Table (EAT) Hooking",
"F0003.001": "Hooking::Import Address Table (IAT) Hooking",
"F0004.008": "Disable or Evade Security Tools::Heavens Gate",
"B0040.001": "Covert Location::Hide Data in Registry",
"F0005": "Hidden Files and Directories",
"F0003.005": "Hooking::Shadow SDT Hooking",
"E1055": "Process Injection",
"F0015.001": "Hijack Execution Flow::Export Address Table (EAT) Hooking",
"E1055.m04": "Process Injection::Patch Process Command Line",
"B0029.001": "Polymorphic Code::Packer Stub",
"F0001.011": "Software Packing::Themida",
"F0007.001": "Self Deletion::COMSPEC Environment Variable",
"F0001.002": "Software Packing::Standard Compression",
"F0013": "Bootkit",
"F0004.004": "Disable or Evade Security Tools::AMSI Bypass",
"F0001.007": "Software Packing::Custom Compression of Data",
"B0029.002": "Polymorphic Code::Call Indirections",
"E1014.m17": "Rootkit::Memory Rootkit",
"F0001.004": "Software Packing::Standard Compression of Data",
"F0001.003": "Software Packing::Standard Compression of Code",
"F0003.002": "Hooking::Inline Patching",
"E1478": "Install Insecure or Malicious Configuration",
"E1014.m16": "Rootkit::Kernel Mode Rootkit",
"B0040.002": "Covert Location::Steganography",
"F0009": "Component Firmware",
"F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking",
"E1564.m04": "Hidden Artifacts::Hidden Services",
"B0027.002": "Alternative Installation Location::Registry Install",
"B0037": "Bypass Data Execution Prevention",
"B0029.003": "Polymorphic Code::Code Reordering",
"E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm",
"F0007": "Self Deletion",
"B0027": "Alternative Installation Location",
"F0001.013": "Software Packing::ASPack",
"E1564.m03": "Hidden Artifacts::Hidden Processes",
"F0015.002": "Hijack Execution Flow::Inline Patching",
"E1027.m04": "Obfuscated Files or Information::Encryption",
"E1564.m05": "Hidden Artifacts::Hidden Kernel Modules",
"E1014.m12": "Rootkit::Application Rootkit",
"F0001.008": "Software Packing::UPX",
"F0001.012": "Software Packing::Armadillo",
"E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm",
"F0003.004": "Hooking::System Service Dispatch Table Hooking",
"F0003.003": "Hooking::Procedure Hooking",
"F0004.002": "Disable or Evade Security Tools::Disable System File Overwrite Protection",
"F0005.004": "Hidden Files and Directories::Timestamp",
"F0005.001": "Hidden Files and Directories::Extension",
"E1027.m01": "Obfuscated Files or Information::Encoding",
"E1014.m14": "Rootkit::Hardware/Firmware Rootkit",
"F0001.006": "Software Packing::Custom Compression of Code",
"E1055.m02": "Process Injection::Injection and Persistence via Registry Modification",
"F0004.001": "Disable or Evade Security Tools::Disable Kernel Patch Protection",
"B0027.001": "Alternative Installation Location::Fileless Malware",
"F0004.006": "Disable or Evade Security Tools::Force Lazy Writing",
"E1055.m03": "Process Injection::Injection using Shims",
"E1027": "Obfuscated Files or Information",
"B0025": "Conditional Execution",
"F0015": "Hijack Execution Flow",
"F0004.009": "Disable or Evade Security Tools::Disable Code Integrity",
"B0037.001": "Bypass Data Execution Prevention::ROP Chains",
"E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm",
"F0001.001": "Software Packing::Nested Packing",
"E1014.m13": "Rootkit::Bootloader",
"E1014": "Rootkit",
"F0004.005": "Disable or Evade Security Tools::Modify Policy",
"B0025.003": "Conditional Execution::GetVolumeInformation",
"E1014.m15": "Rootkit::Hypervisor/Virtualized Rootkit",
"E1112": "Modify Registry",
"F0003": "Hooking",
"B0025.002": "Conditional Execution::Environmental Keys",
"F0004.003": "Disable or Evade Security Tools::Unhook APIs",
"F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls",
"F0005.003": "Hidden Files and Directories::Attribute",
"B0025.008": "Conditional Execution::Deposited Keys",
"E1027.m06": "Obfuscated Files or Information::Encryption of Code",
"F0006": "Indicator Blocking",
"F0001.005": "Software Packing::Custom Compression",
"E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx",
"B0040": "Covert Location",
"E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm",
"F0006.001": "Indicator Blocking::Remove SMS Warning Messages",
"E1564.m02": "Hidden Artifacts::Direct Kernel Object Manipulation",
"B0029": "Polymorphic Code",
"E1564": "Hidden Artifacts",
"E1564.m01": "Hidden Artifacts::Hidden Userspace Libraries",
"F0004": "Disable or Evade Security Tools",
"E1027.m07": "Obfuscated Files or Information::Encryption of Data",
"B0025.001": "Conditional Execution::Suicide Exit",
"B0025.005": "Conditional Execution::Secure Triggers",
"B0025.006": "Conditional Execution::Token Check",
"B0025.007": "Conditional Execution::Runs as Service",
"F0001.009": "Software Packing::Confuser",
"F0001": "Software Packing"
},
"Discovery": {
"E1010": "Application Window Discovery",
"B0046": "Code Discovery",
"B0046.001": "Code Discovery::Enumerate PE Sections",
"B0043": "Taskbar Discovery",
"B0013.007": "Analysis Tool Discovery::Process detection - Sandboxes",
"B0013.001": "Analysis Tool Discovery::Process detection",
"B0046.003": "Code Discovery::Parse PE Header",
"B0013.009": "Analysis Tool Discovery::Known Window",
"B0013.003": "Analysis Tool Discovery::Process detection - SysInternals Suite Tools",
"B0013.006": "Analysis Tool Discovery::Process detection - PE Utilities",
"B0013.005": "Analysis Tool Discovery::Process detection - Process Utilities",
"B0013": "Analysis Tool Discovery",
"E1083.m01": "File and Directory Discovery::Log File",
"B0046.002": "Code Discovery::Inspect Section Memory Permissions",
"B0013.002": "Analysis Tool Discovery::Process detection - Debuggers",
"B0013.004": "Analysis Tool Discovery::Process detection - PCAP Utilities",
"B0014": "SMTP Connection Discovery",
"E1010.m01": "Application Window Discovery::Window Text",
"E1082": "System Information Discovery",
"E1083": "File and Directory Discovery",
"B0013.008": "Analysis Tool Discovery::Known File Location",
"B0038": "Self Discovery",
"E1082.m01": "System Information Discovery::Generate Windows Exception"
},
"Execution": {
"E1203.m05": "Exploitation for Client Execution::Sysinternals",
"E1203.m06": "Exploitation for Client Execution::Windows Utilities",
"B0025.004": "Conditional Execution::Host Fingerprint Check",
"B0020": "Send Email",
"B0011.001": "Remote Commands::Delete File",
"B0011.007": "Remote Commands::Upload File",
"E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)",
"B0011.005": "Remote Commands::Sleep",
"B0021": "Send Poisoned Text Message",
"E1203.m02": "Exploitation for Client Execution::Java-based Web Servers",
"B0024": "Prevent Concurrent Execution",
"B0011.006": "Remote Commands::Uninstall",
"B0011.003": "Remote Commands::Execute",
"E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers",
"B0011.004": "Remote Commands::Shutdown",
"B0011": "Remote Commands",
"E1203": "Exploitation for Client Execution",
"E1569.m01": "System Services::MSDTC",
"E1204": "User Interaction",
"E1059": "Command and Scripting Interpreter",
"B0025": "Conditional Execution",
"B0044": "Execution Dependency",
"B0011.002": "Remote Commands::Download File",
"B0025.003": "Conditional Execution::GetVolumeInformation",
"B0023": "Install Additional Program",
"E1569": "System Services",
"B0025.002": "Conditional Execution::Environmental Keys",
"B0025.008": "Conditional Execution::Deposited Keys",
"E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products",
"B0025.001": "Conditional Execution::Suicide Exit",
"B0025.005": "Conditional Execution::Secure Triggers",
"B0025.006": "Conditional Execution::Token Check",
"B0025.007": "Conditional Execution::Runs as Service"
},
"Exfiltration": {
"E1560": "Archive Collected Data",
"E1560.m04": "Archive Collected Data::Encoding - Custom Encoding",
"E1020": "Automated Exfiltration",
"E1560.m06": "Archive Collected Data::Encryption - Custom Encryption",
"E1560.m05": "Archive Collected Data::Encryption - Standard Encryption",
"E1020.m01": "Automated Exfiltration::Exfiltrate via File Hosting Service",
"E1560.m03": "Archive Collected Data::Encoding - Standard Encoding",
"E1560.m02": "Archive Collected Data::Encryption",
"E1560.m01": "Archive Collected Data::Encoding"
},
"Impact": {
"F0009.001": "Component Firmware::Router Firmware",
"B0017": "Destroy Hardware",
"E1203.m05": "Exploitation for Client Execution::Sysinternals",
"E1203.m06": "Exploitation for Client Execution::Windows Utilities",
"E1190": "Exploit Kit Behavior",
"E1485": "Data Destruction",
"E1486": "Data Encrypted for Impact",
"E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)",
"B0019": "Manipulate Network Traffic",
"E1203.m02": "Exploitation for Client Execution::Java-based Web Servers",
"E1485.m03": "Data Destruction::Delete Application/Software",
"F0009": "Component Firmware",
"E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers",
"E1472.m02": "Generate Fraudulent Advertising Revenue::Advertisement Replacement Fraud",
"F0014": "Disk Wipe",
"E1485.m04": "Data Destruction::Delete Shadow Copies",
"E1203": "Exploitation for Client Execution",
"B0039": "Spamming",
"B0042": "Modify Hardware",
"B0018.002": "Resource Hijacking::Cryptojacking",
"B0042.003": "Modify Hardware::Printer",
"B0022.001": "Remote Access::Reverse Shell",
"E1486.001": "Data Encrypted for Impact::Ransom Note",
"B0018.001": "Resource Hijacking::Password Cracking",
"E1485.m02": "Data Destruction::Empty Recycle Bin",
"B0033": "Denial of Service",
"B0016": "Compromise Data Integrity",
"E1472.m01": "Generate Fraudulent Advertising Revenue::Click Hijacking",
"B0022": "Remote Access",
"B0042.001": "Modify Hardware::CDROM",
"B0042.002": "Modify Hardware::Mouse",
"E1510": "Clipboard Modification",
"E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products",
"B0018": "Resource Hijacking",
"E1472": "Generate Fraudulent Advertising Revenue"
},
"Lateral Movement": {
"E1195.m02": "Supply Chain Compromise::Exploit Private APIs",
"B0020": "Send Email",
"E1195": "Supply Chain Compromise",
"B0026": "Malicious Network Driver",
"B0021": "Send Poisoned Text Message",
"E1105": "Remote File Copy",
"E1195.m01": "Supply Chain Compromise::Abuse Enterprise Certificates"
},
"Communication": {
"C0005.002": "WinINet::InternetOpen",
"C0012.002": "SMTP Communication::Request",
"C0011.005": "DNS Communication::Resolve Free Hosting Domain",
"C0003.004": "Interprocess Communication::Write Pipe",
"C0002.012": "HTTP Communication::Create Request",
"C0002.013": "HTTP Communication::Set Header",
"C0002.001": "HTTP Communication::Server",
"C0002.002": "HTTP Communication::Client",
"C0014.001": "ICMP Communication::Generate Traffic",
"C0001.017": "Socket Communication::Receive UDP Data",
"C0002.015": "HTTP Communication::Receive Request",
"C0011": "DNS Communication",
"C0002.008": "HTTP Communication::WinHTTP",
"C0002.018": "HTTP Communication::Start Server",
"C0002.011": "HTTP Communication::Extract Body",
"C0012.001": "SMTP Communication::Server Connect",
"C0001.008": "Socket Communication::TCP Client",
"C0002.004": "HTTP Communication::Open URL",
"C0002.006": "HTTP Communication::Download URL",
"C0012": "SMTP Communication",
"C0011.002": "DNS Communication::Server Connect",
"C0001.014": "Socket Communication::Send TCP Data",
"C0002.009": "HTTP Communication::Connect to Server",
"C0005.004": "WinINet::InternetReadFile",
"C0002.003": "HTTP Communication::Send Request",
"C0002.005": "HTTP Communication::Send Data",
"C0004": "FTP Communication",
"C0001.012": "Socket Communication::Get Socket Status",
"C0002.017": "HTTP Communication::Get Response",
"C0001.011": "Socket Communication::Create TCP Socket",
"C0001": "Socket Communication",
"C0005": "WinINet",
"C0002.014": "HTTP Communication::Read Header",
"C0001.003": "Socket Communication::Create Socket",
"C0014.002": "ICMP Communication::Echo Request",
"C0002.016": "HTTP Communication::Send Response",
"C0001.005": "Socket Communication::Start TCP Server",
"C0005.001": "WinINet::InternetConnect",
"C0001.007": "Socket Communication::Send Data",
"C0001.009": "Socket Communication::Initialize Winsock Library",
"C0001.013": "Socket Communication::UDP Client",
"C0001.010": "Socket Communication::Create UDP Socket",
"C0001.015": "Socket Communication::Send UDP Data",
"C0002.007": "HTTP Communication::WinINet",
"C0005.003": "WinINet::InternetOpenURL",
"C0004.001": "FTP Communication::Send File",
"C0003.002": "Interprocess Communication::Connect Pipe",
"C0001.002": "Socket Communication::TCP Server",
"C0001.016": "Socket Communication::Receive TCP Data",
"C0001.006": "Socket Communication::Receive Data",
"C0001.004": "Socket Communication::Connect Socket",
"C0003.003": "Interprocess Communication::Read Pipe",
"C0002": "HTTP Communication",
"C0014": "ICMP Communication",
"C0011.001": "DNS Communication::Resolve",
"C0003": "Interprocess Communication",
"C0002.010": "HTTP Communication::IWebBrowser",
"C0011.004": "DNS Communication::Resolve TLD",
"C0001.001": "Socket Communication::Set Socket Config",
"C0005.005": "WinINet::InternetWriteFile",
"C0011.003": "DNS Communication::DDNS Domain Connect",
"C0003.001": "Interprocess Communication::Create Pipe",
"C0004.002": "FTP Communication::WinINet"
},
"Cryptography": {
"C0061": "Hashed Message Authentication Code",
"C0027.002": "Encrypt Data::Blowfish",
"C0027.014": "Encrypt Data::Block Cipher",
"C0031.006": "Decrypt Data::HC-128",
"C0031": "Decrypt Data",
"C0029": "Cryptographic Hash",
"C0027.010": "Encrypt Data::RC6",
"C0027.001": "Encrypt Data::AES",
"C0021": "Generate Pseudo-random Sequence",
"C0027": "Encrypt Data",
"C0031.008": "Decrypt Data::RC4",
"C0021.001": "Generate Pseudo-random Sequence::GetTickCount",
"C0031.001": "Decrypt Data::AES",
"C0028.001": "Encryption Key::Import Public Key",
"C0027.003": "Encrypt Data::Camellia",
"C0029.002": "Cryptographic Hash::SHA1",
"C0028.002": "Encryption Key::RC4 KSA",
"C0027.006": "Encrypt Data::HC-128",
"C0031.002": "Decrypt Data::Block Cipher",
"C0027.008": "Encrypt Data::Sosemanuk",
"C0028": "Encryption Key",
"C0029.004": "Cryptographic Hash::SHA224",
"C0031.013": "Decrypt Data::Stream Cipher",
"C0031.011": "Decrypt Data::Skipjack",
"C0021.004": "Generate Pseudo-random Sequence::RC4 PRGA",
"C0029.001": "Cryptographic Hash::MD5",
"C0029.003": "Cryptographic Hash::SHA256",
"C0031.014": "Decrypt Data::Twofish",
"C0029.006": "Cryptographic Hash::Snefru",
"C0031.003": "Decrypt Data::Blowfish",
"C0027.011": "Encrypt Data::RSA",
"C0031.005": "Decrypt Data::3DES",
"C0031.004": "Decrypt Data::Camellia",
"C0027.012": "Encrypt Data::Stream Cipher",
"C0027.007": "Encrypt Data::HC-256",
"C0027.004": "Encrypt Data::3DES",
"C0021.005": "Generate Pseudo-random Sequence::Mersenne Twister",
"C0059": "Crypto Library",
"C0029.005": "Cryptographic Hash::Tiger",
"C0031.010": "Decrypt Data::RSA",
"C0031.012": "Decrypt Data::Sosemanuk",
"C0021.003": "Generate Pseudo-random Sequence::Use API",
"C0027.013": "Encrypt Data::Skipjack",
"C0031.007": "Decrypt Data::HC-256",
"C0027.005": "Encrypt Data::Twofish",
"C0021.002": "Generate Pseudo-random Sequence::rand",
"C0027.009": "Encrypt Data::RC4",
"C0031.009": "Decrypt Data::RC6"
},
"Data": {
"C0030.005": "Non-Cryptographic Hash::FNV",
"C0026.001": "Encode Data::Base64",
"C0053.002": "Decode Data::XOR",
"C0020": "Use Constant",
"C0030.003": "Non-Cryptographic Hash::Fast-Hash",
"C0024.002": "Compress Data::IEncodingFilterFactory",
"C0025.002": "Decompress Data::IEncodingFilterFactory",
"C0032.004": "Checksum::Verhoeff",
"C0032.005": "Checksum::Adler",
"C0025.003": "Decompress Data::aPLib",
"C0025.001": "Decompress Data::QuickLZ",
"C0060": "Compression Library",
"C0032": "Checksum",
"C0024.001": "Compress Data::QuickLZ",
"C0026.002": "Encode Data::XOR",
"C0030": "Non-Cryptographic Hash",
"C0032.001": "Checksum::CRC32",
"C0053": "Decode Data",
"C0053.001": "Decode Data::Base64",
"C0019": "Check String",
"C0030.004": "Non-Cryptographic Hash::dhash",
"C0026": "Encode Data",
"C0032.003": "Checksum::BSD",
"C0030.002": "Non-Cryptographic Hash::pHash",
"C0030.001": "Non-Cryptographic Hash::MurmurHash",
"C0032.002": "Checksum::Luhn",
"C0058": "Modulo",
"C0024": "Compress Data",
"C0025": "Decompress Data"
},
"File System": {
"C0016.001": "Create File::Create Office Document",
"C0052": "Writes File",
"C0049": "Get File Attributes",
"C0046": "Create Directory",
"C0015": "Alter File Extension",
"C0063": "Move File",
"C0050": "Set File Attributes",
"C0016": "Create File",
"C0056": "Read Virtual Disk",
"C0051": "Read File",
"C0015.001": "Alter File Extension::Append Extension",
"C0045": "Copy File",
"C0016.002": "Create File::Create Ransomware File",
"C0047": "Delete File",
"C0048": "Delete Directory"
},
"Hardware": {
"C0057": "Simulate Hardware",
"C0057.001": "Simulate Hardware::Ctrl-Alt-Del",
"C0037.001": "Install Driver::Minifilter",
"C0023": "Load Driver",
"C0023.001": "Load Driver::Minifilter",
"C0037": "Install Driver",
"C0057.002": "Simulate Hardware::Mouse Click"
},
"Memory": {
"C0010": "Overflow Buffer",
"C0008": "Change Memory Protection",
"C0006": "Heap Spray",
"C0007": "Allocate Memory",
"C0008.002": "Change Memory Protection::Executable Heap",
"C0008.001": "Change Memory Protection::Executable Stack",
"C0009": "Stack Pivot",
"C0044": "Free Memory"
},
"Operating System": {
"C0036.006": "Registry::Query Registry Value",
"C0035": "Wallpaper",
"C0034.001": "Environment Variable::Set Variable",
"C0036.002": "Registry::Delete Registry Key",
"C0036.001": "Registry::Set Registry Key",
"C0036.007": "Registry::Delete Registry Value",
"C0036.003": "Registry::Open Registry Key",
"C0036.005": "Registry::Query Registry Key",
"C0033": "Console",
"C0034.002": "Environment Variable::Get Variable",
"C0034": "Environment Variable",
"C0036": "Registry",
"C0036.004": "Registry::Create Registry Key"
},
"Process": {
"C0018": "Terminate Process",
"C0055": "Suspend Thread",
"C0017": "Create Process",
"C0064": "Enumerate Threads",
"C0017.002": "Create Process::Create Process via WMI",
"C0017.001": "Create Process::Create Process via Shellcode",
"C0038": "Create Thread",
"C0039": "Terminate Thread",
"C0043": "Check Mutex",
"C0066": "Open Thread",
"C0041": "Set Thread Local Storage Value",
"C0022.001": "Synchronization::Create Mutex",
"C0065": "Open Process",
"C0017.003": "Create Process::Create Suspended Process",
"C0042": "Create Mutex",
"C0022": "Synchronization",
"C0054": "Resume Thread",
"C0040": "Allocate Thread Local Storage"
},
"Persistence": {
"F0009.001": "Component Firmware::Router Firmware",
"F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking",
"F0005.002": "Hidden Files and Directories::Location",
"F0015.003": "Hijack Execution Flow::Import Address Table (IAT) Hooking",
"F0003.006": "Hooking::Export Address Table (EAT) Hooking",
"F0003.001": "Hooking::Import Address Table (IAT) Hooking",
"F0005": "Hidden Files and Directories",
"F0003.005": "Hooking::Shadow SDT Hooking",
"F0015.001": "Hijack Execution Flow::Export Address Table (EAT) Hooking",
"F0012": "Registry Run Keys / Startup Folder",
"B0026": "Malicious Network Driver",
"F0013": "Bootkit",
"F0003.002": "Hooking::Inline Patching",
"F0011": "Modify Existing Service",
"E1478": "Install Insecure or Malicious Configuration",
"F0009": "Component Firmware",
"F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking",
"E1564.m04": "Hidden Artifacts::Hidden Services",
"E1564.m03": "Hidden Artifacts::Hidden Processes",
"F0015.002": "Hijack Execution Flow::Inline Patching",
"E1564.m05": "Hidden Artifacts::Hidden Kernel Modules",
"E1105": "Remote File Copy",
"F0003.004": "Hooking::System Service Dispatch Table Hooking",
"F0003.003": "Hooking::Procedure Hooking",
"B0022.001": "Remote Access::Reverse Shell",
"F0005.004": "Hidden Files and Directories::Timestamp",
"F0005.001": "Hidden Files and Directories::Extension",
"B0035": "Shutdown Event",
"F0010.001": "Kernel Modules and Extensions::Device Driver",
"F0015": "Hijack Execution Flow",
"B0022": "Remote Access",
"E1112": "Modify Registry",
"F0010": "Kernel Modules and Extensions",
"F0003": "Hooking",
"F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls",
"F0005.003": "Hidden Files and Directories::Attribute",
"E1564.m02": "Hidden Artifacts::Direct Kernel Object Manipulation",
"E1564": "Hidden Artifacts",
"E1564.m01": "Hidden Artifacts::Hidden Userspace Libraries"
},
"Privilege Escalation": {
"F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking",
"E1055.m05": "Process Injection::Injection via Windows Fibers",
"F0015.003": "Hijack Execution Flow::Import Address Table (IAT) Hooking",
"F0003.006": "Hooking::Export Address Table (EAT) Hooking",
"F0003.001": "Hooking::Import Address Table (IAT) Hooking",
"F0003.005": "Hooking::Shadow SDT Hooking",
"E1055": "Process Injection",
"F0015.001": "Hijack Execution Flow::Export Address Table (EAT) Hooking",
"E1055.m04": "Process Injection::Patch Process Command Line",
"F0003.002": "Hooking::Inline Patching",
"F0011": "Modify Existing Service",
"F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking",
"F0015.002": "Hijack Execution Flow::Inline Patching",
"F0003.004": "Hooking::System Service Dispatch Table Hooking",
"F0003.003": "Hooking::Procedure Hooking",
"E1055.m02": "Process Injection::Injection and Persistence via Registry Modification",
"E1055.m03": "Process Injection::Injection using Shims",
"F0010.001": "Kernel Modules and Extensions::Device Driver",
"F0015": "Hijack Execution Flow",
"F0010": "Kernel Modules and Extensions",
"F0003": "Hooking",
"F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls",
"E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx"
}
}
}