maec_vocab_labels.txt
Label,Enumeration Value,Description
ActionObjectAssociationType,input,Specifies that the Associated_Object field serves as an input to the Action. This includes cases where an Object is used by the Action or an existing Object is modified by the Action.
ActionObjectAssociationType,output,Specifies that the Associated_Object field serves as an output to the Action. This includes cases where the Object is created anew by the Action or otherwise returned by the Action.
ActionObjectAssociationType,side-effect,Specifies that the Associated_Object field serves as a side-effect resulting from the Action. This includes cases where the Object is modified indirectly by the Action.
DebuggingActionName,check for remote debugger,Specifies the defined Action of checking for the presence of a remote debugger.
DebuggingActionName,check for kernel debugger,Specifies the defined Action of checking for the presence of a kernel debugger.
DeviceDriverActionName,load and call driver,Specifies the defined Action of loading a driver into a system and then calling the loaded driver.
DeviceDriverActionName,load driver,Specifies the defined Action of loading a driver into a system.
DeviceDriverActionName,unload driver,Specifies the defined Action of unloading a driver from a system.
DeviceDriverActionName,emulate driver,Specifies the defined Action of emulating an existing driver on a system.
DirectoryActionName,create directory,Specifies the defined Action of creating a new directory on the filesystem.
DirectoryActionName,delete directory,Specifies the defined Action of deleting an existing directory on the filesystem.
DirectoryActionName,monitor directory,Specifies the defined Action of monitoring an existing directory on the filesystem for changes.
DirectoryActionName,hide directory,Specifies the defined Action of hiding an existing directory.
DiskActionName,get disk type,Specifies the defined Action of getting the disk type.
DiskActionName,get disk attributes,"Specifies the defined Action of querying the attributes of a disk, such as the amount of available free space."
DiskActionName,mount disk,Specifies the defined Action of mounting an existing file system to a mounting point.
DiskActionName,unmount disk,Specifies the defined Action of unmounting an existing file system from a mounting point.
DiskActionName,emulate disk,Specifies the defined Action of emulating an existing disk.
DiskActionName,list disks,Specifies the defined Action of listing all disks available on a system.
DiskActionName,monitor disks,Specifies the defined Action of monitoring an existing disk for changes.
DNSActionName,send dns query,Specifies the defined Action of sending a DNS query.
DNSActionName,send reverse dns lookup,Specifies the defined Action of sending a reverse DNS lookup.
FileActionName,create file,Specifies the defined Action of creating a new file.
FileActionName,delete file,Specifies the defined Action of deleting an existing file.
FileActionName,copy file,Specifies the defined Action of copying an existing file from one location to another.
FileActionName,create file symbolic link,Specifies the defined Action of creating a symbolic link to an existing file.
FileActionName,find file,Specifies the defined Action of searching for an existing file.
FileActionName,get file attributes,Specifies the defined Action of getting the attributes of an existing file.
FileActionName,set file attributes,Specifies the defined Action of setting the file attributes for an existing file.
FileActionName,lock file,Specifies the defined Action of locking an existing file.
FileActionName,unlock file,Specifies the defined Action of unlocking an existing file.
FileActionName,modify file,Specifies the defined Action of modifying an existing file in some manner.
FileActionName,move file,Specifies the defined Action of moving an existing file from one location to another.
FileActionName,open file,Specifies the defined Action of opening an existing file for reading or writing.
FileActionName,read from file,Specifies the defined Action of reading from an existing file.
FileActionName,write to file,Specifies the defined Action of writing to an existing file.
FileActionName,rename file,Specifies the defined Action of renaming an existing file.
FileActionName,create file alternate data stream,Specifies the defined Action of creating an alternate data stream in an existing file.
FileActionName,send control code to file,Specifies the defined Action of sending a control code to a file.
FileActionName,create file mapping,Specifies the defined Action of creating a new file mapping object.
FileActionName,open file mapping,Specifies the defined Action of opening an existing file mapping object.
FileActionName,execute file,Specifies the defined Action of executing an existing file.
FileActionName,hide file,Specifies the defined Action of hiding an existing file.
FileActionName,close file,Specifies the defined Action of closing an existing file that was previously opened for reading or writing.
FTPActionName,connect to ftp server,Specifies the defined Action of connecting to an existing FTP server.
FTPActionName,disconnect from ftp server,Specifies the defined Action of disconnecting from an existing FTP server.
FTPActionName,send ftp command,Specifies the defined Action of sending a command on an FTP server connection.
GUIActionName,create window,Specifies the defined Action of creating a new window.
GUIActionName,kill window,Specifies the defined Action of killing an existing window.
GUIActionName,create dialog box,Specifies the defined Action of creating a new dialog box.
GUIActionName,enumerate windows,Specifies the defined Action of enumerating all open windows.
GUIActionName,find window,Specifies the defined Action of searching for a particular window.
GUIActionName,hide window,Specifies the defined Action of hiding an existing window.
GUIActionName,show window,Specifies the defined Action of showing an existing window.
HookingActionName,add system call hook,Specifies the defined Action of adding a new system call hook.
HookingActionName,add windows hook,Specifies the defined Action of adding a new Windows application-defined hook procedure.
HookingActionName,hide hook,Specifies the defined Action of hiding an existing hook.
HTTPActionName,send http get request,Specifies the defined Action of sending an HTTP GET client request to an existing server.
HTTPActionName,send http head request,Specifies the defined Action of sending an HTTP HEAD client request to an existing server.
HTTPActionName,send http post request,Specifies the defined Action of sending an HTTP POST client request to an existing server.
HTTPActionName,send http put request,Specifies the defined Action of sending an HTTP PUT client request to an existing server.
HTTPActionName,send http delete request,Specifies the defined Action of sending an HTTP DELETE client request to an existing server.
HTTPActionName,send http trace request,Specifies the defined Action of sending an HTTP TRACE client request to an existing server.
HTTPActionName,send http options request,Specifies the defined Action of sending an HTTP OPTIONS client request to an existing server.
HTTPActionName,send http connect request,Specifies the defined Action of sending an HTTP CONNECT client request to an existing server.
HTTPActionName,send http patch request,Specifies the defined Action of sending an HTTP PATCH client request to an existing server.
HTTPActionName,receive http response,Specifies the defined Action of receiving an HTTP server response for a prior HTTP request.
IPCActionName,create named pipe,Specifies the defined Action of creating a new named pipe.
IPCActionName,delete named pipe,Specifies the defined Action of deleting an existing named pipe.
IPCActionName,connect to named pipe,Specifies the defined Action of connecting to an existing named pipe.
IPCActionName,disconnect from named pipe,Specifies the defined Action of disconnecting from an existing named pipe.
IPCActionName,read from named pipe,Specifies the defined Action of reading some data from an existing named pipe.
IPCActionName,write to named pipe,Specifies the defined Action of writing some data to an existing named pipe.
IPCActionName,create mailslot,Specifies the defined Action of creating a new named mailslot.
IPCActionName,read from mailslot,Specifies the defined Action of reading some data from an existing named mailslot.
IPCActionName,write to mailslot,Specifies the defined Action of writing some data to an existing named mailslot.
IRCActionName,connect to irc server,Specifies the defined Action of connecting to an existing IRC server.
IRCActionName,disconnect from irc server,Specifies the defined Action of disconnecting from an existing IRC server.
IRCActionName,set irc nickname,Specifies the defined Action of setting an IRC nickname on an IRC server.
IRCActionName,join irc channel,Specifies the defined Action of joining a channel on an IRC server.
IRCActionName,leave irc channel,Specifies the defined Action of leaving a channel on an IRC server.
IRCActionName,send irc private message,Specifies the defined Action of sending a private message to another user on an IRC server.
IRCActionName,receive irc private message,Specifies the defined Action of receiving a private message from another user on an IRC server.
LibraryActionName,enumerate libraries,Specifies the defined Action of enumerating the libraries used by a process.
LibraryActionName,free library,Specifies the defined Action of freeing a library previously loaded into the address space of the calling process.
LibraryActionName,load library,Specifies the defined Action of loading a library into the address space of the calling process.
LibraryActionName,get function address,Specifies the defined Action of getting the address of an exported function or variable from a library.
LibraryActionName,call library function,Specifies the defined Action of calling a function exported by a library.
NetworkActionName,open port,Specifies the defined Action of opening a network port.
NetworkActionName,close port,Specifies the defined Action of closing a network port.
NetworkActionName,connect to ip,Specifies the defined Action of connecting to an IP address.
NetworkActionName,disconnect from ip,Specifies the defined Action of disconnecting from a previously established connection with an IP address.
NetworkActionName,connect to url,Specifies the defined Action of connecting to a URL.
NetworkActionName,connect to socket address,"Specifies the defined Action of connecting to a socket address, consisting of an IP address and port number."
NetworkActionName,download file,Specifies the defined Action of downloading a file from a remote location.
NetworkActionName,upload file,Specifies the defined Action of uploading a file to a remote location.
NetworkActionName,listen on port,Specifies the defined Action of listening on a specific port.
NetworkActionName,send email message,Specifies the defined Action of sending an email message.
NetworkActionName,send icmp request,Specifies the defined Action of sending an ICMP request.
NetworkActionName,send network packet,Specifies the defined Action of sending a packet on a network.
NetworkActionName,receive network packet,Specifies the defined Action of receiving a packet on a network.
NetworkShareActionName,add connection to network share,Specifies the defined Action of adding a connection to an existing network share.
NetworkShareActionName,add network share,Specifies the defined Action of adding a new network share on a server.
NetworkShareActionName,delete network share,Specifies the defined Action of deleting an existing network share on a server.
NetworkShareActionName,connect to network share,Specifies the defined Action of connecting to an existing network share.
NetworkShareActionName,disconnect from network share,Specifies the defined Action of disconnecting from an existing network share.
NetworkShareActionName,enumerate network shares,Specifies the defined Action of enumerating the available shared resources on a server.
ProcessActionName,create process,Specifies the defined Action of creating a new process.
ProcessActionName,kill process,Specifies the defined Action of killing an existing process.
ProcessActionName,create process as user,Specifies the defined Action of creating a new process in the security context of a specified user.
ProcessActionName,enumerate processes,Specifies the defined Action of enumerating all of the running processes on a system.
ProcessActionName,open process,Specifies the defined Action of opening an existing process.
ProcessActionName,flush process instruction cache,Specifies the defined Action of flushing the instruction cache of an existing process.
ProcessActionName,get process current directory,Specifies the defined Action of getting the current directory of an existing process.
ProcessActionName,set process current directory,Specifies the defined Action of setting the current directory of an existing process.
ProcessActionName,get process environment variable,Specifies the defined Action of getting an environment variable used by an existing process.
ProcessActionName,set process environment variable,Specifies the defined Action of setting an environment variable used by an existing process.
ProcessActionName,sleep process,Specifies the defined Action of sleeping an existing process for some period of time.
ProcessActionName,get process startupinfo,Specifies the defined Action of getting the STARTUPINFO struct associated with an existing process.
ProcessMemoryActionName,allocate process virtual memory,Specifies the defined Action of allocating some virtual memory region in an existing process.
ProcessMemoryActionName,free process virtual memory,Specifies the defined Action of freeing some virtual memory region from an existing process.
ProcessMemoryActionName,modify process virtual memory protection,Specifies the defined Action of modifying the protection on a memory region in the virtual address space of an existing process.
ProcessMemoryActionName,read from process memory,Specifies the defined Action of reading from a memory region of an existing process.
ProcessMemoryActionName,write to process memory,Specifies the defined Action of writing to a memory region of an existing process.
ProcessMemoryActionName,map file into process,Specifies the defined Action of mapping an existing file into the address space of the calling process.
ProcessMemoryActionName,unmap file from process,Specifies the defined Action of unmapping an existing file from the address space of the calling process.
ProcessMemoryActionName,map library into process,Specifies the defined Action of mapping a library into the address space of the calling process.
ProcessThreadActionName,create thread,Specifies the defined Action of creating a new thread in the virtual address space of the calling process.
ProcessThreadActionName,kill thread,Specifies the defined Action of killing a thread existing in the virtual address space of the calling process.
ProcessThreadActionName,create remote thread in process,Specifies the defined Action of creating a thread that runs in the virtual address space of another existing process.
ProcessThreadActionName,enumerate threads,Specifies the defined Action of enumerating all threads in the calling process.
ProcessThreadActionName,get thread username,Specifies the defined Action of getting the name or ID of the user associated with an existing thread.
ProcessThreadActionName,impersonate process,Specifies the defined Action of a thread in the calling process impersonating the security context of another existing process.
ProcessThreadActionName,revert thread to self,Specifies the defined Action of reverting an existing thread to its own security context.
ProcessThreadActionName,get thread context,Specifies the defined Action of getting the context structure (containing processor-specific register data) of an existing thread.
ProcessThreadActionName,set thread context,Specifies the defined Action of setting the context structure (containing processor-specific register data) for an existing thread.
ProcessThreadActionName,queue apc in thread,Specifies the defined Action of queuing a new Asynchronous Procedure Call (APC) in the context of an existing thread.
RegistryActionName,create registry key,Specifies the defined Action of creating a new registry key.
RegistryActionName,delete registry key,Specifies the defined Action of deleting an existing registry key.
RegistryActionName,open registry key,Specifies the defined Action of opening an existing registry key.
RegistryActionName,close registry key,Specifies the defined Action of closing a handle to an existing registry key.
RegistryActionName,create registry key value,Specifies the defined Action of creating a new named value under an existing registry key.
RegistryActionName,delete registry key value,Specifies the defined Action of deleting an existing named value under an existing registry key.
RegistryActionName,enumerate registry key subkeys,Specifies the defined Action of enumerating the registry key subkeys under an existing registry key.
RegistryActionName,enumerate registry key values,Specifies the defined Action of enumerating the named values under an existing registry key.
RegistryActionName,get registry key attributes,Specifies the defined Action of getting the attributes of an existing registry key.
RegistryActionName,read registry key value,Specifies the defined Action of reading an existing named value of an existing registry key.
RegistryActionName,modify registry key value,Specifies the defined Action of modifying an existing named value of an existing registry key.
RegistryActionName,modify registry key,Specifies the defined Action of modifying an existing registry key.
RegistryActionName,monitor registry key,Specifies the defined Action of monitoring an existing registry key for changes.
SocketActionName,create service,Specifies the defined Action of creating a new service.
SocketActionName,delete service,Specifies the defined Action of deleting an existing service.
SocketActionName,start service,Specifies the defined Action of starting an existing service.
SocketActionName,stop service,Specifies the defined Action of stopping an existing service.
SocketActionName,enumerate services,Specifies the defined Action of enumerating a specific set of services on a system.
SocketActionName,modify service configuration,Specifies the defined Action of modifying the configuration parameters of an existing service.
SocketActionName,open service,Specifies the defined Action of opening an existing service.
SocketActionName,send control code to service,Specifies the defined Action of sending a control code to an existing service.
SocketActionName,accept socket connection,Specifies the defined Action of accepting a socket connection.
SocketActionName,bind address to socket,Specifies the defined Action of binding a socket address to a socket.
SocketActionName,create socket,Specifies the defined Action of creating a new socket.
SocketActionName,close socket,Specifies the defined Action of closing an existing socket.
SocketActionName,connect to socket,Specifies the defined Action of connecting to an existing socket.
SocketActionName,disconnect from socket,Specifies the defined Action of disconnecting from an existing socket.
SocketActionName,listen on socket,Specifies the defined Action of listening on an existing socket.
SocketActionName,send data on socket,"Specifies the defined Action of sending data on an existing, connected socket."
SocketActionName,receive data on socket,Specifies the defined Action of receiving data on an existing socket.
SocketActionName,send data to address on socket,"Specifies the defined Action of sending data to a specified IP address on an existing, unconnected socket."
SocketActionName,get host by address,Specifies the defined Action of getting information on a host from a local or remote host database by its IP address.
SocketActionName,get host by name,Specifies the defined Action of getting information on a host from a local or remote host database by its name.
SynchronizationActionName,create mutex,Specifies the defined Action of creating a new named mutex.
SynchronizationActionName,delete mutex,Specifies the defined Action of deleting an existing named mutex.
SynchronizationActionName,open mutex,Specifies the defined Action of opening an existing named mutex.
SynchronizationActionName,release mutex,Specifies the defined Action of releasing ownership of an existing named mutex.
SynchronizationActionName,create semaphore,Specifies the defined Action of creating a new named semaphore.
SynchronizationActionName,delete semaphore,Specifies the defined Action of deleting an existing named semaphore.
SynchronizationActionName,open semaphore,Specifies the defined Action of opening an existing named semaphore.
SynchronizationActionName,release semaphore,Specifies the defined Action of releasing ownership of an existing named semaphore.
SynchronizationActionName,create event,Specifies the defined Action of creating a new named event object.
SynchronizationActionName,delete event,Specifies the defined Action of deleting an existing named event object.
SynchronizationActionName,open event,Specifies the defined Action of opening an existing named event object.
SynchronizationActionName,reset event,Specifies the defined Action of resetting an existing named event object to the non-signaled state.
SynchronizationActionName,create critical section,Specifies the defined Action of creating a new critical section.
SynchronizationActionName,delete critical section,Specifies the defined Action of deleting an existing critical section object.
SynchronizationActionName,open critical section,Specifies the defined Action of opening an existing critical section object.
SynchronizationActionName,release critical section,Specifies the defined Action of releasing an existing critical section object.
SystemActionName,add scheduled task,Specifies the defined Action of adding a scheduled task to a system.
SystemActionName,shutdown system,Specifies the defined Action of shutting down a system.
SystemActionName,sleep system,Specifies the defined Action of sleeping a system for some period of time.
SystemActionName,get elapsed system up time,Specifies the defined Action of getting the elapsed up-time for a system.
SystemActionName,get netbios name,Specifies the defined Action of getting the NetBIOS name of a system.
SystemActionName,set netbios name,Specifies the defined Action of setting the NetBIOS name of a system.
SystemActionName,get system host name,Specifies the defined Action of getting the host name of a system.
SystemActionName,set system host name,Specifies the defined Action of setting the system host name of a system.
SystemActionName,get system time,"Specifies the defined Action of getting the system time of a system, represented in Coordinated Universal Time (UTC)."
SystemActionName,set system time,"Specifies the defined Action of setting the system time for a system, represented in Coordinated Universal Time (UTC)."
SystemActionName,get system local time,Specifies the defined Action of getting the local time of a system.
SystemActionName,set system local time,Specifies the defined Action of setting the local time of a system.
SystemActionName,get username,Specifies the defined Action of getting the username of the currently logged in user of a system.
SystemActionName,enumerate system handles,Specifies the defined Action of enumerating all open handles on a system.
SystemActionName,get system global flags,Specifies the defined Action of getting the enabled global flags on a system.
SystemActionName,set system global flags,Specifies the defined Action of setting system global flags on a system.
SystemActionName,get windows directory,Specifies the defined Action of getting the path to the Windows installation directory on a system.
SystemActionName,get windows system directory,Specifies the defined Action of getting the path to the Windows \System directory on a system.
SystemActionName,get windows temporary files directory,Specifies the defined Action of getting the path to the Windows Temporary Files Directory on a system.
UserActionName,add user,Specifies the defined Action of adding a new user.
UserActionName,delete user,Specifies the defined Action of deleting an existing user.
UserActionName,enumerate users,Specifies the defined Action of enumerating all users.
UserActionName,get user attributes,Specifies the defined Action of getting the attributes of an existing user.
UserActionName,logon as user,Specifies the defined Action of logging on as a specific user.
UserActionName,change password,Specifies the defined Action of changing an existing user's password.
UserActionName,add user to group,Specifies the defined Action of adding an existing user to an existing group.
UserActionName,remove user from group,Specifies the defined Action of removing an existing user from an existing group.
UserActionName,invoke user privilege,Specifies the defined Action of invoking a privilege given to an existing user.
ImportanceType,high,Specifies that the field is of relative high importance.
ImportanceType,medium,Specifies that the field is of relative medium importance.
ImportanceType,low,Specifies that the field is of relative low importance.
ImportanceType,informational,Specifies that the field is only informational in its importance.
ImportanceType,numeric,"Specifies that the field has a numeric importance value, which is defined in another attribute or element."
ImportanceType,unknown,Specifies that the relative importance for the field is unknown.
MalwareEntityType,instance,Specifies that the particular malware entity being referred to is a single malware instance.
MalwareEntityType,family,Specifies that the particular malware entity being referred to is a single malware family.
MalwareEntityType,class,Specifies that the particular malware entity being referred to is a single class of malware.
CapabilityObjectiveRelationshipType,child of,Indicates that the Objective is a child of the Objective being referenced.
CapabilityObjectiveRelationshipType,parent of,Indicates that the Objective is a parent of the Objective being referenced.
CapabilityObjectiveRelationshipType,incorporates,Indicates that the Objective incorporates the Objective being referenced in a supporting or enabling role.
CapabilityObjectiveRelationshipType,incorporated by,Indicates that the Objective is incorporated in a supporting or enabling role by the Objective being referenced.
CommonCapabilityProperties,encryption algorithm,Refers to the name of the encryption algorithm used in the Capability or Objective.
CommonCapabilityProperties,protocol used,"Refers to the name of the network protocol used in the Capability or Strategic or Tactical Objective. It is recommended that protocols be specified by their acronym or abbreviated name, e.g. ""IRC"", ""HTTP""."
MalwareCapability,command and control,Indicates that the malware instance is able to receive and execute remotely submitted commands.
MalwareCapability,remote machine manipulation,Indicates that the malware instance is able to manipulate or access other remote machines.
MalwareCapability,privilege escalation,Indicates that the malware instance is able to elevate the privileges under which it executes.
MalwareCapability,data theft,"Indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web browser."
MalwareCapability,spying,Indicates that the malware instance is able to capture information from a system related to user or system activity.
MalwareCapability,secondary operation,Indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives.
MalwareCapability,anti-detection,Indicates that the malware instance is able to prevent itself and its components from being detected on a system.
MalwareCapability,anti-code analysis,Indicates that the malware instance is able to prevent code analysis or make it more difficult.
MalwareCapability,infection/propagation,"Indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself."
MalwareCapability,anti-behavioral analysis,Indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.
MalwareCapability,integrity violation,Indicates that the malware instance is able to compromise the integrity of a system.
MalwareCapability,data exfiltration,Indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data.
MalwareCapability,probing,Indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives.
MalwareCapability,anti-removal,Indicates that the malware instance is able to prevent itself and its components from being removed from a system.
MalwareCapability,security degradation,Indicates that the malware instance is able to bypass or disable security features and/or controls.
MalwareCapability,availability violation,Indicates that the malware instance is able to compromise the availability of a system or some aspect of the system.
MalwareCapability,destruction,Indicates that the malware instance is able to destroy some aspect of a system.
MalwareCapability,fraud,Indicates that the malware instance is able to defraud a user or a system.
MalwareCapability,persistence,Indicates that the malware instance is able to persist and remain on a system regardless of system events.
MalwareCapability,machine access/control,Indicates that the malware instance is able to provide the means to access or control the machine on which it is resident.
MalwareLabel,adware,"Specifies any software that is funded by advertising. Some adware may install itself in such a manner as to become difficult to remove, hiding components and disabling removal techniques. Adware may also gather sensitive user information from a system."
MalwareLabel,appender,"Specifies a file-infecting virus that places its code at the end of the files it infects, adjusting the file's entry point to cause its code to be executed before that of the original file."
MalwareLabel,backdoor,"Specifies a piece of software which, once running on a system, opens a communication vector to the outside so that the computer can be accessed remotely by an attacker."
MalwareLabel,boot sector virus,Specifies a virus that infects the master boot record of a storage device.
MalwareLabel,bot,"Specifies a program which resides on an infected system, communicating with and forming part of a botnet. The bot may be implanted by a worm or trojan, which opens a backdoor. The bot then monitors the backdoor for further instructions."
MalwareLabel,clicker,"Specifies a trojan that makes a system visit a specific Web page, often very frequently and usually with the aim of increasing the traffic recorded by the site and thus increasing revenue from advertising. Clickers may also be used to carry out DDoS attacks."
MalwareLabel,companion virus,Specifies a virus that takes the place of a particular file on a system instead of injecting code into it.
MalwareLabel,cavity filler,"Specifies a type of file-infecting virus which seeks out unused space within the files it infects, inserting its code into these gaps to avoid changing the size of the file and thus not alerting integrity-checking software to its presence."
MalwareLabel,data diddler,"Specifies a type of malware that makes small, random changes to data, such as data in a spreadsheet, to render the data contained in a document inaccurate and in some cases worthless."
MalwareLabel,downloader,"Specifies a small trojan file programmed to download and execute other files, usually more complex malware."
MalwareLabel,dropper file,"Specifies a type of Trojan that deposits an enclosed payload onto a destination host computer by loading itself into memory, extracting the malicious payload, and then writing it to the file system."
MalwareLabel,file infector virus,"Specifies a virus that infects a system by inserting itself somewhere in existing files; this is the ""classic"" form of virus."
MalwareLabel,fork bomb,"Specifies a very simple form of malware, a type of rabbit which simply launches more copies of itself. Once a fork bomb is executed, it will attempt to run several identical processes, which will do the same, the number growing exponentially until the system resources are overwhelmed by the number of identical processes running, which may in some cases bring the system down and cause a denial of service."
MalwareLabel,greyware,"Specifies software that, while not definitely malicious, has a suspicious or potentially unwanted aspect."
MalwareLabel,implant,Specifies code inserted into an existing program using a code patcher or other tool.
MalwareLabel,infector,Specifies a function of malware that alters target files for the purpose of persisting and hiding the injected malware.
MalwareLabel,keylogger,"Specifies a type of program implanted on a system to monitor the keys pressed and thus record any sensitive data, such as passwords, entered by the user."
MalwareLabel,kleptographic worm,"Specifies a worm that encrypts information assets on compromised systems so they can only be decrypted by the worm's author, also known as information-stealing worm."
MalwareLabel,macro virus,"Specifies a virus that uses a macro language, for example in Microsoft Office documents."
MalwareLabel,malcode,"Short for malicious code, also known as malware."
MalwareLabel,mass-mailer,Specifies a worm that uses email to propagate across the internet.
MalwareLabel,metamorphic virus,Specifies a virus that changes its own code with each infection.
MalwareLabel,mid-infector,"Specifies a type of file-infecting virus which places its code in the middle of files it infects. It may move a section of the original code to the end of the file, or simply push the code aside to make space for its own code."
MalwareLabel,mobile code,"Specifies (1) Code received from remote, possibly untrusted systems, but executed on a local system. (2) Software transferred between systems (e.g., across a network) and executed on a local system without explicit installation or execution by the recipient."
MalwareLabel,multipartite virus,"Specifies malware that infects boot records, boot sectors, and files."
MalwareLabel,password stealer,"Specifies a type of trojan designed to steal passwords, personal data and details, or other sensitive information from the infected system."
MalwareLabel,polymorphic virus,"Specifies a type of virus that encrypts its code differently with each infection, or generation of infections."
MalwareLabel,premium dialer/smser,Specifies a piece of malware whose primary aim is to dial or send SMS messages to premium rate numbers.
MalwareLabel,prepender,Specifies a file-infecting virus which inserts code at the beginning of the files it infects.
MalwareLabel,ransomware,"Specifies a type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files."
MalwareLabel,rat,"Specifies a remote access trojan or RAT, which is a trojan horse capable of controlling a machine through commands issued by a remote attacker."
MalwareLabel,rogue anti-malware,Specifies a fake security product that demands money to clean phony infections.
MalwareLabel,rootkit,"Generally refers to a method of hiding files or processes from normal methods of monitoring, and is often used by malware to conceal its presence and activities. Originally, the term applied to UNIX-based operating systems - a root kit was a collection of tools to enable a user to obtain root (administrator-level) access to a system and conceal any changes they might make. Such tools often included trojanized versions of standard monitoring software which would hide the root kit operators' activities. More recently the term has generally been applied to malware using stealth techniques. Rootkits can operate at a number of levels, from the application level - simply replacing or adjusting the settings of system software to prevent the display of certain information - through hooking certain functions or inserting modules or drivers into the operating system kernel, to the deeper level of firmware or virtualization rootkits, which are activated before the operating system and thus even harder to detect while the system is running."
MalwareLabel,shellcode,"Specifies (1) A small piece of code that activates a command-line interface to a system that can be used to disable security measures, open a backdoor, or download further malicious code. (2) A small piece of code that opens a system up for exploitation, sometimes but not necessarily involving a command-line shell."
MalwareLabel,spaghetti packer,"A packer that obfuscates programs by emitting ""spaghetti"" code with a complex and tangled control structure."
MalwareLabel,spyware,"Specifies software that gathers information and passes it to a third-party without adequate permission from the owner of the data. It may also be used in a wider sense, to include software that makes changes to a system or any of its component software, or which makes use of system resources without the full understanding and consent of the system owner."
MalwareLabel,trojan horse,Specifies a piece of malicious code disguised as something inert or benign.
MalwareLabel,variant,"Refers to the fact that types of malware can be subdivided into a number of families, or groups sharing many similarities, generally based on the same blocks of code and sharing similar behaviours. Within a family, a variant signifies a single individual item that is uniquely different from other members of the same family."
MalwareLabel,virus,Specifies (1) A self-replicating malicious program that requires human interaction to replicate. (2) A self-replicating program that runs and spreads by modifying other programs or files.
MalwareLabel,wabbit,"Specifies a form of self-replicating malware that makes copies of itself on the local system. Unlike worms, wabbits do not attempt to spread across networks."
MalwareLabel,web bug,"Specifies a piece of code, generally a small file such as a tiny, transparent GIF image, which is used to track data on those viewing the page or mail in which it is hidden."
MalwareLabel,wiper,Specifies a piece of malware whose primary aim is to delete files or entire disks on a machine.
MalwareLabel,worm,"Specifies (1) A self-replicating malicious program that replicates using a network and does not require human interaction. (2) A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself."
MalwareLabel,zip bomb,"Specifies a file compressed into some archive format and that expands to an enormous size when uncompressed, often by looping over the extraction code until the system's resources are exhausted."
AntiBehavioralAnalysisProperties,targeted vm,Refers to the name of a virtual machine (VM) targeted by the anti-behavioral analysis Capability or one of its child Strategic or Tactical Objectives.
AntiBehavioralAnalysisProperties,targeted sandbox,Refers to the name of a sandbox targeted by the anti-behavioral analysis Capability or one of its child Strategic or Tactical Objectives.
AntiBehavioralAnalysisStrategicObjectives,anti-vm,Indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult.
AntiBehavioralAnalysisStrategicObjectives,anti-sandbox,Indicates that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult.
AntiBehavioralAnalysisTacticalObjectives,detect vm environment,Indicates that the malware instance is able to detect whether it is being executed in a virtual machine (VM).
AntiBehavioralAnalysisTacticalObjectives,overload sandbox,"Indicates that the malware instance is able to overload a sandbox (e.g., by generating a flood of meaningless behavioral data)."
AntiBehavioralAnalysisTacticalObjectives,prevent execution in sandbox,Indicates that the malware instance is able to prevent its execution in a sandbox.
AntiBehavioralAnalysisTacticalObjectives,detect sandbox environment,Indicates that the malware instance is able to detect whether it is being executed in a sandbox environment.
AntiBehavioralAnalysisTacticalObjectives,prevent execution in vm,Indicates that the malware instance is able to prevent its execution in a virtual machine (VM).
AntiCodeAnalysisStrategicObjective,anti-debugging,Indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult.
AntiCodeAnalysisStrategicObjective,code obfuscation,Indicates that the malware instance is able to obfuscate its code.
AntiCodeAnalysisStrategicObjective,anti-disassembly,Indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult.
AntiCodeAnalysisTacticalObjectives,transform control flow,Indicates that the malware instance is able to transform its control flow.
AntiCodeAnalysisTacticalObjectives,restructure arrays,"Indicates that the malware instance is able to restructure its arrays, making disassembly more difficult."
AntiCodeAnalysisTacticalObjectives,detect debugging,Indicates that the malware instance is able to detect its execution in a debugger.
AntiCodeAnalysisTacticalObjectives,prevent debugging,Indicates that the malware instance is able to prevent its execution in a debugger.
AntiCodeAnalysisTacticalObjectives,defeat flow-oriented (recursive traversal) disassemblers,Indicates that the malware instance is able to defeat its disassembly in a flow-oriented (recursive traversal) disassembler.
AntiCodeAnalysisTacticalObjectives,defeat linear disassemblers,Indicates that the malware instance is able to prevent its disassembly in a linear disassembler.
AntiCodeAnalysisTacticalObjectives,obfuscate instructions,Indicates that the malware instance obfuscates its instructions.
AntiCodeAnalysisTacticalObjectives,obfuscate imports,"Indicates that the malware instance is able to obfuscate its import table, making disassembly more difficult."
AntiCodeAnalysisTacticalObjectives,defeat call graph generation,Indicates that the malware instance is able to defeat accurate call graph generation during disassembly.
AntiCodeAnalysisTacticalObjectives,obfuscate runtime code,Indicates that the malware instance is able to obfuscate its runtime code.
AntiDetectionStrategicObjectives,security software evasion,"Indicates that the malware instance is able to evade security software (e.g., anti-virus tools)."
AntiDetectionStrategicObjectives,hide executing code,Indicates that the malware instance is able to hide its executing code.
AntiDetectionStrategicObjectives,self-modification,Indicates that the malware instance is able to modify itself.
AntiDetectionStrategicObjectives,anti-memory forensics,Indicates that the malware instance is able to prevent or make memory forensics more difficult.
AntiDetectionStrategicObjectives,hide non-executing code,Indicates that the malware instance is able to hide its non-executing code.
AntiDetectionStrategicObjectives,hide malware artifacts,Indicates that the malware instance is able to hide its artifacts.
AntiDetectionTacticalObjectives,hide open network ports,Indicates that the malware instance is able to hide its open network ports.
AntiDetectionTacticalObjectives,execute before/external to kernel/hypervisor,"Indicates that the malware instance is able to execute some or all of its code before or external to the system's kernel or hypervisor (e.g., through the BIOS)."
AntiDetectionTacticalObjectives,encrypt self,Indicates that the malware is able to encrypt itself.
AntiDetectionTacticalObjectives,hide processes,Indicates that the malware instance is able to hide its processes.
AntiDetectionTacticalObjectives,hide network traffic,Indicates that the malware instance is able to hide its network traffic.
AntiDetectionTacticalObjectives,change/add content,Indicates that the malware instance is able to change or add to its content.
AntiDetectionTacticalObjectives,execute stealthy code,"Indicates that the malware instance is able to execute some or all of its code in a hidden manner (e.g., by injecting it into a benign process)."
AntiDetectionTacticalObjectives,hide registry artifacts,Indicates that the malware instance is able to hide its Windows registry artifacts.
AntiDetectionTacticalObjectives,hide userspace libraries,Indicates that the malware instance is able to hide its usage of userspace libraries.
AntiDetectionTacticalObjectives,hide arbitrary virtual memory,Indicates that the malware instance is able to hide arbitrary virtual memory to prevent retrieval.
AntiDetectionTacticalObjectives,execute non-main cpu code,"Indicates that the malware instance is able to execute some or all of its code on a secondary, non-CPU processor (e.g., a GPU)."
AntiDetectionTacticalObjectives,feed misinformation during physical memory acquisition,Indicates that the malware instance is able to report inaccurate data when the content of physical memory is retrieved.
AntiDetectionTacticalObjectives,prevent physical memory acquisition,Indicates that the malware instance is able to prevent the contents of a system's physical memory from being retrieved.
AntiDetectionTacticalObjectives,prevent native api hooking,Indicates that the malware instance is able to prevent other software from hooking native APIs.
AntiDetectionTacticalObjectives,obfuscate artifact properties,"Indicates that the malware instance is able to hide the properties of its artifacts (e.g., by altering timestamps)."
AntiDetectionTacticalObjectives,hide kernel modules,Indicates that the malware instance is able to hide its usage of kernel modules.
AntiDetectionTacticalObjectives,hide code in file,Indicates that the malware instance is able to hide its code in a file.
AntiDetectionTacticalObjectives,hide services,Indicates that the malware instance is able to hide any system services it creates or injects itself into.
AntiDetectionTacticalObjectives,hide file system artifacts,Indicates that the malware instance is able to hide its file system artifacts.
AntiDetectionTacticalObjectives,hide threads,Indicates that the malware instance is able to hide its threads.
AntiRemovalStrategicObjectives,prevent malware artifact access,Indicates that the malware instance is able to prevent its artifacts from being accessed.
AntiRemovalStrategicObjectives,prevent malware artifact deletion,Indicates that the malware instance is able to prevent its artifacts from being deleted from a system.
AntiRemovalTacticalObjectives,prevent registry deletion,Indicates that the malware instance is able to prevent its Windows registry entries from being deleted from a system.
AntiRemovalTacticalObjectives,prevent api unhooking,Indicates that the malware instance is able to prevent its API hooks from being removed.
AntiRemovalTacticalObjectives,prevent file access,Indicates that the malware instance is able to prevent access to the file system.
AntiRemovalTacticalObjectives,prevent memory access,Indicates that the malware instance is able to prevent access to system memory where it may be storing code or data.
AntiRemovalTacticalObjectives,prevent registry access,Indicates that the malware instance is able to prevent access to the Windows registry.
AntiRemovalTacticalObjectives,prevent file deletion,Indicates that the malware instance is able to prevent its files from being deleted from a system.
AvailabilityViolationProperties,cryptocurrency type,Refers to the type of cryptocurrency targeted by the ‘mine for cryptocurrency’ Tactical Objective.
AvailabilityViolationStrategicObjectives,compromise data availability,Indicates that the malware instance is able to compromise the availability of data on a system.
AvailabilityViolationStrategicObjectives,compromise system availability,Indicates that the malware instance compromises the availability of the system.
AvailabilityViolationStrategicObjectives,consume system resources,Indicates that the malware instance is able to consume system resources for its own purposes.
AvailabilityViolationTacticalObjectives,denial of service,"Indicates that the malware instance is able to cause a server to be unavailable, otherwise known as a denial of service (DoS)."
AvailabilityViolationTacticalObjectives,compromise local system availability,Indicates that the malware instance is able to cause the local system to be unavailable.
AvailabilityViolationTacticalObjectives,crack passwords,Indicates that the malware instance is able to consume system resources for password cracking.
AvailabilityViolationTacticalObjectives,mine for cryptocurrency,Indicates that the malware instance is able to consume system resources for cryptocurrency mining.
AvailabilityViolationTacticalObjectives,compromise access to information assets,"Indicates that the malware instance is able to prevent data from being accessed (e.g., by encrypting user data on a compromised system)."
CommandandControlProperties,frequency,"Refers to a description of the frequency that the ‘receive data from c2 server’ and ‘send data to c2 server’ Strategic Objectives, as well as their child Tactical Objectives, are employed. It is recommended that the description follow the format of ""every x [units]"", e.g., ""every 5 minutes""."
CommandandControlStrategicObjectives,determine c2 server,Indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate.
CommandandControlStrategicObjectives,receive data from c2 server,"Indicates that the malware instance is able to control its behavior through some external stimulus (e.g., a remotely submitted command)."
CommandandControlStrategicObjectives,send data to c2 server,Indicates that the malware instance is able to send some data to a command and control server.
CommandandControlTacticalObjectives,check for payload,Indicates that the malware instance is able to query a command and control server to check whether a new malicious payload is available for download.
CommandandControlTacticalObjectives,validate data,Indicates that the malware instance is able to validate the integrity of the data it receives from a command and control server.
CommandandControlTacticalObjectives,control malware via remote command,Indicates that the malware instance is able to execute commands issued to it from a remote source such as a command and control server for the purpose of controlling its behavior.
CommandandControlTacticalObjectives,send system information,Indicates that the malware instance is able to send data regarding the system on which it is executing to a command and control server.
CommandandControlTacticalObjectives,send heartbeat data,"Indicates that the malware instance is able to send heartbeat data to a command and control server, indicating that it is still active on the host system and able to communicate."
CommandandControlTacticalObjectives,generate c2 domain name(s),Indicates that the malware instance is able to generate the domain name of the command and control server to which it connects.
CommandandControlTacticalObjectives,update configuration,Indicates that the malware instance is able to update its configuration using data received from a command and control server.
DataExfiltrationProperties,archive type,Refers to the name of the file archive format used in the ‘stage data for exfiltration’ Strategic Objective and/or its ‘package data’ Tactical Objective.
DataExfiltrationProperties,file type,Refers to the name of the file format used for storing data to be exfiltrated as part of the data exfiltration Capability or its child Objectives.
DataExfiltrationStrategicObjectives,perform data exfiltration,Indicates that the malware instance is able to perform data exfiltration via some physical or virtual means.
DataExfiltrationStrategicObjectives,obfuscate data for exfiltration,Indicates that the malware is able to obfuscate data that will be exfiltrated.
DataExfiltrationStrategicObjectives,stage data for exfiltration,Indicates that the malware instance is able to gather and prepare data for exfiltration.
DataExfiltrationTacticalObjectives,exfiltrate via network,Indicates that the malware instance is able to exfiltrate data across the network.
DataExfiltrationTacticalObjectives,hide data,Indicates that the malware instance is able to hide data that will be exfiltrated in other formats (also known as steganography).
DataExfiltrationTacticalObjectives,package data,Indicates that the malware instance is able to package data for exfiltration.
DataExfiltrationTacticalObjectives,exfiltrate via dumpster dive,"Indicates that the malware instance is able to exfiltrate data via dumpster dive (i.e., encoded data printed by malware is viewed as garbage and thrown away to then be physically picked up)."
DataExfiltrationTacticalObjectives,move data to staging server,Indicates that the malware instance is able to move data to be exfiltrated to a particular server to prepare for exfiltration.
DataExfiltrationTacticalObjectives,exfiltrate via voip/phone,Indicates that the malware instance is able to exfiltrate data (encoded as audio) using a phone system.
DataExfiltrationTacticalObjectives,exfiltrate via covert channel,Indicates that the malware instance is able to exfiltrate data using a covert channel.
DataExfiltrationTacticalObjectives,exfiltrate via fax,Indicates that the malware instance is able to exfiltrate data using a fax system.
DataExfiltrationTacticalObjectives,exfiltrate via physical media,"Indicates that the malware instance is able to exfiltrate data using physical media (e.g., a USB drive)."
DataExfiltrationTacticalObjectives,encrypt data,Indicates that the malware instance is able to encrypt data that will be exfiltrated.
DataTheftProperties,targeted application,Refers to the name of an application targeted by the ‘steal authentication credentials’ Strategic Objective.
DataTheftProperties,targeted website,Refers to the domain name of a website targeted by the ‘steal web/network credential’ Tactical Objective.
DataTheftStrategicObjectives,steal stored information,"Indicates that the malware instance is able to steal information stored on a system (e.g., files)."
DataTheftStrategicObjectives,steal user data,"Indicates that the malware instance is able to steal user data (e.g., email)."
DataTheftStrategicObjectives,steal system information,"Indicates that the malware instance is able to steal information about a system (e.g., network address data)."
DataTheftStrategicObjectives,steal authentication credentials,Indicates that the malware instance is able to steal authentication credentials.
DataTheftTacticalObjectives,steal dialed phone numbers,Indicates that the malware instance is able to steal the list of phone numbers that a user has dialed.
DataTheftTacticalObjectives,steal email data,Indicates that the malware instance is able to steal a user's email data.
DataTheftTacticalObjectives,steal referrer urls,Indicates that the malware instance is able to steal HTTP referrer information (URL of the Web page that linked to the resource being requested).
DataTheftTacticalObjectives,steal cryptocurrency data,"Indicates that the malware instance is able to steal cryptocurrency data (e.g., Bitcoin wallets)."
DataTheftTacticalObjectives,steal pki software certificate,Indicates that the malware instance is able to steal one or more public key infrastructure (PKI) software certificates.
DataTheftTacticalObjectives,steal browser cache,Indicates that the malware instance is able to steal a user's browser cache.
DataTheftTacticalObjectives,steal serial numbers,Indicates that the malware instance is able to steal serial numbers stored on a system.
DataTheftTacticalObjectives,steal sms database,Indicates that the malware instance is able to steal a user's short message service (SMS) (text messaging) database.
DataTheftTacticalObjectives,steal cookie,Indicates that the malware instance is able to steal cookies.
DataTheftTacticalObjectives,steal password hash,Indicates that the malware instance is able to steal password hashes.
DataTheftTacticalObjectives,steal make/model,Indicates that the malware instance is able to steal the information on the make and/or model of a system.
DataTheftTacticalObjectives,steal documents,Indicates that the malware instance is able to steal document files stored on a system.
DataTheftTacticalObjectives,steal network address,Indicates that the malware instance is able to steal information about the network addresses used by a system.
DataTheftTacticalObjectives,steal open port,Indicates that the malware instance is able to steal information about the open ports on a system.
DataTheftTacticalObjectives,steal images,Indicates that the malware instance is able to steal image files stored on a system.
DataTheftTacticalObjectives,steal browser history,Indicates that the malware instance is able to steal a user's browser history.
DataTheftTacticalObjectives,steal web/network credential,"Indicates that the malware instance is able to steal usernames, passwords, or other forms of network credentials."
DataTheftTacticalObjectives,steal pki key,Indicates that the malware instance is able to steal one or more public key infrastructure (PKI) keys.
DataTheftTacticalObjectives,steal contact list data,Indicates that the malware instance is able to steal a user's contact list.
DataTheftTacticalObjectives,steal database content,Indicates that the malware instance is able to steal database content.
DestructionProperties,erasure scope,"Refers to the scope of the erasure performed by the ‘erase data’ Tactical Objective. Recommended values are: 'whole disk', or 'targeted files'."
DestructionStrategicObjectives,destroy physical entity,Indicates that the malware instance is able to destroy a physical entity.
DestructionStrategicObjectives,destroy virtual entity,Indicates that the malware instance is able to destroy a virtual entity.
DestructionTacticalObjectives,erase data,Indicates that the malware instance is able to destroy data by erasure.
DestructionTacticalObjectives,destroy firmware,Indicates that the malware instance is able to destroy a system's firmware.
DestructionTacticalObjectives,destroy hardware,Indicates that the malware instance is able to destroy a system's hardware.
FraudStrategicObjectives,perform premium rate fraud,Indicates that the malware instance is able to send text messages or dial phone numbers that are charged at premium rates.
FraudStrategicObjectives,perform click fraud,Indicates that the malware instance is able to simulate clicks on website advertisements for the purpose of revenue generation.
FraudTacticalObjectives,access premium service,Indicates that the malware instance is able to access a premium service.
InfectionPropagationProperties,scope,"Refers to the scope of the infection or propagation performed by the malware instance via the Infection/Propagation Capability, i.e., whether it infects just the local machine or actively propagates to other machines as well. Recommended values are: 'local' or 'remote'."
InfectionPropagationProperties,infection targeting,"Refers to the type of targeting employed by the ‘infect remote machine’ Strategic Objective, i.e., whether the targeted machines are randomly selected, or chosen from some particular set. Recommended values are: 'targeted', 'semi-targeted', or 'untargeted'."
InfectionPropagationProperties,autonomy,"Refers to the type of autonomy employed by the ‘infect remote machine’ Strategic Objective, i.e., whether the remote infection is performed autonomously. Recommended values are: 'semi-autonomous', 'autonomous'."
InfectionPropagationProperties,targeted file type,"Refers to the types of files targeted by the ‘infect file’ Strategic Objective. It is recommended that files be specified via their extension, e.g., ""exe"", ""pdf"", etc."
InfectionPropagationProperties,targeted file architecture type,Refers to the type of file architecture targeted by the ‘infect file’ Strategic Objective. Recommended values are: '32 bit' or '64 bit'.
InfectionPropagationProperties,file infection type,"Refers to the type of file infection employed by the ‘infect file’ Strategic Objective. Recommended values are: 'appending', 'prepending', 'overwriting', 'companion', 'variable key', 'polymorphic', or 'metamorphic'."
InfectionPropagationStrategicObjectives,prevent duplicate infection,Indicates that the malware instance is able to prevent itself from infecting a machine multiple times.
InfectionPropagationStrategicObjectives,infect file,Indicates that the malware instance is able to infect a file.
InfectionPropagationStrategicObjectives,infect remote machine,Indicates that the malware instance is able to self-propagate or infect a machine with malware that is different than itself.
InfectionPropagationTacticalObjectives,identify file,"Indicates that the malware instance is able to identify a file or files on a local, removable, and/or network drive for infection."
InfectionPropagationTacticalObjectives,perform autonomous remote infection,"Indicates that the malware instance is able to infect a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure call vulnerability)."
InfectionPropagationTacticalObjectives,identify target machine(s),"Indicates that the malware instance is able to identify one or more machines to be targeted for infection via some remote means (e.g., via email or the network)."
InfectionPropagationTacticalObjectives,perform social-engineering based remote infection,"Indicates that the malware instance is able to infect remote machines via some method that involves social engineering (e.g., sending an email with a malicious attachment)."
InfectionPropagationTacticalObjectives,inventory victims,Indicates that the malware instance is able to keep an inventory of the victims that it remotely infects.
InfectionPropagationTacticalObjectives,write code into file,Indicates that the malware instance is able to write code into a file.
InfectionPropagationTacticalObjectives,modify file,"Indicates that the malware instance is able to modify a file in some manner other than writing code to it, such as packing it (in terms of binary executable packing)."
IntegrityViolationStrategicObjectives,compromise system operational integrity,Indicates that the malware instance is able to compromise the operational integrity of a system.
IntegrityViolationStrategicObjectives,compromise user data integrity,Indicates that the malware instance is able to compromise a system's user data.
IntegrityViolationStrategicObjectives,annoy user,Indicates that the malware instance is able to annoy the users of a system.
IntegrityViolationStrategicObjectives,compromise network operational integrity,Indicates that the malware instance is able to compromise the operational integrity of a network.
IntegrityViolationStrategicObjectives,compromise system data integrity,Indicates that the malware instance is able to compromise the integrity of a system's data.
IntegrityViolationTacticalObjectives,subvert system,Indicates that the malware instance is able to subvert a system to perform beyond its operational boundaries or to perform tasks for which it was not originally intended.
IntegrityViolationTacticalObjectives,corrupt system data,Indicates that the malware instance is able to corrupt a system's data.
IntegrityViolationTacticalObjectives,annoy local system user,Indicates that the malware instance is able to annoy local system users.
IntegrityViolationTacticalObjectives,intercept/manipulate network traffic,Indicates that the malware is able to intercept and/or manipulate traffic on a network.
IntegrityViolationTacticalObjectives,annoy remote user,Indicates that the malware instance is able to annoy a remote user.
IntegrityViolationTacticalObjectives,corrupt user data,Indicates that the malware instance is able to corrupt a system's user data.
MachineAccessControlProperties,backdoor type,"Refers to the type of backdoor, e.g., reverse shell, employed by the ‘install backdoor’ Strategic Objective."
MachineAccessControlStrategicObjectives,control local machine,"Indicates that the malware instance is able to control the machine on which it is resident. Examples of malware with this capability include bots, backdoors, and RATs."
MachineAccessControlStrategicObjectives,install backdoor,"Indicates that the malware instance is able to install a backdoor, capable of providing covert remote access to the machine on which it is resident."
MachineAccessControlTacticalObjectives,control machine via remote command,"Indicates that the malware instance is able to execute commands issued to it from a remote source, for the purpose of controlling the machine on which it is resident."
PersistenceProperties,scope,"Refers to the scope of persistence employed by the Persistence Capability, i.e., whether the malware instance makes itself persist, or whether it makes other malware components persist. Recommended values are: 'self', or 'other malware/components'."
PersistenceStrategicObjectives,persist to re-infect system,Indicates that the malware instance is able to re-infect a system after some of its components have been removed.
PersistenceStrategicObjectives,gather information for improvement,Indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected.
PersistenceStrategicObjectives,ensure compatibility,Indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing.
PersistenceStrategicObjectives,persist to continuously execute on system,"Indicates that the malware instance is able to continue to execute on a system after significant system events (e.g., after a reboot)."
PersistenceTacticalObjectives,reinstantiate self after initial detection,Indicates that the malware instance is able to re-establish itself on the system after it is initially detected.
PersistenceTacticalObjectives,limit application type/version,Indicates that the malware instance is able to limit the type or version of an application that runs on a system in order to ensure that it is able to continue executing.
PersistenceTacticalObjectives,persist after os install/reinstall,Indicates that the malware instance is able to continue to execute after the operating system is installed or reinstalled.
PersistenceTacticalObjectives,drop/retrieve debug log file,Indicates that the malware instance is able to generate and retrieve a log file of errors associated with the malware.
PersistenceTacticalObjectives,persist independent of hard disk/os changes,Indicates that the malware instance is able to continue to execute after changes to the hard disk or the operating system have been made.
PersistenceTacticalObjectives,persist after system reboot,Indicates that the malware instance is able to continue to execute after a system reboot.
PrivilegeEscalationProperties,user privilege escalation type,"Refers to the type of user privilege escalation employed by the ‘escalate user privilege’ Strategic Objective. Recommended values are: 'horizontal', or 'vertical'."
PrivilegeEscalationStrategicObjectives,impersonate user,Indicates that the malware instance is able to impersonate another user to operate within a different security context (also known as horizontal privilege escalation).
PrivilegeEscalationStrategicObjectives,escalate user privilege,Indicates that the malware instance is able to obtain a higher level of access than intended by the system (also known as vertical privilege escalation).
PrivilegeEscalationTacticalObjectives,elevate cpu mode,Indicates that the malware instance is able to elevate the CPU (processor) mode under which it executes.
ProbingStrategicObjectives,probe host configuration,Indicates that the malware instance is able to probe the configuration of the host system on which it executes.
ProbingStrategicObjectives,probe network configuration,"Indicates that the malware instance is able to probe the properties of its network environment, e.g., to determine whether it funnels traffic through a proxy."
ProbingTacticalObjectives,identify os,Indicates that the malware instance is able to identify the operating system under which it executes.
ProbingTacticalObjectives,check for proxy,Indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software proxy.
ProbingTacticalObjectives,check for firewall,Indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software firewall.
ProbingTacticalObjectives,check for network drives,Indicates that the malware instance is able to check for network drives that may be present in the network environment.
ProbingTacticalObjectives,map local network,Indicates that the malware instance is able to map the layout of the local network environment in which it executes.
ProbingTacticalObjectives,inventory system applications,Indicates that the malware instance is able to inventory the applications installed on the system on which it executes.
ProbingTacticalObjectives,check language,Indicates that the malware instance is able to check the language of the host system on which it executes.
ProbingTacticalObjectives,check for internet connectivity,Indicates that the malware instance is able to check whether the network environment in which it executes is connected to the internet.
RemoteMachineManipulationStrategicObjectives,access remote machine,Indicates that the malware instance is able to access a remote machine.
RemoteMachineManipulationStrategicObjectives,search for remote machine,Indicates that the malware instance is able to search for remote machines to target.
RemoteMachineManipulationTacticalObjectives,compromise remote machine,Indicates that the malware instance is able to gain control of a remote machine through compromise.
SecondaryOperationProperties,trigger type,"Refers to a description of the trigger used to wake or terminate the malware instance in the ‘lie dormant’ or ‘suicide exit’ Strategic Objectives, respectively."
SecondaryOperationStrategicObjectives,patch operating system file(s),Indicates that the malware instance is able to patch or modify the critical system files of the operating system under which it executes.
SecondaryOperationStrategicObjectives,remove traces of infection,Indicates that the malware instance is able to remove traces of its infection of a system.
SecondaryOperationStrategicObjectives,log activity,Indicates that the malware instance is able to log its own activity.
SecondaryOperationStrategicObjectives,lay dormant,Indicates that the malware instance is able to lie dormant on a system for some period of time.
SecondaryOperationStrategicObjectives,install other components,"Indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools."
SecondaryOperationStrategicObjectives,suicide exit,Indicates that the malware instance is able to terminate itself based on some condition or value.
SecondaryOperationTacticalObjectives,install secondary module,Indicates that the malware instance is able to install a secondary module (typically related to itself).
SecondaryOperationTacticalObjectives,install secondary malware,Indicates that the malware instance is able to install another malware instance.
SecondaryOperationTacticalObjectives,install legitimate software,Indicates that the malware instance is able to install legitimate software.
SecondaryOperationTacticalObjectives,remove self,Indicates that the malware instance is able to remove itself from the system.
SecondaryOperationTacticalObjectives,remove system artifacts,Indicates that the malware instance is able to remove its artifacts from a system.
SecurityDegradationProperties,targeted program,Refers to the name of a program targeted by the ‘degrade security programs’ Strategic Objective or one of its child Tactical Objectives.
SecurityDegradationStrategicObjectives,disable server provider security features,Indicates that the malware instance is able to bypass or disable third-party security features that would otherwise identify or notify users of its presence.
SecurityDegradationStrategicObjectives,degrade security programs,"Indicates that the malware instance is able to degrade security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters."
SecurityDegradationStrategicObjectives,disable system updates,Indicates that the malware instance is able to disable the downloading and installation of system updates.
SecurityDegradationStrategicObjectives,disable os security features,Indicates that the malware instance is able to bypass inherent operating system security mechanisms that typically involve elevated privileges.
SecurityDegradationStrategicObjectives,disable [host-based or os] access controls,Indicates that the malware instance is able to bypass access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files.
SecurityDegradationTacticalObjectives,stop execution of security program,Indicates that the malware instance is able to stop one or more security programs that may already be executing on a system.
SecurityDegradationTacticalObjectives,disable firewall,Indicates that the malware instance is able to evade or disable the host-based firewall or otherwise prevent the blocking of network communications.
SecurityDegradationTacticalObjectives,disable access right checking,"Indicates that the malware instance is able to bypass, disable, or modify access tokens or access control lists, thereby enabling the malware to read, write, or execute a file with one or more of these controls set."
SecurityDegradationTacticalObjectives,disable kernel patching protection,Indicates that the malware instance is able to bypass or disable PatchGuard; thus it is capable of operating at the same level as the kernel and kernel mode drivers (KMD).
SecurityDegradationTacticalObjectives,prevent access to security websites,Indicates that the malware instance is able to prevent access from a system to one or more security vendor or security-related websites.
SecurityDegradationTacticalObjectives,remove sms warning messages,Indicates that the malware instance is able to capture the message body of incoming SMS messages and abort the broadcasting of any message that meets certain criteria.
SecurityDegradationTacticalObjectives,modify security program configuration,Indicates that the malware instance is able to modify the configuration of one or more security programs running on a system in order to hamper their usefulness and ability to detect the malware instance.
SecurityDegradationTacticalObjectives,prevent security program from running,Indicates that the malware instance is able to prevent one or more security programs from running on a system.
SecurityDegradationTacticalObjectives,disable system update services/daemons,Indicates that the malware instance is able to disable system update services or daemons that may be running on a system.
SecurityDegradationTacticalObjectives,disable system service pack/patch installation,Indicates that the malware instance is able to disable the system's ability to install service packs or patches.
SecurityDegradationTacticalObjectives,disable system file overwrite protection,"Indicates that the malware instance is able to bypass or disable the Windows file protection feature, thus enabling system files to be modified or replaced."
SecurityDegradationTacticalObjectives,disable privilege limiting,Indicates that the malware instance is able to bypass controls that limit the privileges that can be granted to a user or entity.
SecurityDegradationTacticalObjectives,gather security product info,Indicates that the malware instance is able to gather information about the security products installed or running on a system.
SecurityDegradationTacticalObjectives,disable os security alerts,Indicates that the malware instance is able to evade or disable identification and/or notification of its presence by inherent features of the operating system.
SecurityDegradationTacticalObjectives,disable user account control,"Indicates that the malware instance is able to bypass or disable user account control (UAC), thus enabling a user to run an application with elevated privileges."
SpyingStrategicObjectives,capture system input peripheral data,Indicates that the malware instance is able to capture data from a system's input peripheral devices.
SpyingStrategicObjectives,capture system state data,"Indicates that the malware instance is able to capture information about a system's state (e.g., from its RAM)."
SpyingStrategicObjectives,capture system interface data,Indicates that the malware instance is able to capture data from a system's interfaces.
SpyingStrategicObjectives,capture system output peripheral data,Indicates that the malware instance is able to capture data sent to a system's output peripheral devices.
SpyingTacticalObjectives,capture system screenshot,"Indicates that the malware instance is able to capture images of what is currently being displayed on a system's screen, either locally or remotely via a remote desktop protocol."
SpyingTacticalObjectives,capture camera input,Indicates that the malware instance is able to capture data from a system's camera.
SpyingTacticalObjectives,capture file system,Indicates that the malware instance is able to capture data from a system's file system.
SpyingTacticalObjectives,capture printer output,Indicates that the malware instance is able to capture data sent to a system's printer.
SpyingTacticalObjectives,capture gps data,Indicates that the malware instance is able to capture system GPS data.
SpyingTacticalObjectives,capture keyboard input,Indicates that the malware instance is able to capture data from a system's keyboard.
SpyingTacticalObjectives,capture mouse input,Indicates that the malware instance is able to capture data from a system's mouse.
SpyingTacticalObjectives,capture microphone input,Indicates that the malware instance is able to capture data from a system's microphone.
SpyingTacticalObjectives,capture system network traffic,Indicates that the malware instance is able to capture system network traffic.
SpyingTacticalObjectives,capture touchscreen input,Indicates that the malware instance is able to capture data from a system's touchscreen.
SpyingTacticalObjectives,capture system memory,Indicates that the malware instance is able to capture data from a system's RAM.
MalwareConfigurationParameter,magic number,Refers to a configuration parameter that captures a file signature that may be used to identify or validate the content of the malware instance.
MalwareConfigurationParameter,id,Refers to a configuration parameter that captures an identifier for the malware instance.
MalwareConfigurationParameter,group id,Refers to a configuration parameter that captures an identifier for a collection of malware instances.
MalwareConfigurationParameter,mutex,Refers to a configuration parameter that captures a unique mutex value associated with the malware instance.
MalwareConfigurationParameter,filename,Refers to a configuration parameter that captures the name of a malicious binary such as one that is downloaded or embedded within the malware instance.
MalwareConfigurationParameter,installation path,"Refers to a configuration parameter that captures a location on disk to which the malware instance is installed, copied, or moved."
MalwareDevelopmentTool,builder,Specifies a malware builder tool (commonly used to mass-produce malware) that was used to generate the malware instance.
MalwareDevelopmentTool,compiler,Specifies a compiler tool that was used to compile the code composing the malware instance.
MalwareDevelopmentTool,linker,Specifies a linker tool that was used to link the object files associated with the malware instance.
MalwareDevelopmentTool,packer,Specifies a packer tool that was used to shrink the size of the executable binary associated with the malware instance. Packers are also sometimes referred to as 'compressors'.
MalwareDevelopmentTool,crypter,Specifies a crypter tool that was used to encrypt the executable binary associated with the malware instance.
MalwareDevelopmentTool,protector,Specifies a protector tool that was used to obfuscate the executable binary associated with the malware instance to make it more difficult to reverse engineer.
MalwareSubjectRelationshipType,downloads,Specifies that the current Malware Subject downloads one or more other Malware Subject(s).
MalwareSubjectRelationshipType,downloaded by,Specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).
MalwareSubjectRelationshipType,drops,Specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).
MalwareSubjectRelationshipType,dropped by,Specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).
MalwareSubjectRelationshipType,extracts,Specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).
MalwareSubjectRelationshipType,extracted from,Specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).
MalwareSubjectRelationshipType,direct descendant of,Specifies that the current Malware Subject is a direct descendant (i.e. in terms of development lineage) of one or more other Malware Subject(s).
MalwareSubjectRelationshipType,direct ancestor of,Specifies that the current Malware Subject is a direct ancestor (i.e. in terms of development lineage) of one or more other Malware Subject(s).
MalwareSubjectRelationshipType,memory image of,Specifies that the current Malware Subject represents a memory image associated with one or more other Malware Subject(s).
MalwareSubjectRelationshipType,contained in memory image,Specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent memory images.
MalwareSubjectRelationshipType,disk image of,Specifies that the current Malware Subject represents a disk image associated with one or more other Malware Subject(s).
MalwareSubjectRelationshipType,contained in disk image,Specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent disk images.
MalwareSubjectRelationshipType,network traffic capture of,Specifies that the current Malware Subject represents captured network traffic associated with one or more other Malware Subject(s).
MalwareSubjectRelationshipType,contained in network traffic capture,Specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent captures of network traffic.
MalwareSubjectRelationshipType,packed version of,Specifies that the current Malware Subject represents a packed version (in terms of executable binary packing) of one or more other Malware Subject(s).
MalwareSubjectRelationshipType,unpacked version of,Specifies that the current Malware Subject represents an unpacked version (in terms of executable binary packing) of one or more other Malware Subject(s).
MalwareSubjectRelationshipType,installs,Specifies that the current Malware Subject installs one or more other Malware Subject(s).
MalwareSubjectRelationshipType,installed by,Specifies that the current Malware Subject is installed by one or more other Malware Subject(s).
MalwareSubjectRelationshipType,64-bit version of,Specifies that the current Malware Subject is a 64-bit version of one or more other Malware Subject(s).
MalwareSubjectRelationshipType,32-bit version of,Specifies that the current Malware Subject is a 32-bit version of one or more other Malware Subject(s).
MalwareSubjectRelationshipType,encrypted version of,Specifies that the current Malware Subject is an encrypted version of one or more other Malware Subject(s).
MalwareSubjectRelationshipType,decrypted version of,Specifies that the current Malware Subject is a decrypted version of one or more other Malware Subject(s).
GroupingRelationshipType,same malware family,Indicates that the Malware Subjects in the MAEC Package are all part of the same malware family.
GroupingRelationshipType,clustered together,Indicates that the Malware Subjects in the MAEC Package were clustered together by some algorithm or other mechanism.
GroupingRelationshipType,observed together,"Indicates that the Malware Subjects in the MAEC Package were observed together, such as on a host system, in some archive, etc. Note that there may not be any relationship between the Malware Subjects beyond co-location."
GroupingRelationshipType,part of intrusion set,Indicates that the Malware Subjects in the MAEC Package were found as part of the same malware intrusion set.
GroupingRelationshipType,same malware toolkit,"Indicates that the Malware Subjects in the MAEC Package were all created using the same malware toolkit, independent of toolkit version."