mbc_summary.md

File metadata and controls

195 lines (189 loc) · 28.1 KB

Malware Objectives

| ID | Objective | Description |
|---|---|---|
| OB0001 | Anti-Behavioral Analysis | Behaviors that prevent, obstruct, or evade behavioral analysis of malware, for example analysis done using a sandbox or debugger. Because the underlying methods differ, separate "detection" and "evasion" behaviors are defined for some anti-behavioral analysis areas. |
| OB0002 | Anti-Static Analysis | Behaviors and code characteristics that prevent or hinder static analysis of the malware. Simple static analysis identifies features such as embedded strings, header information, or file metadata. More involved static analysis involves the disassembly of the binary code. |
| OB0003 | Collection | Behaviors that enable malware to identify and gather information, such as sensitive files, from a machine or network. Sources often targeted include drives, browsers, audio/video, and email. Often the malware's next objective is to exfiltrate the information gathered. |
| OB0004 | Command and Control | Behaviors that enable malware to communicate with systems such as C2 servers or bots. Malware can establish command and control with various levels of covertness, depending on system configuration and network topology. |
| OB0005 | Credential Access | Behaviors to obtain credential access, allowing the malware or its underlying threat actor to assume control of an account with the associated system and network permissions. |
| OB0006 | Defense Evasion | Behaviors that enable malware to evade detection. |
| OB0007 | Discovery | Behaviors that enable malware to gain knowledge about the system and network. |
| OB0009 | Execution | Behaviors that enable malware to execute code on a system to achieve a variety of goals. |
| OB0010 | Exfiltration | Behaviors that enable malware to steal data from a system. This includes stored data, such as files, as well as data input into applications, such as web browsers. |
| OB0008 | Impact | Behaviors that enable malware to manipulate, interrupt, or destroy systems and data. |
| OB0011 | Lateral Movement | Behaviors that enable malware to propagate or otherwise move through an environment. Lateral movement may be active, happening via direct machine access, or may be passive (for example, done via malicious email). |
| OB0012 | Persistence | Behaviors that enable malware to remain on a system regardless of system events, such as reboots. |
| OB0013 | Privilege Escalation | Behaviors that enable malware to obtain higher level permissions. These behaviors often overlap with Persistence behaviors. |

Malware Micro-objectives

| ID | Micro-objective | Description |
|---|---|---|
| OC0006 | Communication | Micro-behaviors that enable malware to communicate. |
| OC0005 | Cryptography | Micro-behaviors that enable malware to use crypto. |
| OC0004 | Data | Micro-behaviors related to malware manipulating data. |
| OC0001 | File System | Micro-behaviors related to file manipulation. |
| OC0007 | Hardware | Micro-behaviors related to hardware. |
| OC0002 | Memory | Micro-behaviors related to malware manipulating machine memory. |
| OC0008 | Operating System | Micro-behaviors related to operating systems. |
| OC0003 | Process | Micro-behaviors related to processes. |

Malware Behaviors

| ID | Behavior | Objective(s) | Related ATT&CK Technique |
|---|---|---|---|
| B0010 | Call Graph Generation Evasion | ANTI-STATIC ANALYSIS | none |
| B0032 | Executable Code Obfuscation | ANTI-STATIC ANALYSIS | none |
| B0034 | Executable Code Optimization | ANTI-STATIC ANALYSIS | none |
| B0008 | Executable Code Virtualization | ANTI-BEHAVIORAL ANALYSIS, ANTI-STATIC ANALYSIS | none |
| B0045 | Data Flow Analysis Evasion | ANTI-STATIC ANALYSIS | none |
| B0012 | Disassembler Evasion | ANTI-STATIC ANALYSIS | none |
| B0014 | SMTP Connection Discovery | DISCOVERY | none |
| B0046 | Code Discovery | DISCOVERY | none |
| B0038 | Self Discovery | DISCOVERY | none |
| B0013 | Analysis Tool Discovery | DISCOVERY | none |
| B0043 | Taskbar Discovery | DISCOVERY | none |
| B0028 | Cryptocurrency | COLLECTION, CREDENTIAL ACCESS | none |
| B0030 | C2 Communication | COMMAND AND CONTROL | none |
| B0031 | Domain Name Generation | COMMAND AND CONTROL | Dynamic Resolution: Domain Generation Algorithms (T1568.002) |
| B0024 | Prevent Concurrent Execution | EXECUTION | none |
| B0044 | Execution Dependency | EXECUTION | none |
| B0023 | Install Additional Program | EXECUTION | none |
| B0020 | Send Email | EXECUTION, LATERAL MOVEMENT | Phishing (T1566) |
| B0011 | Remote Commands | EXECUTION | none |
| B0025 | Conditional Execution | EXECUTION, ANTI-BEHAVIORAL ANALYSIS, DEFENSE EVASION | Execution Guardrails (T1480) |
| B0021 | Send Poisoned Text Message | EXECUTION, LATERAL MOVEMENT | none |
| B0026 | Malicious Network Driver | LATERAL MOVEMENT, PERSISTENCE | none |
| B0035 | Shutdown Event | PERSISTENCE | none |
| B0018 | Resource Hijacking | IMPACT | Resource Hijacking (T1496) |
| B0022 | Remote Access | IMPACT, PERSISTENCE | none |
| B0017 | Destroy Hardware | IMPACT | none |
| B0016 | Compromise Data Integrity | IMPACT | Data Manipulation: Stored Data Manipulation (T1565.001) |
| B0033 | Denial of Service | IMPACT | Network Denial of Service (T1498) |
| B0019 | Manipulate Network Traffic | IMPACT | Data Manipulation: Transmitted Data Manipulation (T1565.002) |
| B0042 | Modify Hardware | IMPACT | none |
| B0039 | Spamming | IMPACT | none |
| B0006 | Memory Dump Evasion | ANTI-BEHAVIORAL ANALYSIS | none |
| B0036 | Capture Evasion | ANTI-BEHAVIORAL ANALYSIS | none |
| B0009 | Virtual Machine Detection | ANTI-BEHAVIORAL ANALYSIS | Virtualization/Sandbox Evasion (T1497, T1633) |
| B0007 | Sandbox Detection | ANTI-BEHAVIORAL ANALYSIS | Virtualization/Sandbox Evasion: System Checks (T1497.001, T1633.001); Virtualization/Sandbox Evasion: User Activity Based Checks (T1497.002) |
| B0005 | Emulator Evasion | ANTI-BEHAVIORAL ANALYSIS | none |
| B0002 | Debugger Evasion | ANTI-BEHAVIORAL ANALYSIS | Debugger Evasion (T1622) |
| B0001 | Debugger Detection | ANTI-BEHAVIORAL ANALYSIS | none |
| B0004 | Emulator Detection | ANTI-BEHAVIORAL ANALYSIS | none |
| B0003 | Dynamic Analysis Evasion | ANTI-BEHAVIORAL ANALYSIS | Virtualization/Sandbox Evasion (T1497, T1633) |
| B0037 | Bypass Data Execution Prevention | DEFENSE EVASION | none |
| B0047 | Install Insecure or Malicious Configuration | DEFENSE EVASION, PERSISTENCE | none |
| B0040 | Covert Location | DEFENSE EVASION | none |
| B0029 | Polymorphic Code | DEFENSE EVASION | none |
| B0027 | Alternative Installation Location | DEFENSE EVASION | none |

Malware Micro-behaviors

| ID | Micro-behavior | Objective(s) |
|---|---|---|
| C0007 | Allocate Memory | MEMORY |
| C0040 | Allocate Thread Local Storage | PROCESS |
| C0015 | Alter File Extension | FILE SYSTEM |
| C0008 | Change Memory Protection | MEMORY |
| C0043 | Check Mutex | PROCESS |
| C0019 | Check String | DATA |
| C0032 | Checksum | DATA |
| C0024 | Compress Data | DATA |
| C0060 | Compression Library | DATA |
| C0033 | Console | OPERATING SYSTEM |
| C0045 | Copy File | FILE SYSTEM |
| C0046 | Create Directory | FILE SYSTEM |
| C0016 | Create File | FILE SYSTEM |
| C0042 | Create Mutex | PROCESS |
| C0017 | Create Process | PROCESS |
| C0038 | Create Thread | PROCESS |
| C0068 | Crypto Algorithm | CRYPTOGRAPHY |
| C0069 | Crypto Constant | CRYPTOGRAPHY |
| C0059 | Crypto Library | CRYPTOGRAPHY |
| C0029 | Cryptographic Hash | CRYPTOGRAPHY |
| C0011 | DNS Communication | COMMUNICATION |
| C0053 | Decode Data | DATA |
| C0025 | Decompress Data | DATA |
| C0031 | Decrypt Data | CRYPTOGRAPHY |
| C0048 | Delete Directory | FILE SYSTEM |
| C0047 | Delete File | FILE SYSTEM |
| C0026 | Encode Data | DATA |
| C0027 | Encrypt Data | CRYPTOGRAPHY |
| C0028 | Encryption Key | CRYPTOGRAPHY |
| C0064 | Enumerate Threads | PROCESS |
| C0034 | Environment Variable | OPERATING SYSTEM |
| C0004 | FTP Communication | COMMUNICATION |
| C0044 | Free Memory | MEMORY |
| C0021 | Generate Pseudo-random Sequence | CRYPTOGRAPHY |
| C0049 | Get File Attributes | FILE SYSTEM |
| C0002 | HTTP Communication | COMMUNICATION |
| C0061 | Hashed Message Authentication Code | CRYPTOGRAPHY |
| C0006 | Heap Spray | MEMORY |
| C0014 | ICMP Communication | COMMUNICATION |
| C0037 | Install Driver | HARDWARE |
| C0003 | Interprocess Communication | COMMUNICATION |
| C0023 | Load Driver | HARDWARE |
| C0058 | Modulo | DATA |
| C0063 | Move File | FILE SYSTEM |
| C0030 | Non-Cryptographic Hash | DATA |
| C0065 | Open Process | PROCESS |
| C0066 | Open Thread | PROCESS |
| C0010 | Overflow Buffer | MEMORY |
| C0051 | Read File | FILE SYSTEM |
| C0056 | Read Virtual Disk | FILE SYSTEM |
| C0036 | Registry | OPERATING SYSTEM |
| C0054 | Resume Thread | PROCESS |
| C0012 | SMTP Communication | COMMUNICATION |
| C0050 | Set File Attributes | FILE SYSTEM |
| C0072 | Set Thread Context | PROCESS |
| C0041 | Set Thread Local Storage Value | PROCESS |
| C0057 | Simulate Hardware | HARDWARE |
| C0001 | Socket Communication | COMMUNICATION |
| C0009 | Stack Pivot | MEMORY |
| C0055 | Suspend Thread | PROCESS |
| C0018 | Terminate Process | PROCESS |
| C0039 | Terminate Thread | PROCESS |
| C0070 | Unmap Section View | PROCESS |
| C0020 | Use Constant | DATA |
| C0035 | Wallpaper | OPERATING SYSTEM |
| C0005 | WinINet | COMMUNICATION |
| C0071 | Write Process Memory | PROCESS |
| C0052 | Writes File | FILE SYSTEM |

Enhanced Malware ATT&CK Techniques

| ID | Technique | Objective(s) |
|---|---|---|
| E1010 | Application Window Discovery | DISCOVERY |
| E1560 | Archive Collected Data | COLLECTION |
| E1020 | Automated Exfiltration | EXFILTRATION |
| E1510 | Clipboard Modification | IMPACT |
| E1059 | Command and Scripting Interpreter | EXECUTION |
| E1485 | Data Destruction | IMPACT |
| E1486 | Data Encrypted for Impact | IMPACT |
| E1190 | Exploit Kit | IMPACT |
| E1203 | Exploitation for Client Execution | EXECUTION, IMPACT |
| E1083 | File and Directory Discovery | DISCOVERY |
| E1643 | Generate Traffic from Victim | IMPACT |
| E1564 | Hide Artifacts | DEFENSE EVASION, PERSISTENCE |
| E1105 | Ingress Tool Transfer | COMMAND AND CONTROL, LATERAL MOVEMENT, PERSISTENCE |
| E1056 | Input Capture | COLLECTION, CREDENTIAL ACCESS |
| E1112 | Modify Registry | DEFENSE EVASION, PERSISTENCE |
| E1027 | Obfuscated Files or Information | ANTI-STATIC ANALYSIS, DEFENSE EVASION |
| E1055 | Process Injection | DEFENSE EVASION, PRIVILEGE ESCALATION |
| E1014 | Rootkit | DEFENSE EVASION |
| E1113 | Screen Capture | COLLECTION, CREDENTIAL ACCESS |
| E1195 | Supply Chain Compromise | LATERAL MOVEMENT |
| E1082 | System Information Discovery | DISCOVERY |
| E1569 | System Services | EXECUTION |
| E1204 | User Execution | EXECUTION |

Enhanced Malware ATT&CK Sub-techniques

| ID | Sub-technique | Objective(s) |
|---|---|---|
| F0013 | Bootkit | DEFENSE EVASION, PERSISTENCE |
| F0009 | Component Firmware | IMPACT, PERSISTENCE, DEFENSE EVASION |
| F0004 | Disable or Evade Security Tools | DEFENSE EVASION |
| F0014 | Disk Wipe | IMPACT |
| F0005 | Hidden Files and Directories | DEFENSE EVASION, PERSISTENCE |
| F0015 | Hijack Execution Flow | ANTI-BEHAVIORAL ANALYSIS, COLLECTION, CREDENTIAL ACCESS, DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION |
| F0006 | Indicator Blocking | DEFENSE EVASION |
| F0016 | Install Certificate | PRIVILEGE ESCALATION |
| F0010 | Kernel Modules and Extensions | PERSISTENCE, PRIVILEGE ESCALATION |
| F0002 | Keylogging | COLLECTION, CREDENTIAL ACCESS |
| F0011 | Modify Existing Service | PERSISTENCE, PRIVILEGE ESCALATION |
| F0012 | Registry Run Keys / Startup Folder | PERSISTENCE |
| F0007 | Self Deletion | DEFENSE EVASION |
| F0001 | Software Packing | ANTI-BEHAVIORAL ANALYSIS, ANTI-STATIC ANALYSIS, DEFENSE EVASION |