VERIS action.malware Capability Group

All Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1047 Windows Management Instrumentation
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1059.005 Command and Scripting Interpreter: Visual Basic
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1059.007 Command and Scripting Interpreter: JavaScript
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1072 Software Deployment Tools
action.malware.vector.Software update Included in automated software update related-to T1072 Software Deployment Tools
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.001 Server Software Component: SQL Stored Procedures
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.001 Server Software Component: SQL Stored Procedures
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.002 Server Software Component: Transport Agent
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.002 Server Software Component: Transport Agent
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1543 Create or Modify System Process
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1543 Create or Modify System Process
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1543 Create or Modify System Process
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' related-to T1543.003 Create or Modify System Process: Windows Service
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, MitB) related-to T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching
action.malware.vector.Network propagation Network propagation related-to T1563 Remote Service Session Hijacking
action.malware.vector.Network propagation Network propagation related-to T1563.001 Remote Service Session Hijacking: SSH Hijacking
action.malware.vector.Network propagation Network propagation related-to T1563.002 Remote Service Session Hijacking: RDP Hijacking
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.001 Hide Artifacts: Hidden Files and Directories
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.002 Hide Artifacts: Hidden Users
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.003 Hide Artifacts: Hidden Window
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.004 Hide Artifacts: NTFS File Attributes
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.005 Hide Artifacts: Hidden File System
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.006 Hide Artifacts: Run Virtual Instance
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.007 Hide Artifacts: VBA Stomping
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1564.007 Hide Artifacts: VBA Stomping
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1569.002 System Services: Service Execution
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1098 Account Manipulation
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1098 Account Manipulation
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1037 Boot or Logon Initialization Scripts
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1037 Boot or Logon Initialization Scripts
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1554 Compromise Client Software Binary
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1554 Compromise Client Software Binary
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1554 Compromise Client Software Binary
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1554 Compromise Client Software Binary
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new filess related-to T1136 Create Accounts
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1546 Event Triggered Execution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1546 Event Triggered Execution
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1133 External Remote Services
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1133 External Remote Services
action.malware.vector.Remote injection Remotely injected by agent (i.e. via SQLi) related-to T1133 External Remote Services
action.malware.vector.Web application Web application. Parent of 'Web application - download' and 'Web application - drive-by. related-to T1133 External Remote Services
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1525 Implant Internal Image
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1525 Implant Internal Image
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' related-to T1525 Implant Internal Image
action.malware.variety.Unknown Unknown related-to T1525 Implant Internal Image
action.malware.variety.Brute force Brute force attack related-to T1110 Brute Force
action.malware.variety.Brute force Brute force attack related-to T1110.001 Brute Force: Password Guessing
action.malware.variety.Brute force Brute force attack related-to T1110.002 Brute Force: Password Cracking
action.malware.variety.Brute force Brute force attack related-to T1110.003 Brute Force: Password Spraying
action.malware.variety.Brute force Brute force attack related-to T1110.004 Brute Force: Credential Stuffing
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, MitB) related-to T1203 Exploitation for Client Execution
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1203 Exploitation for Client Execution
action.malware.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.002 Adversary-in-the-Middle: ARP Cache Poisoning
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600 Weaken Encryption
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562 Impair Defenses
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1562 Impair Defenses
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new filess related-to T1562 Impair Defenses
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.001 Disable or Modify Tools
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.002 Disable Windows Event Logging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.003 Impair Command History Logging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.004 Disable or Modify System Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.007 Disable or Modify Cloud Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Disable Cloud Logs
action.malware.variety.DoS DoS attack related-to T1489 Service Stop
action.malware.variety.DoS DoS attack related-to T1498 Network Denial of Service
action.malware.variety.DoS DoS attack related-to T1498.001 Network Denial of Service: Direct Network Flood
action.malware.variety.DoS DoS attack related-to T1498.002 Network Denial of Service: Reflection Amplification
action.malware.variety.DoS DoS attack related-to T1499 Endpoint Denial of Service
action.malware.variety.DoS DoS attack related-to T1499.001 Endpoint Denial of Service: OS Exhaustion Flood
action.malware.variety.DoS DoS attack related-to T1499.002 Endpoint Denial of Service: Service Exhaustion Flood
action.malware.variety.DoS DoS attack related-to T1499.003 Endpoint Denial of Service: Application Exhaustion Flood
action.malware.variety.DoS DoS attack related-to T1499.004 Endpoint Denial of Service: Application or System Exploitation
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1622 Debugger Evasion
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1211 Exploitation for Defense Evasion
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036 Masquerading
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1036 Masquerading
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1036 Masquerading
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1014 Rootkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1014 Rootkit
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553 Subvert Trust Controls
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1553 Subvert Trust Controls
action.malware.variety.Unknown Unknown related-to T1001 Data Obfuscation
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1001.001 Data Obfuscation: Junk Data
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1001.001 Data Obfuscation: Junk Data
action.malware.variety.Unknown Unknown related-to T1001.001 Data Obfuscation: Junk Data
action.malware.variety.Unknown Unknown related-to T1001.002 Data Obfuscation: Steganography
action.malware.variety.Unknown Unknown related-to T1001.003 Data Obfuscation: Protocol Impersonation
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1071 Application Layer Protocol
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1071 Application Layer Protocol
action.malware.variety.Unknown Unknown related-to T1071 Application Layer Protocol
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1132 Data Encoding
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1132 Data Encoding
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1132.001 Data Encoding: Standard Encoding
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1132.001 Data Encoding: Standard Encoding
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1132.002 Data Encoding: Non-Standard Encoding
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1132.002 Data Encoding: Non-Standard Encoding
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568 Dynamic Resolution
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568 Dynamic Resolution
action.malware.vector.Download by malware Downloaded and installed by local malware related-to T1568 Dynamic Resolution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.001 Dynamic Resolution: Fast Flux DSN
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.001 Dynamic Resolution: Fast Flux DSN
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.002 Dynamic Resolution: Domain Generation Algorithms
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.002 Dynamic Resolution: Domain Generation Algorithms
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.003 Dynamic Resolution: DNS Calculation
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.003 Dynamic Resolution: DNS Calculation
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573 Encrypted Channels
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573 Encrypted Channels
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573.002 Encrypted Channels: Asymmetric Cryptography
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573.002 Encrypted Channels: Asymmetric Cryptography
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573.001 Encrypted Channels: Symmetric Cryptography
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573.001 Encrypted Channels: Symmetric Cryptography
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1008 Fallback Channels
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1008 Fallback Channels
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1104 Multi-Stage Channels
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1104 Multi-Stage Channels
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1572 Protocol Tunneling
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1572 Protocol Tunneling
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1090 Proxy
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1090 Proxy
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1205 Traffic Signaling
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1205 Traffic Signaling
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1205.001 Traffic Signaling: Port Knocking
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1205.001 Traffic Signaling: Port Knocking
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1205.001 Traffic Signaling: Port Knocking
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1102 Web Service
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1102 Web Service
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1068 Exploitation for Privilege Escalation
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1212 Exploitation for Credential Access
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1212 Exploitation for Credential Access
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1212 Exploitation for Credential Access
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
action.malware.variety.Scan network Enumerating the state of the network related-to T1595.002 Active Scanning: Vulnerability Scanning
action.malware.variety.Capture app data Capture data from application or system process related-to T1539 Steal Web Session Cookie
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.006 Acquire Infrastructure: Web Services
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.006 Acquire Infrastructure: Web Services
action.malware.variety.Capture app data Capture data from application or system process related-to T1185 Browser Session Hijacking
action.malware.variety.Click fraud Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Click fraud and cryptocurrency mining Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Cryptocurrency mining Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557 Man-in-the-Middle
action.malware.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027 Obfuscated Files or Information
action.malware.variety.Pass-the-hash Pass-the-hash related-to T1550.002 Use Alternate Authentication Material: Pass the Hash
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1550.002 Use Alternate Authentication Material: Pass the Hash
action.malware.variety.Profile host Enumerating the state of the current host related-to T1082 System Information Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1033 System Owner/User Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1033 System Owner/User Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1007 System Service Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1012 Query Registry
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1083 File and Directory Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1083 File and Directory Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1119 Automated Collection
action.malware.variety.Scan network Enumerating the state of the network related-to T1046 Network Service Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1135 Network Share Discovery
action.malware.variety.Packet sniffer Packet sniffer (capture data from network) related-to T1040 Network Sniffing
action.malware.variety.Scan network Enumerating the state of the network related-to T1040 Network Sniffing
action.malware.variety.Scan network Enumerating the state of the network related-to T1018 Remote System Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1049 System Network Connections Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1602 Data from Configuration Repository
action.malware.vector.Network propagation Network propagation related-to T1021 Remote Services
action.malware.variety.Pass-the-hash Pass-the-hash related-to T1550 Use Alternate Authentication Material
action.malware.vector.Network propagation Network propagation related-to T1550 Use Alternate Authentication Material
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213 Data from Information Repository
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1010 Application Window Discovery
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. related-to T1583 Acquire Infrastructure
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.001 Acquire Infrastructure: Domains
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.001 Acquire Infrastructure: Domains
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.002 Acquire Infrastructure: DNS Server
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.002 Acquire Infrastructure: DNS Server
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. related-to T1584 Compromise Infrastructure
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1584.002 Compromise Infrastructure: DNS Server
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1584.002 Compromise Infrastructure: DNS Server
action.malware.variety.Unknown Unknown related-to T1587.001 Develop Capabilities: Malware
action.malware.variety.Unknown Unknown related-to T1587.004 Develop Capabilities: Exploits
action.malware.variety.Unknown Unknown related-to T1588.001 Obtain Capabilities: Malware
action.malware.variety.Unknown Unknown related-to T1588.005 Obtain Capabilities: Exploits
action.malware.variety.Unknown Unknown related-to T1588.006 Obtain Capabilities: Vulnerabilities
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1219 Remote Access Software
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497 Virtualization/Sandbox Evasion
action.malware.variety.Adware Adware related-to T1199 Trusted Relationship
action.malware.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1199 Trusted Relationship
action.malware.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1195 Supply Chain Compromise
action.malware.vector.Software update Included in automated software update related-to T1195 Supply Chain Compromise
action.malware.variety.Capture app data Capture data from application or system process related-to T1056.003 Input Capture: Web Portal Capture
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1095 Non-Application Layer Protocol
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1095 Non-Application Layer Protocol
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1571 Non-Standard Port
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1571 Non-Standard Port
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505 Server Software Component
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505 Server Software Component
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.003 Server Software Component: Web Shell
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.003 Server Software Component: Web Shell
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1071.001 Application Layer Protocol: Web Protocols
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1071.001 Application Layer Protocol: Web Protocols
action.malware.variety.Unknown Unknown related-to T1071.001 Application Layer Protocol: Web Protocols
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1071.002 Application Layer Protocol: File Transfer Protocol
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1071.002 Application Layer Protocol: File Transfer Protocol
action.malware.variety.Unknown Unknown related-to T1071.002 Application Layer Protocol: File Transfer Protocol
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1071.003 Application Layer Protocol: Mail Protocols
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1071.003 Application Layer Protocol: Mail Protocols
action.malware.variety.Unknown Unknown related-to T1071.003 Application Layer Protocol: Mail Protocols
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1071.004 Application Layer Protocol: DNS
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1071.004 Application Layer Protocol: DNS
action.malware.variety.Unknown Unknown related-to T1071.004 Application Layer Protocol: DNS
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1090.001 Proxy: Internal Proxy
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1090.001 Proxy: Internal Proxy
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1090.002 Proxy: External Proxy
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1090.002 Proxy: External Proxy
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1090.003 Proxy: Multi-hop Proxy
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1090.003 Proxy: Multi-hop Proxy
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1090.004 Proxy: Domain Fronting
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1090.004 Proxy: Domain Fronting
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1102.001 Web Service: Dead Drop Resolver
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1102.001 Web Service: Dead Drop Resolver
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1102.002 Web Service: Bidirectional Communication
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1102.002 Web Service: Bidirectional Communication
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1102.003 Web Service: One-Way Communication
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1102.003 Web Service: One-Way Communication
action.malware.variety.Capture app data Capture data from application or system process related-to T1056 Input Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1056.001 Input Capture: Keylogging
action.malware.variety.Capture app data Capture data from application or system process related-to T1056.002 Input Capture: GUI Input Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1056.004 Input Capture: Credential API Hooking
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1056.004 Input Capture: Credential API Hooking
action.malware.variety.Spyware/Keylogger Spyware, keylogger or form-grabber (capture user input or activity) related-to T1056.004 Input Capture: Credential API Hooking
action.malware.variety.Capture app data Capture data from application or system process related-to T1113 Screen Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1114 Email Collection
action.malware.variety.Capture app data Capture data from application or system process related-to T1114.001 Email Collection: Local Email Collection
action.malware.variety.Capture app data Capture data from application or system process related-to T1114.002 Email Collection: Remote Email Collection
action.malware.variety.Capture app data Capture data from application or system process related-to T1114.003 Email Collection: Email Forwarding Rule
action.malware.variety.Capture app data Capture data from application or system process related-to T1123 Audio Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1125 Video Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1176 Browser Extensions
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1176 Browser Extensions
action.malware.variety.Capture app data Capture data from application or system process related-to T1207 Rogue Domain Controller
action.malware.variety.Capture app data Capture data from application or system process related-to T1217 Browser Bookmark Discovery
action.malware.variety.Capture app data Capture data from application or system process related-to T1528 Steal Application Access Token
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.002 OS Credential Dumping: Security Account Manager
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.002 OS Credential Dumping: Security Account Manager
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1003.002 OS Credential Dumping: Security Account Manager
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.003 OS Credential Dumping: NTDS
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.003 OS Credential Dumping: NTDS
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.006 OS Credential Dumping: DCSync
action.malware.variety.Export data Export data to another site or system related-to T1003.006 OS Credential Dumping: DCSync
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.006 OS Credential Dumping: DCSync
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1005 Data from Local System
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1025 Data from Removable Media
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1039 Data from Network Shared Drive
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213.001 Data from Information Repositories: Confluence
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213.002 Data from Information Repositories: Sharepoint
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1530 Data from Cloud Storage
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, MitB) related-to T1221 Template Injection
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070 Indicator Removal on Host
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.001 Indicator Removal on Host: Clear Windows Event Logs
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.003 Indicator Removal on Host: Clear Command History
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.004 Indicator Removal on Host: File Deletion
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.005 Indicator Removal on Host: Network Share Connection Removal
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.006 Indicator Removal on Host: Timestomp
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1485 Data Destruction
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1495 Firmware Corruption
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561 Disk Wipe
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561.001 Disk Wipe: Disk Content Wipe
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561.002 Disk Wipe: Disk Structure Wipe
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1006 Direct Volume Access
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.001 Obfuscated Files or Information: Binary Padding
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.002 Obfuscated Files or Information: Software Packaging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.003 Obfuscated Files or Information: Steganography
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.004 Obfuscated Files or Information: Compile After Dilevery
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.001 Masquerading: Invalid Code Signature
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.002 Masquerading: Right-to-Left Override
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.003 Masquerading: Rename System Utilities
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1036.003 Masquerading: Rename System Utilities
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.004 Masquerading: Masquerade Task or Service
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.005 Masquerading: Match Legitimate Name or Location
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.006 Masquerading: Space after Filename
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1222 File and Directory Permissions Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1490 Inhibit System Recovery
action.malware.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1490 Inhibit System Recovery
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497.001 Virtualization/Sandbox Evasion: System Checks
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.001 Subvert Trust Contols: Gatekeeper Bypass
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.002 Subvert Trust Contols: Code Signing
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.003 Subvert Trust Contols: SIP and Trust Provider Hijacking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.004 Subvert Trust Contols: Install Root Certificate
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.005 Subvert Trust Contols: Mark-of-the-Web Bypass
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.006 Subvert Trust Contols: Code Signing Policy Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.006 Impair Defenses: Indicator Blocking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1574.012 Hijack Execution Flow: COR_PROFILER
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600.001 Weaken Encryption: Reduce Key Space
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600.002 Weaken Encryption: Disable Crypto Hardware
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601 Modify System Image
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601.001 Modify System Image: Patch System Image
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601.002 Modify System Image: Downgrade System Image
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1610 Deploy Container
action.malware.variety.Unknown Unknown related-to T1610 Deploy Container
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1204 User Execution
action.malware.variety.Unknown Unknown related-to T1204 User Execution
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1204.001 User Execution: Malicious Link
action.malware.variety.Unknown Unknown related-to T1204.001 User Execution: Malicious Link
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1204.001 User Execution: Malicious Link
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1204.002 User Execution: Malicious File
action.malware.variety.Unknown Unknown related-to T1204.002 User Execution: Malicious File
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1204.002 User Execution: Malicious File
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1204.003 User Execution: Malicious Image
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1204.003 User Execution: Malicious Image
action.malware.variety.Unknown Unknown related-to T1204.003 User Execution: Malicious Image
action.malware.variety.Export data Export data to another site or system related-to T1011 Exfiltration Over Other Network Medium
action.malware.variety.Export data Export data to another site or system related-to T1011.001 Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
action.malware.variety.Export data Export data to another site or system related-to T1020 Automated Exfiltration
action.malware.variety.Export data Export data to another site or system related-to T1020.001 Automated Exfiltration: Traffic Duplication
action.malware.variety.Export data Export data to another site or system related-to T1029 Scheduled Transfer
action.malware.variety.Export data Export data to another site or system related-to T1030 Data Transfer Size Limits
action.malware.variety.Export data Export data to another site or system related-to T1041 Exfiltration Over C2 Channels
action.malware.variety.Export data Export data to another site or system related-to T1048 Exfiltration Over Alternative Protocol
action.malware.variety.Export data Export data to another site or system related-to T1048.001 Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
action.malware.variety.Export data Export data to another site or system related-to T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
action.malware.variety.Export data Export data to another site or system related-to T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protcol
action.malware.variety.Export data Export data to another site or system related-to T1052 Exfiltration Over Physical Medium
action.malware.variety.Export data Export data to another site or system related-to T1052.001 Exfiltration Over Physical Medium: Exfiltration over USB
action.malware.variety.Export data Export data to another site or system related-to T1074 Data Staged
action.malware.variety.Export data Export data to another site or system related-to T1074.001 Data Staged: Local Data Staging
action.malware.variety.Export data Export data to another site or system related-to T1074.002 Data Staged: Remote Data Staging
action.malware.variety.Export data Export data to another site or system related-to T1197 BITS Jobs
action.malware.variety.Export data Export data to another site or system related-to T1537 Transfer Data to Cloud Account
action.malware.variety.Export data Export data to another site or system related-to T1560 Archive Collected Data
action.malware.variety.Export data Export data to another site or system related-to T1560.001 Archive Collected Data: Archive via Utility
action.malware.variety.Export data Export data to another site or system related-to T1560.002 Archive Collected Data: Archive via Library
action.malware.variety.Export data Export data to another site or system related-to T1560.003 Archive Collected Data: Archive via Custom Method
action.malware.variety.Export data Export data to another site or system related-to T1567 Exfiltration Over Web Service
action.malware.variety.Export data Export data to another site or system related-to T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository
action.malware.variety.Export data Export data to another site or system related-to T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1003.007 OS Credential Dumping: Proc Filesystem
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.007 OS Credential Dumping: Proc Filesystem
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055 Process Injection
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.001 Process Injection: Dynamic-link Library Injection
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.002 Process Injection: Portable Executable Injection
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.003 Process Injection: Thread Execution Hijacking
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.004 Process Injection: Asynchronous Procedure Call
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.005 Process Injection: Thread Local Storage
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.008 Process Injection: Ptrace System Calls
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.009 Process Injection: Proc Memory
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.011 Process Injection: Extra Window Memory Injection
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.012 Process Injection: Process Hollowing
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.013 Process Injection: Process Doppelganging
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.014 Process Injection: VDSO Hijacking
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1115 Clipboard Data
action.malware.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.003 DHCP Spoofing
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003 OS Credential Dumping
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.001 OS Credential Dumping: LSASS Memory
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1003.001 OS Credential Dumping: LSASS Memory
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.004 OS Credential Dumping: LSA Secrets
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1003.004 OS Credential Dumping: LSA Secrets
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.005 OS Credential Dumping: Cached Domain Credentials
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1003.005 OS Credential Dumping: Cached Domain Credentials
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1003.005 OS Credential Dumping: Cached Domain Credentials
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.001 Unsecured Credentials: Credentials in Files
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.002 Unsecured Credentials: Credentials in Registry
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.003 Unsecured Credentials: Bash History
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.004 Unsecured Credentials: Private Keys
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.005 Unsecured Credentials: Cloud Instance Metadata API
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.006 Unsecured Credentials: Group Policy Preferences
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555 Credentials from Password Stores
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.001 Credentials from Password Stores: Keychain
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.002 Credentials from Password Stores: Securityd Memory
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1555.002 Credentials from Password Stores: Securityd Memory
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.003 Credentials from Password Stores: Credentials from Web Browser
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.004 Credentials from Password Stores: Windows Credential Manager
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.005 Credentials from Password Stores: Password Managers
action.malware.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1486 Data Encrypted for Impact
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542 Pre-OS Boot
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.001 Pre-OS Boot: System Firmware
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.002 Pre-OS Boot: Component Firmware
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.003 Pre-OS Boot: Bootkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.004 Pre-OS Boot: ROMMONkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.005 Pre-OS Boot: TFTP Boot
action.malware.variety.Scan network Enumerating the state of the network related-to T1016 System Network Configuration Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1016.001 System Network Configuration Discovery: Internet Connection Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1482 Domain Trust Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1595 Active Scanning
action.malware.variety.Scan network Enumerating the state of the network related-to T1595.001 Active Scanning: Scanning IP Blocks
action.malware.variety.Unknown Unknown related-to T1080 Taint Shared Content
action.malware.variety.Worm Worm (propagate to other systems or devices) related-to T1080 Taint Shared Content
action.malware.variety.Worm Worm (propagate to other systems or devices) related-to T1091 Replication Through Removable Media
action.malware.vector.Removable media Removable storage media or devices related-to T1091 Replication Through Removable Media
action.malware.variety.Unknown Unknown related-to T1140 Deobfuscate/Decode Files or Information
action.malware.variety.Unknown Unknown related-to T1608 Stage Capabilities
action.malware.variety.Unknown Unknown related-to T1608.001 Stage Capabilities: Upload Malware
action.malware.variety.Unknown Unknown related-to T1608.002 Stage Capabilities: Upload Tools
action.malware.variety.Unknown Unknown related-to T1608.003 Stage Capabilities: Install Digital Certificate
action.malware.variety.Unknown Unknown related-to T1608.004 Stage Capabilities: Drive-by Target
action.malware.variety.Unknown Unknown related-to T1608.005 Stage Capabilities: Link Target
action.malware.variety.Unknown Unknown related-to T1612 Build Image on Host
action.malware.vector.Email Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown' related-to T1566.001 Phishing: Spearphishing Attachment
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1566.001 Phishing: Spearphishing Attachment
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1598.002 Phishing for Information: Spearphishing Attachment
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1556.002 Phishing: Spearphishing Link
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1598.003 Phishing for Information: Spearphishing Link
action.malware.vector.Instant messaging Instant Messaging related-to T1566 Phishing
action.malware.vector.Network propagation Network propagation related-to T1570 Lateral Tool Transfer
action.malware.vector.Removable media Removable storage media or devices related-to T1092 Communication Through Removable Media
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1189 Drive-by Compromise

Capabilities

Capability ID Capability Name Number of Mappings
action.malware.variety.Capture stored data Capture data stored on system disk 16
action.malware.variety.Worm Worm (propagate to other systems or devices) 2
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) 3
action.malware.vector.Web application Web application. Parent of 'Web application - download' and 'Web application - drive-by. 1
action.malware.variety.Ransomware Ransomware (encrypt or seize stored data) 2
action.malware.variety.Spyware/Keylogger Spyware, keylogger or form-grabber (capture user input or activity) 1
action.malware.variety.DoS DoS attack 9
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. 14
action.malware.variety.Click fraud and cryptocurrency mining Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. 1
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. 3
action.malware.variety.Profile host Enumerating the state of the current host 5
action.malware.vector.Instant messaging Instant Messaging 1
action.malware.vector.Network propagation Network propagation 6
action.malware.variety.Brute force Brute force attack 5
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' 2
action.malware.vector.Email Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown' 1
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. 36
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' 3
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' 7
action.malware.variety.Cryptocurrency mining Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. 1
action.malware.variety.Password dumper Password dumper (extract credential hashes) 24
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. 13
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new filess 2
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) 2
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. 48
action.malware.vector.Email link Email via embedded link. Child of 'Email' 4
action.malware.variety.Scan network Enumerating the state of the network 11
action.malware.vector.Download by malware Downloaded and installed by local malware 1
action.malware.vector.Partner Partner connection or credential. (Indicates supply chain breach.) 2
action.malware.variety.In-memory (malware never stored to persistent storage) 14
action.malware.variety.Packet sniffer Packet sniffer (capture data from network) 1
action.malware.vector.Removable media Removable storage media or devices 2
action.malware.variety.Export data Export data to another site or system 26
action.malware.vector.Remote injection Remotely injected by agent (i.e. via SQLi) 1
action.malware.vector.Software update Included in automated software update 2
action.malware.variety.Unknown Unknown 29
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) 3
action.malware.variety.Disable controls Disable or interfere with security controls 45
action.malware.variety.Downloader Downloader (pull updates or other malware) 5
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. 2
action.malware.variety.Destroy data Destroy or corrupt stored data 12
action.malware.variety.Adware Adware 1
action.malware.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. 4
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) 5
action.malware.variety.Capture app data Capture data from application or system process 18
action.malware.variety.Pass-the-hash Pass-the-hash 2
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) 9
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, MitB) 3
action.malware.variety.Click fraud Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. 1