VERIS action.malware Capability Group

All Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| action.malware.variety.Other | Other | related-to | T1080 | Taint Shared Content |
| action.malware.variety.Other | Other | related-to | T1204 | User Execution |
| action.malware.variety.Other | Other | related-to | T1204.001 | Malicious Link |
| action.malware.variety.Other | Other | related-to | T1204.002 | Malicious File |
| action.malware.variety.Other | Other | related-to | T1204.003 | Malicious Image |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1070.010 | Relocate Malware |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1071.005 | Publish/Subscribe Protocols |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1016.002 | Wi-Fi Discovery |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036.009 | Break Process Trees |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1071.005 | Publish/Subscribe Protocols |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1016.002 | Wi-Fi Discovery |
| action.malware.variety.Spyware/Keylogger | Spyware, keylogger or form-grabber (capture user input or activity) | related-to | T1111 | Multi-Factor Authentication Interception |
| action.malware.variety.Adminware | System or network utilities (e.g., PsTools, Netcat) | related-to | T1072 | Software Deployment Tools |
| action.malware.variety.Adware | Adware | related-to | T1199 | Trusted Relationship |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1037 | Boot or Logon Initialization Scripts |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1098 | Account Manipulation |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1133 | External Remote Services |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1008 | Fallback Channels |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1098 | Account Manipulation |
| action.malware.variety.Brute force | Brute force attack | related-to | T1110 | Brute Force |
| action.malware.variety.Brute force | Brute force attack | related-to | T1222.002 | Linux and Mac File and Directory Permissions Modification |
| action.malware.variety.Brute force | Brute force attack | related-to | T1565.001 | Stored Data Manipulation |
| action.malware.variety.Brute force | Brute force attack | related-to | T1021.003 | Distributed Component Object Model |
| action.malware.variety.Brute force | Brute force attack | related-to | T1531 | Account Access Removal |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1102.001 | Dead Drop Resolver |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1008 | Fallback Channels |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1071 | Application Layer Protocol |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1584.007 | Serverless |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1055.014 | VDSO Hijacking |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1021 | Remote Services |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1561 | Disk Wipe |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1090 | Proxy |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1566.003 | Spearphishing via Service |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1110.003 | Password Spraying |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1070.005 | Network Share Connection Removal |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1578.005 | Modify Cloud Compute Configurations |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1095 | Non-Application Layer Protocol |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1102 | Web Service |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1216 | System Script Proxy Execution |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1036.003 | Rename System Utilities |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1546.014 | Emond |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1104 | Multi-Stage Channels |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1132 | Data Encoding |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1583.007 | Serverless |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1485 | Data Destruction |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056 | Input Capture |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1596.003 | Digital Certificates |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1547.006 | Kernel Modules and Extensions |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1090.002 | External Proxy |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1546.017 | Udev Rules |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1113 | Screen Capture |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1114 | Email Collection |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1110.002 | Password Cracking |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1556.006 | Multi-Factor Authentication |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1546.009 | AppCert DLLs |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1123 | Audio Capture |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1125 | Video Capture |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1176 | Browser Extensions |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1185 | Browser Session Hijacking |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1114 | Email Collection |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1587 | Develop Capabilities |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1558.003 | Kerberoasting |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1565.002 | Transmitted Data Manipulation |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1005 | Data from Local System |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1010 | Application Window Discovery |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1025 | Data from Removable Media |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1033 | System Owner/User Discovery |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1039 | Data from Network Shared Drive |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1083 | File and Directory Discovery |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1119 | Automated Collection |
| action.malware.variety.Client-side attack | Client-side or browser attack (e.g., redirection, XSS, AitB) | related-to | T1203 | Exploitation for Client Execution |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1542.002 | Component Firmware |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1092 | Communication Through Removable Media |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1566.002 | Spearphishing Link |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1600.001 | Reduce Key Space |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1027.010 | Command Obfuscation |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1496.001 | Compute Hijacking |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1218 | System Binary Proxy Execution |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1006 | Direct Volume Access |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1027 | Obfuscated Files or Information |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1563 | Remote Service Session Hijacking |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1111 | Multi-Factor Authentication Interception |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1095 | Non-Application Layer Protocol |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1499 | Endpoint Denial of Service |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1059.011 | Lua |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036 | Masquerading |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1505.004 | IIS Components |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1562.007 | Disable or Modify Cloud Firewall |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1195.002 | Compromise Software Supply Chain |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1568 | Dynamic Resolution |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1074.001 | Local Data Staging |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1622 | Debugger Evasion |
| action.malware.variety.Downloader | Downloader (pull updates or other malware) | related-to | T1204 | User Execution |
| action.malware.variety.Downloader | Downloader (pull updates or other malware) | related-to | T1001.002 | Steganography |
| action.malware.variety.Downloader | Downloader (pull updates or other malware) | related-to | T1559.002 | Dynamic Data Exchange |
| action.malware.variety.Downloader | Downloader (pull updates or other malware) | related-to | T1027.005 | Indicator Removal from Tools |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1014 | Rootkit |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036 | Masquerading |
| action.malware.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1068 | Exploitation for Privilege Escalation |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1558.003 | Kerberoasting |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1011 | Exfiltration Over Other Network Medium |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1021.006 | Windows Remote Management |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1020 | Automated Exfiltration |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1055.004 | Asynchronous Procedure Call |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1029 | Scheduled Transfer |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1030 | Data Transfer Size Limits |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1072 | Software Deployment Tools |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1048 | Exfiltration Over Alternative Protocol |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1070 | Indicator Removal |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1552.006 | Group Policy Preferences |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1213.005 | Messaging Applications |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1052 | Exfiltration Over Physical Medium |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1588.002 | Tool |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1074 | Data Staged |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1218.013 | Mavinject |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1574.014 | AppDomainManager |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1197 | BITS Jobs |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1115 | Clipboard Data |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055 | Process Injection |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1053.002 | At |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1612 | Build Image on Host |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1560.002 | Archive via Library |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1036.004 | Masquerade Task or Service |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1538 | Cloud Service Dashboard |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1548.006 | TCC Manipulation |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1059.003 | Windows Command Shell |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | None | None |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1585.001 | Social Media Accounts |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1125 | Video Capture |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1546.001 | Change Default File Association |
| action.malware.variety.Modify data | Malware which compromises a legitimate file rather than creating new files | related-to | T1563.002 | RDP Hijacking |
| action.malware.variety.Packet sniffer | Packet sniffer (capture data from network) | related-to | T1007 | System Service Discovery |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003 | OS Credential Dumping |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1222 | File and Directory Permissions Modification |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1114 | Email Collection |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1587 | Develop Capabilities |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1547 | Boot or Logon Autostart Execution |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1598.004 | Spearphishing Voice |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1558.003 | Kerberoasting |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1115 | Clipboard Data |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1565.002 | Transmitted Data Manipulation |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1546.017 | Udev Rules |
| action.malware.variety.Profile host | Enumerating the state of the current host | related-to | T1007 | System Service Discovery |
| action.malware.variety.Profile host | Enumerating the state of the current host | related-to | T1012 | Query Registry |
| action.malware.variety.Profile host | Enumerating the state of the current host | related-to | T1033 | System Owner/User Discovery |
| action.malware.variety.Profile host | Enumerating the state of the current host | related-to | T1082 | System Information Discovery |
| action.malware.variety.Profile host | Enumerating the state of the current host | related-to | T1083 | File and Directory Discovery |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1222 | File and Directory Permissions Modification |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1114 | Email Collection |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1547 | Boot or Logon Autostart Execution |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1598.004 | Spearphishing Voice |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1014 | Rootkit |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1195.002 | Compromise Software Supply Chain |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1016 | System Network Configuration Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1496.003 | SMS Pumping |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1018 | Remote System Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1007 | System Service Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1046 | Network Service Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1049 | System Network Connections Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1135 | Network Share Discovery |
| action.malware.variety.Spyware/Keylogger | Spyware, keylogger or form-grabber (capture user input or activity) | related-to | T1546.017 | Udev Rules |
| action.malware.variety.Trojan | An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' | related-to | T1027.005 | Indicator Removal from Tools |
| action.malware.variety.Unknown | Unknown | related-to | T1140 | Deobfuscate/Decode Files or Information |
| action.malware.variety.Worm | Worm (propagate to other systems or devices) | related-to | T1080 | Taint Shared Content |
| action.malware.variety.Worm | Worm (propagate to other systems or devices) | related-to | T1091 | Replication Through Removable Media |
| action.malware.vector.Direct install | Directly installed or inserted by threat agent (after system access) | related-to | T1047 | Windows Management Instrumentation |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1036 | Masquerading |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1071.001 | Web Protocols |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1546.013 | PowerShell Profile |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1203 | Exploitation for Client Execution |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1559.002 | Dynamic Data Exchange |
| action.malware.vector.Email link | Email via embedded link. Child of 'Email' | related-to | T1598.004 | Spearphishing Voice |
| action.malware.vector.Email link | Email via embedded link. Child of 'Email' | related-to | T1001.002 | Steganography |
| action.malware.vector.Network propagation | Network propagation | related-to | T1021 | Remote Services |
| action.malware.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1195 | Supply Chain Compromise |
| action.malware.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1199 | Trusted Relationship |
| action.malware.vector.Remote injection | Remotely injected by agent (i.e. via SQLi) | related-to | T1133 | External Remote Services |
| action.malware.vector.Removable media | Removable storage media or devices | related-to | T1091 | Replication Through Removable Media |
| action.malware.vector.Removable media | Removable storage media or devices | related-to | T1092 | Communication Through Removable Media |
| action.malware.vector.Software update | Included in automated software update | related-to | T1072 | Software Deployment Tools |
| action.malware.vector.Software update | Included in automated software update | related-to | T1195 | Supply Chain Compromise |
| action.malware.vector.Web application | Web application. Parent of 'Web application - download' and 'Web application - drive-by'. | related-to | T1133 | External Remote Services |
| action.malware.vector.Web application - drive-by | Web via auto-executed or "drive-by" infection. Child of 'Web application'. | related-to | T1176 | Browser Extensions |
| action.malware.vector.Web application - drive-by | Web via auto-executed or "drive-by" infection. Child of 'Web application'. | related-to | T1189 | Drive-by Compromise |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1205 | Traffic Signaling |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1205 | Traffic Signaling |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1205.001 | Port Knocking |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1205.001 | Port Knocking |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1205.001 | Port Knocking |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1207 | Rogue Domain Controller |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1211 | Exploitation for Defense Evasion |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1212 | Exploitation for Credential Access |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1212 | Exploitation for Credential Access |
| action.malware.vector.Web application - drive-by | Web via auto-executed or "drive-by" infection. Child of 'Web application'. | related-to | T1212 | Exploitation for Credential Access |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1213 | Data from Information Repositories |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1213.001 | Confluence |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1213.002 | Sharepoint |
| action.malware.variety.Adminware | System or network utilities (e.g., PsTools, Netcat) | related-to | T1219 | Remote Access Software |
| action.malware.variety.Client-side attack | Client-side or browser attack (e.g., redirection, XSS, AitB) | related-to | T1221 | Template Injection |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1222 | File and Directory Permissions Modification |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1222.001 | Windows File and Directory Permissions Modification |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1222.002 | Linux and Mac File and Directory Permissions Modification |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1482 | Domain Trust Discovery |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1485 | Data Destruction |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1485.001 | Lifecycle-Triggered Deletion |
| action.malware.variety.Ransomware | Ransomware (encrypt or seize stored data) | related-to | T1486 | Data Encrypted for Impact |
| action.malware.variety.DoS | DoS attack | related-to | T1489 | Service Stop |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1490 | Inhibit System Recovery |
| action.malware.variety.Ransomware | Ransomware (encrypt or seize stored data) | related-to | T1490 | Inhibit System Recovery |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1495 | Firmware Corruption |
| action.malware.variety.Click fraud | Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. | related-to | T1496 | Resource Hijacking |
| action.malware.variety.Click fraud and cryptocurrency mining | Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. | related-to | T1496 | Resource Hijacking |
| action.malware.variety.Cryptocurrency mining | Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. | related-to | T1496 | Resource Hijacking |
| action.malware.variety.Click fraud and cryptocurrency mining | Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. | related-to | T1496.001 | Compute Hijacking |
| action.malware.variety.Cryptocurrency mining | Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. | related-to | T1496.001 | Compute Hijacking |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1497 | Virtualization/Sandbox Evasion |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1497.001 | System Checks |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1497.002 | User Activity Based Checks |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1497.003 | Time Based Evasion |
| action.malware.variety.DoS | DoS attack | related-to | T1498 | Network Denial of Service |
| action.malware.variety.DoS | DoS attack | related-to | T1498.001 | Direct Network Flood |
| action.malware.variety.DoS | DoS attack | related-to | T1498.002 | Reflection Amplification |
| action.malware.variety.DoS | DoS attack | related-to | T1499 | Endpoint Denial of Service |
| action.malware.variety.DoS | DoS attack | related-to | T1499.001 | OS Exhaustion Flood |
| action.malware.variety.DoS | DoS attack | related-to | T1499.002 | Service Exhaustion Flood |
| action.malware.variety.DoS | DoS attack | related-to | T1499.003 | Application Exhaustion Flood |
| action.malware.variety.DoS | DoS attack | related-to | T1499.004 | Application or System Exploitation |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1505 | Server Software Component |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1505 | Server Software Component |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1505.001 | SQL Stored Procedures |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1505.001 | SQL Stored Procedures |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1505.002 | Transport Agent |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1505.002 | Transport Agent |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1505.003 | Web Shell |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1505.003 | Web Shell |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1525 | Implant Internal Image |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1525 | Implant Internal Image |
| action.malware.variety.RAT | Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' | related-to | T1525 | Implant Internal Image |
| action.malware.variety.Unknown | Unknown | related-to | T1525 | Implant Internal Image |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1528 | Steal Application Access Token |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1530 | Data from Cloud Storage |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1537 | Transfer Data to Cloud Account |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1539 | Steal Web Session Cookie |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542 | Pre-OS Boot |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.001 | System Firmware |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.002 | Component Firmware |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.003 | Bootkit |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.004 | ROMMONkit |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.005 | TFTP Boot |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1543 | Create or Modify System Process |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1543 | Create or Modify System Process |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1543 | Create or Modify System Process |
| action.malware.variety.RAT | Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' | related-to | T1543.003 | Windows Service |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1546 | Event Triggered Execution |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1546 | Event Triggered Execution |
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.002 Bypass User Account Control
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, AitB) related-to T1548.003 Sudo and Sudo Caching
action.malware.variety.Pass-the-hash Pass-the-hash related-to T1550 Use Alternate Authentication Material
action.malware.vector.Network propagation Network propagation related-to T1550 Use Alternate Authentication Material
action.malware.variety.Pass-the-hash Pass-the-hash related-to T1550.002 Pass the Hash
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1550.002 Pass the Hash
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.001 Credentials In Files
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.002 Credentials in Registry
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.003 Bash History
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.004 Private Keys
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.005 Cloud Instance Metadata API
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.006 Group Policy Preferences
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.008 Chat Messages
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553 Subvert Trust Controls
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1553 Subvert Trust Controls
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.001 Gatekeeper Bypass
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.002 Code Signing
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.003 SIP and Trust Provider Hijacking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.004 Install Root Certificate
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.005 Mark-of-the-Web Bypass
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.006 Code Signing Policy Modification
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1554 Compromise Host Software Binary
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1554 Compromise Host Software Binary
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1554 Compromise Host Software Binary
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1554 Compromise Host Software Binary
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555 Credentials from Password Stores
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.001 Keychain
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.002 Securityd Memory
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1555.002 Securityd Memory
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.003 Credentials from Web Browsers
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.004 Windows Credential Manager
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.005 Password Managers
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.006 Cloud Secrets Management Stores
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1566.002 Spearphishing Link
action.malware.variety.AiTM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557 Adversary-in-the-Middle
action.malware.variety.AiTM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
action.malware.variety.AiTM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.002 ARP Cache Poisoning
action.malware.variety.AiTM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.003 DHCP Spoofing
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.011 Spoof Security Alerting
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1558.004 AS-REP Roasting
action.malware.variety.Export data Export data to another site or system related-to T1560 Archive Collected Data
action.malware.variety.Export data Export data to another site or system related-to T1560.001 Archive via Utility
action.malware.variety.Export data Export data to another site or system related-to T1560.002 Archive via Library
action.malware.variety.Export data Export data to another site or system related-to T1560.003 Archive via Custom Method
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561 Disk Wipe
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561.001 Disk Content Wipe
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561.002 Disk Structure Wipe
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562 Impair Defenses
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1562 Impair Defenses
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new files related-to T1562 Impair Defenses
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.001 Disable or Modify Tools
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.002 Disable Windows Event Logging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.003 Impair Command History Logging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.004 Disable or Modify System Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.006 Indicator Blocking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.007 Disable or Modify Cloud Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Disable or Modify Cloud Logs
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.011 Spoof Security Alerting
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.012 Disable or Modify Linux Audit System
action.malware.vector.Network propagation Network propagation related-to T1563 Remote Service Session Hijacking
action.malware.vector.Network propagation Network propagation related-to T1563.001 SSH Hijacking
action.malware.vector.Network propagation Network propagation related-to T1563.002 RDP Hijacking
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.001 Hidden Files and Directories
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.002 Hidden Users
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.003 Hidden Window
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.004 NTFS File Attributes
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.005 Hidden File System
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.006 Run Virtual Instance
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.007 VBA Stomping
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1564.007 VBA Stomping
action.malware.vector.Instant messaging Instant Messaging related-to T1566 Phishing
action.malware.vector.Email Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown' related-to T1566.001 Spearphishing Attachment
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1566.001 Spearphishing Attachment
action.malware.variety.Export data Export data to another site or system related-to T1567 Exfiltration Over Web Service
action.malware.variety.Export data Export data to another site or system related-to T1567.001 Exfiltration to Code Repository
action.malware.variety.Export data Export data to another site or system related-to T1567.002 Exfiltration to Cloud Storage
action.malware.variety.Export data Export data to another site or system related-to T1567.003 Exfiltration to Text Storage Sites
action.malware.variety.Export data Export data to another site or system related-to T1567.004 Exfiltration Over Webhook
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568 Dynamic Resolution
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568 Dynamic Resolution
action.malware.vector.Download by malware Downloaded and installed by local malware related-to T1568 Dynamic Resolution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.001 Fast Flux DNS
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.001 Fast Flux DNS
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.002 Domain Generation Algorithms
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.002 Domain Generation Algorithms
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.003 DNS Calculation
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.003 DNS Calculation
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1569.002 Service Execution
action.malware.vector.Network propagation Network propagation related-to T1570 Lateral Tool Transfer
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1571 Non-Standard Port
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1571 Non-Standard Port
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1572 Protocol Tunneling
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1572 Protocol Tunneling
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573 Encrypted Channel
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573 Encrypted Channel
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573.001 Symmetric Cryptography
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573.001 Symmetric Cryptography
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573.002 Asymmetric Cryptography
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573.002 Asymmetric Cryptography
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1574.012 COR_PROFILER
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. related-to T1583 Acquire Infrastructure
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.001 Domains
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.001 Domains
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.002 DNS Server
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.002 DNS Server
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.006 Web Services
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.006 Web Services
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. related-to T1584 Compromise Infrastructure
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1584.002 DNS Server
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1584.002 DNS Server
action.malware.variety.Unknown Unknown related-to T1587.001 Malware
action.malware.variety.Unknown Unknown related-to T1587.004 Exploits
action.malware.variety.Unknown Unknown related-to T1588.001 Malware
action.malware.variety.Unknown Unknown related-to T1588.005 Exploits
action.malware.variety.Unknown Unknown related-to T1588.006 Vulnerabilities
action.malware.variety.Unknown Unknown related-to T1588.007 Artificial Intelligence
action.malware.variety.Scan network Enumerating the state of the network related-to T1595 Active Scanning
action.malware.variety.Scan network Enumerating the state of the network related-to T1595.001 Scanning IP Blocks
action.malware.variety.Scan network Enumerating the state of the network related-to T1595.002 Vulnerability Scanning
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1598.002 Spearphishing Attachment
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1598.003 Spearphishing Link
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600 Weaken Encryption
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600.001 Reduce Key Space
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600.002 Disable Crypto Hardware
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601 Modify System Image
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601.001 Patch System Image
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601.002 Downgrade System Image
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1602 Data from Configuration Repository
action.malware.variety.Unknown Unknown related-to T1608 Stage Capabilities
action.malware.variety.Unknown Unknown related-to T1608.001 Upload Malware
action.malware.variety.Unknown Unknown related-to T1608.002 Upload Tool
action.malware.variety.Unknown Unknown related-to T1608.003 Install Digital Certificate
action.malware.variety.Unknown Unknown related-to T1608.004 Drive-by Target
action.malware.variety.Unknown Unknown related-to T1608.005 Link Target
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1610 Deploy Container
action.malware.variety.Unknown Unknown related-to T1610 Deploy Container
action.malware.variety.Unknown Unknown related-to T1612 Build Image on Host
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1622 Debugger Evasion
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1546.017 Udev Rules
action.malware.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1584.008 Network Devices
action.malware.vector.remote injection None related-to T1659 Content Injection

Capabilities

Capability ID Capability Name Number of Mappings
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) 2
action.malware.variety.Brute force Brute force attack 5
action.malware.variety.Profile host Enumerating the state of the current host 5
action.malware.variety.Ransomware Ransomware (encrypt or seize stored data) 2
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) 3
action.malware.variety.Scan network Enumerating the state of the network 12
action.malware.variety.In-memory (malware never stored to persistent storage) 14
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. 16
action.malware.variety.Click fraud Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. 1
action.malware.vector.Partner Partner connection or credential. (Indicates supply chain breach.) 3
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. 14
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. 2
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new files 2
action.malware.variety.Destroy data Destroy or corrupt stored data 13
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. 37
action.malware.variety.Click fraud and cryptocurrency mining Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. 2
action.malware.vector.Network propagation Network propagation 6
action.malware.variety.DoS DoS attack 9
action.malware.variety.Other Other 5
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. 3
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. 26
action.malware.vector.Remote injection Remotely injected by agent (i.e. via SQLi) 1
action.malware.vector.Software update Included in automated software update 2
action.malware.variety.Packet sniffer Packet sniffer (capture data from network) 1
action.malware.variety.AiTM Man-in-the-middle attack. Child of 'Exploit vuln'. 4
action.malware.vector.Email link Email via embedded link. Child of 'Email' 4
action.malware.variety.Disable controls Disable or interfere with security controls 47
action.malware.vector.Removable media Removable storage media or devices 2
action.malware.vector.Download by malware Downloaded and installed by local malware 1
action.malware.variety.Capture app data Capture data from application or system process 17
action.malware.vector.Email Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown' 1
action.malware.vector.Instant messaging Instant Messaging 1
action.malware.variety.Export data Export data to another site or system 28
action.malware.variety.Downloader Downloader (pull updates or other malware) 5
action.malware.variety.Spyware/Keylogger Spyware, keylogger or form-grabber (capture user input or activity) 2
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' 3
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) 9
action.malware.variety.Capture stored data Capture data stored on system disk 17
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) 3
action.malware.variety.Cryptocurrency mining Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. 2
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' 7
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' 2
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) 5
action.malware.variety.Worm Worm (propagate to other systems or devices) 2
action.malware.variety.Password dumper Password dumper (extract credential hashes) 26
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, AitB) 3
action.malware.vector.remote injection None 1
action.malware.variety.Pass-the-hash Pass-the-hash 2
action.malware.vector.Web application Web application. Parent of 'Web application - download' and 'Web application - drive-by'. 1
action.malware.variety.Unknown Unknown 16
action.malware.variety.Adware Adware 1
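The two tables above are a flattened rendering of the project's mapping rows. The following is an added example, not code from the mapping project: it parses rows in exactly that flattened form (capability ID, description, "related-to", ATT&CK ID, ATT&CK name), derives the parent/child relations that the descriptions state ("Parent of 'C2' and 'Backdoor'"), reproduces the per-capability row counts shown in the Capabilities table, and then codes a constructed incident's ATT&CK techniques as VERIS action.malware enumerations. The VERIS_NAMES vocabulary is copied from the Capabilities table (needed because both the enumeration name and its description can contain spaces); the sample rows are copied from the All Mappings table; the sample incident and the fallback from an unmapped sub-technique to its parent technique are assumptions made for the demo.

```python
"""Parse flattened VERIS-to-ATT&CK mapping rows and code an incident.

Added example, not part of the mapping project. SAMPLE_ROWS are copied from
the page; VERIS_NAMES comes from the page's Capabilities table; the incident
and the parent-technique fallback are assumptions for the demo.
"""
import re
from collections import Counter, defaultdict

# Enumeration names that follow "action.<category>.variety." / ".vector.".
# Rows can only be split by longest match against this known vocabulary.
VERIS_NAMES = [
    "Direct install", "Brute force", "Profile host", "Ransomware", "Adminware",
    "Scan network", "In-memory", "Evade Defenses", "Click fraud", "Partner", "Backdoor",
    "Web application - download", "Modify data", "Destroy data", "C2", "DoS", "Other",
    "Click fraud and cryptocurrency mining", "Network propagation", "Backdoor or C2",
    "Web application - drive-by", "Remote injection", "Software update", "Packet sniffer",
    "AiTM", "Email link", "Disable controls", "Removable media", "Download by malware",
    "Capture app data", "Email", "Instant messaging", "Export data", "Downloader",
    "Spyware/Keylogger", "Trojan", "Rootkit", "Capture stored data", "Exploit misconfig",
    "Cryptocurrency mining", "Email attachment", "RAT", "RAM scraper", "Worm",
    "Password dumper", "Client-side attack", "Pass-the-hash", "Web application",
    "Unknown", "Adware",
]

# Constructed sample: rows copied verbatim from the All Mappings table.
SAMPLE_ROWS = """\
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.003 Web Shell
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.003 Web Shell
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562 Impair Defenses
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1562 Impair Defenses
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.001 Disable or Modify Tools
action.malware.vector.Email Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown' related-to T1566.001 Spearphishing Attachment
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1566.001 Spearphishing Attachment
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.002 Domain Generation Algorithms
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.002 Domain Generation Algorithms
"""

ROW_RE = re.compile(r"^(?P<head>.+?) related-to (?P<tid>T\d{4}(?:\.\d{3})?) (?P<tname>.+)$")
PREFIX_RE = re.compile(r"^action\.\w+\.(?:variety|vector)\.")


def parse_row(line):
    """Return (capability_id, description, attack_id, attack_name) for one row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a mapping row: {line!r}")
    prefix = PREFIX_RE.match(m["head"])
    if not prefix:
        raise ValueError(f"unrecognised capability prefix: {m['head']!r}")
    rest = m["head"][prefix.end():]
    # Longest vocabulary name followed by a space wins, so 'Backdoor or C2'
    # beats 'Backdoor' and 'Email attachment' beats 'Email'.
    candidates = [n for n in VERIS_NAMES if rest == n or rest.startswith(n + " ")]
    if not candidates:
        raise ValueError(f"unknown VERIS enumeration in: {rest!r}")
    name = max(candidates, key=len)
    return prefix.group(0) + name, rest[len(name):].strip(), m["tid"], m["tname"]


def build_index(text):
    """Return (technique -> capabilities, per-capability row counts, parent -> children).
    The parent relation is read from the descriptions' own 'Parent of/to ...' text."""
    by_technique, counts, children = defaultdict(set), Counter(), defaultdict(set)
    for line in filter(str.strip, text.splitlines()):
        cap, desc, tid, _ = parse_row(line)
        by_technique[tid].add(cap)
        counts[cap] += 1  # this is the "Number of Mappings" column
        rel = re.search(r"Parent (?:of|to) ([^.]*)", desc)
        if rel:
            prefix = PREFIX_RE.match(cap).group(0)
            children[cap].update(prefix + c for c in re.findall(r"'([^']+)'", rel.group(1)))
    return by_technique, counts, children


def code_incident(technique_ids, index):
    """Translate observed ATT&CK IDs into VERIS enumerations. Assumption: a
    sub-technique with no row of its own falls back to its parent technique.
    A parent enumeration such as 'Backdoor or C2' is dropped when a more
    specific child was also selected, since VERIS reserves it for unclear cases."""
    by_technique, _, children = index
    selected, fallbacks, unmapped = set(), {}, []
    for tid in technique_ids:
        parent_tid = tid.split(".")[0]
        if tid in by_technique:
            selected |= by_technique[tid]
        elif parent_tid != tid and parent_tid in by_technique:
            fallbacks[tid] = parent_tid
            selected |= by_technique[parent_tid]
        else:
            unmapped.append(tid)
    parents_of_selected = {p for p, kids in children.items() if kids & selected}
    return {"coded": sorted(selected - parents_of_selected),
            "fallbacks": fallbacks, "unmapped": unmapped}


INDEX = build_index(SAMPLE_ROWS)
# Constructed incident: techniques an analyst confirmed from the evidence.
INCIDENT_TECHNIQUES = ["T1566.001", "T1505.003", "T1562.004", "T1568.002", "T1561.001"]

if __name__ == "__main__":
    for key, value in code_incident(INCIDENT_TECHNIQUES, INDEX).items():
        print(f"{key}: {value}")
```

Running it over the constructed incident codes the web shell and DGA-based C2 as the specific 'Backdoor' and 'C2' enumerations (dropping the 'Backdoor or C2' parent), codes the spearphishing attachment as the 'Email attachment' vector, records that T1562.004 was coded via its parent T1562, and reports T1561.001 as having no row in the sample; on the full table the fallback would not be needed for that technique.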