开源软件名称（OpenSource Name）：

开源软件地址(OpenSource Url)：

开源编程语言(OpenSource Language)：

开源软件介绍(OpenSource Introduction)：

Malware Behavior Catalog v2.2

The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting. Please see the FAQ page for answers to common questions.

Check out the MBC presentations:

• Standardized Reporting with the Malware Behavior Catalog, VB2020 localhost (October 2020)
• Malware Behavior Catalog, BSides DC (October 2019)

We've also mapped MBC (and ATT&CK) to two open-source malware analysis tools:

• Cuckoo community signatures
• capa rules - see the mapping distribution

To join the MBC mailing list, please send a request to [email protected].

Objectives

As shown below, malware objectives are based on ATT&CK tactics, and are tailored for the malware analysis use case of characterizing malware based on known objectives and behaviors. Two malware analysis-specific objectives not in ATT&CK are also defined (ANTI-BEHAVIORAL ANALYSIS and ANTI-STATIC ANALYSIS).

Behaviors

Under each objective, MBC captures all behaviors and code characteristics discovered during malware analysis, with links to ATT&CK techniques as appropriate. Names of MBC behaviors may or may not match related ATT&CK techniques. Any content provided on behavior pages is supplemental to ATT&CK content. In other words, ATT&CK content is not duplicated in MBC, and MBC users will reference ATT&CK while capturing malware behaviors.

Methods

Methods are associated with behaviors and serve different roles, depending on the behavior. In some cases, a method further refines a behavior (i.e., sub-behavior); in other cases, a method is an implementation of a behavior. Previously, methods had no ATT&CK counterpart, but beginning in April 2020, ATT&CK defines sub-techniques, which are similar to methods.

Note that a method cannot be used without a behavior.

Micro-behaviors

Some malware behaviors are low-level, support many objectives and other behaviors, and aren't necessarily malicious. For example, a TCP socket may be created, or a string may be checked for some condition. Because such behaviors are often noted in malware analysis, they are captured in MBC. See Micro-behaviors for details.

Identifiers

As shown below, the letter of an identifier relays information about a behavior. Note that letters used in MBC 2.0 are changed from previous versions.

Two letters of an identifier relay information about an objective.

Identifiers of methods are formatted in the same way as ATT&CK sub-techniques. If MBC defines a new method for an existing ATT&CK technique, the identifier is changed from "T" to "E" and an "m" identifier is added (e.g., a method added to T1234 would be denoted E1234.m01 and is different than T1234.001, although both refer to the T1234 ATT&CK technique). Method identifiers of "B", "C", and "F" behaviors are defined without the "m" (e.g., B0008.009; C0005.002; F0001.005).

When two or more MBC behaviors refine the same ATT&CK technique, each is given an MBC identifier and each references the ATT&CK identifier. When a new ATT&CK technique is defined after an MBC behavior has been defined, the preexisting MBC identifier is preserved and the new ATT&CK identifier is referenced.

Canonical Representation

The canonical representation for MBC content is OBJECTIVE::Behavior::Method. For example, ANTI-BEHAVIORAL ANALYSIS::Debugger Detection::Process Environment Block.

Objectives and behaviors can be used alone, but a method must be associated with a behavior.

Malware Corpus

The MBC contains a malware corpus where each malware entry is decomposed into behaviors that are mapped to ATT&CK and MBC. The mappings are based on open source malware analysis reports.

Micro-behavior Objectives

Micro-behaviors and their associated objectives are under development.

Malware Objective Descriptions

Malware objectives are defined in the table below. Follow the links to view associated behaviors.

Navigator View

This visual representation of the MBC Matrix is based on the ATT&CK Navigator (opens in a new window).

MBC Behaviors

The table below lists MBC behaviors and related ATT&CK techniques. In most cases, related ATT&CK techniques were defined after the MBC behavior was defined.

Copyright 2022 The MITRE Corporation. Terms of Use.