Merge pull request #55 from semanticarts/issue-37-malware-capabilities-vocab

rhohimer · web-flow · commit f409e05a376d · 2025-05-07T11:36:07.000-07:00
fixes issue #37, implemented the STIX malware capability vocabulary
diff --git a/ontologies/vocabs.ttl b/ontologies/vocabs.ttl
@@ -84,6 +84,13 @@ gist:InfrastructureType
 	rdfs:subClassOf gist:StixCategoryObject ;
 	.
 
+gist:MalwareCapability
+	a owl:Class ;
+	rdfs:subClassOf gist:StixCategoryObject ;
+	skos:definition "A Category class who's instances provide categorization by capability of malware. Describes categories of what a malware can do."^^xsd:string ;
+	skos:prefLabel "Malware Capability"^^xsd:string ;
+	.
+
 gist:MalwareResult
 	a owl:Class ;
 	rdfs:subClassOf gist:StixCategoryObject ;
@@ -1062,6 +1069,265 @@ Specifies an endpoint machine used for work by an organization that needs protec
 	skos:prefLabel "workstation"^^xsd:string ;
 	.
 
+gist:_MalwareCapability_Accesses-Remote-Machines
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to access one or more remote machines."""^^xsd:string ;
+	skos:prefLabel "accesses-remote-machines"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Anti-Debugging
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult."""^^xsd:string ;
+	skos:prefLabel "anti-debugging"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Anti-Disassembly
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to prevent itself from being disassembled or make disassembly more difficult."""^^xsd:string ;
+	skos:prefLabel "anti-disassembly"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Anti-Emulation
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to prevent its execution inside of an emulator or is able to make emulation more difficult."""^^xsd:string ;
+	skos:prefLabel "anti-emulation"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Anti-Memory-Forensics
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to prevent or make memory forensics more difficult."""^^xsd:string ;
+	skos:prefLabel "anti-memory-forensics"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Anti-Sandbox
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to prevent sandbox-based behavioral analysis or make it more difficult."""^^xsd:string ;
+	skos:prefLabel "anti-sandbox"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Anti-Vm
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult."""^^xsd:string ;
+	skos:prefLabel "anti-vm"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Captures-Input-Peripherals
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to capture data from a system's input peripheral devices, such as a keyboard or mouse. This includes things like keylogging."""^^xsd:string ;
+	skos:prefLabel "captures-input-peripherals"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Captures-Output-Peripherals
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family captures data sent to a system's output peripherals, such as a display. Examples include things like screen scraping."""^^xsd:string ;
+	skos:prefLabel "captures-output-peripherals"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Captures-System-State-Data
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to capture information about a system's state (e.g., data currently in its RAM)."""^^xsd:string ;
+	skos:prefLabel "captures-system-state-data"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Commits-Fraud
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family commits fraud, such as click fraud (for example)."""^^xsd:string ;
+	skos:prefLabel "commits-fraud"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Communicates-With-C2
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to communicate (i.e., send or receive data) with a command and control (C2) server."""^^xsd:string ;
+	skos:prefLabel "communicates-with-c2"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Compromises-Data-Availability
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to compromise the availability of data on the local system on which it is executing and/or one or more remote systems. For example, encrypting data on disk, as done by ransomware."""^^xsd:string ;
+	skos:prefLabel "compromises-data-availability"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Compromises-Data-Integrity
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted (e.g., in the case of network traffic) by the system on which it is executing."""^^xsd:string ;
+	skos:prefLabel "compromises-data-integrity"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Compromises-System-Availability
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to consume system resources for its malicious purposes, such as password cracking or participating in a DDoS botnet, thereby compromising the availability of the local system and/or one or more remote systems."""^^xsd:string ;
+	skos:prefLabel "compromises-system-availability"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Controls-Local-Machine
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to control the machine on which it is executing (e.g., RATs)."""^^xsd:string ;
+	skos:prefLabel "controls-local-machine"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Degrades-Security-Software
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to bypass or disable security programs or operating system security features on a system (including mobile devices), either by stopping them from executing or by making changes to their code or configuration parameters. For example, malware that blocks the local machine from accessing the websites of security vendors."""^^xsd:string ;
+	skos:prefLabel "degrades-security-software"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Degrades-System-Updates
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to disable the downloading and installation of system updates and patches."""^^xsd:string ;
+	skos:prefLabel "degrades-system-updates"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Determines-C2-Server
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to identify one or more command and control (C2) servers with which to communicate (e.g., DGA)."""^^xsd:string ;
+	skos:prefLabel "determines-c2-server"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Evades-Av
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to evade detection by antivirus tools."""^^xsd:string ;
+	skos:prefLabel "evades-av"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Exfiltrates-Data
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to gather, prepare, (possibly obfuscate) data and transmit it to exfiltration points."""^^xsd:string ;
+	skos:prefLabel "exfiltrates-data"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Fingerprints-Host
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to fingerprint or probe the configuration of the host system on which it is executing for the purpose of altering its behavior based on this environment."""^^xsd:string ;
+	skos:prefLabel "fingerprints-host"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Hides-Artifacts
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to hide its artifacts, such as files and open ports."""^^xsd:string ;
+	skos:prefLabel "hides-artifacts"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Infects-Files
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to infect one or more files on the system on which it executes. For example, malware which injects a malicious payload into all PDFs on a host as a means of propagation."""^^xsd:string ;
+	skos:prefLabel "infects-files"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Infects-Remote-Machines
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to self-propagate to a remote machine or infect a remote machine with malware that is different than itself."""^^xsd:string ;
+	skos:prefLabel "infects-remote-machines"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Installs-Other-Components
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools."""^^xsd:string ;
+	skos:prefLabel "installs-other-components"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Persists-After-System-Reboot
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to continue executing after the reboot of the system on which it is resident."""^^xsd:string ;
+	skos:prefLabel "persists-after-system-reboot"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Prevents-Artifact-Access
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to prevent its artifacts (e.g., files, registry keys, etc.) from being accessed."""^^xsd:string ;
+	skos:prefLabel "prevents-artifact-access"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Prevents-Artifact-Deletion
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to prevent its artifacts (e.g., files, registry keys, etc.) from being deleted."""^^xsd:string ;
+	skos:prefLabel "prevents-artifact-deletion"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Probes-Network-Environment
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy."""^^xsd:string ;
+	skos:prefLabel "probes-network-environment"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Self-Modifies
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to modify itself."""^^xsd:string ;
+	skos:prefLabel "self-modifies"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Steals-Authentication-Credentials
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance is able to steal authentication credentials."""^^xsd:string ;
+	skos:prefLabel "steals-authentication-credentials"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_Violates-System-Operational-Integrity
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to compromise the operational integrity of the system on which it is executing and/or one or more remote systems, e.g., by causing them to operate beyond their set of specified operational parameters. For example, malware that causes the CPU fan on the machine that it is executing to spin at a higher than normal speed."""^^xsd:string ;
+	skos:prefLabel "violates-system-operational-integrity"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_cleans-traces-of-infection
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to clean traces of its infection (e.g., file system artifacts) from a system."""^^xsd:string ;
+	skos:prefLabel "cleans-traces-of-infection"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_eEails-Spam
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to send spam email messages."""^^xsd:string ;
+	skos:prefLabel "emails-spam"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_escalates-privileges
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to escalate the privileges under which it is executing."""^^xsd:string ;
+	skos:prefLabel "escalates-privileges"^^xsd:string ;
+	.
+
+gist:_MalwareCapability_hides-executing-code
+	a gist:MalwareCapability ;
+	skos:definition """STIX 2.1 description:
+Indicates that the malware instance or family is able to hide its code by compromising the bootloader, kernel modules, hypervisor, etc."""^^xsd:string ;
+	skos:prefLabel "hides-executing-code"^^xsd:string ;
+	.
+
 gist:_MalwareResult_benign
 	a gist:MalwareResult ;
 	skos:definition """STIX 2.1 description:
