Skip to content

fixes issue #37, implemented the STIX malware capability vocabulary #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 7, 2025
Merged

fixes issue #37, implemented the STIX malware capability vocabulary #55

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
266 changes: 266 additions & 0 deletions ontologies/vocabs.ttl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,13 @@ gist:InfrastructureType
rdfs:subClassOf gist:StixCategoryObject ;
.

gist:MalwareCapability
a owl:Class ;
rdfs:subClassOf gist:StixCategoryObject ;
skos:definition "A Category class who's instances provide categorization by capability of malware. Describes categories of what a malware can do."^^xsd:string ;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

'''suggestion
skos:definition "A category indicating the nature of a malware capability i.e. what the malware can do."^^xsd:string ;

skos:prefLabel "Malware Capability"^^xsd:string ;
.

gist:MalwareResult
a owl:Class ;
rdfs:subClassOf gist:StixCategoryObject ;
Expand Down Expand Up @@ -1055,6 +1062,265 @@ Specifies an endpoint machine used for work by an organization that needs protec
skos:prefLabel "workstation"^^xsd:string ;
.

gist:_MalwareCapability_Accesses-Remote-Machines
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to access one or more remote machines."""^^xsd:string ;
skos:prefLabel "accesses-remote-machines"^^xsd:string ;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not very human readable, remove dashes? Maybe same case, e.g. "Accesses Remote Machines"

.

gist:_MalwareCapability_Anti-Debugging
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult."""^^xsd:string ;
skos:prefLabel "anti-debugging"^^xsd:string ;
.

gist:_MalwareCapability_Anti-Disassembly
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to prevent itself from being disassembled or make disassembly more difficult."""^^xsd:string ;
skos:prefLabel "anti-disassembly"^^xsd:string ;
.

gist:_MalwareCapability_Anti-Emulation
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to prevent its execution inside of an emulator or is able to make emulation more difficult."""^^xsd:string ;
skos:prefLabel "anti-emulation"^^xsd:string ;
.

gist:_MalwareCapability_Anti-Memory-Forensics
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to prevent or make memory forensics more difficult."""^^xsd:string ;
skos:prefLabel "anti-memory-forensics"^^xsd:string ;
.

gist:_MalwareCapability_Anti-Sandbox
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to prevent sandbox-based behavioral analysis or make it more difficult."""^^xsd:string ;
skos:prefLabel "anti-sandbox"^^xsd:string ;
.

gist:_MalwareCapability_Anti-Vm
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult."""^^xsd:string ;
skos:prefLabel "anti-vm"^^xsd:string ;
.

gist:_MalwareCapability_Captures-Input-Peripherals
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to capture data from a system's input peripheral devices, such as a keyboard or mouse. This includes things like keylogging."""^^xsd:string ;
skos:prefLabel "captures-input-peripherals"^^xsd:string ;
.

gist:_MalwareCapability_Captures-Output-Peripherals
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family captures data sent to a system's output peripherals, such as a display. Examples include things like screen scraping."""^^xsd:string ;
skos:prefLabel "captures-output-peripherals"^^xsd:string ;
.

gist:_MalwareCapability_Captures-System-State-Data
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to capture information about a system's state (e.g., data currently in its RAM)."""^^xsd:string ;
skos:prefLabel "captures-system-state-data"^^xsd:string ;
.

gist:_MalwareCapability_Commits-Fraud
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family commits fraud, such as click fraud (for example)."""^^xsd:string ;
skos:prefLabel "commits-fraud"^^xsd:string ;
.

gist:_MalwareCapability_Communicates-With-C2
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to communicate (i.e., send or receive data) with a command and control (C2) server."""^^xsd:string ;
skos:prefLabel "communicates-with-c2"^^xsd:string ;
.

gist:_MalwareCapability_Compromises-Data-Availability
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to compromise the availability of data on the local system on which it is executing and/or one or more remote systems. For example, encrypting data on disk, as done by ransomware."""^^xsd:string ;
skos:prefLabel "compromises-data-availability"^^xsd:string ;
.

gist:_MalwareCapability_Compromises-Data-Integrity
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted (e.g., in the case of network traffic) by the system on which it is executing."""^^xsd:string ;
skos:prefLabel "compromises-data-integrity"^^xsd:string ;
.

gist:_MalwareCapability_Compromises-System-Availability
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to consume system resources for its malicious purposes, such as password cracking or participating in a DDoS botnet, thereby compromising the availability of the local system and/or one or more remote systems."""^^xsd:string ;
skos:prefLabel "compromises-system-availability"^^xsd:string ;
.

gist:_MalwareCapability_Controls-Local-Machine
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to control the machine on which it is executing (e.g., RATs)."""^^xsd:string ;
skos:prefLabel "controls-local-machine"^^xsd:string ;
.

gist:_MalwareCapability_Degrades-Security-Software
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to bypass or disable security programs or operating system security features on a system (including mobile devices), either by stopping them from executing or by making changes to their code or configuration parameters. For example, malware that blocks the local machine from accessing the websites of security vendors."""^^xsd:string ;
skos:prefLabel "degrades-security-software"^^xsd:string ;
.

gist:_MalwareCapability_Degrades-System-Updates
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to disable the downloading and installation of system updates and patches."""^^xsd:string ;
skos:prefLabel "degrades-system-updates"^^xsd:string ;
.

gist:_MalwareCapability_Determines-C2-Server
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to identify one or more command and control (C2) servers with which to communicate (e.g., DGA)."""^^xsd:string ;
skos:prefLabel "determines-c2-server"^^xsd:string ;
.

gist:_MalwareCapability_Evades-Av
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to evade detection by antivirus tools."""^^xsd:string ;
skos:prefLabel "evades-av"^^xsd:string ;
.

gist:_MalwareCapability_Exfiltrates-Data
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to gather, prepare, (possibly obfuscate) data and transmit it to exfiltration points."""^^xsd:string ;
skos:prefLabel "exfiltrates-data"^^xsd:string ;
.

gist:_MalwareCapability_Fingerprints-Host
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to fingerprint or probe the configuration of the host system on which it is executing for the purpose of altering its behavior based on this environment."""^^xsd:string ;
skos:prefLabel "fingerprints-host"^^xsd:string ;
.

gist:_MalwareCapability_Hides-Artifacts
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to hide its artifacts, such as files and open ports."""^^xsd:string ;
skos:prefLabel "hides-artifacts"^^xsd:string ;
.

gist:_MalwareCapability_Infects-Files
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to infect one or more files on the system on which it executes. For example, malware which injects a malicious payload into all PDFs on a host as a means of propagation."""^^xsd:string ;
skos:prefLabel "infects-files"^^xsd:string ;
.

gist:_MalwareCapability_Infects-Remote-Machines
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to self-propagate to a remote machine or infect a remote machine with malware that is different than itself."""^^xsd:string ;
skos:prefLabel "infects-remote-machines"^^xsd:string ;
.

gist:_MalwareCapability_Installs-Other-Components
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools."""^^xsd:string ;
skos:prefLabel "installs-other-components"^^xsd:string ;
.

gist:_MalwareCapability_Persists-After-System-Reboot
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to continue executing after the reboot of the system on which it is resident."""^^xsd:string ;
skos:prefLabel "persists-after-system-reboot"^^xsd:string ;
.

gist:_MalwareCapability_Prevents-Artifact-Access
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to prevent its artifacts (e.g., files, registry keys, etc.) from being accessed."""^^xsd:string ;
skos:prefLabel "prevents-artifact-access"^^xsd:string ;
.

gist:_MalwareCapability_Prevents-Artifact-Deletion
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to prevent its artifacts (e.g., files, registry keys, etc.) from being deleted."""^^xsd:string ;
skos:prefLabel "prevents-artifact-deletion"^^xsd:string ;
.

gist:_MalwareCapability_Probes-Network-Environment
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy."""^^xsd:string ;
skos:prefLabel "probes-network-environment"^^xsd:string ;
.

gist:_MalwareCapability_Self-Modifies
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to modify itself."""^^xsd:string ;
skos:prefLabel "self-modifies"^^xsd:string ;
.

gist:_MalwareCapability_Steals-Authentication-Credentials
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance is able to steal authentication credentials."""^^xsd:string ;
skos:prefLabel "steals-authentication-credentials"^^xsd:string ;
.

gist:_MalwareCapability_Violates-System-Operational-Integrity
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to compromise the operational integrity of the system on which it is executing and/or one or more remote systems, e.g., by causing them to operate beyond their set of specified operational parameters. For example, malware that causes the CPU fan on the machine that it is executing to spin at a higher than normal speed."""^^xsd:string ;
skos:prefLabel "violates-system-operational-integrity"^^xsd:string ;
.

gist:_MalwareCapability_cleans-traces-of-infection
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to clean traces of its infection (e.g., file system artifacts) from a system."""^^xsd:string ;
skos:prefLabel "cleans-traces-of-infection"^^xsd:string ;
.

gist:_MalwareCapability_eEails-Spam
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to send spam email messages."""^^xsd:string ;
skos:prefLabel "emails-spam"^^xsd:string ;
.

gist:_MalwareCapability_escalates-privileges
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to escalate the privileges under which it is executing."""^^xsd:string ;
skos:prefLabel "escalates-privileges"^^xsd:string ;
.

gist:_MalwareCapability_hides-executing-code
a gist:MalwareCapability ;
skos:definition """STIX 2.1 description:
Indicates that the malware instance or family is able to hide its code by compromising the bootloader, kernel modules, hypervisor, etc."""^^xsd:string ;
skos:prefLabel "hides-executing-code"^^xsd:string ;
.

gist:_MalwareResult_benign
a gist:MalwareResult ;
skos:definition """STIX 2.1 description:
Expand Down