Malware Corpus

The MBC malware corpus comprises a variety of malware where each entry is decomposed into behaviors that are mapped to ATT&CK and MBC. The mappings are based on open source malware analysis reports and are separated into three categories: "ATT&CK Techniques," "Enhanced ATT&CK Techniques," and "MBC Behaviors."

ATT&CK Techniques - If a malware entry is not included in ATT&CK's software collection, then all ATT&CK techniques to which its malware behaviors map are listed. If a malware entry is included in ATT&CK's software collection, then the corresponding software page is referenced under "ATT&CK Techniques" (individual mappings not captured in ATT&CK are still listed). These techniques have T identifiers (e.g., T1012).

Enhanced ATT&CK Techniques - Any ATT&CK techniques that would be listed under "ATT&CK Techniques" but have been enhanced in MBC are listed in this section instead. These techniques have E and F identifiers (e.g., E1560, F0008).

MBC Behaviors - This section lists all MBC behaviors to which an entry's malware behaviors map. These behaviors have B and C identifiers (e.g., B0032, C0010).

Notes

  • Each entry is mapped to one or more malware types.

  • Poison-Ivy X0014 and Kovter X0009 are examples of malware samples included and not included in ATT&CK's collection, respectively.

  • The FAQ includes information about the malware used to illustrate the use of MBC in Attack Flow and CACAO.

The List