From dbf98ecfb7de55ea1b4b079ae88dcba73f412093 Mon Sep 17 00:00:00 2001 From: Dez Beck Date: Thu, 8 Sep 2022 12:42:21 -0400 Subject: [PATCH 1/9] add newsletters --- README.md | 2 +- yfaq/README.md | 1 + ynewsletters/09092022.md | 16 ++++++++++++++++ ynewsletters/README.md | 3 +++ 4 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ynewsletters/09092022.md create mode 100644 ynewsletters/README.md diff --git a/README.md b/README.md index ebba3183..abcaef24 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Malware Behavior Catalog v2.2 # -The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting. Please see the [FAQ](./yfaq/README.md) page for answers to common questions. +The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting. Please see the [FAQ](./yfaq/README.md) page for answers to common questions, and read the [newsletters](./ynewsletters/README.md) for information on the most recent MBC updates and activity. Check out the MBC presentations: diff --git a/yfaq/README.md b/yfaq/README.md index 2879f978..c73e7175 100644 --- a/yfaq/README.md +++ b/yfaq/README.md 
@@ -23,6 +23,7 @@ - MBC v2.0 was released in September 2020 and includes micro-behaviors and changes associated with [ATT&CK sub-techniques](https://attack.mitre.org/resources/updates/updates-july-2020/index.html). - MBC v2.1 was released in February 2021 and includes additional micro-behaviors and behavior methods. - MBC v2.2 was released in February 2022 and includes additional micro-behaviors and behavior methods. Added code snippets to certain methods. + - MBC v2.3 was released in September 2022 and aligns with ATT&CK v11 and includes an updated malware corpus. * **MBC Website** - An MBC website will eventually replace markdown documents. diff --git a/ynewsletters/09092022.md b/ynewsletters/09092022.md new file mode 100644 index 00000000..eb4fd690 --- /dev/null +++ b/ynewsletters/09092022.md @@ -0,0 +1,16 @@ +# Malware Behavior Catalog Newsletter # +9/9/2022 + +Hello all! + +Highlights of recent MBC development include: + +* Released MBC v2.3, which aligns MBC with ATT&CK v11 +* Released v22.09 of the STIX 2 representation for MBC v2.3 ([mbc-stix2](https://github.com/MBCProject/mbc-stix2)) +* Updated [capa](https://github.com/fireeye/capa) rules to map to MBC v2.3 +* Expanded the [malware corpus](./xample-malware/README.md) of mapped malware examples +* Began meeting with MBC users to understand their use cases + +Please let us know if you're interested in meeting with our team. We'd love to get your feedback and understand your MBC use cases! + +Next, we'll be considering whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? Please email us at mbc@mitre.org to let us know what you think. diff --git a/ynewsletters/README.md b/ynewsletters/README.md new file mode 100644 index 00000000..77803ee7 --- /dev/null +++ b/ynewsletters/README.md @@ -0,0 +1,3 @@ +## Malware Behavior Catalog Newsletters ## + +September 2022 \ No newline at end of file 
From 503105dcd0920f858ab9ab0b3da8687a7eb13ec2 Mon Sep 17 00:00:00 2001 From: Dez Beck Date: Thu, 8 Sep 2022 12:51:51 -0400 Subject: [PATCH 2/9] add newsletters --- ynewsletters/09092022.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ynewsletters/09092022.md b/ynewsletters/09092022.md index eb4fd690..1e3217ae 100644 --- a/ynewsletters/09092022.md +++ b/ynewsletters/09092022.md @@ -5,12 +5,12 @@ Hello all! Highlights of recent MBC development include: -* Released MBC v2.3, which aligns MBC with ATT&CK v11 +* Released MBC v2.3, which aligns MBC with ATT&CK v11 (plus enhanced descriptions and formatting updates) * Released v22.09 of the STIX 2 representation for MBC v2.3 ([mbc-stix2](https://github.com/MBCProject/mbc-stix2)) * Updated [capa](https://github.com/fireeye/capa) rules to map to MBC v2.3 -* Expanded the [malware corpus](./xample-malware/README.md) of mapped malware examples +* Expanded the [malware corpus](../xample-malware/README.md) of mapped malware examples * Began meeting with MBC users to understand their use cases -Please let us know if you're interested in meeting with our team. We'd love to get your feedback and understand your MBC use cases! +Next, we'll be considering questions such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be adding to the malware corpus, as well as adding code snippets to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. -Next, we'll be considering whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? Please email us at mbc@mitre.org to let us know what you think. +**Please let us know if you're interested in meeting with our team. We'd love to get your feedback and understand your MBC use cases!** \ No newline at end of file 
From 2f6093b0b9ec61c5aa14766f04842399541a0a2a Mon Sep 17 00:00:00 2001 From: Dez Beck Date: Thu, 8 Sep 2022 13:00:59 -0400 Subject: [PATCH 3/9] newsletter update --- anti-behavioral-analysis/sandbox-detection.md | 2 +- ynewsletters/09092022.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/anti-behavioral-analysis/sandbox-detection.md b/anti-behavioral-analysis/sandbox-detection.md index 0e2e2039..0ae29748 100644 --- a/anti-behavioral-analysis/sandbox-detection.md +++ b/anti-behavioral-analysis/sandbox-detection.md @@ -47,7 +47,7 @@ Malware Examples |[**Rombertik**](../xample-malware/rombertik.md)|2015|The malware check for sandboxes that suppress errors returned from API routine calls the using ZwGetWriteWatch routine. [[6]](#6)| -Code Snippets +Code Snippets ------------- **Sandbox Detection::Product Key/ID Testing** (B0007.005) - the value 55274-640-2673064-23950 corresponds to Joe Sandbox. ```asm diff --git a/ynewsletters/09092022.md b/ynewsletters/09092022.md index 1e3217ae..bba121e2 100644 --- a/ynewsletters/09092022.md +++ b/ynewsletters/09092022.md 
@@ -1,16 +1,16 @@ # Malware Behavior Catalog Newsletter # -9/9/2022 +**September 9, 2022** Hello all! Highlights of recent MBC development include: -* Released MBC v2.3, which aligns MBC with ATT&CK v11 (plus enhanced descriptions and formatting updates) -* Released v22.09 of the STIX 2 representation for MBC v2.3 ([mbc-stix2](https://github.com/MBCProject/mbc-stix2)) +* Released **MBC v2.3**, which aligns MBC with ATT&CK v11 (plus enhanced descriptions and formatting updates) +* Released [v22.09](https://github.com/MBCProject/mbc-stix2) of the STIX 2 representation for MBC v2.3 * Updated [capa](https://github.com/fireeye/capa) rules to map to MBC v2.3 -* Expanded the [malware corpus](../xample-malware/README.md) of mapped malware examples +* Expanded MBC's [malware corpus](../xample-malware/README.md) of mapped malware examples * Began meeting with MBC users to understand their use cases -Next, we'll be considering questions such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be adding to the malware corpus, as well as adding code snippets to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. +Next, we'll be considering questions, such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be adding to the malware corpus, as well as adding [code snippets](../anti-behavioral-analysis/sandbox-detection.md/#snippet) to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. **Please let us know if you're interested in meeting with our team. We'd love to get your feedback and understand your MBC use cases!** \ No newline at end of file From a6096cb8df03d67b7f0bc319f82fd1b18668707b Mon Sep 17 00:00:00 2001 
From: Dez Beck Date: Thu, 8 Sep 2022 13:05:24 -0400 Subject: [PATCH 4/9] newsletter update --- ynewsletters/09092022.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ynewsletters/09092022.md b/ynewsletters/09092022.md index bba121e2..c0a12c91 100644 --- a/ynewsletters/09092022.md +++ b/ynewsletters/09092022.md 
@@ -6,11 +6,11 @@ Hello all! Highlights of recent MBC development include: * Released **MBC v2.3**, which aligns MBC with ATT&CK v11 (plus enhanced descriptions and formatting updates) -* Released [v22.09](https://github.com/MBCProject/mbc-stix2) of the STIX 2 representation for MBC v2.3 +* Released [v22.09](https://github.com/MBCProject/mbc-stix2/tree/v22.09) of the STIX 2 representation for MBC v2.3 * Updated [capa](https://github.com/fireeye/capa) rules to map to MBC v2.3 -* Expanded MBC's [malware corpus](../xample-malware/README.md) of mapped malware examples +* Expanded MBC's [malware corpus](../../xample-malware/README.md) of mapped malware examples * Began meeting with MBC users to understand their use cases -Next, we'll be considering questions, such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be adding to the malware corpus, as well as adding [code snippets](../anti-behavioral-analysis/sandbox-detection.md/#snippet) to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. +Next, we'll be considering questions, such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be adding to the malware corpus, as well as adding [code snippets](../../anti-behavioral-analysis/sandbox-detection.md/#snippet) to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. **Please let us know if you're interested in meeting with our team. We'd love to get your feedback and understand your MBC use cases!** \ No newline at end of file From d5791ce5fe2a5ad1725a985232b9d600c9407c8d Mon Sep 17 00:00:00 2001 From: Dez Beck Date: Thu, 8 Sep 2022 13:15:21 -0400 Subject: [PATCH 5/9] newsletter update --- ynewsletters/09092022.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ynewsletters/09092022.md b/ynewsletters/09092022.md index c0a12c91..6a7ef252 100644 --- a/ynewsletters/09092022.md +++ b/ynewsletters/09092022.md @@ -11,6 +11,6 @@ Highlights of recent MBC development include: * Expanded MBC's [malware corpus](../../xample-malware/README.md) of mapped malware examples * Began meeting with MBC users to understand their use cases -Next, we'll be considering questions, such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be adding to the malware corpus, as well as adding [code snippets](../../anti-behavioral-analysis/sandbox-detection.md/#snippet) to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. +Next, we'll be considering questions, such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be expanding the malware corpus, as well as adding [code snippets](../../anti-behavioral-analysis/sandbox-detection.md/#snippet) to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. **Please let us know if you're interested in meeting with our team. We'd love to get your feedback and understand your MBC use cases!** \ No newline at end of file From 9937ebd631c2358bb20cabeb9a0299c910a8b7f2 Mon Sep 17 00:00:00 2001 From: Ryan Xu Date: Thu, 8 Sep 2022 15:09:06 -0400 Subject: [PATCH 6/9] Update 09092022.md --- ynewsletters/09092022.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ynewsletters/09092022.md b/ynewsletters/09092022.md index 6a7ef252..36e90200 100644 --- a/ynewsletters/09092022.md +++ b/ynewsletters/09092022.md 
@@ -8,9 +8,9 @@ Highlights of recent MBC development include: * Released **MBC v2.3**, which aligns MBC with ATT&CK v11 (plus enhanced descriptions and formatting updates) * Released [v22.09](https://github.com/MBCProject/mbc-stix2/tree/v22.09) of the STIX 2 representation for MBC v2.3 * Updated [capa](https://github.com/fireeye/capa) rules to map to MBC v2.3 -* Expanded MBC's [malware corpus](../../xample-malware/README.md) of mapped malware examples +* Expanded MBC's [malware corpus](../xample-malware/README.md) of mapped malware examples * Began meeting with MBC users to understand their use cases -Next, we'll be considering questions, such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be expanding the malware corpus, as well as adding [code snippets](../../anti-behavioral-analysis/sandbox-detection.md/#snippet) to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. +Next, we'll be considering questions, such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be expanding the malware corpus, as well as adding [code snippets](../anti-behavioral-analysis/sandbox-detection.md/#snippet) to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. -**Please let us know if you're interested in meeting with our team. We'd love to get your feedback and understand your MBC use cases!** \ No newline at end of file +**Please let us know if you're interested in meeting with our team. We'd love to get your feedback and understand your MBC use cases!** From 00afb1d6b0d92bda3532203d12f6542ca9acc853 Mon Sep 17 00:00:00 2001 From: Dez Beck Date: Fri, 9 Sep 2022 10:57:45 -0400 Subject: [PATCH 7/9] newsletter update --- ynewsletters/09092022.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) 
diff --git a/ynewsletters/09092022.md b/ynewsletters/09092022.md index 36e90200..8fadf217 100644 --- a/ynewsletters/09092022.md +++ b/ynewsletters/09092022.md @@ -5,7 +5,7 @@ Hello all! Highlights of recent MBC development include: -* Released **MBC v2.3**, which aligns MBC with ATT&CK v11 (plus enhanced descriptions and formatting updates) +* Released **MBC v2.3**, which aligns MBC with ATT&CK v11 (plus other updates*) * Released [v22.09](https://github.com/MBCProject/mbc-stix2/tree/v22.09) of the STIX 2 representation for MBC v2.3 * Updated [capa](https://github.com/fireeye/capa) rules to map to MBC v2.3 * Expanded MBC's [malware corpus](../xample-malware/README.md) of mapped malware examples @@ -14,3 +14,15 @@ Highlights of recent MBC development include: Next, we'll be considering questions, such as whether the MBC's terminology should more closely match ATT&CK's. For example, should MBC "behaviors" instead be referred to as "techniques"? We'll also be expanding the malware corpus, as well as adding [code snippets](../anti-behavioral-analysis/sandbox-detection.md/#snippet) to MBC behavior pages. Please email us at mbc@mitre.org to let us know what you think. **Please let us know if you're interested in meeting with our team. We'd love to get your feedback and understand your MBC use cases!** + +Other updates include: +* Behavior/method descriptions enhanced +* HTML tables fixed inside markdown +* Histograms added for capa mappings +* Malware corpus documentation expanded +* READMEs updated +* Markdown file names updated to match behavior names +* ATT&CK technique identifiers added to links +* MBC-only behavior table added +* Hashes updated to SHA256 +* Behavior page content (order and wording) updated for consistency From 1e42433220266c8c303981b8fd008a7f535c69b2 Mon Sep 17 00:00:00 2001 From: Dez Beck Date: Fri, 9 Sep 2022 13:46:19 -0400 Subject: [PATCH 8/9] newsletter update --- ynewsletters/09092022.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/ynewsletters/09092022.md b/ynewsletters/09092022.md index 8fadf217..9be7ed6f 100644 --- a/ynewsletters/09092022.md +++ b/ynewsletters/09092022.md @@ -23,6 +23,5 @@ Other updates include: * READMEs updated * Markdown file names updated to match behavior names * ATT&CK technique identifiers added to links -* MBC-only behavior table added -* Hashes updated to SHA256 +* MBC behavior table added * Behavior page content (order and wording) updated for consistency From 949209d5973434a74a49075f46b4bbb0b536ab64 Mon Sep 17 00:00:00 2001 From: Dez Beck Date: Fri, 9 Sep 2022 13:52:09 -0400 Subject: [PATCH 9/9] newsletter update --- ynewsletters/09092022.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ynewsletters/09092022.md b/ynewsletters/09092022.md index 9be7ed6f..11042b71 100644 --- a/ynewsletters/09092022.md +++ b/ynewsletters/09092022.md @@ -23,5 +23,5 @@ Other updates include: * READMEs updated * Markdown file names updated to match behavior names * ATT&CK technique identifiers added to links -* MBC behavior table added +* Table of MBC behaviors added * Behavior page content (order and wording) updated for consistency
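Review bot: in PATCH 1/9, README.md hunk, the unchanged context line `# Malware Behavior Catalog v2.2 #` still names v2.2 while the newsletter this series adds announces the v2.3 release, so the page that now links to the newsletter contradicts it. Bump the heading to v2.3 in the same change, or state in the commit message why the README title is deliberately lagging.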
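Review bot: in PATCH 1/9, yfaq/README.md hunk, the added line `+ - MBC v2.3 was released in September 2022 and aligns with ATT&CK v11 and includes an updated malware corpus.` chains two `and` clauses, unlike the neighbouring entries, which each use one; suggest `- MBC v2.3 was released in September 2022. It aligns with ATT&CK v11 and includes an updated malware corpus.` Note also that the ATT&CK link two entries above is the July 2020 update page, not the v11 release notes, so a reader checking what "aligns with ATT&CK v11" means has nothing to follow from this entry.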
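Review bot: in PATCH 1/9, the new file ynewsletters/09092022.md links the corpus as `[malware corpus](./xample-malware/README.md)`; that path is resolved relative to `ynewsletters/`, so it points at a non-existent `ynewsletters/xample-malware/` and needs `../xample-malware/README.md`. Patches 2, 4 and 6 in this series then rewrite this same path three times (`../`, `../../`, `../`), so the final form should be squashed into this commit. Two smaller points on the same file: the name `09092022.md` (MMDDYYYY) will not sort chronologically once newsletters from other months or years exist, whereas `2022-09-09.md` would; and `https://github.com/fireeye/capa` should be checked against the project's current canonical repository location before the newsletter is published, since relying on a redirect is fragile.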
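Review bot: in PATCH 1/9, the new file ynewsletters/README.md consists of the heading and the bare text `September 2022` with no link to `09092022.md`, so a reader who follows the README's new `[newsletters](./ynewsletters/README.md)` link lands on a page with nothing to click. Make the entry a list item that links the issue, for example `* [September 9, 2022](./09092022.md)`, and add the trailing newline the diff flags with `\ No newline at end of file`.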
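Review bot: in PATCH 3/9, anti-behavioral-analysis/sandbox-detection.md hunk, the `-Code Snippets` / `+Code Snippets` pair shows no visible difference, so the change is either trailing whitespace or markup the rendered diff does not display. The newsletter in the same commit links to `sandbox-detection.md/#snippet`, so if this line is meant to carry the `snippet` anchor, say so in the commit message (the current message, "newsletter update", does not mention this file at all), and drop the stray `/` before `#` in that link: `sandbox-detection.md#snippet`, since `file.md/#anchor` addresses the file as a directory. The unchanged Rombertik context line also has two grammar slips worth a drive-by fix: `The malware check for sandboxes that suppress errors returned from API routine calls the using ZwGetWriteWatch routine.` should read `The malware checks for sandboxes that suppress errors returned from API routine calls, using the ZwGetWriteWatch routine.`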
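Review bot: in PATCH 4/9, ynewsletters/09092022.md hunk, `../../xample-malware/README.md` and `../../anti-behavioral-analysis/sandbox-detection.md/#snippet` climb two levels from `ynewsletters/`, which is above the repository root; the file sits one level below the root, so the `../` form that patch 2 introduced and that patch 6 restores is the correct one. Patches 4 and 6 cancel each other out and should be squashed away; more generally, seven of the nine commits in this series are titled "newsletter update" or "add newsletters" and rework the same file, so the series would read better as one or two commits with messages that say what changed.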
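Review bot: in PATCH 7/9, ynewsletters/09092022.md hunk, `(plus other updates*)` uses a bare `*` as a footnote marker, but the `Other updates include:` list it refers to carries no matching marker, and a lone `*` inside a Markdown paragraph risks being read as the start of emphasis. Either write `(plus other updates, listed below)` or put an explicit marker at both ends. In the list itself, `SHA256` is conventionally written `SHA-256`, and `HTML tables fixed inside markdown` would help readers more if it said what was broken (rendering, escaping, or alignment).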
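Review bot: in PATCH 8/9, ynewsletters/09092022.md hunk, the removal of `* Hashes updated to SHA256` is the one deletion in this series that changes what users are told rather than how it is worded: if the corpus hashes did change algorithm, anyone matching on the old values will notice, and dropping the mention hides that; if the hash change was itself backed out, that is fine but the commit message `newsletter update` should say so. The same hunk also drops `MBC-only` from the table item, and patch 9 rewords it again to `Table of MBC behaviors added`; fold both into one commit with the final wording.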