Skip to content
A taxonomy and dictionary of malware behaviors.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
anti-static-analysis update behaviors Jun 18, 2019
collection update objectives May 24, 2019
command-and-control fix links Jul 21, 2019
credential-access typo Jun 21, 2019
defense-evasion fix link Jul 24, 2019
discovery update objectives May 24, 2019
execution Update Jul 16, 2019
impact update text Jun 18, 2019
privilege-escalation combine hooking behs Jun 18, 2019
theoretical-behaviors update ids Jan 25, 2019
xample-malware add behs Jul 21, 2019
yfaq added items Aug 1, 2019 fix typo Jul 10, 2019

Malware Behavior Catalog

The Malware Behavior Catalog (MBC) is a catalog of malware Objectives and Behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting. Please see the FAQ page for answers to common questions.


As shown below, malware Objectives are based on ATT&CK Tactics, and are tailored for the malware analysis use case of characterizing malware based on known Objectives and Behaviors. Two malware analysis-specific Objectives (Anti-Behavioral Analysis and Anti-Static Analysis) not in ATT&CK are also defined.


Under each Objective, MBC captures all behaviors and code characteristics discovered during malware analysis, with links to ATT&CK Techniques as appropriate. Names of MBC Behaviors may or may not match related ATT&CK Techniques. Any content provided on Behavior pages is supplemental to ATT&CK content. In other words, ATT&CK content is not duplicated in MBC, and MBC users will want to reference ATT&CK while capturing malware Behaviors.


The first letter of a Behavior identifier indicates whether the Behavior is a stub referencing an ATT&CK Technique ("T", matching the ATT&CK identifier; e.g. T1234), whether it enhances an ATT&CK Technique with malware-specific details ("E"; e.g. E1234), or whether it is a newly defined Behavior in MBC ("M"; e.g. M1234).

When two or more MBC Behaviors refine the same ATT&CK Technique, they are given concatenated identifiers where the MBC portion distinguishes them (e.g. T1234:M0123, T1234:M0124). When a new ATT&CK Technique is defined after an MBC Behavior has been defined, the preexisting MBC identifier is preserved and the ATT&CK identifier is appended (e.g., M0123:T1234).

Example Malware

The MBC also contains a collection of example malware that are characterized with malware Behaviors.

Malware Objective Descriptions

Malware Objectives are defined below. Follow the links to view associated Behaviors. Please see the MBC Matrix to view all Behaviors.

Objective Description
Anti-Behavioral Analysis Malware aims to prevent, obstruct, or evade behavioral analysis done in a sandbox, debugger, etc.
Anti-Static Analysis Malware aims to prevent static analysis or make it more difficult. Simpler static analysis identifies features such as embedded strings, executable header information, hash values, and file metadata. More involved static analysis involves the disassembly of the binary code.
Collection Malware aims to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This Objective includes locations on a system or network where the malware may look for information to exfiltrate.
Command and Control Malware aims to communicate (receive and/or execute remotely submitted commands) with systems under its control within a target network or other systems (C2 servers, etc.).
Credential Access Malware aims to obtain credential access, allowing it or its underlying threat actor to assume control of an account, with the associated system and network permissions.
Defense Evasion Malware aims to evade detection or avoid other cybersecurity defenses.
Discovery Malware aims to gain knowledge about the system and internal network.
Execution Malware aims to execute its code on a system to achieve secondary objectives, in conjunction with its primary objectives.
Exfiltration Malware aims to steal data from the system on which it executes. This includes stored data (e.g., files) as well as data input into applications (e.g., web browser).
Impact Malware aims to execute its mission.
Lateral Movement Malware aims to propagate through the infection of a system or is able to infect a file after executing on a system. The malware may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email).
Persistence Malware aims to remain on a system regardless of system events.
Privilege Escalation Malware aims to obtain a higher level of privilege for execution.
You can’t perform that action at this time.