[MAEC] DataExfiltrationTacticalObjectivesEnum DNS Tunnel

[MAEC] DataExfiltrationTacticalObjectivesEnum DNS Tunnel

Hi,

https://github.com/MAECProject/schemas/issues/92

could we consider updating a description in
DataExfiltrationTacticalObjectivesEnum
Backward compatibility: no change
Priority: low
Com-Vocabulary
Type: Enhancement



suggested is to better reflect exfiltration mechanisms
example: DNS tunneling

suggested change:

<xs:enumeration value="exfiltrate via covert channel">
    <xs:annotation>
        <xs:documentation>The 'exfiltrate via covert channel' value indicates that the malware instance is able to exfiltrate data using a covert channel.</xs:documentation>
    </xs:annotation>
</xs:enumeration>

<xs:enumeration value="exfiltrate via covert channel">
    <xs:annotation>
        <xs:documentation>The 'exfiltrate via covert channel' value indicates that the malware instance is able to exfiltrate data using a covert channel. (e.g., a DNS tunnel, or NTP)</xs:documentation>
    </xs:annotation>
</xs:enumeration>


PS: that would potentially add more context to DNSActionNameEnum
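One way to check the "Backward compatibility: no change" claim mechanically is to diff the enumeration value sets of the two fragments and report whether only the xs:documentation text moved. This is an added example, not code from the thread or from the MAEC project; the xs:restriction wrapper around the two quoted fragments is constructed so that they parse as complete documents.

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
NS = {"xs": XS}

# Current and proposed xs:enumeration fragments from the thread, each wrapped
# in a minimal xs:restriction (constructed wrapper, not from the MAEC schema).
CURRENT_XSD = f"""<xs:restriction xmlns:xs="{XS}" base="xs:string">
  <xs:enumeration value="exfiltrate via covert channel">
    <xs:annotation>
      <xs:documentation>The 'exfiltrate via covert channel' value indicates
that the malware instance is able to exfiltrate data using a covert
channel.</xs:documentation>
    </xs:annotation>
  </xs:enumeration>
</xs:restriction>"""

PROPOSED_XSD = f"""<xs:restriction xmlns:xs="{XS}" base="xs:string">
  <xs:enumeration value="exfiltrate via covert channel">
    <xs:annotation>
      <xs:documentation>The 'exfiltrate via covert channel' value indicates
that the malware instance is able to exfiltrate data using a covert
channel. (e.g., a DNS tunnel, or NTP)</xs:documentation>
    </xs:annotation>
  </xs:enumeration>
</xs:restriction>"""


def enum_docs(xsd_text):
    """Map each xs:enumeration value to its whitespace-normalised documentation."""
    root = ET.fromstring(xsd_text)
    docs = {}
    for enum in root.findall("xs:enumeration", NS):
        doc = enum.find("xs:annotation/xs:documentation", NS)
        text = doc.text if doc is not None and doc.text else ""
        docs[enum.get("value")] = " ".join(text.split())
    return docs


def compare_vocab(old_xsd, new_xsd):
    """Report value-set changes (compatibility-relevant) separately from doc edits."""
    old, new = enum_docs(old_xsd), enum_docs(new_xsd)
    return {
        "added_values": sorted(set(new) - set(old)),
        "removed_values": sorted(set(old) - set(new)),
        "changed_docs": sorted(v for v in old.keys() & new.keys() if old[v] != new[v]),
    }


def is_backward_compatible(report):
    # Existing documents only break if a value they already use disappears.
    return not report["removed_values"]


if __name__ == "__main__":
    print(compare_vocab(CURRENT_XSD, PROPOSED_XSD))
```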

Re: [MAEC] DataExfiltrationTacticalObjectivesEnum DNS Tunnel

Kirillov, Ivan A.
Hi Jerome,

Great suggestion - this adds some useful clarification. I think it's likely we'll make this change for the next MAEC release. Also, it would be interesting to see if we can begin compiling a list of types of covert channels, which we could make into a separate vocabulary.

Regards,
Ivan Kirillov
MITRE

-----Original Message-----
From: Jerome Athias [mailto:[hidden email]]
Sent: Friday, February 13, 2015 1:10 PM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: [MAEC] DataExfiltrationTacticalObjectivesEnum DNS Tunnel
