Where can I find more info on the Malware Behavior STIX 2.1 SDO?

Frameworks, Standards, and Tools
1

I recently saw a few malware-behaviour objects in a STIX bundle.

{
    "type": "bundle",
    "id": "bundle--6b32c658-f907-4a02-bd68-d971d0c83822",
    "objects": [
        {
            "type": "malware-behavior",
            "spec_version": "2.1",
            "id": "malware-behavior--0a11a488-9138-4341-a879-32a2c251e01f",
            "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
            "created": "2020-08-14T00:00:00.000Z",
            "modified": "2023-12-05T00:00:00.000Z",
            "name": "Heap Spray",
            "obj_defn": {
                "description": "Malware may use heap spraying to write a sequence of bytes on the heap section of a process.",
                "external_id": "C0006",
                "source_name": "mitre-mbc",
                "url": "https://github.com/MBCProject/mbc-markdown/blob/main/micro-behaviors/memory/heap-spray.md"
            },
            "objective_refs": [
                "malware-objective--dbe27c30-ea5f-44a0-9167-ead41fc8d420"
            ],
            "obj_version": "2.1",
            "object_marking_refs": [
                "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
            ],
            "extensions": {
                "extension-definition--d57b7c9c-7fa6-436b-b82c-8e6f69cdc3d0": {
                    "extension_type": "new-sdo"
                }
            }
        }
    ]
}

Using the url listed in the object, I found this repo

The MBC project looks very interesting. Is anyone using it with STIX? If so, do you have any guides to get started?

2

I’ll caveat this post by saying I’m no expert here, but have come across the Malware Behavior Catalog (MBC) STIX objects before.

This video was super useful as an introduction:

At 7:12 there is a good example of the structure.

That diagram will also explain the 4 main types of STIX objects in the repo

  1. malware: the actual malware classified by MBC which implements…
  2. malware-method: which refines…
  3. malware-behavior: which accomplishes…
  4. malware-objective

In that repo you’ll see the relationship STIX objects link them together using the relationships defined above.

You’ll also note that the relationships also link out to ATT&CK technique objects to describe the Malware.

Where I am still a little unsure is how the two live together. ATT&CK has its own knowledge-base of Malware (software in ATT&CK terms: Software | MITRE ATT&CK®).

I suspect the MBC includes new strings or strings with more information than the ATT&CK representation (because ATT&CK does not use the MBC framework).

3

Oh, I’d also recommend checking out the spec in the OASIS Open Repo.

Specifically the extension standard doc…

That doc contains all the schemas and some good examples.

One part I found particularly helpful in it was this diagram explaining the structure/content of the objects;

image

Which helps to explain the fact the malware-behaviour object can also contain a snippet of the malware relevant to the behaviour, and a detection for it, e.g.

{
    "type": "malware-behavior",
    "spec_version": "2.1",
    "id": "malware-behavior--7fd7253f-274e-4156-be58-7ac900fc221a",
    "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
    "created": "2019-08-01T00:00:00.000Z",
    "modified": "2022-11-21T00:00:00.000Z",
    "name": "Sandbox Detection",
    "obj_defn": {
        "source_name": "mbc",
        "description": "Detects whether the malware instance is being executed <snip>",
        "url": "https://github.com/MBCProject/mbc-markdown <snip> /sandbox-detection.md",
        "external_id": "B0007"
    },
    "obj_version": "2.0",
    "related_object_refs": [
        "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
        "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad",
        "attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938"
    ],
    "tags": {"Anti-Analysis-Type": "Detection"},
    "objective_refs": ["malware-objective--a6de0a96-50b6-441f-8e62-06eb6db84183"],
    "detection_rules": [{
        "rule_type": "capa",
        "rule_name": "check for sandbox and av modules",
        "url": "https://github.com/capa-rules...check-for-sandbox-and-av-modules.yml",
        "api_fncs": ["GetModuleHandle"],
        "detect_ref": "malware-method--5650472c-6f90-44c3-8944-f763507e9220"
    }],
    "snippets": [{
        "snippet": "push ebx, \n add esp, \n 0FFFFFEF4h, \n xor ebx, \n ebx <snip>",
        "language": "asm",
        "exemplify_ref": "malware-method--5650472c-6f90-44c3-8944-f763507e9220"
    }],
    "external_references": [
        {
"source_name": "cisco",
"url": "https://blogs.cisco.com/security/talos/rombertik",
"description": "B. Baker and A. Chiu, \"Threat Spotlight: Rombertik - Gazing Past the Smoke, Mirrors, and Trapdoors,\" Cisco Threat Research, blog, May 4, 2013 [Online]."
        },
        {
"source_name": "lordnoteworthy"
"url": "https://github.com/LordNoteworthy/al-khaser"
"description": "A. Faouzi (LordNoteworthy), \"README.md,\" Al-Khaser v0.81. Accessed Apr. 29, 2023 [Online].
        }
    ],
    "extensions": {
        "extension-definition--d57b7c9c-7fa6-436b-b82c-8e6f69cdc3d0" : {
            "extension_type" : "new-sdo"
        }
    }
}