MalChain Detections GitHub

Mappings

MalChain techniques cross-referenced to MITRE ATT&CK, representative CVEs, and MalwareBazaar samples. Open a technique for its full mapping, including sample links.

ATT&CK

Every technique is mapped to MITRE ATT&CK technique and sub-technique IDs.

CVEs

Representative real-world CVEs where a capability is commonly enabled by a vulnerability.

MalwareBazaar

Each technique links to live samples on abuse.ch; run the enrichment script to embed hashes.

ATT&CK & CVE coverage

CVEs are representative examples, not exhaustive; behavioural techniques are marked —. Verify against your own threat model.

TechniqueNameMITRE ATT&CKCVE examplesMalwareBazaar
ING-01Removable Media & File TransferT1091 T1200CVE-2010-2568 CVE-2017-8464Raspberry Robin worm
ING-02Malvertising & Drive-By DownloadsT1189 T1583.008CVE-2023-4863 CVE-2021-30551SocGholish FakeUpdates
ING-03Supply Chain CompromiseT1195.002 T1195.001CVE-2020-10148 CVE-2024-3094 CVE-2021-442283CX supply-chain
ING-04Credential AbuseT1078 T1110RedLine Stealer Vidar
ING-05Malicious or Compromised USB DevicesT1200 T1091CVE-2010-2568Raspberry Robin usb
ING-06Watering Hole AttacksT1189 T1608.004CVE-2021-30551ScanBox
ING-07External Remote ServicesT1133 T1078CVE-2021-26855 CVE-2019-19781 CVE-2018-13379 CVE-2019-11510Cobalt Strike webshell
ACT-01User-Executed FilesT1204.002 T1204.001CVE-2017-11882 CVE-2021-40444 CVE-2022-30190maldoc Emotet
ACT-02Script-Based ExecutionT1059 T1059.001 T1059.003ps1 AsyncRAT
ACT-03Service-Based ExecutionT1569.002 T1543.003Cobalt Strike
ACT-04DLL Side-Loading or HijackingT1574.002 T1574.001PlugX QakBot
ACT-05WMI-Based ExecutionT1047Cobalt Strike
ACT-06Browser Extension ExecutionT1176ViperSoftX
ACT-07Boot / Firmware ExecutionT1542 T1542.001 T1542.003CVE-2022-21894 CVE-2020-10713BlackLotus MoonBounce
ANC-01Startup & Logon ExecutionT1547.001 T1037AgentTesla
ANC-02Scheduled & Triggered ExecutionT1053.005QakBot
ANC-03Service & Daemon PersistenceT1543.003 T1543.002Cobalt Strike
ANC-04Registry-Based PersistenceT1547 T1112Formbook
ANC-05Browser-Based PersistenceT1176ViperSoftX
ANC-06WMI & Event Subscription PersistenceT1546.003Turla
ANC-07Fileless & In-Memory PersistenceT1027.011 T1547GootLoader fileless
ANC-08Boot & Pre-OS PersistenceT1542.003 T1542.001CVE-2022-21894 CVE-2020-10713BlackLotus
CON-01Obfuscation & PackingT1027.002 T1027UPX Formbook
CON-02Fileless Malware ExecutionT1620 T1027.011fileless GootLoader
CON-03Security Tool TamperingT1562.001 T1211CVE-2021-21551 CVE-2015-2291BYOVD AuKill
CON-04Masquerading & ImpersonationT1036 T1036.005AgentTesla
CON-05Environment & Sandbox EvasionT1497 T1480GuLoader
CON-06Process InjectionT1055 T1055.012Formbook AgentTesla
CON-07Polymorphism & MetamorphismT1027Emotet
CON-08Log & Artifact ManipulationT1070.001 T1070Cobalt Strike
CON-09Living-off-the-Land for EvasionT1218 T1127lolbin QakBot
CON-10Anti-Forensics & CleanupT1070.004 T1490 T1070.006LockBit
EXP-01Living-off-the-Land Lateral MovementT1021 T1570Cobalt Strike
EXP-02Credential Reuse & RelayT1550 T1557Mimikatz
EXP-03Pass-the-Hash / Pass-the-TicketT1550.002 T1550.003Mimikatz
EXP-04Remote Service & Protocol AbuseT1021.001 T1021.002 T1021.006CVE-2019-0708 CVE-2017-0144Cobalt Strike
EXP-05Network Share PropagationT1021.002 T1080CVE-2017-0144QakBot
EXP-06Worm-like Self-PropagationT1210 T1091CVE-2017-0144 CVE-2008-4250Raspberry Robin worm
EXP-07Privilege Escalation Across HostsT1068 T1548.002 T1134CVE-2021-34527 CVE-2021-36934Cobalt Strike
EXP-08Identity & Trust Relationship AbuseT1558 T1558.001 T1484CVE-2020-1472 CVE-2021-42287Mimikatz
EXP-09Directory Services TargetingT1003.006 T1087.002CVE-2020-1472 CVE-2021-42278Mimikatz
EXP-10Cloud & Hybrid Lateral MovementT1078.004 T1552.005 T1021.007cloud
EXT-01HTTP / HTTPS Data ExfiltrationT1567 T1048 T1041RedLine Stealer
EXT-02DNS TunnelingT1071.004 T1572Cobalt Strike
EXT-03Cloud Storage AbuseT1567.002Vidar
EXT-04Messaging and Social Platform ChannelsT1102 T1567.003telegram AgentTesla
EXT-05FTP / SFTP / FTPS TransferT1048 T1048.003Snake Keylogger AgentTesla
EXT-06Tor / Proxy / VPN Anonymization ChannelsT1090.003 T1572tor LockBit
EXT-07Encrypted Command-and-Control ChannelsT1573 T1071Cobalt Strike
EXT-08Removable Media Data ExtractionT1052.001 T1025usb
EXT-09Steganographic Data TransferT1027.003 T1001.002IcedID steganography
EXT-10Multi-Channel Redundant ExfiltrationT1008 T1104AgentTesla