MalChain Detections GitHub

Framework Overview

MalChain is an open-source, behavior-centric malware analysis and detection framework designed to model real-world adversary operations across the full intrusion lifecycle. Unlike indicator-driven or tool-centric models, MalChain focuses on attacker capabilities, trust abuse, and operational chaining.

Purpose and Scope

The purpose of MalChain is to provide defenders, analysts, and researchers with a structured, high-fidelity model for understanding malware behavior beyond individual tools or campaigns. MalChain abstracts attacker actions into reusable operational capabilities that remain stable even as malware tooling evolves. This framework is intended for:

  • Security Operations Centers (SOC)
  • Detection engineering teams
  • Incident responders
  • Malware researchers
  • Red and purple teams
  • Academic and open-source research

MalChain is platform-agnostic and applies to endpoint, network, cloud, and hybrid environments.

MalChain Attack Chain Overview

MalChain organizes adversary behavior into six primary phases:

Phase Techniques Focus
Ingress 7 How malware enters systems
Activation 7 Running malicious code
Anchoring 8 Maintaining presence
Concealment 10 Avoiding detection
Expansion 10 Spreading within networks
Extraction 10 Stealing data
Total 52 Full intrusion lifecycle

Each phase represents a set of attacker objectives and capabilities rather than specific techniques.

Using MalChain in Practice

Organizations can apply MalChain to:

  • Threat modeling exercises
  • SOC alert design
  • Incident response playbooks
  • Purple-team validation
  • Malware research documentation

The six phases

MC-ING - Ingress - Initial Access Capability

Ingress represents the attacker's first successful interaction with the target environment. This phase is primarily focused on abusing human trust, software trust, or hardware trust. Ingress mechanisms include removable media, malvertising, supply chain compromise, credential abuse, malicious USB devices, and watering hole attacks.

Key outputs of this phase include:

  • Initial execution context
  • Trust boundary penetration
  • User or service privilege level

Ingress methods includes:

  • Removable Media & File Transfer
  • Malvertising & Drive-By Downloads
  • Supply Chain Compromise
  • Credential Abuse
  • Malicious or Compromised USB Devices
  • Watering Hole Attacks
  • External Remote Services

Ingress decisions heavily influence the attacker's stealth and options in later phases.

MC-ACT - Activation - Execution Capability

Activation converts access into action. This phase determines how and where attacker-controlled logic is executed within the target environment.

Activation includes user-executed files, script-based activation, service execution, DLL side-loading, WMI execution, boot or firmware execution, and browser extension abuse.

Activation outputs include:

  • Running malicious logic
  • Memory residency
  • Privilege escalation opportunities

Activation methods includes:

  • User-Executed Files
  • Script-Based Execution
  • Service-Based Execution
  • DLL Side-Loading
  • WMI-Based Execution
  • Browser Extension Execution
  • Boot / Firmware Execution

Activation is often chained with concealment techniques to minimize detection.

MC-ANC - Anchoring - Persistence Capability

Anchoring ensures that attacker access survives reboots, logouts, and routine system maintenance. Persistence is not a single technique but a reliability strategy. Anchoring methods include:

  • Startup & Logon Execution
  • Scheduled & Triggered Execution
  • Service & Daemon Persistence
  • Registry-Based Persistence
  • Browser-Based Persistence
  • WMI & Event Subscription Persistence
  • Fileless & In-Memory Persistence
  • Boot & Pre-OS Persistence

The primary output of anchoring is long-term operational presence with minimal reinfection cost.

MC-CON - Concealment - Defense Evasion Capability

Concealment reduces the likelihood that malicious activity will be detected, analyzed, or responded to. This phase actively degrades defender visibility and confidence.

Concealment techniques include:

  • Obfuscation & Packing
  • Fileless Malware Execution
  • Security Tool Tampering
  • Masquerading & Impersonation
  • Environment & Sandbox Evasion
  • Process Injection
  • Polymorphism & Metamorphism
  • Log & Artifact Manipulation
  • Living-off-the-Land for Evasion
  • Anti-Forensics & Cleanup

Concealment enables extended dwell time and increases the success of expansion and extraction.

MC-EXP - Expansion - Lateral Movement Capability

Expansion focuses on increasing the attacker's control surface inside the environment. This phase transforms a single compromised system into organizational compromise.

Expansion techniques include:

  • Living-off-the-Land Lateral Movement
  • Credential Reuse & Relay
  • Pass-the-Hash / Pass-the-Ticket
  • Remote Service & Protocol Abuse
  • Network Share Propagation
  • Worm-like Self-Propagation
  • Privilege Escalation Across Hosts
  • Identity & Trust Relationship Abuse
  • Directory Services Targeting
  • Cloud & Hybrid Lateral Movement

Outputs include additional hosts, elevated privileges, and increased operational resilience.

MC-EXT - Extraction - Exfiltration & Control Capability

Extraction is where attackers realize value from their intrusion. This includes data theft, continuous command and control, and operational leverage.

Extraction channels include:

  • HTTP / HTTPS Data Exfiltration
  • DNS Tunneling
  • Cloud Storage Abuse
  • Messaging and Social Platform Channels
  • FTP / SFTP / FTPS Transfer
  • Tor / Proxy / VPN Anonymization Channels
  • Encrypted Command-and-Control Channels
  • Removable Media Data Extraction
  • Steganographic Data Transfer
  • Multi-Channel Redundant Exfiltration

Extraction may occur incrementally throughout the intrusion rather than only at the end.

Unified Sub Phases table

Ingress Activation Anchoring Concealment Expansion Extraction
Removable Media & File Transfer User-Executed Files Startup & Logon Execution Obfuscation & Packing Living-off-the-Land Lateral Movement HTTP / HTTPS Data Exfiltration
Malvertising & Drive-By Downloads Script-Based Execution Scheduled & Triggered Execution Fileless Malware Execution Credential Reuse & Relay DNS Tunneling
Supply Chain Compromise Service-Based Execution Service & Daemon Persistence Security Tool Tampering Pass-the-Hash / Pass-the-Ticket Cloud Storage Abuse
Credential Abuse DLL Side-Loading Registry-Based Persistence Masquerading & Impersonation Remote Service & Protocol Abuse Messaging and Social Platform Channels
Malicious or Compromised USB Devices WMI-Based Execution Browser-Based Persistence Environment & Sandbox Evasion Network Share Propagation FTP / SFTP / FTPS Transfer
Watering Hole Attacks Browser Extension Execution WMI & Event Subscription Persistence Process Injection Worm-like Self-Propagation Tor / Proxy / VPN Anonymization Channels
External Remote Services Boot / Firmware Execution Fileless & In-Memory Persistence Polymorphism & Metamorphism Privilege Escalation Across Hosts Encrypted Command-and-Control Channels
Boot & Pre-OS Persistence Log & Artifact Manipulation Identity & Trust Relationship Abuse Removable Media Data Extraction
Living-off-the-Land for Evasion Directory Services Targeting Steganographic Data Transfer
Anti-Forensics & Cleanup Cloud & Hybrid Lateral Movement Multi-Channel Redundant Exfiltration