schemas.v1.1.1.external.maec_4.1.maec_bundle_schema.xsd Maven / Gradle / Ivy
The Java bindings for STIX v.1.2.0.2
The following is a description of the elements, types, and attributes that compose Malware Attribute Enumeration and Characterization (MAEC) Bundle schema.
The MAEC Bundle Schema is maintained by The Mitre Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.
This schema imports the CyBOX schema and object schemas. More info on CybOX can be found at http://cybox.mitre.org.
MAEC Bundle Schema, version 4.1, 02/11/2014
Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the MAEC License located at http://maec.mitre.org/about/termsofuse.html. See the MAEC License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the MAEC Schema, this license header must be included.
The MAEC_Bundle element is the root element of this schema, and is of type BundleType. As such, it represents the characterization of a single malware instance, characterized in the top-level Subject_Details element, via its MAEC entities.
The Action element enables description/specification of a single malware action.
The Behavior element enables description/specification of a single malware behavior.
The MalwareActionType is one of the foundational MAEC types, and serves as a method for the characterization of actions found or observed in malware. Actions can be thought of as system state changes and similar operations that represent the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some data on a socket. It imports and extends the CybOX ActionType. For MAEC, the id attribute is required.
The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.
The BehaviorType is one of the foundational MAEC types, and serves as a method for the characterization of malicious behaviors found or observed in malware. Behaviors can be thought of as representing the purpose behind groups of MAEC Actions, and are therefore representative of distinct portions of higher-level malware functionality. Thus, while a malware instance may perform some multitude of Actions, it is likely that these Actions represent only a few distinct behaviors. Some examples include vulnerability exploitation, email address harvesting, the disabling of a security service, etc.
The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as a way to state the nature of the Behavior apart from its constituent actions.
The Description field specifies a prose textual description of the Behavior.
The Discovery_Method field specifies the method used to discover the Behavior.
The Action_Composition field captures the Actions that compose the Behavior.
The Associated_Code field specifies any code snippets that may be associated with the Behavior.
The Relationships field specifies any relationships between this Behavior and any other Behaviors.
The required id field specifies a unique ID for this Behavior.
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
The status field specifies the execution status of the Behavior being characterized.
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
The BundleType serves as the high-level construct which encapsulates all Bundle elements, and represents some characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).
The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.
The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.
The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.
The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.
The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.
The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.
The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.
The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.
The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.
The required id field specifies a unique ID for this MAEC Bundle.
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
The timestamp field specifies the date/time that the bundle was generated.
The BehaviorCollectionType provides a Capability for characterizing collections of behaviors.
The Purpose field states the intended purpose of the collection of Behaviors. Since Behaviors are not always successful, and may not be fully observed, this is meant as a way of abstracting the nature of the collection of Behaviors away from its constituent Actions.
The Behavior_List field specifies a list of Behaviors that make up the collection.
The id field specifies a unique ID for this Behavior Collection.
The ActionCollectionType provides a method for characterizing collections of actions. This can be useful for organizing actions that may be related and where the exact relationship is unknown, as well as actions whose associated behavior has not yet been established.
The Action_List field specifies a list of Actions that make up the collection.
The id field specifies a unique ID for this Action Collection.
The APICallType provides a method for the characterization of API calls, including functions and their parameters.
The Address field contains the address of the API call in the binary.
The Return_Value field contains the return value of the API call.
The Parameter field captures any name/value pairs of the parameters passed into the API call.
The function_name field contains the exact name of the API function called, e.g. CreateFileEx.
The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.
The ActionImplementationType serves as a method for the characterization of Action Implementations. Currently supported are implementations achieved through API function calls and abstractly defined code.
The Compatible_Platforms field specifies the specific platform(s) that the Action is compatible with, or in other words, capable of being successfully executed on.
The API_Call field allows for the characterization of a system-level API call that was used to implement the action. Software must make use of such calls to talk to hardware and perform system-specific functions.
The Code field contains any form of code that was used to implement the action.
The id field specifies a unique ID for this Action Implementation.
The required type field refers to the type of Action Implementation being characterized in this element.
The CVEVulnerabilityType provides a way of referencing specific vulnerabilities that malware exploits or attempts to exploit via a Common Vulnerabilities and Exposures (CVE) identifier. For more information on CVE please see http://cve.mitre.org.
The Description field specifies the textual description of the vulnerability referenced by the cve_id.
The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.
The ObjectCollectionType provides a Capability for characterizing collections of Objects. For instance, it can be used to group all of the Objects that are associated with a specific behavior.
The Object_List field specifies a list of Objects that make up the collection.
The id attribute specifies a unique ID for this Object Collection.
The BaseCollectionType is the base type for other MAEC collection types.
The Affinity_Type field provides an abstract way of characterizing how the objects in a collection are related.
The Affinity_Degree field is intended to provide an abstract way of characterizing the degree to which the objects in a collection are related.
The Description field contains a textual description of the collection.
The name field specifies the name of the collection.
The BehaviorRelationshipType provides a method for the characterization of relationships between Behaviors.
The Behavior_Reference field specifies a reference to a single Behavior in the relationship.
The type field specifies the nature of the relationship between Behaviors that is being captured.
The AVClassificationsType captures any Anti-Virus (AV) tool classifications for an Object.
The AV_Classification field captures a single AV classification of the malware instance object.
The ParameterType characterizes function parameters.
This field refers to the ordinal position of the parameter with respect to the function where it is used.
The name field specifies the name of the parameter.
The value field specifies the actual value of the parameter.
The ParametersType captures a list of function parameters.
The Parameter field specifies a single function parameter.
The AssociatedCodeType serves as a generic way of specifying any code snippets associated with a MAEC entity, such as a Behavior.
The Code_Snippet field captures a single snippet of code, via the CybOX CodeObjectType.
The BehaviorPurposeType captures the purpose behind a malware Behavior.
The Description field contains a prose text description of the purpose of the Behavior, whether it was successful or not.
The Vulnerability_Exploit field characterizes any vulnerability that a Behavior may have attempted to exploit, whether or not the exploitation was successful (where success is not necessarily known).
The PlatformListType captures a list of software or hardware platforms.
The Platform field specifies a single Platform in the list via a common platform enumeration ID. It uses the PlatformSpecificationType type from the CybOX Common schema v2.0.1.
The ExploitType characterizes any exploitable weakness that may be targeted for exploitation by a malware instance through a Behavior. Most commonly, this refers to a known and identifiable vulnerability, but it may also refer to one or more weaknesses.
The CVE field specifies the CVE ID and description of the vulnerability targeted by the exploit, if available.
The CWE_ID field captures the ID of the Common Weakness Enumeration (CWE) entry that represents the type of weakness targeted by the exploit. More than one such CWE ID can be specified by using multiple occurrences of this field.
The Targeted_Platforms field specifies the platform(s) targeted by the vulnerability exploit.
The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.
The BehaviorRelationshipListType captures any relationships between a Behavior and other Behaviors.
The Relationship field specifies a single relationship between a single Behavior and one or more other Behaviors.
The BehavioralActionsType is intended to capture the Actions or Action Collections that make up a Behavior.
The Action_Collection field specifies an Action Collection that is part of the behavioral composition.
The Action field specifies a single Action that is part of the behavioral composition.
The Action_Reference field specifies a reference to a single Action that is part of the behavioral composition.
The Action_Equivalence_Reference field specifies a reference to a single Action Equivalence that is part of the behavioral composition.
The BehaviorListType captures a list of Behaviors.
The Behavior field specifies a single Behavior in the list.
The ActionListType captures a list of Actions.
The Action field specifies a single Action in the list.
The recommended syntax for Action IDs is a dash-delimited format that starts with the word maec, followed by a unique string, followed by the three letter code 'act', and ending with an integer. The regular expression validating these IDs is: maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*.
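The ID syntax above is the one place on this page that is precise enough to check mechanically, and references between MAEC entities (a Behavior's Action_Composition pointing at Actions, Behavior and Object references that must resolve within the current Bundle) are the other thing a consumer of a Bundle has to verify before trusting its contents. The following Python is an added example, not code from the MAEC project: it applies the regular expression from the text with fullmatch, then walks a small constructed Bundle and reports Action IDs that violate the syntax and Action_Reference elements that point at no Action in the Bundle. The element names come from the descriptions on this page; the namespace URI, the action_id attribute on Action_Reference, and the sample IDs are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Regular expression for Action IDs, exactly as given in the schema documentation.
ACTION_ID_RE = re.compile(r"maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*")


def is_valid_action_id(value: str) -> bool:
    """True if value matches the recommended Action ID syntax in full.

    fullmatch is deliberate: re.match would accept trailing garbage such as
    'maec-vendor-act-1; drop'. The leading-digit class [1-9] also rejects
    'act-0' and 'act-01', which the pattern never permits.
    """
    return ACTION_ID_RE.fullmatch(value) is not None


# Constructed sample Bundle (not taken from the page). The namespace URI and
# the action_id attribute on Action_Reference are assumptions; the element
# names come from the schema documentation. It deliberately contains one
# malformed Action id and one reference to an Action that does not exist.
SAMPLE_BUNDLE = """
<maecBundle:MAEC_Bundle xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    id="maec-example-bnd-1" schema_version="4.1" defined_subject="false">
  <maecBundle:Behaviors>
    <maecBundle:Behavior id="maec-example-bhv-1">
      <maecBundle:Action_Composition>
        <maecBundle:Action_Reference action_id="maec-example-act-1" behavioral_ordering="1"/>
        <maecBundle:Action_Reference action_id="maec-example-act-2" behavioral_ordering="2"/>
        <maecBundle:Action_Reference action_id="maec-example-act-99" behavioral_ordering="3"/>
      </maecBundle:Action_Composition>
    </maecBundle:Behavior>
  </maecBundle:Behaviors>
  <maecBundle:Actions>
    <maecBundle:Action id="maec-example-act-1"/>
    <maecBundle:Action id="maec-example-act-2"/>
    <maecBundle:Action id="maec-example-act-01"/>
  </maecBundle:Actions>
</maecBundle:MAEC_Bundle>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def check_bundle(xml_text: str) -> dict:
    """Validate Action IDs and resolve Behavior -> Action references.

    Returns a dict with two lists, in document order:
      bad_action_ids      - Action ids that violate the recommended syntax
      dangling_references - action_id values on Action_Reference elements
                            that name no Action defined in this Bundle
    """
    root = ET.fromstring(xml_text)
    defined = set()
    bad_ids = []
    dangling = []

    # First pass: collect every Action id declared in the Bundle.
    for el in root.iter():
        if _local(el.tag) == "Action":
            aid = el.get("id", "")
            defined.add(aid)
            if not is_valid_action_id(aid):
                bad_ids.append(aid)

    # Second pass: every Action_Reference must resolve to a declared Action.
    for el in root.iter():
        if _local(el.tag) == "Action_Reference":
            ref = el.get("action_id", "")
            if ref not in defined:
                dangling.append(ref)

    return {"bad_action_ids": bad_ids, "dangling_references": dangling}


if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))
```

Two points matter for anyone feeding tool-generated Bundles into a pipeline: matching the whole string rather than a prefix, since an ID that only begins correctly can carry arbitrary trailing characters into whatever later consumes it, and resolving every idref before acting on a Behavior, because a composition that refers to a missing Action describes nothing the Bundle actually observed.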
The ObjectListType captures a list of CybOX Objects.
The Object field specifies a single CybOX Object in the list. For use in MAEC, the id attribute at the top level of the Object must be utilized.
The BehaviorReferenceType serves as a method for referencing existing behaviors contained in the Bundle.
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
The ObjectReferenceType serves as a method for linking to CybOX Objects embedded in the MAEC Bundle.
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
The BehavioralActionType type defines an Action field that can be used as part of a Behavior. It extends the MAEC MalwareActionType type, which in turn extends the CybOX ActionType type.
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
The BehavioralActionReferenceType defines an action reference that can be used as part of a Behavior.
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
The BehavioralActionEquivalenceReferenceType defines an Action Equivalence reference that can be used as part of a Behavior. Since the Action Equivalency equates two or more actions to a single one, this can be thought of as specifying one of the aforementioned Actions as part of the composition of the Behavior.
The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.
The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.
The BehaviorReferenceListType captures a list of Behavior References.
The Behavior_Reference field specifies a reference to a single Behavior.
The ActionReferenceListType captures a list of Action References.
The Action_Reference field specifies a reference to a single Action.
The ObjectReferenceListType captures a list of references to CybOX Objects.
The Object_Reference field specifies a reference to a single CybOX Object.
The CandidateIndicatorType provides a way of defining a MAEC entity-based Candidate Indicator, which specifies the particular components that may signify the presence of the malware instance on a host system or network.
The Importance field specifies the relative importance of the Candidate Indicator.
This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.
The Author field specifies the author of the Candidate Indicator.
The Description field provides a brief description of the Candidate Indicator.
The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.
The Composition field specifies the actual observables that the Candidate Indicator is composed of, via references to one or more MAEC entities contained in the Bundle.
The id field specifies a unique ID for this Candidate Indicator.
The creation_datetime field specifies the date/time that the Candidate Indicator was created.
The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.
The version field specifies the version of the Candidate Indicator.
The CandidateIndicatorListType captures a list of Candidate Indicators.
The Candidate_Indicator field specifies a single Candidate Indicator in the list.
The MalwareEntityType provides a Capability for characterizing the particular entity that an indicator or signature is written against, whether it is a particular malware instance, family, etc.
The Type field refers to the specific type of malware entity that the indicator or signature is written against.
This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is MalwareEntityTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
The Name field refers to the name of the malware instance, malware family, or malware class that the indicator or signature is written against.
The Description field is intended to provide a brief description of the entity that the indicator or signature is written against.
The CollectionsType captures the various types of MAEC entity collections.
The Behavior_Collections field captures any collections of Behaviors in the Bundle.
The Action_Collections field captures any collections of Actions in the Bundle.
The Objects_Collections field captures any collections of CybOX Objects in the Bundle.
The Candidate_Indicator_Collections field captures any collections of Candidate Indicators in the Bundle.
The BundleReferenceType serves as a method for linking to Bundles embedded in other locations.
The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.
The ProcessTreeType captures the process tree for the malware instance, including the parent process and processes spawned by it, along with any Actions initiated by each.
The Root_Process field captures the root process in the process tree.
The ProcessTreeNodeType captures a single process, or node, in the process tree. It imports and extends the ProcessObjectType from the CybOX Process Object.
The Initiated_Actions field captures, via references, the actions (found inside the top-level Actions element, or an Action Collection inside the top-level Collections element) initiated by the Process.
The Spawned_Process field captures a single child process spawned by this process.
The Injected_Process field captures a single process that was injected by this process.
The required id field specifies a unique ID for the Process Node.
The parent_action_idref field specifies the id of the action that created or injected this process.
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
The CandidateIndicatorCompositionType captures the composition of a Candidate Indicator, via references to any corresponding MAEC entities contained in the Bundle.
The Behavior_Reference field specifies a reference to a single Behavior in the Bundle that is part of the candidate indicator's composition.
The Action_Reference field specifies a reference to a single Action in the Bundle that is part of the candidate indicator's composition.
The Object_Reference field specifies a reference to a single Object in the Bundle that is part of the candidate indicator's composition.
The Sub_Composition field captures any sub-compositions in this Candidate Indicator, for expressing more complex Candidate Indicators.
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
The CandidateIndicatorCollectionType provides a Capability for characterizing collections of Candidate Indicators.
The Candidate_Indicator_List field specifies a list of Candidate Indicators that make up the collection.
The id field specifies a unique ID for this Candidate Indicator Collection.
The CandidateIndicatorCollectionListType captures a list of Candidate Indicators.
The Candidate_Indicator_Collection field specifies a single collection of Candidate Indicators.
The BehaviorCollectionListType captures a list of Behavior Collections.
The Behavior_Collection field specifies a single collection of Behaviors in the Bundle.
The ActionCollectionListType captures a list of Action Collections.
The Action_Collection field specifies a single collection of Actions in the Bundle.
The ObjectCollectionListType captures a list of Object Collections.
The Object_Collection field specifies a single collection of CybOX Objects.
The AVClassificationType captures information on AV scanner classifications for the malware instance object captured in the Bundle or Package.
The Engine_Version field captures the version of the AV engine used by the AV scanner tool that assigned the classification to the malware instance object.
The Definition_Version field captures the version of the AV definitions used by the AV scanner tool that assigned the classification to the malware instance object.
The Classification_Name field captures the classification assigned to the malware instance object by the AV scanner tool characterized in the Company_Name and Product_Name fields.
The ActionImplementationTypeEnum represents an enumeration of action implementation types.
The api call value specifies that the action was implemented using some particular API call, details of which may be captured in the API_Call element.
The Code value specifies that the action was implemented using some particular code snippet, details of which may be captured in the Code element.
The BundleContentTypeEnum is a non-exhaustive enumeration of the general types of content that a Bundle can contain.
The dynamic analysis tool output value specifies that the Bundle primarily captures some form of dynamic analysis tool output, such as from a sandbox.
The static analysis tool output value specifies that the Bundle primarily captures some form of static analysis tool output, such as from a packer detection tool.
The manual analysis output value specifies that the Bundle primarily captures some form of manual analysis output, which may or may not involve the use of tools.
The extracted from subject value specifies that the Bundle primarily captures some data that was extracted from the Malware Subject, such as some PE Header fields.
The mixed value specifies that the Bundle captures some mixed forms of analysis or tool output for the Malware Subject, such as both dynamic and static analysis tool output.
The other value specifies that the Bundle captures some other form of analysis or tool output that is not represented by the other enumeration values.
The CapabilityType captures details of a Capability that may be implemented in the malware instance, along with its child Strategic and Tactical Objectives.
The Description field captures a basic textual description of the Capability.
The Property field permits the capture of a single property of the Capability, as a key/value pair. More than one property can be specified via multiple occurrences of this field.
The Strategic_Objective field captures a single Strategic Objective that the Capability attempts to achieve. It can be considered as a more granular way of capturing the Capabilities present in the malware instance.
The Tactical_Objective field captures a single Tactical Objective that the Capability attempts to achieve, typically in the context of a broader Strategic Objective. It can be considered as a way of expounding upon Strategic Objectives to capture the Capabilities of the malware instance in more detail.
The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability. For Behaviors that serve as implementations of specific Strategic or Tactical Objectives, the Behavior_Reference field under the Strategic_Objective or Tactical_Objective fields should be used, respectively.
The Relationship field captures a relationship from the Capability to one or more other Capabilities.
The required id field specifies a unique ID for this MAEC Capability.
The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.
The CapabilityListType captures a list of Capabilities.
The Capability field captures a single Capability in the list, and therefore represents a single Capability possessed by the malware instance.
The Capability_Reference field references a single Capability defined elsewhere in the MAEC document, and therefore represents a single Capability possessed by the malware instance.
The CapabilityReferenceType serves as a method for referencing existing Capabilities contained in the MAEC document.
The capability_idref field references the ID of a Capability contained inside the current MAEC document.
The CapabilityObjectiveType captures details of a Capability Strategic or Tactical Objective.
The Name field captures the name of the Capability Objective. There are several default vocabularies for this usage included in the MAEC Vocabularies schema. It uses the ControlledVocabularyStringType from the imported CybOX Common schema.
The Description field captures a basic textual description of the Capability Objective.
The Property field permits the capture of a single property of the Capability Objective, as a key/value pair. More than one property can be specified via multiple occurrences of this field.
The Behavior_Reference field captures a reference to a Behavior that functions as an implementation of the Capability Objective.
The Relationship field captures a relationship from the Capability Objective to one or more other Capability Objectives.
The required id field specifies a unique ID for this Capability Objective.
The CapabilityObjectiveRelationshipType captures a relationship between a Capability and one or more other Capabilities.
The Relationship_Type field captures the type of relationship being expressed between Capabilities.
The Capability_Reference field references a single Capability in the relationship, via its ID.
The CapabilityObjectiveRelationshipType captures a relationship between a Strategic or Tactical Objective and one or more other Strategic or Tactical Objectives.
The Relationship_Type field captures the type of relationship being expressed between Objectives (either Strategic or Tactical).
The Objective_Reference field references a single Capability Objective (either Strategic or Tactical) in the relationship.
The CapabilityObjectiveReferenceType serves as a method for referencing existing Capability Objectives (either Strategic or Tactical) contained in the Bundle.
The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.
The CapabilityPropertyType captures a single property of a Capability or Capability Objective.
The Name field specifies the name of the property being captured. The name can be either free form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. This field uses the ControlledVocabularyStringType from the imported CybOX Common schema.
The Value field specifies the value of the property being captured.