schemas.v1.2.0.external.maec_4.1.maec_default_vocabularies.xsd
The Java bindings for STIX v.1.2.0.2
This schema was originally developed by The MITRE Corporation. The MAEC XML Schema implementation is maintained by The MITRE Corporation and developed by the open MAEC Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the MAEC website at http://maec.mitre.org.
maec-default-vocabularies
1.1
02/11/2014
The following defines types for the default controlled vocabularies used within MAEC. An individual vocabulary may be revised at any time. Revisions to vocabularies result in the creation of new types with the new version number embedded in the type name (the earlier type is kept, so a document that references it still validates). Vocabularies are referenced from MAEC elements through the xsi:type attribute on the element, which names the versioned vocabulary type; the individual elements where this may be done indicate the expected default vocabulary.
Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the MAEC License located at http://maec.mitre.org/about/termsofuse.html. See the MAEC License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the MAEC Schema, this license header must be included.
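As an added example, not code from the MAEC schema or from the STIX Java bindings this page documents, the following Python script checks how a MAEC 4.1 bundle references these vocabularies. It resolves each xsi:type to its namespace, flags references to the vocabularies marked deprecated below (an XSD validator will not, because the deprecated -1.0 types are still defined in the schema), and checks each value against the enumeration, which is an exact, case-sensitive string match. The sample bundle is constructed for this example; the namespace URIs, the MAEC_Bundle/Action element layout, the type name ActionObjectAssociationTypeVocab-1.0 and the "-1.1" suffix for the current vocabularies are assumptions, as is the choice to transcribe only the File and Network action-name vocabularies into the table.

```python
"""Check controlled-vocabulary references in a MAEC 4.1 bundle (added example)."""
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Namespace URI of the MAEC default vocabularies (maecVocabs prefix): assumed.
MAEC_VOCABS = "http://maec.mitre.org/default_vocabularies-1"

# Allowed values transcribed from the vocabulary definitions on this page.
# Values are exact, case-sensitive strings: 'Connect To IP' != 'connect to ip'.
VOCABS = {
    "ActionObjectAssociationTypeVocab-1.0": {"input", "output", "side-effect"},
    "FileActionNameVocab-1.1": {
        "create file", "delete file", "copy file", "create file symbolic link",
        "find file", "get file attributes", "set file attributes", "lock file",
        "unlock file", "modify file", "move file", "open file", "read from file",
        "write to file", "rename file", "create file alternate data stream",
        "send control code to file", "create file mapping", "open file mapping",
        "execute file", "hide file", "close file",
    },
    "NetworkActionNameVocab-1.1": {
        "open port", "close port", "connect to ip", "disconnect from ip",
        "connect to url", "connect to socket address", "download file",
        "upload file", "listen on port", "send email message",
        "send icmp request", "send network packet", "receive network packet",
    },
}
# Vocabularies deprecated as of MAEC 4.1 and the type assumed to replace each.
DEPRECATED = {
    f"{name}ActionNameVocab-1.0": f"{name}ActionNameVocab-1.1"
    for name in ("DeviceDriver", "Library", "Directory", "Disk",
                 "File", "Hooking", "Network", "User")
}

# Constructed sample bundle: one correct reference, one deprecated vocabulary,
# one value that is not in the enumeration (wrong case).
SAMPLE_BUNDLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<maecBundle:MAEC_Bundle
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    xmlns:maecVocabs="http://maec.mitre.org/default_vocabularies-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:bundle-1" schema_version="4.1" defined_subject="false">
  <maecBundle:Actions>
    <maecBundle:Action id="example:action-1">
      <cybox:Name xsi:type="maecVocabs:FileActionNameVocab-1.1">create file</cybox:Name>
      <cybox:Associated_Objects>
        <cybox:Associated_Object id="example:object-1">
          <cybox:Association_Type xsi:type="maecVocabs:ActionObjectAssociationTypeVocab-1.0">output</cybox:Association_Type>
        </cybox:Associated_Object>
      </cybox:Associated_Objects>
    </maecBundle:Action>
    <maecBundle:Action id="example:action-2">
      <cybox:Name xsi:type="maecVocabs:FileActionNameVocab-1.0">hide file</cybox:Name>
    </maecBundle:Action>
    <maecBundle:Action id="example:action-3">
      <cybox:Name xsi:type="maecVocabs:NetworkActionNameVocab-1.1">Connect To IP</cybox:Name>
    </maecBundle:Action>
  </maecBundle:Actions>
</maecBundle:MAEC_Bundle>
"""


def parse_with_prefixes(xml_bytes):
    """Parse the document and also return its prefix -> namespace URI map.

    ElementTree leaves xsi:type values as raw 'prefix:Local' text, so the
    prefix declarations are needed to learn which namespace a vocabulary type
    lives in.  Prefix scoping is simplified to a single document-wide map.
    """
    prefixes, root = {}, None
    events = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start"))
    for event, payload in events:
        if event == "start-ns":
            prefix, uri = payload
            prefixes[prefix] = uri
        elif root is None:
            root = payload  # fully populated once iteration finishes
    return root, prefixes


def check_vocabularies(xml_bytes):
    """Return (element, vocab, value, status, detail) per element whose
    xsi:type names a MAEC default vocabulary, in document order."""
    root, prefixes = parse_with_prefixes(xml_bytes)
    findings = []
    for el in root.iter():
        qname = el.get(f"{{{XSI}}}type")
        if qname is None:
            continue
        prefix, _, vocab = qname.rpartition(":")
        if prefixes.get(prefix) != MAEC_VOCABS:
            continue  # some other xsi:type, e.g. a CybOX object type
        local_name = el.tag.rsplit("}", 1)[-1]
        value = (el.text or "").strip()
        if vocab in DEPRECATED:
            status, detail = "deprecated", f"use {DEPRECATED[vocab]}"
        elif vocab not in VOCABS:
            status, detail = "unknown-vocab", "not in this checker's table"
        elif value not in VOCABS[vocab]:
            status, detail = "unknown-value", "not in enumeration (check case)"
        else:
            status, detail = "ok", ""
        findings.append((local_name, vocab, value, status, detail))
    return findings


if __name__ == "__main__":
    for local_name, vocab, value, status, detail in check_vocabularies(SAMPLE_BUNDLE):
        print(f"{status:14} {local_name}={value!r} via {vocab} {detail}")
```

Run it as-is and it reports the three actions in order: ok, deprecated (with the replacement type), unknown-value. The table only covers the vocabularies transcribed into VOCABS, so anything else in the maecVocabs namespace is reported as unknown-vocab rather than silently accepted. For bundles received from an untrusted source, parse with defusedxml.ElementTree.iterparse instead of the standard library's iterparse, which does not guard against entity-expansion attacks.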
The ActionObjectAssociationVocab is the default MAEC vocabulary for Action-Object association types, captured via the AssociatedObjectType/Association_Type element in CybOX Core.
It should be used in place of the CybOX ActionObjectAssociationVocab-1.0.
ActionObjectAssociationTypeEnum is a (non-exhaustive) enumeration of types of action-object associations.
The 'input' value specifies that the associated object serves as an input to the action. This includes cases where an object is used by the action or an existing object is modified by the action.
The 'output' value specifies that the associated object serves as an output to the action. This includes cases where the object is created anew by the action or otherwise returned by the action.
The 'side-effect' value specifies that the associated object serves as a side-effect resulting from the action. This includes cases where the object is modified indirectly by the action.
The ImportanceTypeVocab is the default MAEC vocabulary for relative importance measures, captured via the CandidateIndicatorType/Importance element in the MAEC Bundle.
The ImportanceTypeEnum is a (non-exhaustive) enumeration of relative importance measures.
The 'high' value specifies that the field is of relative high importance.
The 'medium' value specifies that the field is of relative medium importance.
The 'low' value specifies that the field is of relative low importance.
The 'informational' value specifies that the field is only informational in its importance.
The 'numeric' value specifies that the field has a numeric importance value, which is defined in another attribute or element.
The 'unknown' value specifies that the relative importance for the field is unknown.
The MalwareEntityTypeVocab is the default MAEC vocabulary for malware entity types, captured via the CandidateIndicatorType/Malware_Entity/Type element in the MAEC Bundle.
The MalwareEntityTypeEnum is a (non-exhaustive) enumeration of the different types of entities that a malware indicator or signature may be written against.
The 'instance' value specifies that the particular malware entity being referred to is a single malware instance.
The 'family' value specifies that the particular malware entity being referred to is a single malware family.
The 'class' value specifies that the particular malware entity being referred to is a single class of malware.
The DeviceDriverActionNameVocab is the default MAEC vocabulary for device driver action names, captured via the ActionType/Name element in CybOX Core.
For device driver action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
The DeviceDriverActionNameEnum is a (non-exhaustive) enumeration of the different types of actions associated with device drivers.
Deprecated as of MAEC 4.1.
The 'load and call' value specifies the defined action of loading a driver into a system and then calling the loaded driver.
The 'load driver' value specifies the defined action of loading a driver into a system.
The 'unload driver' value specifies the defined action of unloading a driver from a system.
The DeviceDriverActionNameVocab is the default MAEC vocabulary for device driver action names, captured via the ActionType/Name element in CybOX Core.
For device driver action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated DeviceDriverActionNameVocab-1.0.
The DeviceDriverActionNameEnum is a (non-exhaustive) enumeration of the different types of actions associated with device drivers.
The 'load and call' value specifies the defined action of loading a driver into a system and then calling the loaded driver.
The 'load driver' value specifies the defined action of loading a driver into a system.
The 'unload driver' value specifies the defined action of unloading a driver from a system.
The 'emulate driver' value specifies the defined action of emulating an existing driver on a system.
The DebuggingActionNameVocab is the default MAEC vocabulary for debugging action names, captured via the ActionType/Name element in CybOX Core.
For debugging action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The DebuggingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with debugging.
The 'check for remote debugger' value specifies the defined action of checking for the presence of a remote debugger.
The 'check for kernel debugger' value specifies the defined action of checking for the presence of a kernel debugger.
The LibraryActionNameVocab is the default MAEC vocabulary for library action names, captured via the ActionType/Name element in CybOX Core.
For library action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
The LibraryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with libraries.
Deprecated as of MAEC 4.1.
The 'enumerate libraries' value specifies the defined action of enumerating the libraries used by a process.
The 'free library' value specifies the defined action of freeing a library previously loaded into the address space of the calling process.
The 'load library' value specifies the defined action of loading a library into the address space of the calling process.
The 'get function address' value specifies the defined action of getting the address of an exported function or variable from a library.
The LibraryActionNameVocab is the default MAEC vocabulary for library action names, captured via the ActionType/Name element in CybOX Core.
For library action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated LibraryActionNameVocab-1.0.
The LibraryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with libraries.
The 'enumerate libraries' value specifies the defined action of enumerating the libraries used by a process.
The 'free library' value specifies the defined action of freeing a library previously loaded into the address space of the calling process.
The 'load library' value specifies the defined action of loading a library into the address space of the calling process.
The 'get function address' value specifies the defined action of getting the address of an exported function or variable from a library.
The 'call library function' value specifies the defined action of calling a function exported by a library.
The DirectoryActionNameVocab is the default MAEC vocabulary for directory action names, captured via the ActionType/Name element in CybOX Core.
For directory action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
The DirectoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with file directories.
Deprecated as of MAEC 4.1.
The 'create directory' value specifies the defined action of creating a new directory on the filesystem.
The 'delete directory' value specifies the defined action of deleting an existing directory on the filesystem.
The 'monitor directory' value specifies the defined action of monitoring an existing directory on the filesystem for changes.
The DirectoryActionNameVocab is the default MAEC vocabulary for directory action names, captured via the ActionType/Name element in CybOX Core.
For directory action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated DirectoryActionNameVocab-1.0.
The DirectoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with file directories.
The 'create directory' value specifies the defined action of creating a new directory on the filesystem.
The 'delete directory' value specifies the defined action of deleting an existing directory on the filesystem.
The 'monitor directory' value specifies the defined action of monitoring an existing directory on the filesystem for changes.
The 'hide directory' value specifies the defined action of hiding an existing directory.
The DiskActionNameVocab is the default MAEC vocabulary for disk action names, captured via the ActionType/Name element in CybOX Core.
For disk action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
The DiskActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with hard disks.
Deprecated as of MAEC 4.1.
The 'get disk type' value specifies the defined action of getting the disk type.
The 'get disk attributes' value specifies the defined action of querying the attributes of a disk, such as the amount of available free space.
The 'mount disk' value specifies the defined action of mounting an existing file system to a mounting point.
The 'unmount disk' value specifies the defined action of unmounting an existing file system from a mounting point.
The DiskActionNameVocab is the default MAEC vocabulary for disk action names, captured via the ActionType/Name element in CybOX Core.
For disk action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated DiskActionNameVocab-1.0.
The DiskActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with hard disks.
The 'get disk type' value specifies the defined action of getting the disk type.
The 'get disk attributes' value specifies the defined action of querying the attributes of a disk, such as the amount of available free space.
The 'mount disk' value specifies the defined action of mounting an existing file system to a mounting point.
The 'unmount disk' value specifies the defined action of unmounting an existing file system from a mounting point.
The 'emulate disk' value specifies the defined action of emulating an existing disk.
The 'list disks' value specifies the defined action of listing all disks available on a system.
The 'monitor disk' value specifies the defined action of monitoring an existing disk for changes.
The FileActionNameVocab is the default MAEC vocabulary for file action names, captured via the ActionType/Name element in CybOX Core.
For file action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
The FileActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file.
Deprecated as of MAEC 4.1.
The 'create file' value specifies the defined action of creating a new file.
The 'delete file' value specifies the defined action of deleting an existing file.
The 'copy file' value specifies the defined action of copying an existing file from one location to another.
The 'create file symbolic link' value specifies the defined action of creating a symbolic link to an existing file.
The 'find file' value specifies the defined action of searching for an existing file.
The 'get file attributes' value specifies the defined action of getting the attributes of an existing file.
The 'set file attributes' value specifies the defined action of setting the file attributes for an existing file.
The 'lock file' value specifies the defined action of locking an existing file.
The 'unlock file' value specifies the defined action of unlocking an existing file.
The 'modify file' value specifies the defined action of modifying an existing file in some manner.
The 'move file' value specifies the defined action of moving an existing file from one location to another.
The 'open file' value specifies the defined action of opening an existing file for reading or writing.
The 'read from file' value specifies the defined action of reading from an existing file.
The 'write to file' value specifies the defined action of writing to an existing file.
The 'rename file' value specifies the defined action of renaming an existing file.
The 'create file alternate data stream' value specifies the defined action of creating an alternate data stream in an existing file.
Windows-specific.
The 'send control code to file' value specifies the defined action of sending a control code to a file.
Windows-specific.
The 'create file mapping' value specifies the defined action of creating a new file mapping object.
Windows-specific.
The 'open file mapping' value specifies the defined action of opening an existing file mapping object.
Windows-specific.
The FileActionNameVocab is the default MAEC vocabulary for file action names, captured via the ActionType/Name element in CybOX Core.
For file action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated FileActionNameVocab-1.0.
The FileActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file.
The 'create file' value specifies the defined action of creating a new file.
The 'delete file' value specifies the defined action of deleting an existing file.
The 'copy file' value specifies the defined action of copying an existing file from one location to another.
The 'create file symbolic link' value specifies the defined action of creating a symbolic link to an existing file.
The 'find file' value specifies the defined action of searching for an existing file.
The 'get file attributes' value specifies the defined action of getting the attributes of an existing file.
The 'set file attributes' value specifies the defined action of setting the file attributes for an existing file.
The 'lock file' value specifies the defined action of locking an existing file.
The 'unlock file' value specifies the defined action of unlocking an existing file.
The 'modify file' value specifies the defined action of modifying an existing file in some manner.
The 'move file' value specifies the defined action of moving an existing file from one location to another.
The 'open file' value specifies the defined action of opening an existing file for reading or writing.
The 'read from file' value specifies the defined action of reading from an existing file.
The 'write to file' value specifies the defined action of writing to an existing file.
The 'rename file' value specifies the defined action of renaming an existing file.
The 'create file alternate data stream' value specifies the defined action of creating an alternate data stream in an existing file.
Windows-specific.
The 'send control code to file' value specifies the defined action of sending a control code to a file.
Windows-specific.
The 'create file mapping' value specifies the defined action of creating a new file mapping object.
Windows-specific.
The 'open file mapping' value specifies the defined action of opening an existing file mapping object.
Windows-specific.
The 'execute file' value specifies the defined action of executing an existing file.
The 'hide file' value specifies the defined action of hiding an existing file.
The 'close file' value specifies the defined action of closing an existing file that was previously opened for reading or writing.
The HookingActionNameVocab is the default MAEC vocabulary for hooking action names, captured via the ActionType/Name element in CybOX Core.
For hooking action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
The HookingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with various kinds of hooking.
Deprecated as of MAEC 4.1.
The 'add system call hook' value specifies the defined action of adding a new system call hook.
The 'add windows hook' value specifies the defined action of adding a new Windows application-defined hook procedure.
Windows-specific.
The HookingActionNameVocab is the default MAEC vocabulary for hooking action names, captured via the ActionType/Name element in CybOX Core.
For hooking action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated HookingActionNameVocab-1.0.
The HookingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with various kinds of hooking.
The 'add system call hook' value specifies the defined action of adding a new system call hook.
The 'add windows hook' value specifies the defined action of adding a new Windows application-defined hook procedure.
Windows-specific.
The 'hide hook' value specifies the defined action of hiding an existing hook.
The DNSActionNameVocab is the default MAEC vocabulary for DNS action names, captured via the ActionType/Name element in CybOX Core.
For DNS action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The DNSActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Domain Name System (DNS).
The 'send dns query' value specifies the defined action of sending a DNS query.
The 'send reverse dns lookup' value specifies the defined action of sending a reverse DNS lookup.
The IRCActionNameVocab is the default MAEC vocabulary for IRC action names, captured via the ActionType/Name element in CybOX Core.
For IRC action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The IRCActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Internet Relay Chat (IRC).
The 'connect to irc server' value specifies the defined action of connecting to an existing IRC server.
The 'disconnect from irc server' value specifies the defined action of disconnecting from an existing IRC server.
The 'set irc nickname' value specifies the defined action of setting an IRC nickname on an IRC server.
The 'join irc channel' value specifies the defined action of joining a channel on an IRC server.
The 'leave irc channel' value specifies the defined action of leaving a channel on an IRC server.
The 'send irc private message' value specifies the defined action of sending a private message to another user on an IRC server.
The 'receive irc private message' value specifies the defined action of receiving a private message from another user on an IRC server.
The FTPActionNameVocab is the default MAEC vocabulary for FTP action names, captured via the ActionType/Name element in CybOX Core.
For FTP action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The FTPActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the File Transfer Protocol (FTP).
The 'connect to ftp server' value specifies the defined action of connecting to an existing FTP server.
The 'disconnect from ftp server' value specifies the defined action of disconnecting from an existing FTP server.
The 'send ftp command' value specifies the defined action of sending a command on an FTP server connection.
The HTTPActionNameVocab is the default MAEC vocabulary for HTTP action names, captured via the ActionType/Name element in CybOX Core.
For HTTP action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The HTTPActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Hypertext Transfer Protocol (HTTP).
The 'send http get request' value specifies the defined action of sending an HTTP GET client request to an existing server.
The 'send http head request' value specifies the defined action of sending an HTTP HEAD client request to an existing server.
The 'send http post request' value specifies the defined action of sending an HTTP POST client request to an existing server.
The 'send http put request' value specifies the defined action of sending an HTTP PUT client request to an existing server.
The 'send http delete request' value specifies the defined action of sending an HTTP DELETE client request to an existing server.
The 'send http trace request' value specifies the defined action of sending an HTTP TRACE client request to an existing server.
The 'send http options request' value specifies the defined action of sending an HTTP OPTIONS client request to an existing server.
The 'send http connect request' value specifies the defined action of sending an HTTP CONNECT client request to an existing server.
The 'send http patch request' value specifies the defined action of sending an HTTP PATCH client request to an existing server.
The 'receive http response' value specifies the defined action of receiving an HTTP server response for a prior HTTP request.
The NetworkActionNameVocab is the default MAEC vocabulary for network action names, captured via the ActionType/Name element in CybOX Core.
For network action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
The NetworkActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with networking.
Deprecated as of MAEC 4.1.
The 'open port' value specifies the defined action of opening a network port.
The 'close port' value specifies the defined action of closing a network port.
The 'connect to ip' value specifies the defined action of connecting to an IP address.
The 'disconnect from ip' value specifies the defined action of disconnecting from a previously established connection to an IP address.
The 'connect to url' value specifies the defined action of connecting to a URL.
The 'connect to socket address' value specifies the defined action of connecting to a socket address, consisting of an IP address and port number.
The 'download file' value specifies the defined action of downloading a file from a remote location.
The 'upload file' value specifies the defined action of uploading a file to a remote location.
The 'listen on port' value specifies the defined action of listening on a specific port.
The 'send email message' value specifies the defined action of sending an email message.
The 'send icmp request' value specifies the defined action of sending an ICMP request.
The NetworkActionNameVocab is the default MAEC vocabulary for network action names, captured via the ActionType/Name element in CybOX Core.
For network action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated NetworkActionNameVocab-1.0.
The NetworkActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with networking.
The 'open port' value specifies the defined action of opening a network port.
The 'close port' value specifies the defined action of closing a network port.
The 'connect to ip' value specifies the defined action of connecting to an IP address.
The 'disconnect from ip' value specifies the defined action of disconnecting from a previously established connection to an IP address.
The 'connect to url' value specifies the defined action of connecting to a URL.
The 'connect to socket address' value specifies the defined action of connecting to a socket address, consisting of an IP address and port number.
The 'download file' value specifies the defined action of downloading a file from a remote location.
The 'upload file' value specifies the defined action of uploading a file to a remote location.
The 'listen on port' value specifies the defined action of listening on a specific port.
The 'send email message' value specifies the defined action of sending an email message.
The 'send icmp request' value specifies the defined action of sending an ICMP request.
The 'send network packet' value specifies the defined action of sending a packet on a network.
The 'receive network packet' value specifies the defined action of receiving a packet on a network.
The NetworkShareActionNameVocab is the default MAEC vocabulary for Windows network share action names, captured via the ActionType/Name element in CybOX Core.
For network share action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The NetworkShareActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with Windows network shares.
The 'add connection to network share' value specifies the defined action of adding a connection to an existing network share.
Windows-specific.
The 'add network share' value specifies the defined action of adding a new network share on a server.
Windows-specific.
The 'delete network share' value specifies the defined action of deleting an existing network share on a server.
Windows-specific.
The 'connect to network share' value specifies the defined action of connecting to an existing network share.
Windows-specific.
The 'disconnect from network share' value specifies the defined action of disconnecting from an existing network share.
Windows-specific.
The 'enumerate network shares' value specifies the defined action of enumerating the available shared resources on a server.
Windows-specific.
The SocketActionNameVocab is the default MAEC vocabulary for socket action names, captured via the ActionType/Name element in CybOX Core.
For socket action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The SocketActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with network sockets.
The 'accept socket connection' value specifies the defined action of accepting a socket connection.
The 'bind address to socket' value specifies the defined action of binding a socket address to a socket.
The 'create socket' value specifies the defined action of creating a new socket.
The 'close socket' value specifies the defined action of closing an existing socket.
The 'connect to socket' value specifies the defined action of connecting to an existing socket.
The 'disconnect from socket' value specifies the defined action of disconnecting from an existing socket.
The 'listen on socket' value specifies the defined action of listening on an existing socket.
The 'send data on socket' value specifies the defined action of sending data on an existing, connected socket.
The 'receive data on socket' value specifies the defined action of receiving data on an existing socket.
The 'send data to address on socket' value specifies the defined action of sending data to a specified IP address on an existing, unconnected socket.
The 'get host by address' value specifies the defined action of getting information on a host from a local or remote host database by its IP address.
The 'get host by name' value specifies the defined action of getting information on a host from a local or remote host database by its name.
The RegistryActionNameVocab is the default MAEC vocabulary for registry action names, captured via the ActionType/Name element in CybOX Core.
For registry action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The RegistryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Windows registry.
The 'create registry key' value specifies the defined action of creating a new registry key.
Windows-specific.
The 'delete registry key' value specifies the defined action of deleting an existing registry key.
Windows-specific.
The 'open registry key' value specifies the defined action of opening an existing registry key.
Windows-specific.
The 'close registry key' value specifies the defined action of closing a handle to an existing registry key.
Windows-specific.
The 'create registry key value' value specifies the defined action of creating a new named value under an existing registry key.
Windows-specific.
The 'delete registry key value' value specifies the defined action of deleting an existing named value under an existing registry key.
Windows-specific.
The 'enumerate registry key subkeys' value specifies the defined action of enumerating the registry key subkeys under an existing registry key.
Windows-specific.
The 'enumerate registry key values' value specifies the defined action of enumerating the named values under an existing registry key.
Windows-specific.
The 'get registry key attributes' value specifies the defined action of getting the attributes of an existing registry key.
Windows-specific.
The 'read registry key value' value specifies the defined action of reading an existing named value of an existing registry key.
Windows-specific.
The 'modify registry key value' value specifies the defined action of modifying an existing named value of an existing registry key.
Windows-specific.
The 'modify registry key' value specifies the defined action of modifying an existing registry key.
Windows-specific.
The 'monitor registry key' value specifies the defined action of monitoring an existing registry key for changes.
Windows-specific.
The UserActionNameVocab is the default MAEC vocabulary for user action names, captured via the ActionType/Name element in CybOX Core.
For user action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
The UserActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with users.
Deprecated as of MAEC 4.1.
The 'add user' value specifies the defined action of adding a new user.
The 'delete user' value specifies the defined action of deleting an existing user.
The 'enumerate users' value specifies the defined action of enumerating all users.
The 'get user attributes' value specifies the defined action of getting the attributes of an existing user.
The 'logon as user' value specifies the defined action of logging on as a specific user.
The UserActionNameVocab is the default MAEC vocabulary for user action names, captured via the ActionType/Name element in CybOX Core.
For user action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated UserActionNameVocab-1.0.
The UserActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with users.
The 'add user' value specifies the defined action of adding a new user.
The 'delete user' value specifies the defined action of deleting an existing user.
The 'enumerate users' value specifies the defined action of enumerating all users.
The 'get user attributes' value specifies the defined action of getting the attributes of an existing user.
The 'logon as user' value specifies the defined action of logging on as a specific user.
The 'change password' value specifies the defined action of changing an existing user's password.
The 'add user to group' value specifies the defined action of adding an existing user to an existing group.
The 'remove user from group' value specifies the defined action of removing an existing user from an existing group.
The 'invoke user privilege' value specifies the defined action of invoking a privilege given to an existing user.
The IPCActionNameVocab is the default MAEC vocabulary for inter-process communication action names, captured via the ActionType/Name element in CybOX Core.
For IPC action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The IPCActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with entities related to Inter-Process Communication (IPC).
The 'create named pipe' value specifies the defined action of creating a new named pipe.
The 'delete named pipe' value specifies the defined action of deleting an existing named pipe.
The 'connected to named pipe' value specifies the defined action of connecting to an existing named pipe.
The 'disconnect from named pipe' value specifies the defined action of disconnecting from an existing named pipe.
The 'read from named pipe' value specifies the defined action of reading some data from an existing named pipe.
The 'write to named pipe' value specifies the defined action of writing some data to an existing named pipe.
The 'create mailslot' value specifies the defined action of creating a new named mailslot.
Windows-specific.
The 'read from mailslot' value specifies the defined action of reading some data from an existing named mailslot.
Windows-specific.
The 'write to mailslot' value specifies the defined action of writing some data to an existing named mailslot.
Windows-specific.
The ProcessMemoryActionNameVocab is the default MAEC vocabulary for process memory action names, captured via the ActionType/Name element in CybOX Core.
For process memory action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The ProcessMemoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the memory regions of a process.
The 'allocate process virtual memory' value specifies the defined action of allocating some virtual memory region in an existing process.
The 'free process virtual memory' value specifies the defined action of freeing some virtual memory region from an existing process.
The 'modify process virtual memory protection' value specifies the defined action of modifying the protection on a memory region in the virtual address space of an existing process.
The 'read from process memory' value specifies the defined action of reading from a memory region of an existing process.
The 'write to process memory' value specifies the defined action of writing to a memory region of an existing process.
The 'map file into process' value specifies the defined action of mapping an existing file into the address space of the calling process.
The 'unmap file from process' value specifies the defined action of unmapping an existing file from the address space of the calling process.
The 'map library into process' value specifies the defined action of mapping a library into the address space of the calling process.
The ProcessActionNameVocab is the default MAEC vocabulary for process action names, captured via the ActionType/Name element in CybOX Core.
For process action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The ProcessActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with processes.
The 'create process' value specifies the defined action of creating a new process.
The 'kill process' value specifies the defined action of killing an existing process.
The 'create process as user' value specifies the defined action of creating a new process in the security context of a specified user.
The 'enumerate processes' value specifies the defined action of enumerating all of the running processes on a system.
The 'open process' value specifies the defined action of opening an existing process.
The 'flush process instruction cache' value specifies the defined action of flushing the instruction cache of an existing process.
The 'get process current directory' value specifies the defined action of getting the current directory of an existing process.
The 'set process current directory' value specifies the defined action of setting the current directory of an existing process.
The 'get process environment variable' value specifies the defined action of getting an environment variable used by an existing process.
The 'set process environment variable' value specifies the defined action of setting an environment variable used by an existing process.
The 'sleep process' value specifies the defined action of sleeping an existing process for some period of time.
The 'get process startupinfo' value specifies the defined action of getting the STARTUPINFO struct associated with an existing process.
Windows-specific.
The ProcessThreadActionNameVocab is the default MAEC vocabulary for process thread action names, captured via the ActionType/Name element in CybOX Core.
For process thread action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The ProcessThreadActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with process threads.
The 'create thread' value specifies the defined action of creating a new thread in the virtual address space of the calling process.
The 'kill thread' value specifies the defined action of killing a thread existing in the virtual address space of the calling process.
The 'create remote thread in process' value specifies the defined action of creating a thread that runs in the virtual address space of another existing process.
The 'enumerate threads' value specifies the defined action of enumerating all threads in the calling process.
The 'get thread username' value specifies the defined action of getting the name or ID of the user associated with an existing thread.
The 'impersonate process' value specifies the defined action of a thread in the calling process impersonating the security context of another existing process.
Windows-specific.
The 'revert thread to self' value specifies the defined action of reverting an existing thread to its own security context.
Windows-specific.
The 'get thread context' value specifies the defined action of getting the context structure (containing processor-specific register data) of an existing thread.
Windows-specific.
The 'set thread context' value specifies the defined action of setting the context structure (containing processor-specific register data) for an existing thread.
Windows-specific.
The 'queue apc in thread' value specifies the defined action of queuing a new Asynchronous Procedure Call (APC) in the context of an existing thread.
Windows-specific.
The ServiceActionNameVocab is the default MAEC vocabulary for service action names, captured via the ActionType/Name element in CybOX Core.
For service action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
The ServiceActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with services or daemons.
Deprecated as of MAEC 4.1.
The 'create service' value specifies the defined action of creating a new service.
The 'delete service' value specifies the defined action of deleting an existing service.
The 'start service' value specifies the defined action of starting an existing service.
The 'enumerate services' value specifies the defined action of enumerating a specific set of services on a system.
The 'modify service configuration' value specifies the defined action of modifying the configuration parameters of an existing service.
The 'open service' value specifies the defined action of opening an existing service.
The 'send control code to service' value specifies the defined action of sending a control code to an existing service.
Windows-specific.
The ServiceActionNameVocab is the default MAEC vocabulary for service action names, captured via the ActionType/Name element in CybOX Core.
For service action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated ServiceActionNameVocab-1.0.
The ServiceActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with services or daemons.
The 'create service' value specifies the defined action of creating a new service.
The 'delete service' value specifies the defined action of deleting an existing service.
The 'start service' value specifies the defined action of starting an existing service.
The 'stop service' value specifies the defined action of stopping an existing service.
The 'enumerate services' value specifies the defined action of enumerating a specific set of services on a system.
The 'modify service configuration' value specifies the defined action of modifying the configuration parameters of an existing service.
The 'open service' value specifies the defined action of opening an existing service.
The 'send control code to service' value specifies the defined action of sending a control code to an existing service.
Windows-specific.
The SynchronizationActionNameVocab is the default MAEC vocabulary for synchronization action names, captured via the ActionType/Name element in CybOX Core.
For synchronization action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The SynchronizationActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with process and thread synchronization-related entities.
The 'create mutex' value specifies the defined action of creating a new named mutex.
The 'delete mutex' value specifies the defined action of deleting an existing named mutex.
The 'open mutex' value specifies the defined action of opening an existing named mutex.
The 'release mutex' value specifies the defined action of releasing ownership of an existing named mutex.
The 'create semaphore' value specifies the defined action of creating a new named semaphore.
The 'delete semaphore' value specifies the defined action of deleting an existing named semaphore.
The 'open semaphore' value specifies the defined action of opening an existing named semaphore.
The 'release semaphore' value specifies the defined action of releasing ownership of an existing named semaphore.
The 'create event' value specifies the defined action of creating a new named event object.
Windows-specific.
The 'delete event' value specifies the defined action of deleting an existing named event object.
Windows-specific.
The 'open event' value specifies the defined action of opening an existing named event object.
Windows-specific.
The 'reset event' value specifies the defined action of resetting an existing named event object to the non-signaled state.
Windows-specific.
The 'create critical section' value specifies the defined action of creating a new critical section.
Windows-specific.
The 'delete critical section' value specifies the defined action of deleting an existing critical section object.
Windows-specific.
The 'open critical section' value specifies the defined action of opening an existing critical section object.
Windows-specific.
The 'release critical section' value specifies the defined action of releasing an existing critical section object.
Windows-specific.
The SystemActionNameVocab is the default MAEC vocabulary for system action names, captured via the ActionType/Name element in CybOX Core.
For system action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The SystemInfoActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with system-related entities.
The 'add scheduled task' value specifies the defined action of adding a scheduled task to a system.
The 'shutdown system' value specifies the defined action of shutting down a system.
The 'sleep system' value specifies the defined action of sleeping a system for some period of time.
The 'get elapsed system up time' value specifies the defined action of getting the elapsed up-time for a system.
The 'get netbios name' value specifies the defined action of getting the NetBIOS name of a system.
The 'set netbios name' value specifies the defined action of setting the NetBIOS name of a system.
The 'get system host name' value specifies the defined action of getting the host name of a system.
The 'set system host name' value specifies the defined action of setting the host name of a system.
The 'get system time' value specifies the defined action of getting the system time of a system, represented in Coordinated Universal Time (UTC).
The 'set system time' value specifies the defined action of setting the system time for a system, represented in Coordinated Universal Time (UTC).
The 'get system local time' value specifies the defined action of getting the local time of a system.
The 'set system local time' value specifies the defined action of setting the local time of a system.
The 'get username' value specifies the defined action of getting the username of the currently logged in user of a system.
The 'enumerate system handles' value specifies the defined action of enumerating all open handles on a system.
Windows-specific.
The 'get system global flags' value specifies the defined action of getting the enabled global flags on a system.
Windows-specific.
The 'set system global flags' value specifies the defined action of setting system global flags on a system.
Windows-specific.
The 'get windows directory' value specifies the defined action of getting the Windows installation directory on a system.
Windows-specific.
The 'get windows system directory' value specifies the defined action of getting the Windows \System directory on a system.
Windows-specific.
The 'get windows temporary files directory' value specifies the defined action of getting the Windows temporary files directory on a system.
Windows-specific.
The GUIActionNameVocab is the default MAEC vocabulary for GUI action names, captured via the ActionType/Name element in CybOX Core.
For GUI action names, it should be used in place of the CybOX ActionNameVocab-1.0.
The GUIActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with graphical user interfaces (GUIs).
The 'create window' value specifies the defined action of creating a new window.
The 'kill window' value specifies the defined action of killing an existing window.
The 'create dialog box' value specifies the defined action of creating a new dialog box.
The 'enumerate windows' value specifies the defined action of enumerating all open windows.
The 'find window' value specifies the defined action of searching for a particular window.
The 'hide window' value specifies the defined action of hiding an existing window.
The 'show window' value specifies the defined action of showing an existing window.
The GroupingRelationshipTypeVocab is the default MAEC vocabulary for the grouping relationships in a Package, captured via the GroupingRelationshipType/Type element in the MAEC Package.
The GroupingRelationshipEnum is a non-exhaustive enumeration of Malware Subject grouping relationships.
The 'same malware family' value indicates that the Malware Subjects in the Package are all part of the same malware family.
The 'clustered together' value indicates that the Malware Subjects in the Package were clustered together by some algorithm or other capability.
The 'observed together' value indicates that the Malware Subjects in the Package were abstractly observed together, such as on a host system, in some archive, etc.
The 'part of intrusion set' value indicates that the Malware Subjects in the Package were found as part of the same malware intrusion set.
The 'same malware toolkit' value indicates that the Malware Subjects in the Package were all created using the same malware toolkit, independent of toolkit version.
The MalwareConfigurationParameterVocab is the default MAEC vocabulary for malware configuration parameter names, captured via the MalwareConfigurationParameterType/Name element in the MAEC Package.
The MalwareConfigurationParameterEnum is a non-exhaustive enumeration of malware configuration parameter names.
The 'magic number' value refers to a configuration parameter that captures a file signature that may be used to identify or validate the content of the malware instance.
The 'id' value refers to a configuration parameter that captures an identifier for the malware instance.
The 'group id' value refers to a configuration parameter that captures an identifier for a collection of malware instances.
The 'mutex' value refers to a configuration parameter that captures a unique mutex value associated with the malware instance.
The 'filename' value refers to a configuration parameter that captures the name of a malicious binary such as one that is downloaded or embedded within the malware instance.
The 'installation path' value refers to a configuration parameter that captures a location on disk to which the malware instance is installed, copied, or moved.
The MalwareSubjectRelationshipTypeVocab is the default MAEC vocabulary for the Malware Subject relationships in a Package, captured via the MalwareSubjectRelationshipType/Type element in the MAEC Package.
Deprecated as of MAEC 4.1.
The MalwareSubjectRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Subjects.
Deprecated as of MAEC 4.1.
The 'downloads' value specifies that the Malware Subject downloads one or more other Malware Subject(s).
The 'downloaded by' value specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).
The 'drops' value specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).
The 'dropped by' value specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).
The 'extracts' value specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).
The 'extracted from' value specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).
The MalwareSubjectRelationshipTypeVocab is the default MAEC vocabulary for the Malware Subject relationships in a Package, captured via the MalwareSubjectRelationshipType/Type element in the MAEC Package.
Starting with MAEC 4.1, this vocabulary should be used in place of the deprecated MalwareSubjectRelationshipTypeVocab-1.0.
The MalwareSubjectRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Subjects.
The 'downloads' value specifies that the Malware Subject downloads one or more other Malware Subject(s).
The 'downloaded by' value specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).
The 'drops' value specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).
The 'dropped by' value specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).
The 'extracts' value specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).
The 'extracted from' value specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).
The 'direct descendant of' value specifies that the current Malware Subject is a direct descendant (i.e. in terms of development lineage) of one or more other Malware Subject(s).
The 'direct ancestor of' value specifies that the current Malware Subject is a direct ancestor (i.e. in terms of development lineage) of one or more other Malware Subject(s).
The 'memory image of' value specifies that the current Malware Subject represents a memory image associated with one or more other Malware Subject(s).
The 'contained in memory image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent memory images.
The 'disk image of' value specifies that the current Malware Subject represents a disk image associated with one or more other Malware Subject(s).
The 'contained in disk image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent disk images.
The 'network traffic capture of' value specifies that the current Malware Subject represents captured network traffic associated with one or more other Malware Subject(s).
The 'contained in network traffic capture' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent captures of network traffic.
The 'packed version of' value specifies that the current Malware Subject represents a packed version (in terms of executable binary packing) of one or more other Malware Subject(s).
The 'unpacked version of' value specifies that the current Malware Subject represents an unpacked version (in terms of executable binary packing) of one or more other Malware Subject(s).
The 'installs' value specifies that the current Malware Subject installs one or more other Malware Subject(s).
The 'installed by' value specifies that the current Malware Subject is installed by one or more other Malware Subject(s).
The '64-bit version of' value specifies that the current Malware Subject is a 64-bit version of one or more other Malware Subject(s).
The '32-bit version of' value specifies that the current Malware Subject is a 32-bit version of one or more other Malware Subject(s).
The 'encrypted version of' value specifies that the current Malware Subject is an encrypted version of one or more other Malware Subject(s).
The 'decrypted version of' value specifies that the current Malware Subject is a decrypted version of one or more other Malware Subject(s).
The MalwareDevelopmentToolVocab is the default MAEC vocabulary for the Type field in the CybOX ToolInformationType, as used in the Development_Environment/Tools/Tool field in the Malware Subject.
The GroupingRelationshipEnum is a non-exhaustive enumeration of tools used in the development of malware.
The 'builder' value specifies a malware builder tool (commonly used to mass-produce malware) that was used to generate the malware instance.
The 'compiler' value specifies a compiler tool that was used to compile the code composing the malware instance.
The 'linker' value specifies a linker tool that was used to link the object files associated with the malware instance.
The 'packer' value specifies a packer tool that was used to shrink the size of the executable binary associated with the malware instance. Packers are also sometimes referred to as 'compressors'.
The 'crypter' value specifies a crypter tool that was used to encrypt the executable binary associated with the malware instance.
The 'protector' value specifies a protector tool that was used to obfuscate the executable binary associated with the malware instance to make it more difficult to reverse engineer.
The MalwareLabelVocab-1.0 is the default MAEC Vocabulary for common malware labels.
The MalwareLabelEnum-1.0 is a non-exhaustive enumeration of common malware labels.
The 'adware' value specifies any software that is funded by advertising. Some adware may install itself in such a manner as to become difficult to remove, hiding components and disabling removal techniques. Adware may also gather sensitive user information from a system.
The 'appender' value specifies a file-infecting virus that places its code at the end of the files it infects, adjusting the file's entry point to cause its code to be executed before that of the original file.
The 'backdoor' value specifies a piece of software which, once running on a system, opens a communication vector to the outside so that the computer can be accessed remotely by an attacker.
The 'boot sector virus' value specifies a virus that infects the master boot record of a storage device.
The 'bot' value specifies a program which resides on an infected system, communicating with and forming part of a botnet. The bot may be implanted by a worm or trojan, which opens a backdoor. The bot then monitors the backdoor for further instructions.
The 'clicker' value specifies a trojan that makes a system visit a specific web page, often very frequently and usually with the aim of increasing the traffic recorded by the site and thus increasing revenue from advertising. Clickers may also be used to carry out DDoS attacks.
The 'companion virus' value specifies a virus that takes the place of a particular file on a system instead of injecting code into it.
The 'cavity filler' value specifies a type of file-infecting virus which seeks out unused space within the files it infects, inserting its code into these gaps to avoid changing the size of the file and thus not alerting integrity-checking software to its presence.
The 'data diddler' value specifies a type of malware that makes small, random changes to data, such as data in a spreadsheet, to render the data contained in a document inaccurate and in some cases worthless.
The 'downloader' value specifies a small trojan file programmed to download and execute other files, usually more complex malware.
The 'dropper file' value specifies a type of Trojan that deposits an enclosed payload onto a destination host computer by loading itself into memory, extracting the malicious payload, and then writing it to the file system.
The 'file infector virus' value specifies a virus that infects a system by inserting itself somewhere in existing files; this is the "classic" form of virus.
The 'fork bomb' value specifies a very simple form of malware, a type of rabbit which simply launches more copies of itself. Once a fork bomb is executed, it attempts to run several identical processes, each of which does the same; the number grows exponentially until the system's resources are overwhelmed by the identical processes running, which may in some cases bring the system down and cause a denial of service.
The 'greyware' value specifies software that, while not definitely malicious, has a suspicious or potentially unwanted aspect.
The 'implant' value specifies code inserted into an existing program using a code patcher or other tool.
The 'infector' value specifies a function of malware that alters target files for the purpose of persisting and hiding the injected malware.
The 'keylogger' value specifies a type of program implanted on a system to monitor the keys pressed and thus record any sensitive data, such as passwords, entered by the user.
The 'kleptographic worm' value specifies a worm that encrypts information assets on compromised systems so they can only be decrypted by the worm's author, also known as information-stealing worm.
The 'macro virus' value specifies a virus that uses a macro language, for example in Microsoft Office documents.
The 'malcode' value is short for malicious code, also known as malware.
The 'mass-mailer' value specifies a worm that uses email to propagate across the internet.
The 'metamorphic virus' value specifies a virus that changes its own code with each infection.
The 'mid-infector' value specifies a type of file-infecting virus which places its code in the middle of files it infects. It may move a section of the original code to the end of the file, or simply push the code aside to make space for its own code.
The 'mobile code' value specifies 1. Code received from remote, possibly untrusted systems, but executed on a local system. 2. Software transferred between systems (e.g. across a network) and executed on a local system without explicit installation or execution by the recipient.
The 'multipartite virus' value specifies malware that infects boot records, boot sectors, and files.
The 'password stealer' value specifies a type of trojan designed to steal passwords, personal data and details, or other sensitive information from the infected system.
The 'polymorphic virus' value specifies a type of virus that encrypts its code differently with each infection, or generation of infections.
The 'premium dialer/smser' value specifies a piece of malware whose primary aim is to dial or send SMS messages to premium rate numbers.
The 'prepender' value specifies a file-infecting virus which inserts code at the beginning of the files it infects.
The 'ransomware' value specifies a type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files.
The 'rat' value specifies a remote access trojan or RAT, which is a trojan horse capable of controlling a machine through commands issued by a remote attacker.
The 'rogue anti-malware' value specifies a fake security product that demands money to clean phony infections.
The 'rootkit' value generally refers to a method of hiding files or processes from normal methods of monitoring, and is often used by malware to conceal its presence and activities. Originally, the term applied to UNIX-based operating systems - a root kit was a collection of tools to enable a user to obtain root (administrator-level) access to a system and conceal any changes they might make. Such tools often included trojanized versions of standard monitoring software which would hide the root kit operators' activities. More recently the term has generally been applied to malware using stealth techniques. Rootkits can operate at a number of levels, from the application level - simply replacing or adjusting the settings of system software to prevent the display of certain information - through hooking certain functions or inserting modules or drivers into the operating system kernel, to the deeper level of firmware or virtualization rootkits, which are activated before the operating system and thus even harder to detect while the system is running.
The 'shellcode' value specifies 1. A small piece of code that activates a command-line interface to a system that can be used to disable security measures, open a backdoor, or download further malicious code. 2. A small piece of code that opens a system up for exploitation, sometimes but not necessarily involving a command-line shell.
A packer that obfuscates programs by emitting "spaghetti" code with a complex and tangled control structure.
The 'spyware' value specifies software that gathers information and passes it to a third-party without adequate permission from the owner of the data. It may also be used in a wider sense, to include software that makes changes to a system or any of its component software, or which makes use of system resources without the full understanding and consent of the system owner.
The 'trojan horse' value specifies a piece of malicious code disguised as something inert or benign.
The 'variant' value refers to the fact that types of malware can be subdivided into a number of families, or groups sharing many similarities, generally based on the same blocks of code and sharing similar behaviours. Within a family, a variant signifies a single individual item that is uniquely different from other members of the same family.
The 'virus' value specifies 1. A self-replicating malicious program that requires human interaction to replicate. 2. A self-replicating program that runs and spreads by modifying other programs or files.
The 'wabbit' value specifies a form of self-replicating malware that makes copies of itself on the local system. Unlike worms, rabbits do not attempt to spread across networks.
The 'web bug' value specifies a piece of code, generally a small file such as a tiny, transparent GIF image, which is used to track data on those viewing the page or mail in which it is hidden.
The 'wiper' value specifies a piece of malware whose primary aim is to delete files or entire disks on a machine.
The 'worm' value specifies 1. A self-replicating malicious program that replicates using a network and does not require human interaction. 2. A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
The 'zip bomb' value specifies a file compressed into some archive format and that expands to an enormous size when uncompressed, often by looping over the extraction code until the system's resources are exhausted.
The CapabilityObjectiveRelationshipTypeVocab is the default MAEC vocabulary for relationships between Malware Capability Objectives.
The CapabilityObjectiveRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Capability Objectives.
The 'child of' value indicates that the Objective is a child of the Objective being referenced.
The 'parent of' value indicates that the Objective is a parent of the Objective being referenced.
The 'incorporates' value indicates that the Objective incorporates the Objective being referenced in a supporting or enabling role.
The 'incorporated by' value indicates that the Objective is incorporated in a supporting or enabling role by the Objective being referenced.
The AntiBehavioralAnalysisPropertiesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability/Strategic Objective/Tactical Objective Properties.
The AntiBehavioralAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability/Strategic Objective/Tactical Objective Properties.
The 'targeted vm' value refers to the name of a virtual machine (VM) targeted by the Anti-Behavioral Analysis Capability or one of its child Objectives.
The 'targeted sandbox' value refers to the name of a sandbox targeted by the Anti-Behavioral Analysis Capability or one of its child Objectives.
The InfectionPropagationPropertiesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability/Strategic Objective/Tactical Objective Properties.
The InfectionPropagationPropertiesEnum-1.0 is an enumeration of Infection/Propagation Capability/Strategic Objective/Tactical Objective Properties.
The 'scope' value refers to the scope of the infection or propagation performed by the malware instance via the Infection/Propagation Capability, i.e. whether it infects just the local machine or actively propagates to other machines as well.
Recommended values are: 'local', or 'remote'.
The 'targeting' value refers to the type of targeting employed by the Infect Remote Machine Strategic Objective, i.e. whether the targeted machines are randomly selected, or chosen from some particular set.
Recommended values are: 'targeted', 'semi-targeted', or 'untargeted'.
The 'autonomy' value refers to the type of autonomy employed by the Infect Remote Machine Strategic Objective, i.e. whether the remote infection is performed autonomously.
Recommended values are: 'semi-autonomous', 'autonomous'.
The 'targeted file type' value refers to the types of files targeted by the Infect File Strategic Objective.
It is recommended that files be specified via their extension, e.g. "exe", "pdf", etc.
The 'targeted file architecture' value refers to type of file architecture targeted by the Infect File Strategic Objective.
Recommended values are: '32 bit', or '64 bit'.
The 'file infection type' value refers to the type of file infection employed by the Infect File Strategic Objective.
Recommended values are: 'appending', 'prepending', 'overwriting', 'companion', 'variable key', 'polymorphic', or 'metamorphic'.
The DataTheftPropertiesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability/Strategic Objective/Tactical Objective Properties.
The DataTheftPropertiesEnum-1.0 is an enumeration of Data Theft Capability/Strategic Objective/Tactical Objective Properties.
The 'targeted application' value refers to the name of an application targeted by the Steal Authentication Credentials Strategic Objective.
The 'targeted website' value refers to the domain name of a website targeted by the Steal Web/Network Credential Tactical Objective.
The CommandandControlPropertiesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability/Strategic Objective/Tactical Objective Properties.
The CommandandControlPropertiesEnum-1.0 is an enumeration of Command and Control Capability/Strategic Objective/Tactical Objective Properties.
The 'frequency' value refers to a description of the frequency with which the Receive Data from C2 Server and Send Data to C2 Server Strategic Objectives, as well as their child Tactical Objectives, are employed.
It is recommended that the description follow the format of "every x [units]", e.g. "every 5 minutes".
The PrivilegeEscalationPropertiesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability/Strategic Objective/Tactical Objective Properties.
The PrivilegeEscalationPropertiesEnum-1.0 is an enumeration of Privilege Escalation Capability/Strategic Objective/Tactical Objective Properties.
The 'user privilege escalation type' value refers to the type of user privilege escalation employed by the Escalate User Privilege Strategic Objective.
Recommended values are: 'horizontal', or 'vertical'.
The PersistencePropertiesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability/Strategic Objective/Tactical Objective Properties.
The PersistencePropertiesEnum-1.0 is an enumeration of Persistence Capability/Strategic Objective/Tactical Objective Properties.
The 'scope' value refers to the scope of persistence employed by the Persistence Capability, i.e. whether the malware instance makes itself persist, or whether it makes other malware components persist.
Recommended values are: 'self', or 'other malware/components'.
The DestructionPropertiesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability/Strategic Objective/Tactical Objective Properties.
The DestructionPropertiesEnum-1.0 is an enumeration of Destruction Capability/Strategic Objective/Tactical Objective Properties.
The 'erasure scope' value refers to the scope of the erasure performed by the Erase Data Tactical Objective.
Recommended values are: 'whole disk', or 'targeted files'.
The SecurityDegradationPropertiesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability/Strategic Objective/Tactical Objective Properties.
The SecurityDegradationPropertiesEnum-1.0 is an enumeration of Security Degradation Capability/Strategic Objective/Tactical Objective Properties.
The 'targeted program' value refers to the name of a program targeted by the Degrade Security Programs Strategic Objective or one of its child Tactical Objectives.
The SecondaryOperationPropertiesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability/Strategic Objective/Tactical Objective Properties.
The SecondaryOperationPropertiesEnum-1.0 is an enumeration of Secondary Operation Capability/Strategic Objective/Tactical Objective Properties.
The 'trigger type' value refers to a description of the trigger used to wake or terminate the malware instance in the Lie Dormant or Suicide Exit Strategic Objectives, respectively.
The MachineAccessControlPropertiesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability/Strategic Objective/Tactical Objective Properties.
The MachineAccessControlPropertiesEnum-1.0 is an enumeration of Machine Access/Control Capability/Strategic Objective/Tactical Objective Properties.
The 'backdoor type' value refers to the type of backdoor, e.g. reverse shell, employed by the Install Backdoor Strategic Objective.
The DataExfiltrationPropertiesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability/Strategic Objective/Tactical Objective Properties.
The DataExfiltrationPropertiesEnum-1.0 is an enumeration of Data Exfiltration Capability/Strategic Objective/Tactical Objective Properties.
The 'archive type' value refers to the name of the file archive format used in the Stage Data for Exfiltration Strategic Objective and/or its Package Data Tactical Objective.
The 'file type' value refers to the name of the file format used for storing data to be exfiltrated as part of the Data Exfiltration Capability or its child Objectives.
The AvailabilityViolationPropertiesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability/Strategic Objective/Tactical Objective Properties.
The AvailabilityViolationPropertiesEnum-1.0 is an enumeration of Availability Violation Capability/Strategic Objective/Tactical Objective Properties.
The 'cryptocurrency type' value refers to the type of cryptocurrency targeted by the Mine for CryptoCurrency Strategic Objective.
The CommonCapabilityPropertiesVocab-1.0 is a MAEC Vocabulary of properties common to many Capabilities and their child Objectives.
The CommonCapabilityPropertiesEnum-1.0 is an enumeration of properties common to many Capability/Strategic Objective/Tactical Objective Properties.
The 'encryption algorithm' value refers to the name of the encryption algorithm used in the Capability or Objective.
The 'protocol used' value refers to the name of the network protocol used in the Capability or Objective.
It is recommended that protocols be specified by their acronym or abbreviated name, e.g. "IRC", "HTTP".
The MalwareCapabilityVocab-1.0 is the default MAEC Vocabulary for Malware Capabilities.
The MalwareCapabilityEnum-1.0 is an enumeration of Malware Capabilities.
The 'command and control' (C2) Capability indicates that the malware instance is able to receive and execute remotely submitted commands.
The 'remote machine manipulation' Capability indicates that the malware instance is able to manipulate or access other remote machines.
The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes.
The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser.
The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices).
The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives.
The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system.
The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult.
The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself.
The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.
The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system.
The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data.
The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives.
The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system.
The 'security degradation' Capability indicates that the malware instance is able to bypass or disable security features and/or controls.
The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system.
The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system.
The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system.
The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events.
The 'machine access/control' Capability indicates that the malware instance is able to provide the means to access or control the machine on which it is resident.
The CommandandControlStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability Strategic Objectives.
The CommandandControlStrategicObjectivesEnum-1.0 is an enumeration of Command and Control Capability Strategic Objectives.
The 'determine c2 server' value indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate.
The 'control behavior' value indicates that the malware instance is able to control its behavior through some external stimulus (e.g., a remotely submitted command).
The 'send data to c2 server' value indicates that the malware instance is able to send some data to a command and control server.
The CommandandControlTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability Tactical Objectives.
The CommandandControlTacticalObjectivesEnum-1.0 is an enumeration of Command and Control Capability Tactical Objectives.
The 'check for payload' value indicates that the malware instance is able to query a command and control server to check whether a new malicious payload is available for download.
The 'validate data' value indicates that the malware instance is able to validate the integrity of the data it receives from a command and control server.
The 'control malware via remote command' value indicates that the malware instance is able to execute commands issued to it from a remote source such as a command and control server, for the purpose of controlling its behavior.
The 'send system information' value indicates that the malware instance is able to send data regarding the system on which it is executing to a command and control server.
The 'send heartbeat data' value indicates that the malware instance is able to send heartbeat data to a command and control server, indicating that it is still active on the host system and able to communicate.
The 'generate c2 domain name(s)' value indicates that the malware instance is able to generate the domain name of the command and control server to which it connects.
The 'update configuration' value indicates that the malware instance is able to update its configuration using data received from a command and control server.
The RemoteMachineManipulationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Remote Machine Manipulation Capability Strategic Objectives.
The RemoteMachineManipulationStrategicObjectivesEnum-1.0 is an enumeration of Remote Machine Manipulation Capability Strategic Objectives.
The 'access remote machine' value indicates that the malware instance is able to access a remote machine.
The 'search for remote machines' value indicates that the malware instance is able to search for remote machines to target.
The RemoteMachineManipulationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Remote Machine Manipulation Capability Tactical Objectives.
The RemoteMachineManipulationTacticalObjectivesEnum-1.0 is an enumeration of Remote Machine Manipulation Capability Tactical Objectives.
The 'compromise remote machine' value indicates that the malware instance is able to gain control of a remote machine through compromise.
The PrivilegeEscalationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability Strategic Objectives.
The PrivilegeEscalationStrategicObjectivesEnum-1.0 is an enumeration of Privilege Escalation Capability Strategic Objectives.
The 'impersonate user' value indicates that the malware instance is able to impersonate another user to operate within a different security context (also known as horizontal privilege escalation).
The 'escalate user privilege' value indicates that the malware instance is able to obtain a higher level of access than intended by the system (also known as vertical privilege escalation).
The PrivilegeEscalationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability Tactical Objectives.
The PrivilegeEscalationTacticalObjectivesEnum-1.0 is an enumeration of Privilege Escalation Capability Tactical Objectives.
The 'elevate cpu mode' value indicates that the malware instance is able to elevate the CPU (processor) mode under which it executes.
The DataTheftStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability Strategic Objectives.
The DataTheftStrategicObjectivesEnum-1.0 is an enumeration of Data Theft Capability Strategic Objectives.
The 'steal stored information' value indicates that the malware instance is able to steal information stored on a system (e.g., files).
The 'steal user data' value indicates that the malware instance is able to steal user data (e.g., email).
The 'steal system information' value indicates that the malware instance is able to steal information about a system (e.g., network address data).
The 'steal authentication credentials' value indicates that the malware instance is able to steal authentication credentials.
The DataTheftTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability Tactical Objectives.
The DataTheftTacticalObjectivesEnum-1.0 is an enumeration of Data Theft Capability Tactical Objectives.
The 'steal dialed phone numbers' value indicates that the malware instance is able to steal the list of phone numbers that a user has dialed.
The 'steal email data' value indicates that the malware instance is able to steal a user's email data.
The 'steal referer urls' value indicates that the malware instance is able to steal HTTP referrer information (URL of the webpage that linked to the resource being requested).
The 'steal cryptocurrency data' value indicates that the malware instance is able to steal cryptocurrency data (e.g., Bitcoin wallets).
The 'steal pki software certificate' value indicates that the malware instance is able to steal one or more public key infrastructure (PKI) software certificates.
The 'steal browser cache' value indicates that the malware instance is able to steal a user's browser cache.
The 'steal serial numbers' value indicates that the malware instance is able to steal serial numbers stored on a system.
The 'steal sms database' value indicates that the malware instance is able to steal a user's short message service (SMS) (text messaging) database.
The 'steal cookie' value indicates that the malware instance is able to steal cookies.
The 'steal password hashes' value indicates that the malware instance is able to steal password hashes.
The 'steal make/model' value indicates that the malware instance is able to steal the information on the make and/or model of a system.
The 'steal documents' value indicates that the malware instance is able to steal document files stored on a system.
The 'steal network address' value indicates that the malware instance is able to steal information about the network addresses used by a system.
The 'steal open port' value indicates that the malware instance is able to steal information about the open ports on a system.
The 'steal images' value indicates that the malware instance is able to steal image files stored on a system.
The 'steal browser history' value indicates that the malware instance is able to steal a user's browser history.
The 'steal web/network credential' value indicates that the malware instance is able to steal usernames, passwords, or other forms of network credentials.
The 'steal pki key' value indicates that the malware instance is able to steal one or more public key infrastructure (PKI) keys.
The 'steal contact list data' value indicates that the malware instance is able to steal a user's contact list.
The 'steal database content' value indicates that the malware instance is able to steal database content.
The SpyingStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Spying Capability Strategic Objectives.
The SpyingStrategicObjectivesEnum-1.0 is an enumeration of Spying Capability Strategic Objectives.
The 'capture system input peripheral data' value indicates that the malware instance is able to capture data from a system's input peripheral devices.
The 'capture system state data' value indicates that the malware instance is able to capture information about a system's state (e.g., from its RAM).
The 'capture system interface data' value indicates that the malware instance is able to capture data from a system's interfaces.
The 'capture system output peripheral data' value indicates that the malware instance is able to capture data sent to a system's output peripheral devices.
The SpyingTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Spying Capability Tactical Objectives.
The SpyingTacticalObjectivesEnum-1.0 is an enumeration of Spying Capability Tactical Objectives.
The 'capture system screenshot' value indicates that the malware instance is able to capture images of what is currently being displayed on a system's screen, either locally or remotely via a remote desktop protocol.
The 'capture camera input' value indicates that the malware instance is able to capture data from a system's camera.
The 'capture file system' value indicates that the malware instance is able to capture data from a system's file system.
The 'capture printer output' value indicates that the malware instance is able to capture data sent to a system's printer.
The 'capture gps data' value indicates that the malware instance is able to capture system GPS data.
The 'capture keyboard input' value indicates that the malware instance is able to capture data from a system's keyboard.
The 'capture mouse input' value indicates that the malware instance is able to capture data from a system's mouse.
The 'capture microphone input' value indicates that the malware instance is able to capture data from a system's microphone.
The 'capture system network traffic' value indicates that the malware instance is able to capture system network traffic.
The 'capture touchscreen input' value indicates that the malware instance is able to capture data from a system's touchscreen.
The 'capture system memory' value indicates that the malware instance is able to capture data from a system's RAM.
The SecondaryOperationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability Strategic Objectives.
The SecondaryOperationStrategicObjectivesEnum-1.0 is an enumeration of Secondary Operation Capability Strategic Objectives.
The 'patch operating system file(s)' value indicates that the malware instance is able to patch or modify the critical system files of the operating system under which it executes.
The 'remove traces of infection' value indicates that the malware instance is able to remove traces of its infection of a system.
The 'log activity' value indicates that the malware instance is able to log its own activity.
The 'lay dormant' value indicates that the malware instance is able to lay dormant on a system for some period of time.
The 'install other components' value indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools.
The 'suicide exit' value indicates that the malware instance is able to terminate itself based on some condition or value.
The SecondaryOperationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability Tactical Objectives.
The SecondaryOperationTacticalObjectivesEnum-1.0 is an enumeration of Secondary Operation Capability Tactical Objectives.
The 'install secondary module' value indicates that the malware instance is able to install a secondary module (typically related to itself).
The 'install secondary malware' value indicates that the malware instance is able to install another malware instance.
The 'install legitimate software' value indicates that the malware instance is able to install legitimate software.
The 'remove self' value indicates that the malware instance is able to remove itself from the system.
The 'remove system artifacts' value indicates that the malware instance is able to remove its artifacts from a system.
The AntiDetectionStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Detection Capability Strategic Objectives.
The AntiDetectionStrategicObjectivesEnum-1.0 is an enumeration of Anti-Detection Capability Strategic Objectives.
The 'security software evasion' value indicates that the malware instance is able to evade security software (e.g., anti-virus tools).
The 'hide executing code' value indicates that the malware instance is able to hide its executing code.
The 'self-modification' value indicates that the malware instance is able to modify itself.
The 'anti-memory forensics' value indicates that the malware instance is able to prevent memory forensics or make it more difficult.
The 'hide non-executing code' value indicates that the malware instance is able to hide its non-executing code.
The 'hide malware artifacts' value indicates that the malware instance is able to hide its artifacts.
The AntiDetectionTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Detection Capability Tactical Objectives.
The AntiDetectionTacticalObjectivesEnum-1.0 is an enumeration of Anti-Detection Capability Tactical Objectives.
The 'hide open network ports' value indicates that the malware instance is able to hide its open network ports.
The 'execute before/external to kernel/hypervisor' value indicates that the malware instance is able to execute some or all of its code before or external to the system's kernel or hypervisor (e.g., through the BIOS).
The 'encrypt self' value indicates that the malware is able to encrypt itself.
The 'hide processes' value indicates that the malware instance is able to hide its processes.
The 'hide network traffic' value indicates that the malware instance is able to hide its network traffic.
The 'change/add content' value indicates that the malware instance is able to change or add to its content.
The 'execute stealthy code' value indicates that the malware instance is able to execute some or all of its code in a hidden manner (e.g., by injecting it into a benign process).
The 'hide registry artifacts' value indicates that the malware instance is able to hide its Windows registry artifacts.
The 'hide userspace libraries' value indicates that the malware instance is able to hide its usage of userspace libraries.
The 'hide arbitrary virtual memory' value indicates that the malware instance is able to hide arbitrary virtual memory to prevent retrieval.
The 'execute non-main cpu code' value indicates that the malware instance is able to execute some or all of its code on a secondary, non-CPU processor (e.g., a GPU).
The 'feed misinformation during physical memory acquisition' value indicates that the malware instance is able to report inaccurate data when the content of physical memory is retrieved.
The 'prevent physical memory acquisition' value indicates that the malware instance is able to prevent the contents of a system's physical memory from being retrieved.
The 'prevent native api hooking' value indicates that the malware instance is able to prevent other software from hooking native APIs.
The 'obfuscate artifact properties' value indicates that the malware instance is able to hide the properties of its artifacts (e.g., by altering timestamps).
The 'hide kernel modules' value indicates that the malware instance is able to hide its usage of kernel modules.
The 'hide code in file' value indicates that the malware instance is able to hide its code in a file.
The 'hide services' value indicates that the malware instance is able to hide any system services it creates or injects itself into.
The 'hide file system artifacts' value indicates that the malware instance is able to hide its file system artifacts.
The 'hide threads' value indicates that the malware instance is able to hide its threads.
The AntiCodeAnalysisStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Code Analysis Capability Strategic Objectives.
The AntiCodeAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Code Analysis Capability Strategic Objectives.
The 'anti-debugging' value indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult.
The 'code obfuscation' value indicates that the malware instance is able to obfuscate its code.
The 'anti-disassembly' value indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult.
The AntiCodeAnalysisTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Code Analysis Capability Tactical Objectives.
The AntiCodeAnalysisTacticalObjectivesEnum-1.0 is an enumeration of Anti-Code Analysis Capability Tactical Objectives.
The 'transform control flow' value indicates that the malware instance is able to transform its control flow.
The 'restructure arrays' value indicates that the malware instance is able to restructure its arrays, making disassembly more difficult.
The 'detect debugging' value indicates that the malware instance is able to detect its execution in a debugger.
The 'prevent debugging' value indicates that the malware instance is able to prevent its execution in a debugger.
The 'defeat flow-oriented disassembler' value indicates that the malware instance is able to defeat its disassembly in a flow-oriented (recursive traversal) disassembler.
The 'defeat linear disassembler' value indicates that the malware instance is able to prevent its disassembly in a linear disassembler.
The 'obfuscate instructions' value indicates that the malware instance is able to obfuscate its instructions.
The 'obfuscate imports' value indicates that the malware instance is able to obfuscate its import table, making disassembly more difficult.
The 'defeat call graph generation' value indicates that the malware instance is able to defeat accurate call graph generation during disassembly.
The 'obfuscate runtime code' value indicates that the malware instance is able to obfuscate its runtime code.
The InfectionPropagationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability Strategic Objectives.
The InfectionPropagationStrategicObjectivesEnum-1.0 is an enumeration of Infection/Propagation Capability Strategic Objectives.
The 'prevent duplicate infection' value indicates that the malware instance is able to prevent itself from infecting a machine multiple times.
The 'infect file' value denotes that the malware instance is able to infect a file.
The 'infect remote machine' value indicates that the malware instance is able to self-propagate or infect a machine with malware that is different from itself.
The InfectionPropagationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability Tactical Objectives.
The InfectionPropagationTacticalObjectivesEnum-1.0 is an enumeration of Infection/Propagation Capability Tactical Objectives.
The 'identify file' value indicates that the malware instance is able to identify a file or files on a local, removable, and/or network drive for infection.
The 'perform autonomous remote infection' value indicates that the malware instance is able to infect a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure call vulnerability).
The 'identify target machine(s)' value indicates that the malware instance is able to identify one or more machines to be targeted for infection via some remote means (e.g., via email or the network).
The 'perform social-engineering based remote infection' value indicates that the malware instance is able to infect remote machines via some method that involves social engineering (e.g., sending an email with a malicious attachment).
The 'inventory victims' value indicates that the malware instance is able to keep an inventory of the victims that it remotely infects.
The 'write code into file' value indicates that the malware instance is able to write code into a file.
The 'modify file' value indicates that the malware instance is able to modify a file in some other manner than writing code to it, such as packing it (in terms of binary executable packing).
The AntiBehavioralAnalysisStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability Strategic Objectives.
The AntiBehavioralAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability Strategic Objectives.
The 'anti-vm' value indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult.
The 'anti-sandbox' value specifies that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult.
The AntiBehavioralAnalysisTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability Tactical Objectives.
The AntiBehavioralAnalysisTacticalObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability Tactical Objectives.
The 'detect vm environment' value indicates that the malware instance is able to detect whether it is being executed in a virtual machine (VM).
The 'overload sandbox' value indicates that the malware instance is able to overload a sandbox (e.g., by generating a flood of meaningless behavioral data).
The 'prevent execution in sandbox' value indicates that the malware instance is able to prevent its execution in a sandbox.
The 'detect sandbox environment' value indicates that the malware instance is able to detect whether it is being executed in a sandbox environment.
The 'prevent execution in wm' value indicates that the malware instance is able to prevent its execution in a virtual machine (VM).
The IntegrityViolationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Integrity Violation Capability Strategic Objectives.
The IntegrityViolationStrategicObjectivesEnum-1.0 is an enumeration of Integrity Violation Capability Strategic Objectives.
The 'compromise system operational integrity' value indicates that the malware instance is able to compromise the operational integrity of a system.
The 'compromise user data integrity' value indicates that the malware instance is able to compromise the integrity of a system's user data.
The 'annoy user' value indicates that the malware instance is able to annoy the users of a system.
The 'compromise network operational integrity' value indicates that the malware instance is able to compromise the operational integrity of a network.
The 'compromise system data integrity' value indicates that the malware instance is able to compromise the integrity of a system's data.
The IntegrityViolationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Integrity Violation Capability Tactical Objectives.
The IntegrityViolationTacticalObjectivesEnum-1.0 is an enumeration of Integrity Violation Capability Tactical Objectives.
The 'subvert system' value indicates that the malware instance is able to subvert a system to perform beyond its operational boundaries or to perform tasks for which it was not originally intended.
The 'corrupt system data' value indicates that the malware instance is able to corrupt a system's data.
The 'annoy local system user' value indicates that the malware instance is able to annoy local system users.
The 'intercept/manipulate network traffic' value indicates that the malware is able to intercept and/or manipulate traffic on a network.
The 'annoy remote user' value indicates that the malware instance is able to annoy a remote user.
The 'corrupt user data' value indicates that the malware instance is able to corrupt a system's user data.
The DataExfiltrationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability Strategic Objectives.
The DataExfiltrationStrategicObjectivesEnum-1.0 is an enumeration of Data Exfiltration Capability Strategic Objectives.
The 'perform data exfiltration' value indicates that the malware instance is able to perform data exfiltration via some physical or virtual means.
The 'obfuscate data for exfiltration' value indicates that the malware is able to obfuscate data that will be exfiltrated.
The 'stage data for exfiltration' value indicates that the malware instance is able to gather and prepare data for exfiltration.
The DataExfiltrationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability Tactical Objectives.
The DataExfiltrationTacticalObjectivesEnum-1.0 is an enumeration of Data Exfiltration Capability Tactical Objectives.
The 'exfiltrate via covert channel' value indicates that the malware instance is able to exfiltrate data using a covert channel.
The 'exfiltrate via fax' value indicates that the malware instance is able to exfiltrate data using a fax system.
The 'exfiltrate via physical media' value indicates that the malware instance is able to exfiltrate data using physical media (e.g., a USB drive).
The 'encrypt data' value indicates that the malware instance is able to encrypt data that will be exfiltrated.
The 'exfiltrate via network' value indicates that the malware instance is able to exfiltrate data across the network.
The 'hide data in other formats' value indicates that the malware instance is able to hide data that will be exfiltrated in other formats (also known as steganography).
The 'package data' value indicates that the malware instance is able to package data for exfiltration.
The 'exfiltrate via dumpster dive' value indicates that the malware instance is able to exfiltrate data via dumpster dive (i.e., encoded data printed by malware is viewed as garbage and thrown away to then be physically picked up).
The 'move data to staging server' value indicates that the malware instance is able to move data to be exfiltrated to a particular server to prepare for exfiltration.
The 'exfiltrate via VoIP/phone' value indicates that the malware instance is able to exfiltrate data (encoded as audio) using a phone system.
The AntiRemovalStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Removal Capability Strategic Objectives.
The AntiRemovalStrategicObjectivesEnum-1.0 is an enumeration of Anti-Removal Capability Strategic Objectives.
The 'prevent malware artifact access' value indicates that the malware instance is able to prevent its artifacts from being accessed.
The 'prevent malware artifact deletion' value indicates that the malware instance is able to prevent its artifacts from being deleted from a system.
The AntiRemovalTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Removal Capability Tactical Objectives.
The AntiRemovalTacticalObjectivesEnum-1.0 is an enumeration of Anti-Removal Capability Tactical Objectives.
The 'prevent registry deletion' value indicates that the malware instance is able to prevent its Windows registry entries from being deleted from a system.
The 'prevent api unhooking' value indicates that the malware instance is able to prevent its API hooks from being removed.
The 'prevent file access' value indicates that the malware instance is able to prevent access to the file system.
The 'prevent memory access' value indicates that the malware instance is able to prevent access to system memory where it may be storing code or data.
The 'prevent registry access' value indicates that the malware instance is able to prevent access to the Windows registry.
The 'prevent file deletion' value indicates that the malware instance is able to prevent its files from being deleted from a system.
The SecurityDegradationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability Strategic Objectives.
The SecurityDegradationStrategicObjectivesEnum-1.0 is an enumeration of Security Degradation Capability Strategic Objectives.
The 'disable service provider security features' value indicates that the malware instance is able to bypass or disable third-party security features that would otherwise identify or notify users of its presence.
The 'degrade security programs' value indicates that the malware instance is able to degrade security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters.
The 'disable system updates' value indicates that the malware instance is able to disable the downloading and installation of system updates.
The 'disable os security features' value indicates that the malware instance is able to bypass inherent operating system security mechanisms that typically involve elevated privileges.
The 'disable access controls' value indicates that the malware instance is able to bypass access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files.
The SecurityDegradationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability Tactical Objectives.
The SecurityDegradationTacticalObjectivesEnum-1.0 is an enumeration of Security Degradation Capability Tactical Objectives.
The 'stop execution of security program' value indicates that the malware instance is able to stop one or more security programs that may already be executing on a system.
The 'disable firewall' value indicates that the malware instance is able to evade or disable the host-based firewall or otherwise prevent the blocking of network communications.
The 'disable access right checking' value indicates that the malware instance is able to bypass, disable, or modify the access tokens or access control lists, thereby enabling the malware to read, write, or execute a file with one or more of these controls set.
The 'disable kernel patch protection' value indicates that the malware instance is able to bypass or disable PatchGuard; thus it is capable of operating at the same level as the kernel and kernel mode drivers (KMD).
The 'prevent access to security websites' value indicates that the malware instance is able to prevent access from a system to one or more security vendor or security-related websites.
The 'remove sms warning messages' value indicates that the malware instance is able to capture the message body of incoming SMS messages and abort the broadcasting of a message that meets certain criteria.
The 'modify security program configuration' value indicates that the malware instance is able to modify the configuration of one or more security programs running on a system in order to hamper their usefulness and ability to detect the malware instance.
The 'prevent security program from running' value indicates that the malware instance is able to prevent one or more security programs from running on a system.
The 'disable system update services/daemons' value indicates that the malware instance is able to disable system update services or daemons that may be running on a system.
The 'disable system service pack/patch installation' value indicates that the malware instance is able to disable the system's ability to install service packs or patches.
The 'disable system file overwrite protection' value indicates that the malware instance is able to bypass or disable the Windows file protection feature, thus enabling system files to be modified or replaced.
The 'disable privilege limiting' value indicates that the malware instance is able to bypass controls that limit the privileges that can be granted to a user or entity.
The 'gather security product info' value indicates that the malware instance is able to gather information about the security products installed or running on a system.
The 'disable os security alerts' value indicates that the malware instance is able to evade or disable identification and/or notification of its presence by inherent features of the operating system.
The 'disable user account control' value indicates that the malware instance is able to bypass or disable user account control (UAC), thus enabling a user to run an application with elevated privileges.
The AvailabilityViolationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability Strategic Objectives.
The AvailabilityViolationStrategicObjectivesEnum-1.0 is an enumeration of Availability Violation Capability Strategic Objectives.
The 'compromise data availabilty' value indicates that the malware instance is able to compromise the availability of data on a system.
The 'compromise system availability' value indicates that the malware instance compromises the availability of the system.
The 'consume system resources' value indicates that the malware instance is able to consume system resources for its own purposes.
The AvailabilityViolationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability Tactical Objectives.
The AvailabilityViolationTacticalObjectivesEnum-1.0 is an enumeration of Availability Violation Capability Tactical Objectives.
The 'denial of service' value indicates that the malware instance is able to cause a server to be unavailable, otherwise known as a denial of service (DoS).
The 'compromise local system availability' value indicates that the malware instance is able to cause the local system to be unavailable.
The 'crack passwords' value indicates that the malware instance is able to consume system resources for password cracking.
The 'mine for cryptocurrency' value indicates that the malware instance is able to consume system resources for cryptocurrency mining.
The 'compromise access to information assets' value indicates that the malware instance is able to prevent data from being accessed (e.g., by encrypting user data on a compromised system).
The DestructionStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability Strategic Objectives.
The DestructionStrategicObjectivesEnum-1.0 is an enumeration of Destruction Capability Strategic Objectives.
The 'destroy physical entity' value indicates that the malware instance is able to destroy a physical entity.
The 'destroy virtual entity' value indicates that the malware instance is able to destroy a virtual entity.
The DestructionTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability Tactical Objectives.
The DestructionTacticalObjectivesEnum-1.0 is an enumeration of Destruction Capability Tactical Objectives.
The 'erase data' value indicates that the malware instance is able to destroy data by erasure.
The 'destroy firmware' value indicates that the malware instance is able to destroy a system's firmware.
The 'destroy hardware' value indicates that the malware instance is able to destroy a system's hardware.
The FraudStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Fraud Capability Strategic Objectives.
The FraudStrategicObjectivesEnum-1.0 is an enumeration of Fraud Capability Strategic Objectives.
The 'perform premium rate fraud' value indicates that the malware instance is able to send text messages or dial phone numbers that are charged at premium rates.
The 'perform click fraud' value indicates that the malware instance is able to simulate clicks on website advertisements for the purpose of revenue generation.
The FraudTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Fraud Capability Tactical Objectives.
The FraudTacticalObjectivesEnum-1.0 is an enumeration of Fraud Capability Tactical Objectives.
The 'access premium service' value indicates that the malware instance is able to access a premium service.
The PersistenceStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability Strategic Objectives.
The PersistenceStrategicObjectivesEnum-1.0 is an enumeration of Persistence Capability Strategic Objectives.
The 'persist to re-infect system' value indicates that the malware instance is able to re-infect a system after some of its components have been removed.
The 'gather information for improvement' value indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected.
The 'ensure compatibility' value indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing.
The 'persist to continuously execute on system' value indicates that the malware instance is able to continue to execute on a system after significant system events (e.g., after a reboot).
The PersistenceTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability Tactical Objectives.
The PersistenceTacticalObjectivesEnum-1.0 is an enumeration of Persistence Capability Tactical Objectives.
The 'reinstantiate self after initial detection' value indicates that the malware instance is able to re-establish itself on the system after it is initially detected.
The 'limit application type/version' value indicates that the malware instance is able to limit the type or version of an application that runs on a system in order to ensure that it is able to continue executing.
The 'persist after os install/reinstall' value indicates that the malware instance is able to continue to execute after the operating system is installed or reinstalled.
The 'drop/retrieve debug log file' value indicates that the malware instance is able to generate and retrieve a log file of errors associated with the malware.
The 'persist independent of hard disk/os changes' value indicates that the malware instance is able to continue to execute after changes to the hard disk or the operating system have been made.
The 'persist after system reboot' value indicates that the malware instance is able to continue to execute after a system reboot.
The MachineAccessControlStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability Strategic Objectives.
The MachineAccessControlStrategicObjectivesEnum-1.0 is an enumeration of Machine Access/Control Capability Strategic Objectives.
The 'control local machine' value indicates that the malware instance is able to control the machine on which it is resident. Examples of malware with this capability include bots, backdoors, and RATs.
The 'install backdoor' value indicates that the malware instance is able to install a backdoor, capable of providing covert remote access to the machine on which it is resident.
The MachineAccessControlTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability Tactical Objectives.
The MachineAccessControlTacticalObjectivesEnum-1.0 is an enumeration of Machine Access/Control Capability Tactical Objectives.
The 'control machine via remote command' value indicates that the malware instance is able to execute commands issued to it from a remote source, for the purpose of controlling the machine on which it is resident.
The ProbingStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Probing Capability Strategic Objectives.
The ProbingStrategicObjectivesEnum-1.0 is an enumeration of Probing Capability Strategic Objectives.
The 'probe host configuration' value indicates that the malware instance is able to probe the configuration of the host system on which it executes.
The 'probe network environment' value indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy.
The ProbingTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Probing Capability Tactical Objectives.
The ProbingTacticalObjectivesEnum-1.0 is an enumeration of Probing Capability Tactical Objectives.
The 'identify os' value indicates that the malware instance is able to identify the operating system under which it executes.
The 'check for proxy' value indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software proxy.
The 'check for firewall' value indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software firewall.
The 'check for shared drive' value indicates that the malware instance is able to check for network drives that may be present in the network environment.
The 'map local network' value indicates that the malware instance is able to map the layout of the local network environment in which it executes.
The 'inventory system applications' value indicates that the malware instance is able to inventory the applications installed on the system on which it executes.
The 'check language' value indicates that the malware instance is able to check the language of the host system on which it executes.
The 'check for internet connectivity' value indicates that the malware instance is able to check whether the network environment in which it executes is connected to the internet.