schemas.v1.2.0.external.maec_4.1.maec_package_schema.xsd
		The following is a description of the elements, types, and attributes that compose the Malware Attribute Enumeration and Characterization (MAEC) package schema.
		The MAEC Package Schema is maintained by The Mitre Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.
		The imported MMDEF v1.2 schema is copyright 2013 IEEE-SA.
		
			MAEC Package Schema
			2.1
			02/11/2014
			Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the MAEC License located at http://maec.mitre.org/about/termsofuse.html. See the MAEC License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the MAEC Schema, this license header must be included.
		
	
	
	
	
		
			The root element of the MAEC Package schema is the MAEC_Package, which captures a single MAEC Package that encompasses one or more Malware Subjects and all of their associated MAEC entities.
		
		
			
			
		
	
	
		
			The AnalysisEnvironmentType provides mechanisms for characterizing the particular hardware/software environment used in the analysis of a Malware Subject.
		
		
			
				
					The Hypervisor_Host_System field characterizes the (physical) host system used in the analysis on which the VM Hypervisor runs. This element imports and extends the CybOX System Object.
				
			
			
				
					The Analysis_Systems field characterizes the system(s) (real or virtual) on which the actual analysis was performed, including information about both the hardware and software, such as the properties of its BIOS, processor architecture, and operating system. This element imports and extends the CybOX System Object.
				
			
			
				
					The Network_Infrastructure field captures details of the network infrastructure used in the analysis environment, such as any network protocols that are captured or manipulated.
				
			
		
	
	
		
			The SourceType provides a way of characterizing the external source of a relevant MAEC entity, such as an Analysis.
		
		
			
				
					The Name field refers to the name of the person linked to the source.
				
			
			
				
					The Method field provides an abstract way of specifying the method used to obtain the data that the Source element refers to.
				
			
			
				
					The Reference field provides an abstract way of specifying a reference name or ID for the source.
				
			
			
				
					The Organization field specifies the name of the organization from which the source originated.
				
			
			
				
					The URL field specifies the Uniform Resource Locator (URL) of the external source, if applicable.
				
			
		
	
	
		
			The CommentListType provides a simple way of capturing any comments relating to MAEC entities, such as Analyses.
		
		
			
				
					The Comment field specifies a single comment pertaining to a particular MAEC entity.
				
			
		
	
	
		
			The AnalysisSystemListType captures a list of the systems, physical or virtual, used in the analysis of a Malware Subject.
		
		
			
				
					The Analysis_System field captures a single analysis system.
				
			
		
	
	
		
			The ToolsType characterizes one or more tools, such as those used in the analysis of a Malware Subject.
		
		
			
				
					The Tool field specifies a single tool in the list.
				
			
		
	
	
		
			The CommentType captures a comment relating to some MAEC field.
		
		
			
				
					
						The author field specifies the name of the author who added the comment.
					
				
				
					
						The timestamp field specifies the date/time that the comment was added.
					
				
				
					
						The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".
					
				
			
		
	
	
		
			The AnalysisSystemType is intended to characterize any systems on which malware analysis is performed. It imports and extends version 2.0.1 of the CybOX System Object.
		
		
			
				
					
						
							The Installed_Programs field specifies the programs installed on the OS that was used to perform the analysis. This can be useful for clarifying the nature of the analysis environment, for instance for determining whether an exploited piece of software was present, as well as for specifying any tools that may have been installed.
						
					
				
			
		
	
	
		
			The HypervisorHostSystemType characterizes the VM Hypervisor host system used in the malware analysis environment.
		
		
			
				
					
						
							The VM_Hypervisor field refers to the name of the VM Hypervisor that hosts the operating system(s) on which the analysis was performed, if applicable, via a Common Platform Enumeration (CPE) identifier. See http://cpe.mitre.org for more information on CPE.
						
					
				
			
		
	
	
		
			The DynamicAnalysisMetadataType captures any metadata specific to the dynamic analysis of a malware instance.
		
		
			
				
					The Command_Line field specifies the command line used to launch the subject binary. 
				
			
			
				
					The Analysis_Duration field specifies the duration of the overall dynamic analysis process, in seconds.
				
			
			
				
					The Exit_Code field specifies the exit code with which the subject binary exited. 
				
			
			
				
					The Raised_Exception field captures a single exception that was raised (or thrown) during the execution of the malware instance. More than one exception may be captured through the use of multiple instances of this field.
				
			
		
	
	
		
			The AnalysisType provides a way of capturing the information associated with the analysis of a malware instance, such as the subject, authors, start datetime, and other relevant data.
		
		
			
				
					The Source field specifies information about the internal or external source of the analysis, if applicable.
				
			
			
				
					The Analysts field specifies the analyst(s) who performed the analysis.
				
			
			
				
					The Summary field specifies a summary of the analysis that was performed.  It should be high-level and concise.  It should summarize the contents of the Report field, if present, and otherwise should provide a brief synopsis of the analysis that was performed and any highlights.
				
			
			
				
					The Comments field specifies any comments regarding the analysis that was performed. A comment should be attributable to a specific analyst and should reflect particular insights of the author that are significant from an analysis standpoint.  The contents of comments are typically not contained in the Report.
				
			
			
				
					The Findings_Bundle_Reference field specifies a reference to the Bundle which encompasses the results and output of the Analysis in terms of its corresponding MAEC entities, such as Behaviors and Actions. More than one Bundle may be referenced by using multiple occurrences of this field.
				
			
			
				
					The Tools field specifies information about the tool(s) used in the analysis, via the CybOX ToolInformationType. If only a single Tool is specified, then this implies that this tool was responsible for all of the findings contained in the Bundle referenced by the Findings_Bundle_Reference element.
				
			
			
				
					The Dynamic_Analysis_Metadata field specifies metadata pertaining to the dynamic analysis of the subject binary, such as the command line used, the duration of the analysis, etc.
				
			
			
				
					The Analysis_Environment field specifies attributes for characterizing the analysis environment in which the analysis was performed.
				
			
			
				
					The Report field specifies the textual report regarding the analysis performed on the malware. The Report should correspond to the human-readable prose document that captures key aspects and outcomes of the analysis.
				
			
		
		
			
				The required id field specifies a unique ID for this Analysis.
			
		
		
			
				The type field specifies the type of malware analysis being performed.
			
		
		
			
				The method field specifies the analysis method used in the analysis. 
			
		
		
			
				The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject.
			
		
		
			
				The start_datetime field specifies the date/time the analysis was started.
			
		
		
			
				The complete_datetime field specifies the date/time the analysis was completed.
			
		
		
			
				The lastupdate_datetime field specifies the date/time the analysis was last updated.
			
		
	
	
		
			The AnalysisListType captures a list of analyses that were performed on a Malware Subject.
		
		
			
				
					The Analysis field represents the metadata regarding a single analysis that was performed on a Malware Subject.
				
			
		
	
	
		
			The InstalledProgramsType captures the programs installed on a particular operating system image.
		
		
			
				
					The Program field specifies a single program that is installed on the system. It uses the PlatformSpecificationType from the CybOX Common schema.
				
			
		
	
	
		
			The PackageType is the namesake type of the MAEC Package schema, and captures either a single Malware Subject, or a collection of Malware Subjects that are related in some way (even if exact details of the relationship are unknown). Unlike the MAEC Bundle, which captures only the MAEC-characterized analysis results for a malware instance, the Package permits the capture of additional metadata relating to the analysis, relationships between Malware Subjects, and similar types of entities.
		
		
			
				
					The Malware_Subjects field captures each of the Malware Subjects contained in the Package.
				
			
			
				
					The Grouping_Relationships field specifies the particular relationships that serve to group the Malware Subjects encompassed in this Package. This is solely for cases where more than one Malware Subject is contained within the Package.
				
			
		
		
			
				The required id field specifies a unique ID for this Package.
			
		
		
			
				The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
			
		
		
			
				The timestamp field specifies the date/time that the Package was generated.
			
		
	
	
		
			The MalwareSubjectType captures all of the details pertaining to a single malware instance, including any corresponding Analyses, Field Data, Findings Bundles, and relationships to other Malware Subjects.
		
		
			
				
					The Malware_Instance_Object_Attributes field characterizes the attributes of the malware instance object (most commonly a file) that is encompassed in the Malware_Subject, via its corresponding CybOX Object. For example, a file would be represented via a CybOX File field of type FileObj:FileObjectType and may have a file name, MD5 hash, etc.
				
			
			
				
					The Label field specifies a single commonly accepted label to describe the Malware Subject, e.g. "worm". The default vocabulary for this field is the MalwareLabelVocab-1.0 from the MAEC Default Vocabularies schema. More than one label may be specified through the use of multiple instances of this field.
				
			
			
				
					The Configuration_Details field captures details of the configuration specified for the Malware Subject, such as configuration parameters.
				
			
			
				
					The Development_Environment field captures details of the development environment used in the creation of the malware instance characterized by the Malware Subject.
				
			
			
				
					The Minor_Variants field captures any minor variants of the malware instance object, such as the same file but with different filenames.
				
			
			
				
					The Field_Data field captures field data and prevalence information relating to the Malware Subject. It uses the fieldDataEntry type from the MMDEF v1.2 schema.
				
			
			
				
					The Analyses field captures any Analyses (including their associated metadata such as tools used, etc.) that were performed on the Malware Subject.
				
			
			
				
					The Findings_Bundles field specifies any MAEC Bundles pertaining to the Malware Subject, thus capturing any observed or discovered Behaviors, Actions, or Objects. These Bundles can either be abstract, or referenced as the result of an analysis that was performed on the malware.
				
			
			
				
					The Relationships field captures any relationships between the Malware Subject and other Malware Subjects.
				
			
			
				
					The Compatible_Platform field specifies a single platform that the Malware Subject is compatible with (i.e. can execute on). It uses the PlatformSpecificationType from the imported CybOX Common schema. More than one compatible platform can be specified by using multiple occurrences of this field.
				
			
		
		
			
				The required id field specifies a unique ID for this Malware Subject.
			
		
	
	
		
			The MetaAnalysisType captures meta-analysis entities associated with the Bundles that were captured for a Malware Subject, such as Action Equivalencies.
		
		
			
				
					The Action_Equivalences field captures any equivalences between Actions contained in one or more Bundles.
				
			
			
				
					The Object_Equivalences field captures any equivalences between Objects contained in one or more Bundles.
				
			
		
	
	
		
			The MalwareSubjectRelationshipType provides a mechanism for capturing the relationships between a Malware Subject and one or more other Malware Subjects.
		
		
			
				
					The Type field specifies the type of relationship being captured.
					This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareSubjectRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
				
			
			
				
					The Malware_Subject_Reference field provides a reference to a single Malware Subject that this relationship pertains to.
				
			
		
	
	
		
			The MalwareSubjectRelationshipListType captures a list of relationships between a Malware Subject and other Malware Subjects.
		
		
			
				
					The Relationship field specifies a relationship that relates the Malware Subject to one or more other Malware Subjects contained in the Package.
				
			
		
	
	
		
			The MalwareSubjectReferenceType provides a mechanism for specifying a reference to a Malware Subject contained in the Package.
		
		
			
				The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
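The following is an added example (not code from the MAEC project or the schema itself) showing how the PackageType, MalwareSubjectType and MalwareSubjectReferenceType fit together in an instance document, and one check a consumer should run that XSD validation alone will not: every malware_subject_idref must resolve to a Malware_Subject contained in the same Package. The element and attribute names are taken from the descriptions above; the namespace URI, the sample ids and the relationship type strings (written as plain text, without the xsi:type vocabulary mechanism) are assumptions for illustration.

```python
"""Build a minimal MAEC Package and check its Malware Subject references.

Added example; not code from the MAEC project. Element and attribute names
(MAEC_Package, Malware_Subjects, Malware_Subject, Relationships, Relationship,
Type, Malware_Subject_Reference, malware_subject_idref, id, schema_version,
timestamp) come from the schema description. The namespace URI, the ids and
the relationship type strings are assumptions for illustration only.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumed target namespace of the MAEC Package schema documented here (2.1).
MAEC_NS = "http://maec.mitre.org/XMLSchema/maec-package-2"
ET.register_namespace("maecPackage", MAEC_NS)


def q(name):
    """Clark-notation qualified name for an element in the MAEC Package namespace."""
    return f"{{{MAEC_NS}}}{name}"


def build_package(subject_ids, relationships, package_id="example:package-1"):
    """Create a MAEC_Package holding one Malware_Subject per id, then attach
    each (source_id, relationship_type, target_id) triple as a Relationship
    on the source subject. The xsi:type controlled-vocabulary marker on Type
    is omitted here (assumption: plain text is enough for the check below)."""
    pkg = ET.Element(q("MAEC_Package"), {
        "id": package_id,
        "schema_version": "2.1",
        "timestamp": datetime(2014, 2, 11, tzinfo=timezone.utc).isoformat(),
    })
    subjects = ET.SubElement(pkg, q("Malware_Subjects"))
    by_id = {}
    for sid in subject_ids:
        by_id[sid] = ET.SubElement(subjects, q("Malware_Subject"), {"id": sid})
    for src, rel_type, dst in relationships:
        rels = by_id[src].find(q("Relationships"))
        if rels is None:
            rels = ET.SubElement(by_id[src], q("Relationships"))
        rel = ET.SubElement(rels, q("Relationship"))
        ET.SubElement(rel, q("Type")).text = rel_type
        ET.SubElement(rel, q("Malware_Subject_Reference"),
                      {"malware_subject_idref": dst})
    return pkg


def dangling_references(pkg):
    """Return the set of malware_subject_idref values that name no
    Malware_Subject in this Package. The schema text requires the reference
    to point at a subject contained in the Package, but a plain XSD
    validator does not verify that, so a consumer should check it itself."""
    known = {s.get("id") for s in pkg.iter(q("Malware_Subject"))}
    referenced = {r.get("malware_subject_idref")
                  for r in pkg.iter(q("Malware_Subject_Reference"))}
    return referenced - known


if __name__ == "__main__":
    # Constructed sample: subject-2 references a subject-3 that is not in the Package.
    pkg = build_package(
        ["example:subject-1", "example:subject-2"],
        [("example:subject-1", "variant_of", "example:subject-2"),
         ("example:subject-2", "variant_of", "example:subject-3")],
    )
    print(ET.tostring(pkg, encoding="unicode"))
    print("dangling references:", dangling_references(pkg))
```

The same check applies to the cluster node references under Grouping_Relationships and to any idref that arrives in a Package from an external party: resolve it before trusting it, since an unresolvable reference usually means a truncated or hand-edited document.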
			
		
	
	
		
			The MalwareSubjectListType captures a list of Malware Subjects.
		
		
			
				
					The Malware_Subject field represents a single Malware Subject (most commonly a file) and its associated metadata, such as Analyses, Bundles, relationships to other Malware Subjects, etc.
				
			
		
	
	
		
			The MinorVariantListType captures a list of minor variants of a Malware Subject's malware instance object. For example, the same binary but with different filenames.
		
		
			
				
					The Minor_Variant field captures a single minor variant of the malware instance object.
				
			
		
	
	
		
			The FindingsBundleListType captures a list of Bundles or external references to Bundles, along with any related meta-analysis entities.
		
		
			
				
					The Meta_Analysis field captures any meta-analysis related entities for the Bundles captured for a Malware Subject, such as equivalencies.
				
			
			
				
					The Bundle field captures a single MAEC Bundle, representing some set of characterized entities resulting from  analysis of the Malware Subject.
				
			
			
				
					The Bundle_External_Reference field specifies a single externally located MAEC Bundle (such as a file or URL) via a URI, representing some set of results from analysis of the Malware Subject.
				
			
		
	
	
		
			The GroupingRelationshipType provides a mechanism for specifying the relationship that groups together the Malware Subjects in a Package.
		
		
			
				
					The Type field specifies the type of relationship that groups the Malware Subjects in the Package.
					This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is GroupingRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
				
			
			
				
					The Malware_Family_Name field specifies the name of the malware family referred to by the 'same_malware_family' relationship type.
				
			
			
				
					The Malware_Toolkit_Name field specifies the name of the malware toolkit referred to by the 'same_malware_toolkit' relationship type.
				
			
			
				
					The Clustering_Metadata field specifies any metadata regarding the algorithm and/or methods used to cluster the Malware Subjects in this Package.
				
			
		
	
	
		
			The GroupingRelationshipListType captures a list of grouping relationships relating the Malware Subjects in a Package.
		
		
			
				
					The Grouping_Relationship field specifies a single grouping relationship in the list.
				
			
		
	
	
		
			The ClusteringMetadataType specifies any metadata regarding the algorithm and/or methods used for clustering the Malware Subjects in this Package, for use in the ‘clustered together’ relationship type.
		
		
			
				
					The Algorithm_Name field specifies the name of the clustering algorithm used to cluster the malware.
				
			
			
				
					The Algorithm_Version field specifies the version of the algorithm used to cluster the malware.
				
			
			
				
					The Algorithm_Parameters field specifies any parameters that may have been used in the clustering algorithm.
				
			
			
				
					The Cluster_Size field specifies the size of the malware cluster.
				
			
			
				
					The Cluster_Description field provides a textual description of the malware cluster, such as information about its composition, etc.
				
			
			
				
					The Cluster_Composition field captures the composition of the malware cluster, including the similarity indices between its members, as a collection of edges and their corresponding nodes.
				
			
		
	
	
		
			The ClusterEdgeNodePairType captures a single edge-node pair in a malware cluster, which is composed of the two Malware Subjects that correspond to the nodes connected to the edge (via references), and represents the similarity index between the two Malware Subjects.
		
		
			
				
					The Malware_Subject_Node_A field represents a node connected to the edge via a reference to a Malware Subject that is part of a malware cluster.
				
			
			
				
					The Malware_Subject_Node_B field represents a node connected to the edge via a reference to a Malware Subject that is part of a malware cluster.
				
			
		
		
			
				The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
			
		
		
			
				The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
			
		
	
	
		
			The ClusterCompositionType captures the composition of a malware cluster via its edges and their respective connected nodes, as in an undirected graph.
		
		
			
				
					The Cluster_Edge_Node_Pair field specifies a single edge and its connected nodes in the malware cluster, representing the similarity index between two Malware Subjects.
				
			
		
		
			
				For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
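The following is an added example (not part of the MAEC schema or its tooling) that parses a Cluster_Composition as described for ClusterEdgeNodePairType and ClusterCompositionType and checks the two invariants a consumer would want to verify: that similarity_index and similarity_distance on each edge agree (index = 1 minus distance) and that the declared Cluster_Size matches the number of distinct Malware Subjects the edges actually reference. The element and attribute names come from the descriptions above; the namespace URI, the assumption that the node elements carry a malware_subject_idref like MalwareSubjectReferenceType, and the sample values are constructed for illustration.

```python
"""Parse a Cluster_Composition and check the similarity invariants.

Added example; not MAEC project code. Element and attribute names
(Clustering_Metadata, Cluster_Size, Cluster_Composition, score_type,
Cluster_Edge_Node_Pair, similarity_index, similarity_distance,
Malware_Subject_Node_A, Malware_Subject_Node_B) come from the schema
description. Assumptions: the namespace URI, that node elements carry
malware_subject_idref, and the constructed sample values below.
"""
import math
import xml.etree.ElementTree as ET

MAEC_NS = "http://maec.mitre.org/XMLSchema/maec-package-2"  # assumed
NS = {"mp": MAEC_NS}

# Constructed sample: three subjects, one edge whose index and distance
# disagree, and a declared Cluster_Size that does not match the nodes used.
SAMPLE = f"""
<Clustering_Metadata xmlns="{MAEC_NS}">
  <Algorithm_Name>example-hierarchical</Algorithm_Name>
  <Cluster_Size>4</Cluster_Size>
  <Cluster_Composition score_type="similarity">
    <Cluster_Edge_Node_Pair similarity_index="0.90" similarity_distance="0.10">
      <Malware_Subject_Node_A malware_subject_idref="example:subject-1"/>
      <Malware_Subject_Node_B malware_subject_idref="example:subject-2"/>
    </Cluster_Edge_Node_Pair>
    <Cluster_Edge_Node_Pair similarity_index="0.75" similarity_distance="0.25">
      <Malware_Subject_Node_A malware_subject_idref="example:subject-2"/>
      <Malware_Subject_Node_B malware_subject_idref="example:subject-3"/>
    </Cluster_Edge_Node_Pair>
    <Cluster_Edge_Node_Pair similarity_index="0.80" similarity_distance="0.30">
      <Malware_Subject_Node_A malware_subject_idref="example:subject-1"/>
      <Malware_Subject_Node_B malware_subject_idref="example:subject-3"/>
    </Cluster_Edge_Node_Pair>
  </Cluster_Composition>
</Clustering_Metadata>
"""


def parse_edges(xml_text):
    """Return [(node_a, node_b, similarity_index, similarity_distance)];
    an absent attribute becomes None, since either may be omitted."""
    root = ET.fromstring(xml_text)
    edges = []
    for pair in root.iterfind(".//mp:Cluster_Edge_Node_Pair", NS):
        a = pair.find("mp:Malware_Subject_Node_A", NS).get("malware_subject_idref")
        b = pair.find("mp:Malware_Subject_Node_B", NS).get("malware_subject_idref")
        idx = pair.get("similarity_index")
        dist = pair.get("similarity_distance")
        edges.append((a, b,
                      None if idx is None else float(idx),
                      None if dist is None else float(dist)))
    return edges


def inconsistent_edges(edges, tol=1e-6):
    """Edges carrying both values where similarity_index != 1 - similarity_distance."""
    return [(a, b) for a, b, idx, dist in edges
            if idx is not None and dist is not None
            and not math.isclose(idx, 1.0 - dist, abs_tol=tol)]


def declared_vs_actual_size(xml_text):
    """Compare the declared Cluster_Size with the distinct nodes in the edges."""
    root = ET.fromstring(xml_text)
    declared = int(root.findtext("mp:Cluster_Size", namespaces=NS))
    nodes = set()
    for a, b, _, _ in parse_edges(xml_text):
        nodes.update((a, b))
    return declared, len(nodes)


if __name__ == "__main__":
    edges = parse_edges(SAMPLE)
    print("edges:", edges)
    print("inconsistent index/distance:", inconsistent_edges(edges))
    print("declared size, actual size:", declared_vs_actual_size(SAMPLE))
```

Because the composition is an undirected graph, the node order within a pair carries no meaning; the check above treats (A, B) and (B, A) identically when counting nodes.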
			
		
	
	
		
			The ClusteringAlgorithmParametersType captures any parameters that may have been used in a malware clustering algorithm.
		
		
			
				
					The Distance_Threshold field specifies the minimum distance threshold for the cluster, or the minimum distance between nodes in order for them to belong to the same cluster.
				
			
			
				
					The Number_of_Iterations field specifies the number of times that the algorithm was executed in order to produce the cluster.
				
			
		
	
	
		
			The NetworkInfrastructureType captures specific details about the network infrastructure used in the malware analysis environment.
		
		
			
				
					The Captured_Protocols field specifies a list of network protocols, along with the particular level of interaction, that the malware analysis environment captures or interacts with in some fashion.
				
			
		
	
	
		
			The ActionEquivalenceType relates any Actions that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools. It can be used as a way of referencing equivalent actions as a single unit, such as for specifying the Action composition of a Behavior.
		
		
			
				
					The Action_Reference field specifies a reference to a single Action that is part of the Action Equivalency.
				
			
		
		
			
				The required id field specifies a unique ID for the Action Equivalence.
			
		
	
	
		
			The ActionEquivalenceListType captures a list of Action Equivalences.
		
		
			
				
					The Action_Equivalence field captures a single Action Equivalence in the list.
				
			
		
	
	
		
			The CapturedProtocolListType specifies a list of network protocols that a malware analysis environment may capture or interact with.
		
		
			
				
					The Protocol field specifies a single layer 4 or layer 7 network protocol captured or interacted with by the analysis environment.
				
			
		
	
	
		
			The CapturedProtocolType specifies the details of a network protocol that may be captured or otherwise manipulated in the malware analysis environment.
		
		
			
				The layer7_protocol field specifies the name of the Layer 7 network protocol (OSI model) captured or manipulated by the analysis environment.
			
		
		
			
				The layer4_protocol field specifies the name of the Layer 4 network protocol (OSI model) captured or manipulated by the analysis environment.
			
		
		
			
				The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.
			
		
		
			
				The interaction_level field specifies the relative level of interaction that the analysis environment has with the specified network protocol.
			
		
	
	
		
			The ObjectEquivalenceType relates the Objects that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools.
		
		
			
				
					
						The required id field specifies a unique ID for the Object Equivalence.
					
				
			
		
	
	
		
			The ObjectEquivalenceListType captures a list of Object Equivalences.
		
		
			
				
					The Object_Equivalence field specifies a single Object Equivalence in the list.
				
			
		
	
	
		
			The MalwareConfigurationParameterType captures a single configuration parameter that may be defined for a malware instance, as a name/value pair.
		
		
			
				
					The Name field specifies the name of the malware configuration parameter. It uses the MalwareConfigurationParameterVocab vocabulary from the MAEC Default Vocabularies schemas as its default vocabulary. Parameters that are not included in this vocabulary may also be specified, in which case it is recommended to use the exact name of the parameter.
				
			
			
				
					The Value field captures the value of the malware configuration parameter.
				
			
		
	
	
		
			The MalwareConfigurationDetailsType captures details of malware configuration parameters and associated metadata.
		
		
			
				
					The Storage field captures details of the how the malware configuration parameters may be stored, e.g. in a separate file, in memory, etc.
				
			
			
				
					The Encryption field captures details of how the malware configuration parameters may be obfuscated, if applicable.
				
			
			
				
					The Configuration_Parameter field captures a single configuration parameter that may be defined for the Malware Subject. More than one configuration parameter may be specified by using multiple occurrences of this field.
				
			
		
	
	
		
			The MalwareConfigurationObfuscationDetailsType captures details relating to the obfuscation of malware configuration parameters.
		
		
			
				
					The Algorithm_Details field captures the details of the algorithm used to encode or encrypt the malware configuration parameters, including the name of the algorithm and its key. More than one encryption or encoding algorithm may be specified by using multiple occurrences of this field.
				
			
		
		
			
				The is_encoded field specifies that the malware configuration parameters are encoded with the algorithm captured in the Algorithm_Details field.
			
		
		
			
				The is_encrypted field specifies that the malware configuration parameters are encrypted with the algorithm captured in the Algorithm_Details field.
			
		
	
	
		
			This type captures the details of a single algorithm used to encode or encrypt malware configuration parameters; it is the type of the Algorithm_Details field of the MalwareConfigurationObfuscationDetailsType.
		
		
			
				
					The Key field captures the hexadecimal key used to decrypt the configuration parameters.
				
			
			
				
					The Algorithm_Name field captures the name of the encoding or encryption algorithm used to obfuscate the malware configuration parameters.
				
			
		
		
			
				The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used.
			
		
	
	
		
			The MalwareConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters.
		
		
			
				
					The Malware_Binary field captures properties related to the storage of malware configuration parameters inside the malware binary captured in the Malware_Instance_Object_Attributes field.
				
			
			
				
					The File field captures the properties of a configuration file, for cases where the Malware Subject stores its configuration parameters in a separate file.
					This field uses the FileObjectType from the imported CybOX File Object.
				
			
			
				
					The URL field captures a URL at which the configuration parameters for the Malware Subject may be stored. More than one such URL may be specified by using multiple occurrences of this field.
					This field uses the URIObjectType from the imported CybOX URI Object.
				
			
		
	
	
		
			The MalwareBinaryConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters inside the malware binary itself.
		
		
			
				
					The File_Offset field specifies the offset to the start of the malware configuration parameters in the malware binary.
				
			
			
				
					The Section_Name field specifies the name of the PE section in the malware binary that contains the malware configuration parameters, for PE file malware binaries.
				
			
			
				
					The Section_Offset field specifies the offset in the PE section in the malware binary that contains the malware configuration parameters to the start of the parameters themselves, for PE file malware binaries.
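The following is an added example (not code from the MAEC project) that puts the MalwareConfigurationDetailsType, MalwareConfigurationObfuscationDetailsType, the per-algorithm details with ordinal_position, and the MalwareBinaryConfigurationStorageDetailsType to use: it reads the File_Offset and the ordered Algorithm_Details from a Configuration_Details fragment and recovers the plaintext configuration from a binary. The element and attribute names are from the descriptions above. Assumptions for illustration: the namespace URI; the algorithm names "xor" (keyed by the hexadecimal Key field) and "base64" (the schema defines no vocabulary for Algorithm_Name here); that ordinal_position gives the order in which the algorithms were applied, so decoding runs them in reverse; that the stored blob is NUL-terminated; and the constructed stand-in binary.

```python
"""Recover malware configuration parameters from MAEC storage and
obfuscation details.

Added example; not MAEC project code. Element names (Configuration_Details,
Storage, Malware_Binary, File_Offset, Encryption, is_encoded, is_encrypted,
Algorithm_Details, ordinal_position, Key, Algorithm_Name) come from the
schema description. Assumptions: the namespace URI, the algorithm names
"xor" and "base64", NUL termination of the stored blob, that
ordinal_position is the order of application, and the constructed binary.
"""
import base64
import xml.etree.ElementTree as ET

MAEC_NS = "http://maec.mitre.org/XMLSchema/maec-package-2"  # assumed
NS = {"mp": MAEC_NS}

# Constructed fragment: parameters XOR-ed with key 0x5a, then base64-encoded,
# stored 16 bytes into the binary.
CONFIG_XML = f"""
<Configuration_Details xmlns="{MAEC_NS}">
  <Storage>
    <Malware_Binary>
      <File_Offset>16</File_Offset>
    </Malware_Binary>
  </Storage>
  <Encryption is_encoded="true" is_encrypted="true">
    <Algorithm_Details ordinal_position="1">
      <Key>5a</Key>
      <Algorithm_Name>xor</Algorithm_Name>
    </Algorithm_Details>
    <Algorithm_Details ordinal_position="2">
      <Algorithm_Name>base64</Algorithm_Name>
    </Algorithm_Details>
  </Encryption>
</Configuration_Details>
"""


def xor_bytes(data, key):
    """Repeating-key XOR; its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _forward(name, key, data):
    if name == "xor":
        return xor_bytes(data, key)
    if name == "base64":
        return base64.b64encode(data)
    raise ValueError(f"unsupported algorithm {name!r}")


def _inverse(name, key, data):
    if name == "xor":
        return xor_bytes(data, key)
    if name == "base64":
        return base64.b64decode(data, validate=True)
    raise ValueError(f"unsupported algorithm {name!r}")


def algorithm_steps(xml_text):
    """Algorithm_Details sorted by ordinal_position -> [(name, key bytes or None)]."""
    root = ET.fromstring(xml_text)
    steps = []
    for alg in root.iterfind("mp:Encryption/mp:Algorithm_Details", NS):
        pos = int(alg.get("ordinal_position", "0"))
        name = alg.findtext("mp:Algorithm_Name", namespaces=NS)
        key_hex = alg.findtext("mp:Key", namespaces=NS)
        steps.append((pos, name, bytes.fromhex(key_hex) if key_hex else None))
    steps.sort(key=lambda s: s[0])
    return [(name, key) for _, name, key in steps]


def file_offset(xml_text):
    root = ET.fromstring(xml_text)
    return int(root.findtext("mp:Storage/mp:Malware_Binary/mp:File_Offset",
                             namespaces=NS))


def obfuscate(plaintext, steps):
    """Apply the algorithms in ordinal order (used only to build the sample)."""
    data = plaintext
    for name, key in steps:
        data = _forward(name, key, data)
    return data


def extract_config(binary, xml_text):
    """Carve the NUL-terminated blob at File_Offset and undo the algorithms
    in reverse ordinal order, returning the plaintext parameters."""
    start = file_offset(xml_text)
    end = binary.find(b"\x00", start)
    blob = binary[start:end if end != -1 else len(binary)]
    for name, key in reversed(algorithm_steps(xml_text)):
        blob = _inverse(name, key, blob)
    return blob


PLAINTEXT = b"c2_server=c2.example.test\nbeacon_interval=60\n"
# Constructed stand-in binary: 16 filler bytes, the obfuscated blob, a NUL, padding.
SAMPLE_BINARY = (b"MZ" + b"\x90" * 14
                 + obfuscate(PLAINTEXT, algorithm_steps(CONFIG_XML)) + b"\x00"
                 + b"\xcc" * 8)

if __name__ == "__main__":
    print(algorithm_steps(CONFIG_XML))
    print(extract_config(SAMPLE_BINARY, CONFIG_XML).decode())
```

Sorting by ordinal_position rather than by document order matters in practice: the schema lets the Algorithm_Details elements appear in any order, and undoing a base64 layer before an XOR layer that was applied after it produces garbage rather than an error.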
				
			
		
	
	
		
			The MalwareDevelopmentEnvironmentType captures details of the development environment used in developing the malware instance, such as information on any tools that were used.
		
		
			
				
					The Tools field captures the properties of one or more tools used in the development of the malware instance. For the Type field in each Tool, the MAEC MalwareDevelopmentToolVocab (from the MAEC Default Vocabularies Schema) should be used as the default vocabulary.
				
			
			
				
					The Debugging_File field captures the properties of a debugging file associated with the malware instance, such as a PDB file. It uses the FileObjectType from the imported File Object Schema. More than one Debugging_File can be specified by using multiple instances of this field.
				
			
		
	
	
		
			The MalwareExceptionType captures details of exceptions that may be raised as a result of a malware instance executing on a system.
		
		
			
				
					
						
							The Exception_Code field captures the particular code that identifies the type of exception that occurred. 
						
					
					
						
							The Faulting_Address field captures the memory address where the exception occurred.
						
					
					
						
							The Description field captures the textual description of the exception.
						
					
				
				
					
						The is_fatal field specifies whether the exception is fatal; that is, whether it caused the malware instance to terminate.
					
				
			
		
	
	
		
			The AnalysisTypeEnum is an enumeration of types of malware analyses.
		
		
			
				
					The Triage value specifies a cursory, or triage, type of malware analysis, commonly automated in conjunction with one or more tools.
				
			
			
				
					The in-depth value specifies a detailed type of malware analysis that is typically performed by a human analyst.
				
			
		
	
	
		
			The AnalysisMethodEnum is an enumeration of malware analysis methods.
		
		
			
				
					The static value specifies a static malware analysis method, which is achieved by inspecting but not executing the malware instance.
				
			
			
				
					The dynamic value specifies a dynamic malware analysis method, which is achieved by executing the malware instance and observing its behavior, but not inspecting its code.
				
			
			
				
					The combination value specifies a combination of dynamic and static malware analysis, achieved by both inspecting and executing the malware instance.
				
			
		
	
	
		
			The InteractionLevelEnum is a non-exhaustive enumeration of interaction levels for network protocols in a malware analysis environment.
		
		
			
				
					The high value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to decode/identify any common protocols used by the malware. The level of decode/protocol support can be subjective and dependent on the particular environment.
				
			
			
				
					The low value specifies that, for the specified protocol, the analysis environment will accept the packets and will identify the initial connection request. No further interaction is performed.
				
			
			
				
					The honeytrap value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to interact with outgoing requests. The level of interaction can be subjective and dependent on the particular environment.
				
			
			
				
					The live value specifies that, for the specified protocol, the analysis environment allows the malware to connect out to the real (unemulated) IP.
				
			
			
				
					The none value specifies that, for the specified protocol, the analysis environment does not support or perform any level of interaction.
				
			
		
	
	
		
			The Layer7ProtocolEnum is a non-exhaustive enumeration of Layer 7 (OSI model) network protocols.
		
		
			
				
					The http value specifies the Hypertext Transfer Protocol (HTTP).
				
			
			
				
					The https value specifies the Hypertext Transfer Protocol Secure (HTTPS).
				
			
			
				
					The ftp value specifies the File Transfer Protocol (FTP). 
				
			
			
				
					The ftps value specifies the File Transfer Protocol Secure (FTPS). 
				
			
			
				
					The smtp value specifies the Simple Mail Transfer Protocol (SMTP). 
				
			
			
				
					The smtps value specifies the Simple Mail Transfer Protocol Secure (SMTPS). 
				
			
			
				
					The pop3 value specifies the Post Office Protocol version 3 (POP3). 
				
			
			
				
					The pop3s value specifies the Post Office Protocol version 3 Secure (POP3S). 
				
			
			
				
					The irc value specifies the Internet Relay Chat (IRC) protocol. 
				
			
			
				
					The dns value specifies the Domain Name System (DNS) protocol. 
				
			
			
				
					The rdp value specifies the Remote Desktop Protocol (RDP). 
				
			
			
				
					The rpc value specifies some Remote Procedure Call (RPC) protocol, such as MSRPC. 
				
			
			
				
					The ssh value specifies the Secure Shell (SSH) protocol. 
				
			
			
				
					The telnet value specifies the Telnet protocol. 
				
			
		
	
	
		
			The Layer4ProtocolEnum is a non-exhaustive enumeration of Layer 4 (OSI model) network protocols.
		
		
			
				
					The tcp value specifies the Transmission Control Protocol (TCP). 
				
			
			
				
					The udp value specifies the User Datagram Protocol (UDP). 
				
			
		
	




