Note: MAEC Version 4.1 (Archive) is hosted on the MAEC Legacy Site, and all files linked to below will redirect there.
File Name | Version | Schema | Documentation |
---|---|---|---|
All Files | n/a | zip | n/a |
All Files (offline, with examples and documentation) | n/a | zip | n/a |
MAEC Bundle | 4.1 | xsd | html |
MAEC Package | 2.1 | xsd | html |
MAEC Container | 2.1 | xsd | html |
MAEC Default Vocabularies | 1.1 | xsd | html |
MAEC Capabilities Hierarchy Diagram | n/a | n/a | |
The variety of examples below for MAEC Version 4.1 illustrate the use of MAEC Bundles, Packages, and Containers, as well as the capture of specific malware-related attributes (e.g., clustering information, AV classifications, etc.).
IMPORTANT: While the examples on this page are sourced from real-world analysis reports, they should be considered illustrative examples only and should not be used in real-world operations.
File Name | Description | XML |
---|---|---|
All Files | Archive of all v4.1 Release example files | zip |
Bundle Artifact | Simple Bundle capturing network traffic information | xml |
Bundle AV Classifications | Simple Bundle capturing Anti-Virus tool information | xml |
Bundle Candidate Indicator | Demonstrates the basic construction of a Candidate Indicator entity within a Bundle | xml |
Bundle Dynamic Triage Tool Output | Simple Bundle capturing dynamic analysis tool output | xml |
Bundle Network Behavior | Simple Bundle capturing a network-based Behavior | xml |
Bundle Malicious Webpage | Demonstrates the capture of the malicious aspects of a webpage | xml |
Bundle Object Re-use | Demonstrates how Objects can be reused via ID references | xml |
Container Multiple Package | Demonstrates the capture of multiple Packages using a Container | xml |
Package Action Equivalency | Demonstrates the composition and use of an Action Equivalency entity in a Package | xml |
Package Capability | Demonstrates the usage of Capabilities and Objectives in a Package, along with how they link up to Behaviors and Actions | xml |
Package Capability Snifula | Provides a more detailed view of Capabilities and Objectives and their usage in characterizing a complex malware instance | xml |
Package Clustering | Demonstrates how a Package can be used to capture a malware cluster (set of related malware) | xml |
Package Configuration Parameters | Demonstrates how the configuration parameters of a Malware Subject can be characterized in a Package | xml |
Package Development Environment | Demonstrates how the development environment of a Malware Subject entity can be characterized in a Package | xml |
Package Dynamic Triage | Demonstrates how a Malware Subject entity in a Package can be used to capture multiple dynamic analysis tool outputs | xml |
Package Manual Analysis | Demonstrates how a Malware Subject entity in a Package can be used to capture manual analysis tool output | xml |
Package Multi-Partite Malware | Demonstrates how multi-partite malware may be captured as unique Malware Subject entities in a Package | xml |
Package Multiple Analysis | Demonstrates how multiple analyses for the same Malware Subject (a Zeus binary) can be combined in a single Package using multiple Analysis entities | xml |
Package Static Triage | Simple Package capturing basic static triage results | xml |
GitHub Repository Examples
The MAEC release examples, as well as examples provided by the MAEC Community, are provided at https://github.com/MAECProject/schemas/tree/master/examples.
STIX Examples
The Structured Threat Information eXpression (STIX™) Language can describe malware using MAEC characterizations through the use of a MAEC schema extension for the STIX TTP schema. See the “Malware Sample” in the STIXProject GitHub repository for an explicit example.
Cuckoobox Outputs
The MAEC release examples in the MAECProject GitHub repository contain example Cuckoobox outputs that were automatically generated and illustrate many of MAEC’s features.
MAEC Detailed Examples Document
The MAEC Detailed Examples Document provides comprehensive guidance on the creation of MAEC Package and Bundle documents in the context of static triage, dynamic triage, and manual analysis. Accordingly, it provides a detailed walk-through and description of a notional MAEC document for each such use case. Currently, this document is written against MAEC Version 4.0.1, though the concepts are almost completely compatible with MAEC Version 4.1.