The MalwareActionType is one of the foundational MAEC types, and serves as a method for the characterization of actions found or observed in malware. Actions can be thought of as system state changes and similar operations that represent the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some data on a socket. It imports and extends the CybOX ActionType. For MAEC, the id attribute is required.
Field Name | Type | Description
---|---|---
@id (optional) | QName | The id field specifies a unique id for this Action.
@idref (optional) | QName | The idref field specifies a unique id reference to an Action defined elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
@ordinal_position (optional) | positiveInteger | The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
@action_status (optional) | ActionStatusTypeEnum | The action_status field enables description of the status of the action being described.
@context (optional) | ActionContextTypeEnum | The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
@timestamp (optional) | dateTime | The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
@timestamp_precision (optional) | DateTimePrecisionEnum | Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Type (0..1) | ControlledVocabularyStringType | The Type field is optional and utilizes a standardized controlled vocabulary to specify the basic type of the action that was performed. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
Name (0..1) | ControlledVocabularyStringType | The Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific name of the action that was performed. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
Description (0..1) | StructuredTextType | The Description field contains a textual description of the action.
Action_Aliases (0..1) | ActionAliasesType | The Action_Aliases field is optional and enables identification of other names that may be used for this Action.
Action_Arguments (0..1) | ActionArgumentsType | The Action_Arguments field is optional and enables the specification of relevant arguments/parameters for this Action.
Location (0..1) | LocationType | The Location field specifies a relevant physical location. This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd. Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Discovery_Method (0..1) | MeasureSourceType | The Discovery_Method field is optional and enables descriptive specification of how this Action was observed (in the case of a Cyber Observable Action instance) or could potentially be observed (in the case of a Cyber Observable Action pattern).
Associated_Objects (0..1) | AssociatedObjectsType | The Associated_Objects construct is optional and enables the description/specification of cyber Objects relevant to (either initiating or affected by) this Action.
Relationships (0..1) | ActionRelationshipsType | The Relationships construct is optional and enables description of other cyber observable actions that are related to this Action.
Frequency (0..1) | FrequencyType | The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.
Implementation (0..1) | ActionImplementationType | The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.