Malware Attribute Enumeration and Characterization (MAEC™) is a structured language for encoding and communicating high fidelity information about malware based upon attributes such as behaviors, artifacts, and relationships between malware samples.
MAEC is pronounced as “mike.” This pronunciation stems from classical Latin, in which the diphthong ‘ae’ is pronounced as a long ‘i’. Examples of other words that use the same pronunciation are maestro and alumnae.
MAEC was developed to eliminate the ambiguity and inaccuracy that currently exists in malware descriptions. By reducing reliance on signatures, MAEC aims to improve human-to-tool, tool-to-tool, and tool-to-human communication about malware; allow for faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances; and reduce potential duplication of malware analysis efforts by researchers.
MAEC is a community-developed effort and has received input from members of various communities, including those from industry, academia, and government. The MITRE Corporation maintains MAEC and its public website presence and provides impartial technical guidance to the MAEC Community throughout the process to ensure MAEC serves the public interest. MAEC is sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.
MAEC is not currently being pursued in a formal standards body. However, once an appropriate level of maturity, stability, and use is achieved, international standardization may be sought.
See the “License” section of the Terms of Use.
There are several opportunities to get involved. See the MAEC Community page for details, or contact us directly at maec@mitre.org.
The current version of the Malware Attribute Enumeration and Characterization (MAEC™) Language is available on the Current Release page. In addition, non-normative JSON schemas and examples are available in the MAECProject GitHub repository.
See the Specifications section on the Current Release page.
Examples can be found in the MAECProject repository on GitHub.com. Additional examples are given in the MAEC 5.0 Core Specification.
MAEC can be manipulated manually or programmatically. If using MAEC manually, such as to capture malware analysis results, no tools are provided. Use of a JSON editor is recommended.
For programmatic development and use, some MAEC scripts and translator utilities are hosted in separate MAECProject GitHub repositories.
Also see MAEC Supporters for a list of vendors that have implemented MAEC in their products or services.
A GUI is not available, however, such a tool could be available in the future.
No. Rather than producing additional MAEC serializations or a formal implementation-independent specification, MAEC concepts will likely be migrated into the Structured Threat Information Expression (STIX™) 2.x Malware Object.
Visit the Current Release page for additional information.
At present, there are no public repositories of MAEC data, nor are there plans by MITRE to establish one. However, community members interested in hosting a MAEC data repository are encouraged to do so.
MAEC 5.0 includes two specification documents (core concepts and vocabularies) and a corresponding set of non-normative JSON schemas and examples.
Some of the FAQs in this section are somewhat technical in nature. Please refer to the MAEC Language Specifications for further information.
Many properties are optional in MAEC to make the language as flexible as possible, enabling users to capture exactly what they want and nothing more.
MAEC cannot be directly customized, but because a MAEC Package can include relevant Structured Threat Information Expression (STIX™) Observable Objects, custom STIX Properties and Objects can be used to capture some content that is not defined in MAEC.
In addition, the MAEC development team encourages the community to engage in the ongoing discussion so that new properties can be defined and integrated into future versions of MAEC as necessary. Please consider participating in the MAEC Community to help with the development of MAEC.
In earlier versions of MAEC, it was possible to express the same concept in multiple ways, but rather than being a feature, the flexibility led to confusion. MAEC 5.0 recognizes the need for flexibility, but also recognizes the importance of simplicity, standardization, and reduced optionality. Therefore, MAEC 5.0 aims to have a single way of capturing any particular facet of malware information.
The MAEC Language directly imports and uses components of the OASIS Structured Threat Information eXpression (STIX™) language. More specifically, MAEC’s malware characterization relies on the common implementation (structure and content) that STIX Cyber Observables provide for expressing cyber observables. Thus, whereas MAEC provides coverage of malware analysis context, behaviors, and capabilities, STIX Cyber Observables provide the underpinnings necessary to broadly cover objects, such as files and network connections, used in the context of malware.
MAEC is targeted toward malware analysts, and therefore provides a comprehensive, structured way of capturing detailed information about malware samples. By contrast, STIX targets a more diverse audience by capturing a broad spectrum of cyber-threat related information, including basic malware information. Consequently, an organization performing cyber threat analysis must consider their specific use case to determine whether the extensive malware characterization ability of MAEC or the more basic STIX Malware Object is most appropriate.
The OASIS Trusted Automated eXchange of Indicator Information (TAXII™) defines a set of services and message exchanges for securely sharing automated cyber threat information. Most commonly, TAXII uses STIX to represent cyber threat information where STIX characterizes what is being shared and TAXII defines how the STIX payload is shared. However, TAXII could use MAEC as its payload instead of STIX.
The MAEC Community includes representatives from antivirus vendors, operating system vendors, software vendors, IT users, security services providers, and others from across the international cyber security community who have come together to help build this growing, open-source industry effort.
There are multiple options available for involvement including participating in the conversations on our dedicated email discussion list, contributing to the Encyclopedia of Malware Attributes on MITRE’s collaboration website, and/or contributing to the development of MAEC tools and utilities on GitHub.
Visit the MAEC Community page to learn more or to join the MAEC effort.
The MITRE Corporation (MITRE) manages and maintains the development of the MAEC Language, MAEC website, community engagement, and discussion lists to enable open and public collaboration with all stakeholders and provides neutral guidance throughout the process to ensure that MAEC serves the public interest.
In accordance with its mission, MITRE has traditionally acted in the public interest. Its unique role allows it to provide an objective perspective to this effort. MITRE will maintain MAEC as long as it serves the community to do so.
MAEC is a DHS-led and sponsored effort of the office of Cybersecurity and Communications at the U.S. Department of Homeland Security (DHS). MITRE, operating as DHS’s Federally Funded Research and Development Center (FFRDC), manages the development of the MAEC Language, this MAEC website, community engagement, and discussion lists to enable open and public collaboration with all stakeholders.