Attribute maecPackage:MalwareConfigurationObfuscationAlgorithmType / @ordinal_position
Namespace No namespace
Annotations
The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used.
Type xs:positiveInteger
Attribute maecPackage:MalwareConfigurationObfuscationDetailsType / @is_encoded
Namespace No namespace
Annotations
The is_encoded field specifies that the malware configuration parameters are encoded with the algorithm captured in the Algorithm_Details field.
Type xs:boolean
Attribute maecPackage:MalwareConfigurationObfuscationDetailsType / @is_encrypted
Namespace No namespace
Annotations
The is_encrypted field specifies that the malware configuration parameters are encrypted with the algorithm captured in the Algorithm_Details field.
Type xs:boolean
Attribute maecPackage:CommentType / @author
Namespace No namespace
Annotations
The author field specifies the name of the author that added the comment.
Type xs:string
Attribute maecPackage:CommentType / @timestamp
Namespace No namespace
Annotations
The timestamp field specifies the date/time that the comment was added.
Type xs:dateTime
Attribute maecPackage:CommentType / @observation_name
Namespace No namespace
Annotations
The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".
Type xs:string
Attribute maecPackage:MalwareExceptionType / @is_fatal
Namespace No namespace
Annotations
The is_fatal field specifies whether the exception is fatal; that is, whether it caused the malware instance to terminate.
Type xs:boolean
Attribute maecPackage:CapturedProtocolType / @layer7_protocol
Namespace No namespace
Annotations
The layer7_protocol field specifies the name of the Layer 7 network protocol (OSI model) captured or manipulated by the analysis environment.
Type maecPackage:Layer7ProtocolEnum
Facets
enumeration http
The http value specifies the Hypertext Transfer Protocol (HTTP).
enumeration https
The https value specifies the Hypertext Transfer Protocol Secure (HTTPS).
enumeration ftp
The ftp value specifies the File Transfer Protocol (FTP).
enumeration ftps
The ftps value specifies the File Transfer Protocol Secure (FTPS).
enumeration smtp
The smtp value specifies the Simple Mail Transfer Protocol (SMTP).
enumeration smtps
The smtps value specifies the Simple Mail Transfer Protocol Secure (SMTPS).
enumeration pop3
The pop3 value specifies the Post Office Protocol version 3 (POP3).
enumeration pop3s
The pop3s value specifies the Post Office Protocol version 3 Secure (POP3S).
enumeration irc
The irc value specifies the Internet Relay Chat (IRC) protocol.
enumeration dns
The dns value specifies the Domain Name System (DNS) protocol.
enumeration rdp
The rdp value specifies the Remote Desktop Protocol (RDP).
enumeration rpc
The rpc value specifies some Remote Procedure Call (RPC) protocol, such as MSRPC.
enumeration ssh
The ssh value specifies the Secure Shell (SSH) protocol.
enumeration telnet
The telnet value specifies the Telnet protocol.
Attribute maecPackage:CapturedProtocolType / @layer4_protocol
Namespace No namespace
Annotations
The layer4_protocol field specifies the name of the Layer 4 network protocol (OSI model) captured or manipulated by the analysis environment.
Type maecPackage:Layer4ProtocolEnum
Facets
enumeration tcp
The tcp value specifies the Transmission Control Protocol (TCP).
enumeration udp
The udp value specifies the User Datagram Protocol (UDP).
Attribute maecPackage:CapturedProtocolType / @port_number
Namespace No namespace
Annotations
The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.
Type xs:positiveInteger
Attribute maecPackage:CapturedProtocolType / @interaction_level
Namespace No namespace
Annotations
The interaction_level field specifies the relative level of interaction that the analysis environment has with the specified network protocol.
Type maecPackage:InteractionLevelEnum
Facets
enumeration high
The high value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to decode/identify any common protocols used by the malware. The level of decode/protocol support can be subjective and dependent on the particular environment.
enumeration low
The low value specifies that, for the specified protocol, the analysis environment will accept the packets and will identify the initial connection request. No further interaction is performed.
enumeration honeytrap
The honeytrap value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to interact with outgoing requests. The level of interaction can be subjective and dependent on the particular environment.
enumeration live
The live value specifies that, for the specified protocol, the analysis environment allows the malware to connect out to the real (unemulated) IP.
enumeration none
The none value specifies that, for the specified protocol, the analysis environment does not support or perform any level of interaction.
Attribute maecPackage:AnalysisType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this Analysis.
Type xs:QName
Attribute maecPackage:AnalysisType / @type
Namespace No namespace
Annotations
The type field specifies the type of malware analysis being performed.
Type maecPackage:AnalysisTypeEnum
Facets
enumeration triage
The triage value specifies a cursory, or triage, type of malware analysis, commonly automated and performed in conjunction with one or more tools.
enumeration in-depth
The in-depth value specifies a detailed type of malware analysis that is typically performed by a human analyst.
Attribute maecPackage:AnalysisType / @method
Namespace No namespace
Annotations
The method field specifies the analysis method used in the analysis.
Type maecPackage:AnalysisMethodEnum
Facets
enumeration static
The static value specifies a static malware analysis method, which is achieved by inspecting but not executing the malware instance.
enumeration dynamic
The dynamic value specifies a dynamic malware analysis method, which is achieved by executing the malware instance and observing its behavior, without inspecting its code.
enumeration combination
The combination value specifies a combination of dynamic and static malware analysis, achieved by both inspecting and executing the malware instance.
Attribute maecPackage:AnalysisType / @ordinal_position
Namespace No namespace
Annotations
The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject.
Type xs:positiveInteger
Attribute maecPackage:AnalysisType / @start_datetime
Namespace No namespace
Annotations
The start_datetime field specifies the date/time the analysis was started.
Type xs:dateTime
Attribute maecPackage:AnalysisType / @complete_datetime
Namespace No namespace
Annotations
The complete_datetime field specifies the date/time the analysis was completed.
Type xs:dateTime
Attribute maecPackage:AnalysisType / @lastupdate_datetime
Namespace No namespace
Annotations
The lastupdate_datetime field specifies the date/time the analysis was last updated.
Type xs:dateTime
Attribute maecPackage:ActionEquivalenceType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for the Action Equivalence.
Type xs:QName
Attribute maecPackage:ObjectEquivalenceType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for the Object Equivalence.
Type xs:QName
Attribute maecPackage:MalwareSubjectReferenceType / @malware_subject_idref
Namespace No namespace
Annotations
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Type xs:QName
Attribute maecPackage:MalwareSubjectType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this Malware Subject.
Type xs:QName
Attribute maecPackage:ClusterEdgeNodePairType / @similarity_index
Namespace No namespace
Annotations
The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
Type xs:decimal
Attribute maecPackage:ClusterEdgeNodePairType / @similarity_distance
Namespace No namespace
Annotations
The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
Type xs:decimal
Attribute maecPackage:ClusterCompositionType / @score_type
Namespace No namespace
Annotations
For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
Type xs:string
Attribute maecPackage:PackageType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this Package.
Type xs:QName
Attribute maecPackage:PackageType / @schema_version
Namespace No namespace
Annotations
The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
Type xs:string
Attribute maecPackage:PackageType / @timestamp
Namespace No namespace
Annotations
The timestamp field specifies the date/time that the Package was generated.
Type xs:dateTime
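Several of the attributes documented above carry constraints that XML Schema validation alone does not enforce: a malware_subject_idref must resolve to a Malware Subject id in the same Package, the ordinal_position values of the Analyses on one Malware Subject should be distinct, complete_datetime should not precede start_datetime, and similarity_index should equal 1 minus similarity_distance when both are present. The following is an added example, not MAEC or MITRE code, of checking those constraints over a Package document. The attribute names are the ones documented on this page; the element names (MAEC_Package, Malware_Subject, Malware_Subject_Reference, Analysis, Edge_Node_Pair), the namespace URI and the sample document are assumptions made for the example.

```python
# Consistency checks over a MAEC Package document for attribute constraints that
# schema validation does not cover. Added example; not MAEC/MITRE project code.
# Attribute names come from the schema documentation; element names, the
# namespace URI and the sample document below are assumptions.
import xml.etree.ElementTree as ET
from datetime import datetime

MAEC_PACKAGE_NS = "http://maec.mitre.org/XMLSchema/maec-package-2"  # assumed URI

# Constructed sample document: deliberately contains one inconsistency of each kind.
SAMPLE = f"""<?xml version="1.0" encoding="UTF-8"?>
<maecPackage:MAEC_Package xmlns:maecPackage="{MAEC_PACKAGE_NS}"
    id="example:package-1" schema_version="2.1" timestamp="2014-03-01T10:00:00Z">
  <maecPackage:Malware_Subjects>
    <maecPackage:Malware_Subject id="example:subject-1">
      <maecPackage:Analyses>
        <maecPackage:Analysis id="example:analysis-1" type="triage" method="dynamic"
            ordinal_position="1" start_datetime="2014-03-01T10:00:00Z"
            complete_datetime="2014-03-01T10:05:00Z"/>
        <maecPackage:Analysis id="example:analysis-2" type="in-depth" method="combination"
            ordinal_position="1" start_datetime="2014-03-01T12:00:00Z"
            complete_datetime="2014-03-01T11:00:00Z"/>
      </maecPackage:Analyses>
    </maecPackage:Malware_Subject>
    <maecPackage:Malware_Subject id="example:subject-2"/>
  </maecPackage:Malware_Subjects>
  <maecPackage:Edge_Node_Pair similarity_index="0.8" similarity_distance="0.2">
    <maecPackage:Malware_Subject_Reference malware_subject_idref="example:subject-1"/>
    <maecPackage:Malware_Subject_Reference malware_subject_idref="example:subject-2"/>
  </maecPackage:Edge_Node_Pair>
  <maecPackage:Edge_Node_Pair similarity_index="0.9" similarity_distance="0.2">
    <maecPackage:Malware_Subject_Reference malware_subject_idref="example:subject-1"/>
    <maecPackage:Malware_Subject_Reference malware_subject_idref="example:subject-9"/>
  </maecPackage:Edge_Node_Pair>
</maecPackage:MAEC_Package>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _find_all(node, local_name):
    """All descendants (including node itself) whose local tag name matches."""
    return [e for e in node.iter() if _local(e.tag) == local_name]


def _parse_datetime(value):
    """Parse an xs:dateTime; 'Z' is normalised so older Pythons accept it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_package(xml_text):
    """Return a list of (finding_kind, detail) tuples; empty means consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    # schema_version is required on the Package.
    if not root.get("schema_version"):
        findings.append(("missing_schema_version", root.get("id", "")))

    # Every id attribute in the document should be unique.
    seen_ids = set()
    for elem in root.iter():
        ident = elem.get("id")
        if ident is None:
            continue
        if ident in seen_ids:
            findings.append(("duplicate_id", ident))
        seen_ids.add(ident)

    # malware_subject_idref must resolve to a Malware Subject id in this Package.
    subject_ids = {s.get("id") for s in _find_all(root, "Malware_Subject")}
    for ref in _find_all(root, "Malware_Subject_Reference"):
        idref = ref.get("malware_subject_idref")
        if idref not in subject_ids:
            findings.append(("unresolved_idref", idref))

    # Per Malware Subject: distinct, positive ordinal positions and sane timestamps.
    for subject in _find_all(root, "Malware_Subject"):
        positions = set()
        for analysis in _find_all(subject, "Analysis"):
            aid = analysis.get("id", "")
            pos = analysis.get("ordinal_position")
            if pos is not None:
                if int(pos) < 1:
                    findings.append(("ordinal_position_not_positive", aid))
                if pos in positions:
                    findings.append(("duplicate_ordinal_position", subject.get("id")))
                positions.add(pos)
            start = analysis.get("start_datetime")
            done = analysis.get("complete_datetime")
            if start and done and _parse_datetime(done) < _parse_datetime(start):
                findings.append(("complete_before_start", aid))

    # similarity_index + similarity_distance should equal 1 when both are given.
    for pair in _find_all(root, "Edge_Node_Pair"):
        index = pair.get("similarity_index")
        distance = pair.get("similarity_distance")
        if index is None or distance is None:
            continue
        if abs(float(index) + float(distance) - 1.0) > 1e-9:
            findings.append(("similarity_inconsistent", f"{index}/{distance}"))

    return findings


if __name__ == "__main__":
    for kind, detail in check_package(SAMPLE):
        print(kind, detail)
```

Run against the constructed sample, the checker reports the duplicate ordinal_position on example:subject-1, the analysis whose complete_datetime precedes its start_datetime, the dangling reference to example:subject-9, and the edge whose index and distance do not sum to 1; the first edge (0.8 and 0.2) passes. Because the checks match on local element names, they are indifferent to the prefix a producer chose for the Package namespace.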