Main schema maec_bundle_schema.xsd
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The following is a description of the elements, types, and attributes that compose Malware Attribute Enumeration and Characterization (MAEC) Bundle schema.
The MAEC Bundle Schema is maintained by The Mitre Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.
This schema imports the CyBOX schema and object schemas. More info on CybOX can be found at http://cybox.mitre.org.
Element maecBundle:MAEC_Bundle
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The MAEC_Bundle element is the root element of this schema, and is of type BundleType. As such, it represents the characterization of a single malware instance, characterized in the top-level Subject_Details element, via its MAEC entities.
Type maecBundle:BundleType
Instance
<maecBundle:MAEC_Bundle content_type="" defined_subject="" id="" schema_version="4.1" timestamp="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Malware_Instance_Object_Attributes has_changed="" id="" idref="">{0,1}</maecBundle:Malware_Instance_Object_Attributes>
  <maecBundle:AV_Classifications>{0,1}</maecBundle:AV_Classifications>
  <maecBundle:Process_Tree>{0,1}</maecBundle:Process_Tree>
  <maecBundle:Capabilities>{0,1}</maecBundle:Capabilities>
  <maecBundle:Behaviors>{0,1}</maecBundle:Behaviors>
  <maecBundle:Actions>{0,1}</maecBundle:Actions>
  <maecBundle:Objects>{0,1}</maecBundle:Objects>
  <maecBundle:Candidate_Indicators>{0,1}</maecBundle:Candidate_Indicators>
  <maecBundle:Collections>{0,1}</maecBundle:Collections>
</maecBundle:MAEC_Bundle>
Attributes
QName Type Fixed Use Annotation
content_type maecBundle:BundleContentTypeEnum optional
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
defined_subject xs:boolean required
The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).
id xs:QName required
The required id field specifies a unique ID for this MAEC Bundle.
schema_version xs:string 4.1 required
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
timestamp xs:dateTime optional
The timestamp field specifies the date/time that the bundle was generated.
Element maecBundle:BundleType / maecBundle:Malware_Instance_Object_Attributes
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.
Type cybox:ObjectType
Instance
<maecBundle:Malware_Instance_Object_Attributes has_changed="" id="" idref="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cybox="http://cybox.mitre.org/cybox-2">
  <cybox:State apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cybox:State>
  <cybox:Description structuring_format="">{0,1}</cybox:Description>
  <cybox:Properties object_reference="">{0,1}</cybox:Properties>
  <cybox:Domain_Specific_Object_Properties>{0,1}</cybox:Domain_Specific_Object_Properties>
  <cybox:Location id="" idref="">{0,1}</cybox:Location>
  <cybox:Related_Objects>{0,1}</cybox:Related_Objects>
  <cybox:Defined_Effect effect_type="">{0,1}</cybox:Defined_Effect>
  <cybox:Discovery_Method class="" name="" sighting_count="" source_type="">{0,1}</cybox:Discovery_Method>
</maecBundle:Malware_Instance_Object_Attributes>
Attributes
QName Type Use Annotation
has_changed xs:boolean optional
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
id xs:QName optional
The id field specifies a unique id for this Object.
idref xs:QName optional
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Element maecBundle:BundleType / maecBundle:AV_Classifications
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.
Type maecBundle:AVClassificationsType
Instance
<maecBundle:AV_Classifications xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:AV_Classification id="" idref="">{1,unbounded}</maecBundle:AV_Classification>
</maecBundle:AV_Classifications>
Element maecBundle:AVClassificationsType / maecBundle:AV_Classification
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AV_Classification field captures a single AV classification of the malware instance object.
Type maecBundle:AVClassificationType
Instance
<maecBundle:AV_Classification id="" idref="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cyboxCommon="http://cybox.mitre.org/common-2">
  <cyboxCommon:Name>{0,1}</cyboxCommon:Name>
  <cyboxCommon:Type apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,unbounded}</cyboxCommon:Type>
  <cyboxCommon:Description structuring_format="">{0,1}</cyboxCommon:Description>
  <cyboxCommon:References>{0,1}</cyboxCommon:References>
  <cyboxCommon:Vendor>{0,1}</cyboxCommon:Vendor>
  <cyboxCommon:Version>{0,1}</cyboxCommon:Version>
  <cyboxCommon:Service_Pack>{0,1}</cyboxCommon:Service_Pack>
  <cyboxCommon:Tool_Specific_Data>{0,1}</cyboxCommon:Tool_Specific_Data>
  <cyboxCommon:Tool_Hashes>{0,1}</cyboxCommon:Tool_Hashes>
  <cyboxCommon:Tool_Configuration>{0,1}</cyboxCommon:Tool_Configuration>
  <cyboxCommon:Execution_Environment>{0,1}</cyboxCommon:Execution_Environment>
  <cyboxCommon:Errors>{0,1}</cyboxCommon:Errors>
  <cyboxCommon:Metadata type="">{0,unbounded}</cyboxCommon:Metadata>
  <cyboxCommon:Compensation_Model appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</cyboxCommon:Compensation_Model>
  <maecBundle:Engine_Version>{0,1}</maecBundle:Engine_Version>
  <maecBundle:Definition_Version>{0,1}</maecBundle:Definition_Version>
  <maecBundle:Classification_Name>{0,1}</maecBundle:Classification_Name>
</maecBundle:AV_Classification>
Attributes
QName Type Use Annotation
id xs:QName optional
The id field specifies a unique ID for this Tool.
idref xs:QName optional
The idref field specifies a reference to the unique ID of a Tool defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
Element maecBundle:AVClassificationType / maecBundle:Engine_Version
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Engine_Version field captures the version of the AV engine used by the AV scanner tool that assigned the classification to the malware instance object.
Type xs:string
Element maecBundle:AVClassificationType / maecBundle:Definition_Version
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Definition_Version field captures the version of the AV definitions used by the AV scanner tool that assigned the classification to the malware instance object.
Type xs:string
Element maecBundle:AVClassificationType / maecBundle:Classification_Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Classification_Name field captures the classification assigned to the malware instance object by the AV scanner tool characterized in the Company_Name and Product_Name fields.
Type xs:string
Element maecBundle:BundleType / maecBundle:Process_Tree
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.
Type maecBundle:ProcessTreeType
Instance
<maecBundle:Process_Tree xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Root_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="">{1,1}</maecBundle:Root_Process>
</maecBundle:Process_Tree>
Element maecBundle:ProcessTreeType / maecBundle:Root_Process
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Root_Process field captures the root process in the process tree.
Type maecBundle:ProcessTreeNodeType
Instance
<maecBundle:Root_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2">
  <cyboxCommon:Custom_Properties>{0,1}</cyboxCommon:Custom_Properties>
  <ProcessObj:PID appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="unsignedInt" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:PID>
  <ProcessObj:Name appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Name>
  <ProcessObj:Creation_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="dateTime" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" precision="second" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Creation_Time>
  <ProcessObj:Parent_PID appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="unsignedInt" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Parent_PID>
  <ProcessObj:Child_PID_List>{0,1}</ProcessObj:Child_PID_List>
  <ProcessObj:Image_Info>{0,1}</ProcessObj:Image_Info>
  <ProcessObj:Argument_List>{0,1}</ProcessObj:Argument_List>
  <ProcessObj:Environment_Variable_List>{0,1}</ProcessObj:Environment_Variable_List>
  <ProcessObj:Kernel_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="duration" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Kernel_Time>
  <ProcessObj:Port_List>{0,1}</ProcessObj:Port_List>
  <ProcessObj:Network_Connection_List>{0,1}</ProcessObj:Network_Connection_List>
  <ProcessObj:Start_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="dateTime" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" precision="second" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Start_Time>
  <ProcessObj:Status>{0,1}</ProcessObj:Status>
  <ProcessObj:Username appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Username>
  <ProcessObj:User_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="duration" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:User_Time>
  <ProcessObj:Extracted_Features>{0,1}</ProcessObj:Extracted_Features>
  <maecBundle:Initiated_Actions>{0,1}</maecBundle:Initiated_Actions>
  <maecBundle:Spawned_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="">{0,unbounded}</maecBundle:Spawned_Process>
  <maecBundle:Injected_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="">{0,unbounded}</maecBundle:Injected_Process>
</maecBundle:Root_Process>
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for the Process Node.
is_hidden xs:boolean optional
The is_hidden field specifies whether the process is hidden or not.
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
parent_action_idref xs:QName optional
The parent_action_idref field specifies the id of the action that created or injected this process.
Element maecBundle:ProcessTreeNodeType / maecBundle:Initiated_Actions
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Initiated_Actions field captures, via references, the actions (found inside the top-level Actions element, or an Action Collection inside the top-level Collections element) initiated by the Process.
Type maecBundle:ActionReferenceListType
Instance
<maecBundle:Initiated_Actions xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action_Reference action_id="">{1,unbounded}</maecBundle:Action_Reference>
</maecBundle:Initiated_Actions>
Element maecBundle:ActionReferenceListType / maecBundle:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Reference field specifies a reference to a single Action.
Type cybox:ActionReferenceType
Attributes
QName Type Use Annotation
action_id xs:QName required
The action_id field refers to the id of the action being referenced.
Element maecBundle:ProcessTreeNodeType / maecBundle:Spawned_Process
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Spawned_Process field captures a single child process spawned by this process.
Type maecBundle:ProcessTreeNodeType
Instance
<maecBundle:Spawned_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2">
  <cyboxCommon:Custom_Properties>{0,1}</cyboxCommon:Custom_Properties>
  <ProcessObj:PID appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="unsignedInt" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:PID>
  <ProcessObj:Name appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Name>
  <ProcessObj:Creation_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="dateTime" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" precision="second" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Creation_Time>
  <ProcessObj:Parent_PID appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="unsignedInt" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Parent_PID>
  <ProcessObj:Child_PID_List>{0,1}</ProcessObj:Child_PID_List>
  <ProcessObj:Image_Info>{0,1}</ProcessObj:Image_Info>
  <ProcessObj:Argument_List>{0,1}</ProcessObj:Argument_List>
  <ProcessObj:Environment_Variable_List>{0,1}</ProcessObj:Environment_Variable_List>
  <ProcessObj:Kernel_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="duration" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Kernel_Time>
  <ProcessObj:Port_List>{0,1}</ProcessObj:Port_List>
  <ProcessObj:Network_Connection_List>{0,1}</ProcessObj:Network_Connection_List>
  <ProcessObj:Start_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="dateTime" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" precision="second" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Start_Time>
  <ProcessObj:Status>{0,1}</ProcessObj:Status>
  <ProcessObj:Username appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Username>
  <ProcessObj:User_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="duration" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:User_Time>
  <ProcessObj:Extracted_Features>{0,1}</ProcessObj:Extracted_Features>
  <maecBundle:Initiated_Actions>{0,1}</maecBundle:Initiated_Actions>
  <maecBundle:Spawned_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="">{0,unbounded}</maecBundle:Spawned_Process>
  <maecBundle:Injected_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="">{0,unbounded}</maecBundle:Injected_Process>
</maecBundle:Spawned_Process>
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for the Process Node.
is_hidden xs:boolean optional
The is_hidden field specifies whether the process is hidden or not.
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
parent_action_idref xs:QName optional
The parent_action_idref field specifies the id of the action that created or injected this process.
Element maecBundle:ProcessTreeNodeType / maecBundle:Injected_Process
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Injected_Process field captures a single process that was injected by this process.
Type maecBundle:ProcessTreeNodeType
Instance
<maecBundle:Injected_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2">
  <cyboxCommon:Custom_Properties>{0,1}</cyboxCommon:Custom_Properties>
  <ProcessObj:PID appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="unsignedInt" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:PID>
  <ProcessObj:Name appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Name>
  <ProcessObj:Creation_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="dateTime" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" precision="second" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Creation_Time>
  <ProcessObj:Parent_PID appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="unsignedInt" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Parent_PID>
  <ProcessObj:Child_PID_List>{0,1}</ProcessObj:Child_PID_List>
  <ProcessObj:Image_Info>{0,1}</ProcessObj:Image_Info>
  <ProcessObj:Argument_List>{0,1}</ProcessObj:Argument_List>
  <ProcessObj:Environment_Variable_List>{0,1}</ProcessObj:Environment_Variable_List>
  <ProcessObj:Kernel_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="duration" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Kernel_Time>
  <ProcessObj:Port_List>{0,1}</ProcessObj:Port_List>
  <ProcessObj:Network_Connection_List>{0,1}</ProcessObj:Network_Connection_List>
  <ProcessObj:Start_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="dateTime" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" precision="second" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Start_Time>
  <ProcessObj:Status>{0,1}</ProcessObj:Status>
  <ProcessObj:Username appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:Username>
  <ProcessObj:User_Time appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="duration" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</ProcessObj:User_Time>
  <ProcessObj:Extracted_Features>{0,1}</ProcessObj:Extracted_Features>
  <maecBundle:Initiated_Actions>{0,1}</maecBundle:Initiated_Actions>
  <maecBundle:Spawned_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="">{0,unbounded}</maecBundle:Spawned_Process>
  <maecBundle:Injected_Process id="" is_hidden="" object_reference="" ordinal_position="" parent_action_idref="">{0,unbounded}</maecBundle:Injected_Process>
</maecBundle:Injected_Process>
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for the Process Node.
is_hidden xs:boolean optional
The is_hidden field specifies whether the process is hidden or not.
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
parent_action_idref xs:QName optional
The parent_action_idref field specifies the id of the action that created or injected this process.
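The Process_Tree is a recursive structure: every Root_Process, Spawned_Process and Injected_Process node is a ProcessTreeNodeType that may itself contain Spawned_Process and Injected_Process children, references Actions by id through Initiated_Actions, and names its creating action in parent_action_idref. The walker below is an added example, not code from the MAEC project: it flattens such a tree from a constructed bundle and checks the constraints the annotations on this page state (id and idref never both set, defined_subject="true" requires Malware_Instance_Object_Attributes, action references must resolve). The only assumption beyond the page is that the children of the top-level Actions element carry an id attribute.

```python
"""Walk a MAEC 4.1 Bundle Process_Tree and check the stated reference constraints."""
import xml.etree.ElementTree as ET

NS = {
    "maecBundle": "http://maec.mitre.org/XMLSchema/maec-bundle-4",
    "ProcessObj": "http://cybox.mitre.org/objects#ProcessObject-2",
}

# Constructed sample bundle (not a real analysis result). The Injected_Process
# deliberately points at an action id that does not exist, to exercise the check.
SAMPLE = """<maecBundle:MAEC_Bundle
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2"
    id="example:bundle-1" schema_version="4.1" defined_subject="true">
  <maecBundle:Malware_Instance_Object_Attributes id="example:obj-1"/>
  <maecBundle:Process_Tree>
    <maecBundle:Root_Process id="example:proc-1">
      <ProcessObj:PID>100</ProcessObj:PID>
      <ProcessObj:Name>dropper.exe</ProcessObj:Name>
      <maecBundle:Initiated_Actions>
        <maecBundle:Action_Reference action_id="example:act-1"/>
      </maecBundle:Initiated_Actions>
      <maecBundle:Spawned_Process id="example:proc-2" ordinal_position="1"
                                  parent_action_idref="example:act-1">
        <ProcessObj:PID>200</ProcessObj:PID>
        <ProcessObj:Name>payload.exe</ProcessObj:Name>
        <maecBundle:Injected_Process id="example:proc-3" is_hidden="true"
                                     parent_action_idref="example:act-9">
          <ProcessObj:PID>300</ProcessObj:PID>
          <ProcessObj:Name>explorer.exe</ProcessObj:Name>
        </maecBundle:Injected_Process>
      </maecBundle:Spawned_Process>
    </maecBundle:Root_Process>
  </maecBundle:Process_Tree>
  <maecBundle:Actions>
    <maecBundle:Action id="example:act-1"/>
  </maecBundle:Actions>
</maecBundle:MAEC_Bundle>"""


def _text(node, path):
    child = node.find(path, NS)
    return child.text.strip() if child is not None and child.text else None


def walk_process_tree(node, depth=0, kind="root"):
    """Yield one dict per ProcessTreeNodeType node, pre-order, parents first."""
    yield {
        "depth": depth,
        "kind": kind,                      # root | spawned | injected
        "id": node.get("id"),
        "pid": _text(node, "ProcessObj:PID"),
        "name": _text(node, "ProcessObj:Name"),
        "hidden": node.get("is_hidden") == "true",
        "parent_action": node.get("parent_action_idref"),
        "initiated": [r.get("action_id") for r in node.findall(
            "maecBundle:Initiated_Actions/maecBundle:Action_Reference", NS)],
    }
    for tag, child_kind in (("Spawned_Process", "spawned"), ("Injected_Process", "injected")):
        for child in node.findall(f"maecBundle:{tag}", NS):
            yield from walk_process_tree(child, depth + 1, child_kind)


def check_bundle(xml_text):
    """Return (process nodes, list of constraint violations); an empty list means it passes."""
    bundle = ET.fromstring(xml_text)
    problems = []
    # id and idref are mutually exclusive wherever both attributes are defined.
    for el in bundle.iter():
        if el.get("id") is not None and el.get("idref") is not None:
            problems.append(f"{el.tag}: id and idref must not both be specified")
    # A stand-alone bundle (defined_subject="true") must carry the subject attributes.
    if bundle.get("defined_subject") == "true" and \
            bundle.find("maecBundle:Malware_Instance_Object_Attributes", NS) is None:
        problems.append("defined_subject is true but Malware_Instance_Object_Attributes is missing")
    # Assumption: children of <Actions> carry the action id attribute.
    action_ids = {a.get("id") for a in bundle.findall("maecBundle:Actions/*", NS)}
    root = bundle.find("maecBundle:Process_Tree/maecBundle:Root_Process", NS)
    nodes = list(walk_process_tree(root)) if root is not None else []
    seen = set()
    for n in nodes:
        if n["id"] in seen:
            problems.append(f"duplicate process node id {n['id']}")
        seen.add(n["id"])
        for aid in n["initiated"]:
            if aid not in action_ids:
                problems.append(f"{n['id']}: Initiated_Actions references unknown action {aid}")
        if n["parent_action"] is not None and n["parent_action"] not in action_ids:
            problems.append(f"{n['id']}: parent_action_idref {n['parent_action']} does not resolve")
    return nodes, problems


if __name__ == "__main__":
    found, issues = check_bundle(SAMPLE)
    for p in found:
        print("  " * p["depth"] + f"{p['kind']}: {p['name']} (pid {p['pid']}, id {p['id']})")
    for msg in issues:
        print("PROBLEM:", msg)
```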
Element maecBundle:BundleType / maecBundle:Capabilities
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.
Type maecBundle:CapabilityListType
Instance
<maecBundle:Capabilities xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Capability id="" name="">{1,1}</maecBundle:Capability>
  <maecBundle:Capability_Reference capability_idref="">{1,1}</maecBundle:Capability_Reference>
</maecBundle:Capabilities>
Element maecBundle:CapabilityListType / maecBundle:Capability
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Capability field captures a single Capability in the list, and therefore represents a single Capability possessed by the malware instance.
Type maecBundle:CapabilityType
Instance
<maecBundle:Capability id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Property>{0,unbounded}</maecBundle:Property>
  <maecBundle:Strategic_Objective id="">{0,unbounded}</maecBundle:Strategic_Objective>
  <maecBundle:Tactical_Objective id="">{0,unbounded}</maecBundle:Tactical_Objective>
  <maecBundle:Behavior_Reference behavior_idref="">{0,unbounded}</maecBundle:Behavior_Reference>
  <maecBundle:Relationship>{0,unbounded}</maecBundle:Relationship>
</maecBundle:Capability>
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this MAEC Capability.
name maecVocabs:MalwareCapabilityEnum-1.0 optional
The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.
Element maecBundle:CapabilityType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field captures a basic textual description of the Capability.
Diagram
Type xs:string
Element maecBundle:CapabilityType / maecBundle:Property
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Property field permits the capture of a single property of the Capability, as a key/value pair. More than one property can be specified via multiple occurrences of this field.
Diagram
Type maecBundle:CapabilityPropertyType
Instance
<maecBundle:Property xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Name apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</maecBundle:Name>
  <maecBundle:Value appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</maecBundle:Value>
</maecBundle:Property>
Element maecBundle:CapabilityPropertyType / maecBundle:Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Name field specifies the name of the property being captured. The name can be either free form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. This field uses the ControlledVocabularyStringType from the imported CybOX Common schema.
Diagram
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Element maecBundle:CapabilityPropertyType / maecBundle:Value
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Value field specifies the value of the property being captured.
Diagram
Type cyboxCommon:StringObjectPropertyType
Attributes
QName Type Default Use Annotation
appears_random xs:boolean optional
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information, including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
datatype cyboxCommon:DatatypeEnum string optional
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
defanging_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
id xs:QName optional
The id field specifies a unique ID for this Object Property.
idref xs:QName optional
The idref field specifies a unique ID reference for this Object Property.
When idref is specified, the id attribute must not be specified, and any instance of this property should not hold content unless an extension of the property allows it.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
is_defanged xs:boolean optional
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
is_obfuscated xs:boolean optional
This field is optional and conveys whether the associated Object property has been obfuscated.
obfuscation_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
observed_encoding xs:string optional
This field is optional and specifies the encoding of the string when it is/was observed. This may be different from the encoding used to represent the string within this element.
It is strongly recommended that character set names should be taken from the IANA character set registry (https://www.iana.org/assignments/character-sets/character-sets.xhtml).
This field is intended to be applicable only to fields which contain string values.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
refanging_transform xs:string optional
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
refanging_transform_type xs:string optional
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refanging_transform attribute.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Element maecBundle:CapabilityType / maecBundle:Strategic_Objective
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Strategic_Objective field captures a single Strategic Objective that the Capability attempts to achieve. It can be considered as a more granular way of capturing the Capabilities present in the malware instance.
Diagram
Type maecBundle:CapabilityObjectiveType
Instance
<maecBundle:Strategic_Objective id="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Name apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</maecBundle:Name>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Property>{0,unbounded}</maecBundle:Property>
  <maecBundle:Behavior_Reference behavior_idref="">{0,unbounded}</maecBundle:Behavior_Reference>
  <maecBundle:Relationship>{0,unbounded}</maecBundle:Relationship>
</maecBundle:Strategic_Objective>
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this Capability Objective.
Element maecBundle:CapabilityObjectiveType / maecBundle:Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Name field captures the name of the Capability Objective. There are several default vocabularies for this usage included in the MAEC Vocabularies schema. It uses the ControlledVocabularyStringType from the imported CybOX Common schema.
Diagram
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Element maecBundle:CapabilityObjectiveType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field captures a basic textual description of the Capability Objective.
Diagram
Type xs:string
Element maecBundle:CapabilityObjectiveType / maecBundle:Property
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Property field permits the capture of a single property of the Capability Objective, as a key/value pair. More than one property can be specified via multiple occurrences of this field.
Diagram
Type maecBundle:CapabilityPropertyType
Instance
<maecBundle:Property xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Name apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</maecBundle:Name>
  <maecBundle:Value appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</maecBundle:Value>
</maecBundle:Property>
Element maecBundle:CapabilityObjectiveType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field captures a reference to a Behavior that functions as an implementation of the Capability Objective.
Diagram
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Element maecBundle:CapabilityObjectiveType / maecBundle:Relationship
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship field captures a relationship from the Capability Objective to one or more other Capability Objectives.
Diagram
Type maecBundle:CapabilityObjectiveRelationshipType
Instance
<maecBundle:Relationship xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Relationship_Type apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</maecBundle:Relationship_Type>
  <maecBundle:Objective_Reference objective_idref="">{1,unbounded}</maecBundle:Objective_Reference>
</maecBundle:Relationship>
Element maecBundle:CapabilityObjectiveRelationshipType / maecBundle:Relationship_Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship_Type field captures the type of relationship being expressed between Objectives (either Strategic or Tactical).
Diagram
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Element maecBundle:CapabilityObjectiveRelationshipType / maecBundle:Objective_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Objective_Reference field references a single Capability Objective (either Strategic or Tactical) in the relationship.
Diagram
Type maecBundle:CapabilityObjectiveReferenceType
Attributes
QName Type Use Annotation
objective_idref xs:QName required
The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.
Element maecBundle:CapabilityType / maecBundle:Tactical_Objective
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Tactical_Objective field captures a single Tactical Objective that the Capability attempts to achieve, typically in the context of a broader Strategic Objective. It can be considered as a way of expounding upon Strategic Objectives to capture the Capabilities of the malware instance in more detail.
Diagram
Type maecBundle:CapabilityObjectiveType
Instance
<maecBundle:Tactical_Objective id="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Name apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</maecBundle:Name>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Property>{0,unbounded}</maecBundle:Property>
  <maecBundle:Behavior_Reference behavior_idref="">{0,unbounded}</maecBundle:Behavior_Reference>
  <maecBundle:Relationship>{0,unbounded}</maecBundle:Relationship>
</maecBundle:Tactical_Objective>
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this Capability Objective.
Element maecBundle:CapabilityType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability. For Behaviors that serve as implementations of specific Strategic or Tactical Objectives, the Behavior_Reference field under the Strategic_Objective or Tactical_Objective fields should be used, respectively.
Diagram
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Element maecBundle:CapabilityType / maecBundle:Relationship
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship field captures a relationship from the Capability to one or more other Capabilities.
Diagram
Type maecBundle:CapabilityRelationshipType
Instance
<maecBundle:Relationship xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Relationship_Type apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</maecBundle:Relationship_Type>
  <maecBundle:Capability_Reference capability_idref="">{1,unbounded}</maecBundle:Capability_Reference>
</maecBundle:Relationship>
Element maecBundle:CapabilityRelationshipType / maecBundle:Relationship_Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship_Type field captures the type of relationship being expressed between Capabilities.
Diagram
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
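The attributes above (condition, is_case_sensitive, delimiter, apply_condition, regex_syntax and bit_mask) only have meaning once a consumer evaluates a field against an observed value. The following is an added illustration written for this page, not CybOX or MAEC project code; the class and function names are hypothetical, and two points the annotations leave open are taken as assumptions and marked in the comments: a FitsPattern regex must match the whole observed value, and a bitwise condition compares (observed OP bit_mask) with the field value, with bit_mask read as hex.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical evaluator for the CybOX pattern attributes documented above.
# Not CybOX/MAEC project code.


@dataclass
class PatternedField:
    value: str                      # field content, possibly a delimited list
    condition: str = "Equals"
    is_case_sensitive: bool = True  # schema default
    delimiter: str = "##comma##"    # schema default, CybOX's spelling of ","
    apply_condition: str = "ANY"    # ANY | ALL | NONE, folded over the list
    regex_syntax: Optional[str] = None
    bit_mask: Optional[str] = None  # assumption: a hex string

    def members(self) -> List[str]:
        delim = "," if self.delimiter == "##comma##" else self.delimiter
        return self.value.split(delim)


def _match_one(f: PatternedField, expected: str, observed: str) -> bool:
    # The annotation spells the bitwise conditions with a lower-case initial;
    # accept either casing.
    cond = f.condition[:1].upper() + f.condition[1:]
    if cond == "FitsPattern":
        # A non-empty regex_syntax announces a dialect outside the CybOX spec:
        # refuse rather than silently mis-evaluate it with Python's engine.
        if f.regex_syntax:
            raise ValueError(f"regex_syntax={f.regex_syntax!r} needs a compatible engine")
        flags = 0 if f.is_case_sensitive else re.IGNORECASE
        # Assumption: the pattern has to match the whole observed value.
        return re.fullmatch(expected, observed, flags) is not None
    if cond in ("BitwiseAnd", "BitwiseOr", "BitwiseXor"):
        # Assumption: (observed OP bit_mask) is compared for equality with the value.
        if f.bit_mask is None:
            raise ValueError(f"{cond} requires a bit_mask")
        obs, mask, want = int(observed, 16), int(f.bit_mask, 16), int(expected, 16)
        result = {"BitwiseAnd": obs & mask, "BitwiseOr": obs | mask,
                  "BitwiseXor": obs ^ mask}[cond]
        return result == want
    if not f.is_case_sensitive:
        expected, observed = expected.lower(), observed.lower()
    try:
        return {
            "Equals": observed == expected,
            "DoesNotEqual": observed != expected,
            "Contains": expected in observed,
            "DoesNotContain": expected not in observed,
            "StartsWith": observed.startswith(expected),
            "EndsWith": observed.endswith(expected),
        }[cond]
    except KeyError:
        raise ValueError(f"unsupported condition {cond!r}") from None


def evaluate(f: PatternedField, observed: str) -> bool:
    """Apply the condition to every list member, then fold with apply_condition."""
    results = [_match_one(f, member, observed) for member in f.members()]
    if f.apply_condition == "ALL":
        return all(results)
    if f.apply_condition == "NONE":
        return not any(results)
    return any(results)  # ANY, the schema default
```

Because is_case_sensitive defaults to true, a producer who writes a file-name pattern in lower case and a consumer who observes the upper-cased name will not match unless the attribute is set explicitly; the evaluator above makes that difference visible.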
Element maecBundle:CapabilityRelationshipType / maecBundle:Capability_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Capability_Reference field references a single Capability in the relationship, via its ID.
Diagram
Type maecBundle:CapabilityReferenceType
Attributes
QName Type Use Annotation
capability_idref xs:QName required
The capability_idref field references the ID of a Capability contained inside the current MAEC document.
Element maecBundle:CapabilityListType / maecBundle:Capability_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Capability_Reference field references a single Capability defined elsewhere in the MAEC document, and therefore represents a single Capability possessed by the malware instance.
Diagram
Type maecBundle:CapabilityReferenceType
Attributes
QName Type Use Annotation
capability_idref xs:QName required
The capability_idref field references the ID of a Capability contained inside the current MAEC document.
Element maecBundle:BundleType / maecBundle:Behaviors
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.
Diagram
Type maecBundle:BehaviorListType
Instance
<maecBundle:Behaviors xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior duration="" id="" ordinal_position="" status="">{1,unbounded}</maecBundle:Behavior>
</maecBundle:Behaviors>
Element maecBundle:BehaviorListType / maecBundle:Behavior
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior field specifies a single Behavior in the list.
Diagram
Type maecBundle:BehaviorType
Instance
<maecBundle:Behavior duration="" id="" ordinal_position="" status="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Purpose>{0,1}</maecBundle:Purpose>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Discovery_Method class="" name="" sighting_count="" source_type="">{0,1}</maecBundle:Discovery_Method>
  <maecBundle:Action_Composition>{0,1}</maecBundle:Action_Composition>
  <maecBundle:Associated_Code>{0,1}</maecBundle:Associated_Code>
  <maecBundle:Relationships>{0,1}</maecBundle:Relationships>
</maecBundle:Behavior>
Attributes
QName Type Use Annotation
duration xs:duration optional
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
id xs:QName required
The required id field specifies a unique ID for this Behavior.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
status cybox:ActionStatusTypeEnum optional
The status field specifies the execution status of the Behavior being characterized.
Element maecBundle:BehaviorType / maecBundle:Purpose
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as a way to state the nature of the Behavior apart from its constituent actions.
Diagram
Type maecBundle:BehaviorPurposeType
Instance
<maecBundle:Purpose xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Vulnerability_Exploit known_vulnerability="">{0,1}</maecBundle:Vulnerability_Exploit>
</maecBundle:Purpose>
Element maecBundle:BehaviorPurposeType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field contains a prose text description of the purpose of the Behavior, whether it was successful or not.
Diagram
Type xs:string
Element maecBundle:BehaviorPurposeType / maecBundle:Vulnerability_Exploit
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Vulnerability_Exploit field characterizes any vulnerability that a Behavior may have attempted to exploit, whether or not the exploitation was successful (where success is not necessarily known).
Diagram
Type maecBundle:ExploitType
Instance
<maecBundle:Vulnerability_Exploit known_vulnerability="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:CVE cve_id="">{0,1}</maecBundle:CVE>
  <maecBundle:CWE_ID>{0,unbounded}</maecBundle:CWE_ID>
  <maecBundle:Targeted_Platforms>{0,1}</maecBundle:Targeted_Platforms>
</maecBundle:Vulnerability_Exploit>
Attributes
QName Type Use Annotation
known_vulnerability xs:boolean optional
The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.
Element maecBundle:ExploitType / maecBundle:CVE
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CVE field specifies the CVE ID and description of the vulnerability targeted by the exploit, if available.
Diagram
Type maecBundle:CVEVulnerabilityType
Instance
<maecBundle:CVE cve_id="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Description>{0,1}</maecBundle:Description>
</maecBundle:CVE>
Attributes
QName Type Use Annotation
cve_id xs:string required
The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.
Element maecBundle:CVEVulnerabilityType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field specifies the textual description of the vulnerability referenced by the cve_id.
Diagram
Type xs:string
Element maecBundle:ExploitType / maecBundle:CWE_ID
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CWE_ID field captures the ID of the Common Weakness Enumeration (CWE) entry that represents the type of weakness targeted by the exploit. More than one such CWE ID can be specified by using multiple occurrences of this field.
Diagram
Type xs:string
Element maecBundle:ExploitType / maecBundle:Targeted_Platforms
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Targeted_Platforms field specifies the platform(s) targeted by the vulnerability exploit.
Diagram
Type maecBundle:PlatformListType
Instance
<maecBundle:Targeted_Platforms xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Platform>{1,unbounded}</maecBundle:Platform>
</maecBundle:Targeted_Platforms>
Element maecBundle:PlatformListType / maecBundle:Platform
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Platform field specifies a single Platform in the list via a common platform enumeration ID. It uses the PlatformSpecificationType type from the CybOX Common schema v2.0.1.
Diagram
Type cyboxCommon:PlatformSpecificationType
Instance
<maecBundle:Platform xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cyboxCommon="http://cybox.mitre.org/common-2">
  <cyboxCommon:Description structuring_format="">{0,1}</cyboxCommon:Description>
  <cyboxCommon:Identifier appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" system="" system-ref="" trend="">{0,unbounded}</cyboxCommon:Identifier>
</maecBundle:Platform>
Element maecBundle:BehaviorType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field specifies a prose textual description of the Behavior.
Diagram
Type xs:string
Element maecBundle:BehaviorType / maecBundle:Discovery_Method
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Discovery_Method field specifies the method used to discover the Behavior.
Diagram
Type cyboxCommon:MeasureSourceType
Instance
<maecBundle:Discovery_Method class="" name="" sighting_count="" source_type="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cyboxCommon="http://cybox.mitre.org/common-2">
  <cyboxCommon:Information_Source_Type apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cyboxCommon:Information_Source_Type>
  <cyboxCommon:Tool_Type apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cyboxCommon:Tool_Type>
  <cyboxCommon:Description structuring_format="">{0,1}</cyboxCommon:Description>
  <cyboxCommon:Contributors>{0,1}</cyboxCommon:Contributors>
  <cyboxCommon:Time>{0,1}</cyboxCommon:Time>
  <cyboxCommon:Observation_Location id="" idref="">{0,1}</cyboxCommon:Observation_Location>
  <cyboxCommon:Tools>{0,1}</cyboxCommon:Tools>
  <cyboxCommon:Platform>{0,1}</cyboxCommon:Platform>
  <cyboxCommon:System object_reference="">{0,1}</cyboxCommon:System>
  <cyboxCommon:Instance object_reference="">{0,1}</cyboxCommon:Instance>
  <cyboxCommon:Observable_Location id="" idref="">{0,1}</cyboxCommon:Observable_Location>
</maecBundle:Discovery_Method>
Attributes
QName Type Use Annotation
class cyboxCommon:SourceClassTypeEnum optional
The class field is optional and enables identification of the high-level class of this cyber observation source.
name xs:string optional
The name field is optional and enables the assignment of a relevant name to this Discovery Method.
sighting_count xs:positiveInteger optional
The sighting_count field specifies how many identical instances of a given Observable may have been seen/sighted by the observation source.
source_type cyboxCommon:SourceTypeEnum optional
The source_type field is optional and enables identification of the broad type of this cyber observation source.
Element maecBundle:BehaviorType / maecBundle:Action_Composition
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Composition field captures the Actions that compose the Behavior.
Diagram
Type maecBundle:BehavioralActionsType
Instance
<maecBundle:Action_Composition xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action_Collection id="" name="">{1,1}</maecBundle:Action_Collection>
  <maecBundle:Action action_status="" behavioral_ordering="" context="" id="" idref="" ordinal_position="" timestamp="" timestamp_precision="second">{1,1}</maecBundle:Action>
  <maecBundle:Action_Reference action_id="" behavioral_ordering="">{1,1}</maecBundle:Action_Reference>
  <maecBundle:Action_Equivalence_Reference action_equivalence_idref="" behavioral_ordering="">{1,1}</maecBundle:Action_Equivalence_Reference>
</maecBundle:Action_Composition>
Element maecBundle:BehavioralActionsType / maecBundle:Action_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Collection field specifies an Action Collection that is part of the behavioral composition.
Diagram
Type maecBundle:ActionCollectionType
Instance
<maecBundle:Action_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Action_List>{1,1}</maecBundle:Action_List>
</maecBundle:Action_Collection>
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Action Collection.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:BaseCollectionType / maecBundle:Affinity_Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Affinity_Type field provides an abstract way of characterizing how the objects in a collection are related.
Diagram
Type xs:string
Element maecBundle:BaseCollectionType / maecBundle:Affinity_Degree
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Affinity_Degree field is intended to provide an abstract way of characterizing the degree to which the objects in a collection are related.
Diagram
Type xs:string
Element maecBundle:BaseCollectionType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field contains a textual description of the collection.
Diagram
Type xs:string
Element maecBundle:ActionCollectionType / maecBundle:Action_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_List field specifies a list of Actions that make up the collection.
Diagram
Type maecBundle:ActionListType
Instance
<maecBundle:Action_List xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action action_status="" context="" id="" idref="" ordinal_position="" timestamp="" timestamp_precision="second">{1,unbounded}</maecBundle:Action>
</maecBundle:Action_List>
Element maecBundle:ActionListType / maecBundle:Action
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action field specifies a single Action in the list.
The recommended syntax for Action IDs is a dash-delimited format that starts with the word maec, followed by a unique string, followed by the three letter code 'act', and ending with an integer. The regular expression validating these IDs is: maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*.
Diagram
Type maecBundle:MalwareActionType
Instance
<maecBundle:Action action_status="" context="" id="" idref="" ordinal_position="" timestamp="" timestamp_precision="second" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cybox="http://cybox.mitre.org/cybox-2">
  <cybox:Type apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cybox:Type>
  <cybox:Name apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cybox:Name>
  <cybox:Description structuring_format="">{0,1}</cybox:Description>
  <cybox:Action_Aliases>{0,1}</cybox:Action_Aliases>
  <cybox:Action_Arguments>{0,1}</cybox:Action_Arguments>
  <cybox:Location id="" idref="">{0,1}</cybox:Location>
  <cybox:Discovery_Method class="" name="" sighting_count="" source_type="">{0,1}</cybox:Discovery_Method>
  <cybox:Associated_Objects>{0,1}</cybox:Associated_Objects>
  <cybox:Relationships>{0,1}</cybox:Relationships>
  <cybox:Frequency rate="" scale="" trend="" units="">{0,1}</cybox:Frequency>
  <maecBundle:Implementation id="" type="">{0,1}</maecBundle:Implementation>
</maecBundle:Action>
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Element maecBundle:MalwareActionType / maecBundle:Implementation
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.
Diagram
Type maecBundle:ActionImplementationType
Instance
<maecBundle:Implementation id="" type="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Compatible_Platforms>{0,1}</maecBundle:Compatible_Platforms>
  <maecBundle:API_Call function_name="" normalized_function_name="">{0,1}</maecBundle:API_Call>
  <maecBundle:Code object_reference="">{0,unbounded}</maecBundle:Code>
</maecBundle:Implementation>
Attributes
QName Type Use Annotation
id xs:QName optional
The id field specifies a unique ID for this Action Implementation.
type maecBundle:ActionImplementationTypeEnum required
The required type field refers to the type of Action Implementation being characterized in this element.
Element maecBundle:ActionImplementationType / maecBundle:Compatible_Platforms
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Compatible_Platforms field specifies the specific platform(s) that the Action is compatible with, or in other words, capable of being successfully executed on.
Diagram
Type maecBundle:PlatformListType
Instance
<maecBundle:Compatible_Platforms xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Platform>{1,unbounded}</maecBundle:Platform>
</maecBundle:Compatible_Platforms>
Element maecBundle:ActionImplementationType / maecBundle:API_Call
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The API_Call field allows for the characterization of a system-level API call that was used to implement the action. Software must make use of such calls to talk to hardware and perform system-specific functions.
Diagram
Type maecBundle:APICallType
Instance
<maecBundle:API_Call function_name="" normalized_function_name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Address>{0,1}</maecBundle:Address>
  <maecBundle:Return_Value>{0,1}</maecBundle:Return_Value>
  <maecBundle:Parameters>{0,1}</maecBundle:Parameters>
</maecBundle:API_Call>
Attributes
QName Type Use Annotation
function_name xs:string optional
The function_name field contains the exact name of the API function called, e.g. CreateFileEx.
normalized_function_name xs:string optional
The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.
Element maecBundle:APICallType / maecBundle:Address
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Address field contains the address of the API call in the binary.
Diagram
Type xs:hexBinary
Element maecBundle:APICallType / maecBundle:Return_Value
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Return_Value field contains the return value of the API call.
Diagram
Type xs:string
Element maecBundle:APICallType / maecBundle:Parameters
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Parameters field captures any name/value pairs of the parameters passed into the API call.
Diagram
Type maecBundle:ParameterListType
Instance
<maecBundle:Parameters xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Parameter name="" ordinal_position="" value="">{1,unbounded}</maecBundle:Parameter>
</maecBundle:Parameters>
Element maecBundle:ParameterListType / maecBundle:Parameter
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Parameter field specifies a single function parameter.
Diagram
Type maecBundle:ParameterType
Attributes
QName Type Use Annotation
name xs:string optional
The name field specifies the name of the parameter.
ordinal_position xs:positiveInteger optional
This field refers to the ordinal position of the parameter with respect to the function where it is used.
value xs:string optional
The value field specifies the actual value of the parameter.
Element maecBundle:ActionImplementationType / maecBundle:Code
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Code field contains any form of code that was used to implement the action.
Diagram
Type CodeObj:CodeObjectType
Instance
<maecBundle:Code object_reference="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:CodeObj="http://cybox.mitre.org/objects#CodeObject-2">
  <cyboxCommon:Custom_Properties>{0,1}</cyboxCommon:Custom_Properties>
  <CodeObj:Description structuring_format="">{0,1}</CodeObj:Description>
  <CodeObj:Type appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Type>
  <CodeObj:Purpose appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Purpose>
  <CodeObj:Code_Language appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Code_Language>
  <CodeObj:Targeted_Platforms>{0,1}</CodeObj:Targeted_Platforms>
  <CodeObj:Processor_Family appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,unbounded}</CodeObj:Processor_Family>
  <CodeObj:Discovery_Method class="" name="" sighting_count="" source_type="">{0,1}</CodeObj:Discovery_Method>
  <CodeObj:Start_Address appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="hexBinary" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Start_Address>
  <CodeObj:Code_Segment appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Code_Segment>
  <CodeObj:Code_Segment_XOR appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="" xor_pattern="55AA55AA55AA55BB">{0,1}</CodeObj:Code_Segment_XOR>
  <CodeObj:Digital_Signatures>{0,1}</CodeObj:Digital_Signatures>
  <CodeObj:Extracted_Features>{0,1}</CodeObj:Extracted_Features>
</maecBundle:Code>
Attributes
QName Type Use Annotation
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Element maecBundle:BehavioralActionsType / maecBundle:Action
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action field specifies a single Action that is part of the behavioral composition.
Diagram
Type maecBundle:BehavioralActionType
Instance
<maecBundle:Action action_status="" behavioral_ordering="" context="" id="" idref="" ordinal_position="" timestamp="" timestamp_precision="second" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cybox="http://cybox.mitre.org/cybox-2">
  <cybox:Type apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cybox:Type>
  <cybox:Name apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cybox:Name>
  <cybox:Description structuring_format="">{0,1}</cybox:Description>
  <cybox:Action_Aliases>{0,1}</cybox:Action_Aliases>
  <cybox:Action_Arguments>{0,1}</cybox:Action_Arguments>
  <cybox:Location id="" idref="">{0,1}</cybox:Location>
  <cybox:Discovery_Method class="" name="" sighting_count="" source_type="">{0,1}</cybox:Discovery_Method>
  <cybox:Associated_Objects>{0,1}</cybox:Associated_Objects>
  <cybox:Relationships>{0,1}</cybox:Relationships>
  <cybox:Frequency rate="" scale="" trend="" units="">{0,1}</cybox:Frequency>
  <maecBundle:Implementation id="" type="">{0,1}</maecBundle:Implementation>
</maecBundle:Action>
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Element maecBundle:BehavioralActionsType / maecBundle:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Reference field specifies a reference to a single Action that is part of the behavioral composition.
Diagram
Type maecBundle:BehavioralActionReferenceType
Attributes
QName Type Use Annotation
action_id xs:QName required
The action_id field refers to the id of the action being referenced.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
Element maecBundle:BehavioralActionsType / maecBundle:Action_Equivalence_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Equivalence_Reference field specifies a reference to a single Action Equivalence that is part of the behavioral composition.
Diagram
Type maecBundle:BehavioralActionEquivalenceReferenceType
Attributes
QName Type Use Annotation
action_equivalence_idref xs:QName required
The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.
Element maecBundle:BehaviorType / maecBundle:Associated_Code
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Associated_Code field specifies any code snippets that may be associated with the Behavior.
Diagram
Type maecBundle:AssociatedCodeType
Instance
<maecBundle:Associated_Code xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Code_Snippet object_reference="">{1,unbounded}</maecBundle:Code_Snippet>
</maecBundle:Associated_Code>
Element maecBundle:AssociatedCodeType / maecBundle:Code_Snippet
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Code_Snippet field captures a single snippet of code, via the CybOX CodeObjectType.
Diagram
Type CodeObj:CodeObjectType
Instance
<maecBundle:Code_Snippet object_reference="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:CodeObj="http://cybox.mitre.org/objects#CodeObject-2">
  <cyboxCommon:Custom_Properties>{0,1}</cyboxCommon:Custom_Properties>
  <CodeObj:Description structuring_format="">{0,1}</CodeObj:Description>
  <CodeObj:Type appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Type>
  <CodeObj:Purpose appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Purpose>
  <CodeObj:Code_Language appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Code_Language>
  <CodeObj:Targeted_Platforms>{0,1}</CodeObj:Targeted_Platforms>
  <CodeObj:Processor_Family appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,unbounded}</CodeObj:Processor_Family>
  <CodeObj:Discovery_Method class="" name="" sighting_count="" source_type="">{0,1}</CodeObj:Discovery_Method>
  <CodeObj:Start_Address appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="hexBinary" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Start_Address>
  <CodeObj:Code_Segment appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="">{0,1}</CodeObj:Code_Segment>
  <CodeObj:Code_Segment_XOR appears_random="" apply_condition="ANY" bit_mask="" condition="" datatype="string" defanging_algorithm_ref="" delimiter="##comma##" has_changed="" id="" idref="" is_case_sensitive="true" is_defanged="" is_obfuscated="" obfuscation_algorithm_ref="" observed_encoding="" pattern_type="" refanging_transform="" refanging_transform_type="" regex_syntax="" trend="" xor_pattern="55AA55AA55AA55BB">{0,1}</CodeObj:Code_Segment_XOR>
  <CodeObj:Digital_Signatures>{0,1}</CodeObj:Digital_Signatures>
  <CodeObj:Extracted_Features>{0,1}</CodeObj:Extracted_Features>
</maecBundle:Code_Snippet>
Attributes
QName Type Use Annotation
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Element maecBundle:BehaviorType / maecBundle:Relationships
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationships field specifies any relationships between this Behavior and any other Behaviors.
Diagram
Type maecBundle:BehaviorRelationshipListType
Instance
<maecBundle:Relationships xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Relationship type="">{1,unbounded}</maecBundle:Relationship>
</maecBundle:Relationships>
Element maecBundle:BehaviorRelationshipListType / maecBundle:Relationship
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship field specifies a single relationship between a single Behavior and one or more other Behaviors.
Diagram
Type maecBundle:BehaviorRelationshipType
Instance
<maecBundle:Relationship type="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Reference behavior_idref="">{1,unbounded}</maecBundle:Behavior_Reference>
</maecBundle:Relationship>
Attributes
QName Type Use Annotation
type restriction of cyboxVocabs:ActionRelationshipTypeEnum-1.0 optional
The type field specifies the nature of the relationship between Behaviors that is being captured.
Element maecBundle:BehaviorRelationshipType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field specifies a reference to a single Behavior in the relationship.
Diagram
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Element maecBundle:BundleType / maecBundle:Actions
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.
Diagram
Type maecBundle:ActionListType
Instance
<maecBundle:Actions xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action action_status="" context="" id="" idref="" ordinal_position="" timestamp="" timestamp_precision="second">{1,unbounded}</maecBundle:Action>
</maecBundle:Actions>
Element maecBundle:BundleType / maecBundle:Objects
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.
Diagram
Type maecBundle:ObjectListType
Instance
<maecBundle:Objects xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Object has_changed="" id="" idref="">{1,unbounded}</maecBundle:Object>
</maecBundle:Objects>
Element maecBundle:ObjectListType / maecBundle:Object
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object field specifies a single CybOX Object in the list. For use in MAEC, the id attribute at the top level of the Object must be utilized.
Diagram
Type cybox:ObjectType
Instance
<maecBundle:Object has_changed="" id="" idref="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cybox="http://cybox.mitre.org/cybox-2">
  <cybox:State apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cybox:State>
  <cybox:Description structuring_format="">{0,1}</cybox:Description>
  <cybox:Properties object_reference="">{0,1}</cybox:Properties>
  <cybox:Domain_Specific_Object_Properties>{0,1}</cybox:Domain_Specific_Object_Properties>
  <cybox:Location id="" idref="">{0,1}</cybox:Location>
  <cybox:Related_Objects>{0,1}</cybox:Related_Objects>
  <cybox:Defined_Effect effect_type="">{0,1}</cybox:Defined_Effect>
  <cybox:Discovery_Method class="" name="" sighting_count="" source_type="">{0,1}</cybox:Discovery_Method>
</maecBundle:Object>
Attributes
QName Type Use Annotation
has_changed xs:boolean optional
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
id xs:QName optional
The id field specifies a unique id for this Object.
idref xs:QName optional
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Element maecBundle:BundleType / maecBundle:Candidate_Indicators
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.
Diagram
Type maecBundle:CandidateIndicatorListType
Instance
<maecBundle:Candidate_Indicators xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Candidate_Indicator creation_datetime="" id="" lastupdate_datetime="" version="">{1,unbounded}</maecBundle:Candidate_Indicator>
</maecBundle:Candidate_Indicators>
Element maecBundle:CandidateIndicatorListType / maecBundle:Candidate_Indicator
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator field specifies a single Candidate Indicator in the list.
Diagram
Type maecBundle:CandidateIndicatorType
Instance
<maecBundle:Candidate_Indicator creation_datetime="" id="" lastupdate_datetime="" version="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Importance apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</maecBundle:Importance>
  <maecBundle:Numeric_Importance>{0,1}</maecBundle:Numeric_Importance>
  <maecBundle:Author>{0,1}</maecBundle:Author>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Malware_Entity>{0,1}</maecBundle:Malware_Entity>
  <maecBundle:Composition operator="">{0,1}</maecBundle:Composition>
</maecBundle:Candidate_Indicator>
Attributes
QName Type Use Annotation
creation_datetime xs:dateTime optional
The creation_datetime field specifies the date/time that the Candidate Indicator was created.
id xs:QName required
The id field specifies a unique ID for this Candidate Indicator.
lastupdate_datetime xs:dateTime optional
The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.
version xs:string optional
The version field specifies the version of the Candidate Indicator.
Element maecBundle:CandidateIndicatorType / maecBundle:Importance
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Importance field specifies the relative importance of the Candidate Indicator.
This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Diagram
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Element maecBundle:CandidateIndicatorType / maecBundle:Numeric_Importance
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.
Diagram
Type xs:positiveInteger
Element maecBundle:CandidateIndicatorType / maecBundle:Author
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Author field specifies the author of the Candidate Indicator.
Diagram
Type xs:string
Element maecBundle:CandidateIndicatorType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field provides a brief description of the Candidate Indicator.
Diagram
Type xs:string
Element maecBundle:CandidateIndicatorType / maecBundle:Malware_Entity
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.
Diagram
Type maecBundle:MalwareEntityType
Instance
<maecBundle:Malware_Entity xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Type apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</maecBundle:Type>
  <maecBundle:Name>{0,1}</maecBundle:Name>
  <maecBundle:Description>{0,1}</maecBundle:Description>
</maecBundle:Malware_Entity>
Element maecBundle:MalwareEntityType / maecBundle:Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Type field refers to the specific type of malware entity that the indicator or signature is written against.
This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is MalwareEntityTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Diagram
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Element maecBundle:MalwareEntityType / maecBundle:Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Name field refers to the name of the malware instance, malware family, or malware class that the indicator or signature is written against.
Diagram
Type xs:string
Element maecBundle:MalwareEntityType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field is intended to provide a brief description of the entity that the indicator or signature is written against.
Diagram
Type xs:string
Element maecBundle:CandidateIndicatorType / maecBundle:Composition
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Composition field specifies the actual observables that the Candidate Indicator is composed of, via a reference to one or more MAEC entities contained in the Bundle.
Diagram
Type maecBundle:CandidateIndicatorCompositionType
Instance
<maecBundle:Composition operator="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Reference behavior_idref="">{0,1}</maecBundle:Behavior_Reference>
  <maecBundle:Action_Reference action_id="">{0,1}</maecBundle:Action_Reference>
  <maecBundle:Object_Reference object_idref="">{0,1}</maecBundle:Object_Reference>
  <maecBundle:Sub_Composition operator="">{0,unbounded}</maecBundle:Sub_Composition>
</maecBundle:Composition>
Attributes
QName Type Use Annotation
operator cybox:OperatorTypeEnum optional
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field specifies a reference to a single Behavior in the Bundle that is part of the candidate indicator's composition.
Diagram
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Reference field specifies a reference to a single Action in the Bundle that is part of the candidate indicator's composition.
Diagram
Type cybox:ActionReferenceType
Attributes
QName Type Use Annotation
action_id xs:QName required
The action_id field refers to the id of the action being referenced.
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Object_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Reference field specifies a reference to a single Object in the Bundle that is part of the candidate indicator's composition.
Diagram
Type maecBundle:ObjectReferenceType
Attributes
QName Type Use Annotation
object_idref xs:QName required
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Sub_Composition
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Sub_Composition field captures any sub-compositions in this Candidate Indicator, for expressing more complex Candidate Indicators.
Diagram
Type maecBundle:CandidateIndicatorCompositionType
Instance
<maecBundle:Sub_Composition operator="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Reference behavior_idref="">{0,1}</maecBundle:Behavior_Reference>
  <maecBundle:Action_Reference action_id="">{0,1}</maecBundle:Action_Reference>
  <maecBundle:Object_Reference object_idref="">{0,1}</maecBundle:Object_Reference>
  <maecBundle:Sub_Composition operator="">{0,unbounded}</maecBundle:Sub_Composition>
</maecBundle:Sub_Composition>
Attributes
QName Type Use Annotation
operator cybox:OperatorTypeEnum optional
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
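The Composition, Behavior_Reference, Action_Reference, Object_Reference and Sub_Composition sections above describe a nested Boolean tree whose leaves must resolve to entities defined in the same Bundle. As an added example (not part of the MAEC schema or its documentation), the following Python walks a constructed Bundle, flags Composition references that do not resolve within it, and evaluates the composition against a set of observed entity ids; it assumes the cybox:OperatorTypeEnum values AND and OR and treats a missing operator as AND.

```python
import xml.etree.ElementTree as ET

MAEC_NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
M = "{%s}" % MAEC_NS  # Clark-notation prefix for maecBundle elements

# Constructed sample Bundle (ids made up). ind-1 resolves completely; ind-2
# references an Action that the Bundle never defines.
SAMPLE_BUNDLE = """
<maecBundle:MAEC_Bundle xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" id="maec-example-bnd-1" schema_version="4.1">
  <maecBundle:Behaviors>
    <maecBundle:Behavior id="maec-example-bhv-1"/>
  </maecBundle:Behaviors>
  <maecBundle:Actions>
    <maecBundle:Action id="maec-example-act-1"/>
  </maecBundle:Actions>
  <maecBundle:Objects>
    <maecBundle:Object id="maec-example-obj-1"/>
  </maecBundle:Objects>
  <maecBundle:Candidate_Indicators>
    <maecBundle:Candidate_Indicator id="maec-example-ind-1">
      <maecBundle:Composition operator="AND">
        <maecBundle:Behavior_Reference behavior_idref="maec-example-bhv-1"/>
        <maecBundle:Sub_Composition operator="OR">
          <maecBundle:Action_Reference action_id="maec-example-act-1"/>
          <maecBundle:Object_Reference object_idref="maec-example-obj-1"/>
        </maecBundle:Sub_Composition>
      </maecBundle:Composition>
    </maecBundle:Candidate_Indicator>
    <maecBundle:Candidate_Indicator id="maec-example-ind-2">
      <maecBundle:Composition operator="OR">
        <maecBundle:Action_Reference action_id="maec-example-act-missing"/>
      </maecBundle:Composition>
    </maecBundle:Candidate_Indicator>
  </maecBundle:Candidate_Indicators>
</maecBundle:MAEC_Bundle>
"""

# Reference element -> (attribute carrying the id, element that defines the target)
REF_KINDS = {
    "Behavior_Reference": ("behavior_idref", "Behavior"),
    "Action_Reference": ("action_id", "Action"),
    "Object_Reference": ("object_idref", "Object"),
}

def load_sample():
    return ET.fromstring(SAMPLE_BUNDLE)

def defined_ids(bundle):
    """Map each reference kind to the set of entity ids defined in the Bundle."""
    return {kind: {e.get("id") for e in bundle.iter(M + entity) if e.get("id")}
            for kind, (_attr, entity) in REF_KINDS.items()}

def find_dangling(bundle):
    """Return (reference element, id) for every Composition reference whose
    target is not defined in this Bundle; the schema requires that it is."""
    ids = defined_ids(bundle)
    dangling = []
    for comp in bundle.iter(M + "Composition"):
        for node in comp.iter():  # iter() descends into Sub_Composition too
            kind = node.tag[len(M):]
            if kind in REF_KINDS:
                ref = node.get(REF_KINDS[kind][0])
                if ref not in ids[kind]:
                    dangling.append((kind, ref))
    return dangling

def evaluate(comp, observed):
    """Evaluate one Composition/Sub_Composition level against the observed ids:
    AND needs every operand, OR needs any; no operator is treated as AND (assumed)."""
    op = (comp.get("operator") or "AND").upper()
    results = []
    for child in comp:
        kind = child.tag[len(M):]
        if kind in REF_KINDS:
            results.append(child.get(REF_KINDS[kind][0]) in observed)
        elif kind == "Sub_Composition":
            results.append(evaluate(child, observed))
    if not results:
        return False
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    raise ValueError("unsupported operator %r" % op)

def evaluate_indicator(bundle, indicator_id, observed):
    """Evaluate the named Candidate Indicator; KeyError if the id is unknown."""
    for ind in bundle.iter(M + "Candidate_Indicator"):
        if ind.get("id") == indicator_id:
            comp = ind.find(M + "Composition")
            return evaluate(comp, observed) if comp is not None else False
    raise KeyError(indicator_id)

if __name__ == "__main__":
    b = load_sample()
    print("dangling references:", find_dangling(b))
    seen = {"maec-example-bhv-1", "maec-example-obj-1"}
    print("ind-1 matches:", evaluate_indicator(b, "maec-example-ind-1", seen))
```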
Element maecBundle:BundleType / maecBundle:Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.
Diagram
Type maecBundle:CollectionsType
Instance
<maecBundle:Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Collections>{0,1}</maecBundle:Behavior_Collections>
  <maecBundle:Action_Collections>{0,1}</maecBundle:Action_Collections>
  <maecBundle:Object_Collections>{0,1}</maecBundle:Object_Collections>
  <maecBundle:Candidate_Indicator_Collections>{0,1}</maecBundle:Candidate_Indicator_Collections>
</maecBundle:Collections>
Element maecBundle:CollectionsType / maecBundle:Behavior_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Collections field captures any collections of Behaviors in the Bundle.
Diagram
Type maecBundle:BehaviorCollectionListType
Instance
<maecBundle:Behavior_Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Collection id="" name="">{1,unbounded}</maecBundle:Behavior_Collection>
</maecBundle:Behavior_Collections>
Element maecBundle:BehaviorCollectionListType / maecBundle:Behavior_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Collection field specifies a single collection of Behaviors in the Bundle.
Diagram
Diagram NO_NAMESPACE.tmp#BaseCollectionType_name maec-bundle-4.tmp#BaseCollectionType_Affinity_Type maec-bundle-4.tmp#BaseCollectionType_Affinity_Degree maec-bundle-4.tmp#BaseCollectionType_Description maec-bundle-4.tmp#BaseCollectionType NO_NAMESPACE.tmp#BehaviorCollectionType_id maec-bundle-4.tmp#BehaviorCollectionType_Purpose maec-bundle-4.tmp#BehaviorCollectionType_Behavior_List maec-bundle-4.tmp#BehaviorCollectionType
Type maecBundle:BehaviorCollectionType
Instance
<maecBundle:Behavior_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Purpose>{0,1}</maecBundle:Purpose>
  <maecBundle:Behavior_List>{1,1}</maecBundle:Behavior_List>
</maecBundle:Behavior_Collection>
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Behavior Collection.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:BehaviorCollectionType / maecBundle:Purpose
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Purpose field states the intended purpose of the collection of Behaviors. Since Behaviors are not always successful, and may not be fully observed, this is meant as a way of abstracting the nature of the collection of Behaviors away from its constituent Actions.
Diagram
Diagram
Type xs:string
Element maecBundle:BehaviorCollectionType / maecBundle:Behavior_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_List field specifies a list of Behaviors that make up the collection.
Diagram
Diagram maec-bundle-4.tmp#BehaviorListType_Behavior maec-bundle-4.tmp#BehaviorListType
Type maecBundle:BehaviorListType
Instance
<maecBundle:Behavior_List xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior duration="" id="" ordinal_position="" status="">{1,unbounded}</maecBundle:Behavior>
</maecBundle:Behavior_List>
Element maecBundle:CollectionsType / maecBundle:Action_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Collections field captures any collections of Actions in the Bundle.
Diagram
Diagram maec-bundle-4.tmp#ActionCollectionListType_Action_Collection maec-bundle-4.tmp#ActionCollectionListType
Type maecBundle:ActionCollectionListType
Instance
<maecBundle:Action_Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action_Collection id="" name="">{1,unbounded}</maecBundle:Action_Collection>
</maecBundle:Action_Collections>
Element maecBundle:ActionCollectionListType / maecBundle:Action_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Collection field specifies a single collection of Actions in the Bundle.
Diagram
Diagram NO_NAMESPACE.tmp#BaseCollectionType_name maec-bundle-4.tmp#BaseCollectionType_Affinity_Type maec-bundle-4.tmp#BaseCollectionType_Affinity_Degree maec-bundle-4.tmp#BaseCollectionType_Description maec-bundle-4.tmp#BaseCollectionType NO_NAMESPACE.tmp#ActionCollectionType_id maec-bundle-4.tmp#ActionCollectionType_Action_List maec-bundle-4.tmp#ActionCollectionType
Type maecBundle:ActionCollectionType
Instance
<maecBundle:Action_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Action_List>{1,1}</maecBundle:Action_List>
</maecBundle:Action_Collection>
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Action Collection.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:CollectionsType / maecBundle:Object_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Collections field captures any collections of CybOX Objects in the Bundle.
Diagram
Diagram maec-bundle-4.tmp#ObjectCollectionListType_Object_Collection maec-bundle-4.tmp#ObjectCollectionListType
Type maecBundle:ObjectCollectionListType
Instance
<maecBundle:Object_Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Object_Collection id="" name="">{1,unbounded}</maecBundle:Object_Collection>
</maecBundle:Object_Collections>
Element maecBundle:ObjectCollectionListType / maecBundle:Object_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Collection field specifies a single collection of CybOX Objects.
Diagram
Diagram NO_NAMESPACE.tmp#BaseCollectionType_name maec-bundle-4.tmp#BaseCollectionType_Affinity_Type maec-bundle-4.tmp#BaseCollectionType_Affinity_Degree maec-bundle-4.tmp#BaseCollectionType_Description maec-bundle-4.tmp#BaseCollectionType NO_NAMESPACE.tmp#ObjectCollectionType_id maec-bundle-4.tmp#ObjectCollectionType_Object_List maec-bundle-4.tmp#ObjectCollectionType
Type maecBundle:ObjectCollectionType
Instance
<maecBundle:Object_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Object_List>{1,1}</maecBundle:Object_List>
</maecBundle:Object_Collection>
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Object Collection.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:ObjectCollectionType / maecBundle:Object_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_List field specifies a list of Objects that make up the collection.
Diagram
Diagram maec-bundle-4.tmp#ObjectListType_Object maec-bundle-4.tmp#ObjectListType
Type maecBundle:ObjectListType
Instance
<maecBundle:Object_List xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Object has_changed="" id="" idref="">{1,unbounded}</maecBundle:Object>
</maecBundle:Object_List>
Element maecBundle:CollectionsType / maecBundle:Candidate_Indicator_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator_Collections field captures any collections of Candidate Indicators in the Bundle.
Diagram
Diagram maec-bundle-4.tmp#CandidateIndicatorCollectionListType_Candidate_Indicator_Collection maec-bundle-4.tmp#CandidateIndicatorCollectionListType
Type maecBundle:CandidateIndicatorCollectionListType
Instance
<maecBundle:Candidate_Indicator_Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Candidate_Indicator_Collection id="" name="">{1,unbounded}</maecBundle:Candidate_Indicator_Collection>
</maecBundle:Candidate_Indicator_Collections>
Element maecBundle:CandidateIndicatorCollectionListType / maecBundle:Candidate_Indicator_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator_Collection field specifies a single collection of Candidate Indicators.
Diagram
Diagram NO_NAMESPACE.tmp#BaseCollectionType_name maec-bundle-4.tmp#BaseCollectionType_Affinity_Type maec-bundle-4.tmp#BaseCollectionType_Affinity_Degree maec-bundle-4.tmp#BaseCollectionType_Description maec-bundle-4.tmp#BaseCollectionType NO_NAMESPACE.tmp#CandidateIndicatorCollectionType_id maec-bundle-4.tmp#CandidateIndicatorCollectionType_Candidate_Indicator_List maec-bundle-4.tmp#CandidateIndicatorCollectionType
Type maecBundle:CandidateIndicatorCollectionType
Instance
<maecBundle:Candidate_Indicator_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Candidate_Indicator_List>{1,1}</maecBundle:Candidate_Indicator_List>
</maecBundle:Candidate_Indicator_Collection>
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Candidate Indicator Collection.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:CandidateIndicatorCollectionType / maecBundle:Candidate_Indicator_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator_List field specifies a list of Candidate Indicators that make up the collection.
Diagram
Diagram maec-bundle-4.tmp#CandidateIndicatorListType_Candidate_Indicator maec-bundle-4.tmp#CandidateIndicatorListType
Type maecBundle:CandidateIndicatorListType
Instance
<maecBundle:Candidate_Indicator_List xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Candidate_Indicator creation_datetime="" id="" lastupdate_datetime="" version="">{1,unbounded}</maecBundle:Candidate_Indicator>
</maecBundle:Candidate_Indicator_List>
Element maecBundle:Action
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action element enables description/specification of a single malware action.
Diagram
Diagram maec-bundle-4.tmp#MalwareActionType_Implementation maec-bundle-4.tmp#MalwareActionType
Type maecBundle:MalwareActionType
Instance
<maecBundle:Action action_status="" context="" id="" idref="" ordinal_position="" timestamp="" timestamp_precision="second" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:cybox="http://cybox.mitre.org/cybox-2">
  <cybox:Type apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cybox:Type>
  <cybox:Name apply_condition="ANY" bit_mask="" condition="" delimiter="##comma##" has_changed="" is_case_sensitive="true" pattern_type="" regex_syntax="" trend="" vocab_name="" vocab_reference="">{0,1}</cybox:Name>
  <cybox:Description structuring_format="">{0,1}</cybox:Description>
  <cybox:Action_Aliases>{0,1}</cybox:Action_Aliases>
  <cybox:Action_Arguments>{0,1}</cybox:Action_Arguments>
  <cybox:Location id="" idref="">{0,1}</cybox:Location>
  <cybox:Discovery_Method class="" name="" sighting_count="" source_type="">{0,1}</cybox:Discovery_Method>
  <cybox:Associated_Objects>{0,1}</cybox:Associated_Objects>
  <cybox:Relationships>{0,1}</cybox:Relationships>
  <cybox:Frequency rate="" scale="" trend="" units="">{0,1}</cybox:Frequency>
  <maecBundle:Implementation id="" type="">{0,1}</maecBundle:Implementation>
</maecBundle:Action>
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Element maecBundle:Behavior
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior element enables description/specification of a single malware behavior.
Diagram
Diagram NO_NAMESPACE.tmp#BehaviorType_id NO_NAMESPACE.tmp#BehaviorType_ordinal_position NO_NAMESPACE.tmp#BehaviorType_status NO_NAMESPACE.tmp#BehaviorType_duration maec-bundle-4.tmp#BehaviorType_Purpose maec-bundle-4.tmp#BehaviorType_Description maec-bundle-4.tmp#BehaviorType_Discovery_Method maec-bundle-4.tmp#BehaviorType_Action_Composition maec-bundle-4.tmp#BehaviorType_Associated_Code maec-bundle-4.tmp#BehaviorType_Relationships maec-bundle-4.tmp#BehaviorType
Type maecBundle:BehaviorType
Instance
<maecBundle:Behavior duration="" id="" ordinal_position="" status="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Purpose>{0,1}</maecBundle:Purpose>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Discovery_Method class="" name="" sighting_count="" source_type="">{0,1}</maecBundle:Discovery_Method>
  <maecBundle:Action_Composition>{0,1}</maecBundle:Action_Composition>
  <maecBundle:Associated_Code>{0,1}</maecBundle:Associated_Code>
  <maecBundle:Relationships>{0,1}</maecBundle:Relationships>
</maecBundle:Behavior>
Attributes
QName Type Use Annotation
duration xs:duration optional
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
id xs:QName required
The required id field specifies a unique ID for this Behavior.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
status cybox:ActionStatusTypeEnum optional
The status field specifies the execution status of the Behavior being characterized.
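The duration annotation above suggests deriving a Behavior's duration from the timestamps of its first and last Actions, and the Action timestamp_precision annotation requires that digits beyond the stated precision be zeroed. The following added example, written for this page and not taken from the MAEC project, combines the two: it normalises each Action timestamp to its declared precision and returns the Behavior duration as an xs:duration. Assumptions: timestamp_precision takes the cyboxCommon:DateTimePrecisionEnum values year, month, day, hour, minute and second, and the sample Actions are constructed.

```python
"""Normalise MAEC Action timestamps to their declared precision and derive a
Behavior duration from the earliest and latest Action.

Added example for this page, not code from the MAEC project. Assumptions:
timestamp_precision takes the cyboxCommon:DateTimePrecisionEnum values
year/month/day/hour/minute/second, and the sample Actions are constructed.
"""
from datetime import datetime

# Coarsest to finest, matching DateTimePrecisionEnum.
PRECISIONS = ("year", "month", "day", "hour", "minute", "second")


def parse_xs_datetime(text):
    """Parse an xs:dateTime. A value with no timezone is ambiguous (the schema
    says as much), so it is rejected instead of silently assumed to be UTC."""
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp %r carries no timezone" % text)
    return parsed


def truncate_to_precision(stamp, precision="second"):
    """Zero every component finer than `precision`, as the schema requires.

    Finer digits are meaningless at the stated precision; carrying them along
    would imply false accuracy when ordering or differencing Actions.
    """
    if precision not in PRECISIONS:
        raise ValueError("unknown precision %r" % precision)
    keep = PRECISIONS.index(precision)
    stamp = stamp.replace(microsecond=0)  # precision here never goes below seconds
    # (component to reset, the value that "zeroed" means for it), finest first
    resets = (("second", 0), ("minute", 0), ("hour", 0), ("day", 1), ("month", 1))
    for name, zero in resets:
        if keep < PRECISIONS.index(name):
            stamp = stamp.replace(**{name: zero})
    return stamp


def to_xs_duration(delta):
    """Render a non-negative timedelta as an xs:duration such as PT1M30S."""
    total = int(delta.total_seconds())
    if total < 0:
        raise ValueError("negative duration")
    days, rest = divmod(total, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    out = "P%dD" % days if days else "P"
    if hours or minutes or seconds or not days:
        out += "T"
        if hours:
            out += "%dH" % hours
        if minutes:
            out += "%dM" % minutes
        if seconds or not (hours or minutes):
            out += "%dS" % seconds
    return out


def behavior_duration(actions):
    """actions: iterable of (timestamp text, timestamp_precision) pairs taken
    from the Actions composing one Behavior. Returns the xs:duration between
    the earliest and latest Action after each is normalised to its precision."""
    stamps = [truncate_to_precision(parse_xs_datetime(t), p) for t, p in actions]
    if not stamps:
        raise ValueError("a Behavior needs at least one timestamped Action")
    return to_xs_duration(max(stamps) - min(stamps))


# Constructed sample: three Actions of one Behavior, the last at minute precision.
SAMPLE_ACTIONS = [
    ("2014-03-05T10:15:30Z", "second"),
    ("2014-03-05T10:15:45.750Z", "second"),  # fractional seconds are dropped
    ("2014-03-05T10:17:02Z", "minute"),      # normalised to 10:17:00
]

if __name__ == "__main__":
    print(behavior_duration(SAMPLE_ACTIONS))  # PT1M30S
```

Rejecting timezone-less timestamps rather than guessing is the safer default when Bundles from several sandboxes are merged; a mix of local and UTC times silently produces wrong orderings and durations.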
Element maecBundle:BehaviorReferenceListType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field specifies a reference to a single Behavior.
Diagram
Diagram NO_NAMESPACE.tmp#BehaviorReferenceType_behavior_idref maec-bundle-4.tmp#BehaviorReferenceType
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Element maecBundle:ObjectReferenceListType / maecBundle:Object_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Reference field specifies a reference to a single CybOX Object.
Diagram
Diagram NO_NAMESPACE.tmp#ObjectReferenceType_object_idref maec-bundle-4.tmp#ObjectReferenceType
Type maecBundle:ObjectReferenceType
Attributes
QName Type Use Annotation
object_idref xs:QName required
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
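The Behavior_Reference and Object_Reference annotations above require that the referenced entity exist in the current Bundle, and the Action annotations forbid combining idref with id or with content. Because MAEC ids are typed xs:QName rather than xs:ID/xs:IDREF, ordinary schema validation checks none of this; a dangling reference validates cleanly and only fails when a consumer tries to follow it. The following is an added example, written for this page and not taken from the MAEC project, that checks these rules over a Bundle. Assumptions: reference attributes are `idref`, any attribute ending in `_idref`, and `action_id` on Action_Reference; the expected target element per attribute follows the annotations on this page; the sample Bundle is constructed and deliberately contains two violations.

```python
"""Check id/idref integrity of a MAEC 4.1 Bundle.

Added example for this page, not code from the MAEC project. It enforces rules
the schema annotations state but XSD validation cannot (ids are xs:QName, not
xs:ID/xs:IDREF):
  * ids are unique within the Bundle
  * idref, *_idref and Action_Reference/action_id resolve inside the Bundle,
    and resolve to the element type the annotation names where one is given
  * an Action carrying idref carries neither id nor content
The sample Bundle below is constructed and contains two deliberate violations.
"""
import xml.etree.ElementTree as ET

MAEC = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
ACTION_TAG = "{%s}Action" % MAEC


def local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


# Reference attribute -> local name of the element it must resolve to, taken
# from the annotations on this page (None = any element carrying that id).
EXPECTED_TARGET = {
    "behavior_idref": "Behavior",
    "parent_action_idref": "Action",
    "capability_idref": "Capability",
    "object_idref": None,
    "objective_idref": None,
    "idref": None,
}


def reference_attrs(el):
    """Yield (attribute, referenced id, expected target) for each reference on el."""
    for name, value in el.attrib.items():
        if name in EXPECTED_TARGET:
            yield name, value, EXPECTED_TARGET[name]
        elif name == "action_id" and local(el.tag) == "Action_Reference":
            # ActionReferenceType names its reference attribute action_id.
            yield name, value, "Action"


def check_bundle(xml_text):
    """Return a list of human-readable problems; an empty list means the Bundle is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    defined = {}  # id -> local name of the defining element
    # Pass 1: collect ids and flag duplicates.
    for el in root.iter():
        el_id = el.get("id")
        if el_id is None:
            continue
        if el_id in defined:
            problems.append("duplicate id %s on %s" % (el_id, local(el.tag)))
        defined[el_id] = local(el.tag)
    # Pass 2: resolve references (forward references are legal, hence two passes).
    for el in root.iter():
        for attr, target, want in reference_attrs(el):
            if target not in defined:
                problems.append("%s %s=%r does not resolve in this Bundle"
                                % (local(el.tag), attr, target))
            elif want and defined[target] != want:
                problems.append("%s %s=%r points at a %s, not a %s"
                                % (local(el.tag), attr, target, defined[target], want))
        if el.tag == ACTION_TAG and el.get("idref") is not None:
            if el.get("id") is not None:
                problems.append("Action idref=%r also carries id=%r"
                                % (el.get("idref"), el.get("id")))
            if len(el) or (el.text or "").strip():
                problems.append("Action idref=%r holds content" % el.get("idref"))
    return problems


# Constructed sample: one dangling behavior_idref, one Action with both id and idref.
SAMPLE_BUNDLE = """<maecBundle:MAEC_Bundle xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    id="example:bundle-1" schema_version="4.1" defined_subject="false">
  <maecBundle:Capabilities>
    <maecBundle:Capability id="example:cap-1">
      <maecBundle:Behavior_Reference behavior_idref="example:bhv-1"/>
      <maecBundle:Behavior_Reference behavior_idref="example:bhv-missing"/>
    </maecBundle:Capability>
  </maecBundle:Capabilities>
  <maecBundle:Behaviors>
    <maecBundle:Behavior id="example:bhv-1"/>
  </maecBundle:Behaviors>
  <maecBundle:Actions>
    <maecBundle:Action id="example:act-1"/>
    <maecBundle:Action id="example:act-2" idref="example:act-1"/>
  </maecBundle:Actions>
</maecBundle:MAEC_Bundle>"""

if __name__ == "__main__":
    for problem in check_bundle(SAMPLE_BUNDLE):
        print(problem)
```

This complements, rather than replaces, validation against maec_bundle_schema.xsd: run the XSD check first for structure and types, then this pass for the cross-reference rules the annotations describe.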
Complex Type maecBundle:BundleType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BundleType serves as the high-level construct which encapsulates all Bundle elements, and represents some characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).
Diagram
Diagram NO_NAMESPACE.tmp#BundleType_id NO_NAMESPACE.tmp#BundleType_schema_version NO_NAMESPACE.tmp#BundleType_defined_subject NO_NAMESPACE.tmp#BundleType_content_type NO_NAMESPACE.tmp#BundleType_timestamp maec-bundle-4.tmp#BundleType_Malware_Instance_Object_Attributes maec-bundle-4.tmp#BundleType_AV_Classifications maec-bundle-4.tmp#BundleType_Process_Tree maec-bundle-4.tmp#BundleType_Capabilities maec-bundle-4.tmp#BundleType_Behaviors maec-bundle-4.tmp#BundleType_Actions maec-bundle-4.tmp#BundleType_Objects maec-bundle-4.tmp#BundleType_Candidate_Indicators maec-bundle-4.tmp#BundleType_Collections
Attributes
QName Type Fixed Use Annotation
content_type maecBundle:BundleContentTypeEnum optional
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
defined_subject xs:boolean required
The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).
id xs:QName required
The required id field specifies a unique ID for this MAEC Bundle.
schema_version xs:string 4.1 required
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
timestamp xs:dateTime optional
The timestamp field specifies the date/time that the bundle was generated.
Complex Type maecBundle:AVClassificationsType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AVClassificationsType captures any Anti-Virus (AV) tool classifications for an Object.
Diagram
Diagram maec-bundle-4.tmp#AVClassificationsType_AV_Classification
Complex Type maecBundle:AVClassificationType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AVClassificationType captures information on AV scanner classifications for the malware instance object captured in the Bundle or Package.
Diagram
Diagram maec-bundle-4.tmp#AVClassificationType_Engine_Version maec-bundle-4.tmp#AVClassificationType_Definition_Version maec-bundle-4.tmp#AVClassificationType_Classification_Name
Type extension of cyboxCommon:ToolInformationType
Attributes
QName Type Use Annotation
id xs:QName optional
The id field specifies a unique ID for this Tool.
idref xs:QName optional
The idref field specifies reference to a unique ID for this Tool.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
Complex Type maecBundle:ProcessTreeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ProcessTreeType captures the process tree for the malware instance, including the parent process and processes spawned by it, along with any Actions initiated by each.
Diagram
Diagram maec-bundle-4.tmp#ProcessTreeType_Root_Process
Complex Type maecBundle:ProcessTreeNodeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ProcessTreeNodeType captures a single process, or node, in the process tree. It imports and extends the ProcessObjectType from the CybOX Process Object.
Diagram
Diagram NO_NAMESPACE.tmp#ProcessTreeNodeType_id NO_NAMESPACE.tmp#ProcessTreeNodeType_parent_action_idref NO_NAMESPACE.tmp#ProcessTreeNodeType_ordinal_position maec-bundle-4.tmp#ProcessTreeNodeType_Initiated_Actions maec-bundle-4.tmp#ProcessTreeNodeType_Spawned_Process maec-bundle-4.tmp#ProcessTreeNodeType_Injected_Process
Type extension of ProcessObj:ProcessObjectType
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for the Process Node.
is_hidden xs:boolean optional
The is_hidden field specifies whether the process is hidden or not.
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
parent_action_idref xs:QName optional
The parent_action_idref field specifies the id of the action that created or injected this process.
Complex Type maecBundle:ActionReferenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionReferenceListType captures a list of Action References.
Diagram
Diagram maec-bundle-4.tmp#ActionReferenceListType_Action_Reference
Complex Type maecBundle:CapabilityListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityListType captures a list of Capabilities.
Diagram
Diagram maec-bundle-4.tmp#CapabilityListType_Capability maec-bundle-4.tmp#CapabilityListType_Capability_Reference
Complex Type maecBundle:CapabilityType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityType captures details of a Capability that may be implemented in the malware instance, along with its child Strategic and Tactical Objectives.
Diagram
Diagram NO_NAMESPACE.tmp#CapabilityType_id NO_NAMESPACE.tmp#CapabilityType_name maec-bundle-4.tmp#CapabilityType_Description maec-bundle-4.tmp#CapabilityType_Property maec-bundle-4.tmp#CapabilityType_Strategic_Objective maec-bundle-4.tmp#CapabilityType_Tactical_Objective maec-bundle-4.tmp#CapabilityType_Behavior_Reference maec-bundle-4.tmp#CapabilityType_Relationship
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this MAEC Capability.
name maecVocabs:MalwareCapabilityEnum-1.0 optional
The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.
Complex Type maecBundle:CapabilityPropertyType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityPropertyType captures a single property of a Capability or Capability Objective.
Diagram
Diagram maec-bundle-4.tmp#CapabilityPropertyType_Name maec-bundle-4.tmp#CapabilityPropertyType_Value
Complex Type maecBundle:CapabilityObjectiveType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityObjectiveType captures details of a Capability Strategic or Tactical Objective.
Diagram
Diagram NO_NAMESPACE.tmp#CapabilityObjectiveType_id maec-bundle-4.tmp#CapabilityObjectiveType_Name maec-bundle-4.tmp#CapabilityObjectiveType_Description maec-bundle-4.tmp#CapabilityObjectiveType_Property maec-bundle-4.tmp#CapabilityObjectiveType_Behavior_Reference maec-bundle-4.tmp#CapabilityObjectiveType_Relationship
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this Capability Objective.
Complex Type maecBundle:BehaviorReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorReferenceType serves as a method for referencing existing behaviors contained in the Bundle.
Diagram
Diagram NO_NAMESPACE.tmp#BehaviorReferenceType_behavior_idref
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Complex Type maecBundle:CapabilityObjectiveRelationshipType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityObjectiveRelationshipType captures a relationship between a Strategic or Tactical Objective and one or more other Strategic or Tactical Objectives.
Diagram
Diagram maec-bundle-4.tmp#CapabilityObjectiveRelationshipType_Relationship_Type maec-bundle-4.tmp#CapabilityObjectiveRelationshipType_Objective_Reference
Complex Type maecBundle:CapabilityObjectiveReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityObjectiveReferenceType serves as a method for referencing existing Capability Objectives (either Strategic or Tactical) contained in the Bundle.
Diagram
Diagram NO_NAMESPACE.tmp#CapabilityObjectiveReferenceType_objective_idref
Attributes
QName Type Use Annotation
objective_idref xs:QName required
The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.
Complex Type maecBundle:CapabilityRelationshipType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityRelationshipType captures a relationship between a Capability and one or more other Capabilities.
Diagram
Diagram maec-bundle-4.tmp#CapabilityRelationshipType_Relationship_Type maec-bundle-4.tmp#CapabilityRelationshipType_Capability_Reference
Complex Type maecBundle:CapabilityReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityReferenceType serves as a method for referencing existing Capabilities contained in the MAEC document.
Diagram
Diagram NO_NAMESPACE.tmp#CapabilityReferenceType_capability_idref
Attributes
QName Type Use Annotation
capability_idref xs:QName required
The capability_idref field references the ID of a Capability contained inside the current MAEC document.
Complex Type maecBundle:BehaviorListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorListType captures a list of Behaviors.
Diagram
Diagram maec-bundle-4.tmp#BehaviorListType_Behavior
Complex Type maecBundle:BehaviorType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorType is one of the foundational MAEC types, and serves as a method for the characterization of malicious behaviors found or observed in malware. Behaviors can be thought of as representing the purpose behind groups of MAEC Actions, and are therefore representative of distinct portions of higher-level malware functionality. Thus, while a malware instance may perform some multitude of Actions, it is likely that these Actions represent only a few distinct behaviors. Some examples include vulnerability exploitation, email address harvesting, the disabling of a security service, etc.
Diagram
Diagram NO_NAMESPACE.tmp#BehaviorType_id NO_NAMESPACE.tmp#BehaviorType_ordinal_position NO_NAMESPACE.tmp#BehaviorType_status NO_NAMESPACE.tmp#BehaviorType_duration maec-bundle-4.tmp#BehaviorType_Purpose maec-bundle-4.tmp#BehaviorType_Description maec-bundle-4.tmp#BehaviorType_Discovery_Method maec-bundle-4.tmp#BehaviorType_Action_Composition maec-bundle-4.tmp#BehaviorType_Associated_Code maec-bundle-4.tmp#BehaviorType_Relationships
Attributes
QName Type Use Annotation
duration xs:duration optional
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
id xs:QName required
The required id field specifies a unique ID for this Behavior.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
status cybox:ActionStatusTypeEnum optional
The status field specifies the execution status of the Behavior being characterized.
Complex Type maecBundle:BehaviorPurposeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorPurposeType captures the purpose behind a malware Behavior.
Diagram
Diagram maec-bundle-4.tmp#BehaviorPurposeType_Description maec-bundle-4.tmp#BehaviorPurposeType_Vulnerability_Exploit
Complex Type maecBundle:ExploitType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ExploitType characterizes any exploitable weakness that may be targeted for exploitation by a malware instance through a Behavior. Most commonly, this refers to a known and identifiable vulnerability, but it may also refer to one or more weaknesses.
Diagram
Diagram NO_NAMESPACE.tmp#ExploitType_known_vulnerability maec-bundle-4.tmp#ExploitType_CVE maec-bundle-4.tmp#ExploitType_CWE_ID maec-bundle-4.tmp#ExploitType_Targeted_Platforms
Attributes
QName Type Use Annotation
known_vulnerability xs:boolean optional
The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.
Complex Type maecBundle:CVEVulnerabilityType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CVEVulnerabilityType provides a way of referencing specific vulnerabilities that malware exploits or attempts to exploit via a Common Vulnerabilities and Exposures (CVE) identifier. For more information on CVE please see http://cve.mitre.org.
Diagram
Diagram NO_NAMESPACE.tmp#CVEVulnerabilityType_cve_id maec-bundle-4.tmp#CVEVulnerabilityType_Description
Attributes
QName Type Use Annotation
cve_id xs:string required
The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.
Complex Type maecBundle:PlatformListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The PlatformListType captures a list of software or hardware platforms.
Diagram
Diagram maec-bundle-4.tmp#PlatformListType_Platform
Complex Type maecBundle:BehavioralActionsType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionsType is intended to capture the Actions or Action Collections that make up a Behavior.
Diagram
Diagram maec-bundle-4.tmp#BehavioralActionsType_Action_Collection maec-bundle-4.tmp#BehavioralActionsType_Action maec-bundle-4.tmp#BehavioralActionsType_Action_Reference maec-bundle-4.tmp#BehavioralActionsType_Action_Equivalence_Reference
Complex Type maecBundle:ActionCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionCollectionType provides a method for characterizing collections of actions. This can be useful for organizing actions that may be related and where the exact relationship is unknown, as well as actions whose associated behavior has not yet been established.
Diagram
Diagram NO_NAMESPACE.tmp#BaseCollectionType_name maec-bundle-4.tmp#BaseCollectionType_Affinity_Type maec-bundle-4.tmp#BaseCollectionType_Affinity_Degree maec-bundle-4.tmp#BaseCollectionType_Description maec-bundle-4.tmp#BaseCollectionType NO_NAMESPACE.tmp#ActionCollectionType_id maec-bundle-4.tmp#ActionCollectionType_Action_List
Type extension of maecBundle:BaseCollectionType
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Action Collection.
name xs:string optional
The name field specifies the name of the collection.
Complex Type maecBundle:BaseCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BaseCollectionType is the base type for other MAEC collection types.
Diagram
Diagram NO_NAMESPACE.tmp#BaseCollectionType_name maec-bundle-4.tmp#BaseCollectionType_Affinity_Type maec-bundle-4.tmp#BaseCollectionType_Affinity_Degree maec-bundle-4.tmp#BaseCollectionType_Description
Attributes
QName Type Use Annotation
name xs:string optional
The name field specifies the name of the collection.
Complex Type maecBundle:ActionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionListType captures a list of Actions.
Diagram
Diagram maec-bundle-4.tmp#ActionListType_Action
Complex Type maecBundle:MalwareActionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The MalwareActionType is one of the foundational MAEC types, and serves as a method for the characterization of actions found or observed in malware. Actions can be thought of as system state changes and similar operations that represent the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some data on a socket. It imports and extends the CybOX ActionType. For MAEC, the id attribute is required.
Diagram: element Implementation
Type extension of cybox:ActionType
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Complex Type maecBundle:ActionImplementationType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionImplementationType serves as a method for the characterization of Action Implementations. Currently supported are implementations achieved through API function calls and abstractly defined code.
Diagram: attributes id, type; elements Compatible_Platforms, API_Call, Code
Attributes
QName Type Use Annotation
id xs:QName optional
The id field specifies a unique ID for this Action Implementation.
type maecBundle:ActionImplementationTypeEnum required
The required type field refers to the type of Action Implementation being characterized in this element.
Complex Type maecBundle:APICallType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The APICallType provides a method for the characterization of API calls, including functions and their parameters.
Diagram: attributes function_name, normalized_function_name; elements Address, Return_Value, Parameters
Attributes
QName Type Use Annotation
function_name xs:string optional
The function_name field contains the exact name of the API function called, e.g. CreateFileEx.
normalized_function_name xs:string optional
The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.
Complex Type maecBundle:ParameterListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ParameterListType captures a list of function parameters.
Diagram: element Parameter
Complex Type maecBundle:ParameterType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ParameterType characterizes function parameters.
Diagram: attributes ordinal_position, name, value
Attributes
QName Type Use Annotation
name xs:string optional
The name field specifies the name of the parameter.
ordinal_position xs:positiveInteger optional
This field refers to the ordinal position of the parameter with respect to the function where it is used.
value xs:string optional
The value field specifies the actual value of the parameter.
Simple Type maecBundle:ActionImplementationTypeEnum
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionImplementationTypeEnum represents an enumeration of action implementation types.
Type restriction of xs:string
Facets
enumeration api call
The api call value specifies that the action was implemented using some particular API call, details of which may be captured in the API_Call element.
enumeration code
The code value specifies that the action was implemented using some particular code snippet, details of which may be captured in the Code element.
Complex Type maecBundle:BehavioralActionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionType type defines an Action field that can be used as part of a Behavior. It extends the MAEC MalwareActionType type, which in turn extends the CybOX ActionType type.
Diagram: extends MalwareActionType (element Implementation); attribute behavioral_ordering
Type extension of maecBundle:MalwareActionType
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Complex Type maecBundle:BehavioralActionReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionReferenceType defines an action reference that can be used as part of a Behavior.
Diagram: attribute behavioral_ordering
Type extension of cybox:ActionReferenceType
Attributes
QName Type Use Annotation
action_id xs:QName required
The action_id field refers to the id of the action being referenced.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
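The following Python is an added example, not code from the MAEC project or from this schema documentation. It walks a constructed Bundle fragment built from the types documented above: it indexes Actions by id, applies the id/idref exclusivity rule stated for MalwareActionType, reads each Action's "api call" Implementation with its Parameters sorted by ordinal_position, and resolves a Behavior's Action_Reference entries in behavioral_ordering order, reporting any action_id that no Action in the Bundle defines. The Behavior and Action_Composition wrapper element names, the ids, the API function names and the parameter values are assumptions for the sample and are not taken from the page.

```python
"""Constructed MAEC 4.1 Bundle walker (example code, not from the MAEC project).

Element and attribute names come from the schema documentation; the <Behavior>
and <Action_Composition> wrappers and all ids/values are assumptions."""
import xml.etree.ElementTree as ET

M = "{http://maec.mitre.org/XMLSchema/maec-bundle-4}"  # maecBundle namespace

# Constructed sample Bundle. Action maec-example-act-3 deliberately carries both
# id and idref so that the validator below has something to report.
SAMPLE = """<maecBundle:MAEC_Bundle id="maec-example-bnd-1" schema_version="4.1"
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behaviors>
    <maecBundle:Behavior id="maec-example-bhv-1">
      <maecBundle:Action_Composition>
        <maecBundle:Action_Reference action_id="maec-example-act-2" behavioral_ordering="2"/>
        <maecBundle:Action_Reference action_id="maec-example-act-1" behavioral_ordering="1"/>
        <maecBundle:Action_Reference action_id="maec-example-act-9" behavioral_ordering="3"/>
      </maecBundle:Action_Composition>
    </maecBundle:Behavior>
  </maecBundle:Behaviors>
  <maecBundle:Actions>
    <maecBundle:Action id="maec-example-act-1" timestamp="2014-01-01T00:00:00Z">
      <maecBundle:Implementation type="api call">
        <maecBundle:API_Call function_name="CreateFileW" normalized_function_name="CreateFile">
          <maecBundle:Parameters>
            <maecBundle:Parameter ordinal_position="2" name="dwDesiredAccess" value="GENERIC_WRITE"/>
            <maecBundle:Parameter ordinal_position="1" name="lpFileName" value="C:\\example.tmp"/>
          </maecBundle:Parameters>
        </maecBundle:API_Call>
      </maecBundle:Implementation>
    </maecBundle:Action>
    <maecBundle:Action id="maec-example-act-2">
      <maecBundle:Implementation type="api call">
        <maecBundle:API_Call function_name="WriteFile" normalized_function_name="WriteFile"/>
      </maecBundle:Implementation>
    </maecBundle:Action>
    <maecBundle:Action id="maec-example-act-3" idref="maec-example-act-1"/>
  </maecBundle:Actions>
</maecBundle:MAEC_Bundle>"""


def parse_bundle(xml_text):
    return ET.fromstring(xml_text)


def index_actions(root):
    """Map id -> Action element; only Actions that define an id become entries."""
    actions = {}
    for act in root.iter(M + "Action"):
        aid = act.get("id")
        if aid is not None:
            if aid in actions:
                raise ValueError("duplicate Action id " + aid)
            actions[aid] = act
    return actions


def validate_actions(root):
    """Apply the idref rule from the MalwareActionType documentation: an Action
    carrying idref must not also carry id, and must not hold content."""
    problems = []
    for act in root.iter(M + "Action"):
        if act.get("idref") is None:
            continue
        label = act.get("id") or act.get("idref")
        if act.get("id") is not None:
            problems.append((label, "id and idref both set"))
        if len(act):
            problems.append((label, "idref-only Action holds content"))
    return problems


def api_call_summary(action):
    """Summarise the API_Call of an Action implemented as an 'api call', with its
    Parameters sorted by ordinal_position; None when there is no such call."""
    impl = action.find(M + "Implementation")
    if impl is None or impl.get("type") != "api call":
        return None
    call = impl.find(M + "API_Call")
    if call is None:
        return None
    params = call.findall(M + "Parameters/" + M + "Parameter")
    ordered = sorted(params, key=lambda p: int(p.get("ordinal_position", "0")))
    return {"function": call.get("function_name"),
            "normalized": call.get("normalized_function_name"),
            "parameters": [(p.get("name"), p.get("value")) for p in ordered]}


def ordered_behavior_actions(root, behavior_id):
    """Resolve the Action_Reference entries of one Behavior. Returns the resolved
    (ordering, action_id, api summary) tuples sorted by behavioral_ordering
    (a missing ordering sorts first) and the list of dangling action_ids."""
    actions = index_actions(root)
    comp = None
    for bhv in root.iter(M + "Behavior"):
        if bhv.get("id") == behavior_id:
            comp = bhv.find(M + "Action_Composition")
    if comp is None:
        raise KeyError(behavior_id)
    resolved, dangling = [], []
    for ref in comp.findall(M + "Action_Reference"):
        aid = ref.get("action_id")
        order = int(ref.get("behavioral_ordering", "0"))
        if aid in actions:
            resolved.append((order, aid, api_call_summary(actions[aid])))
        else:
            dangling.append(aid)
    resolved.sort(key=lambda t: t[0])
    return resolved, dangling


if __name__ == "__main__":
    bundle = parse_bundle(SAMPLE)
    print(validate_actions(bundle))
    steps, missing = ordered_behavior_actions(bundle, "maec-example-bhv-1")
    for order, aid, call in steps:
        print(order, aid, call["normalized"] if call else None)
    print("dangling:", missing)
```

Dangling references are returned rather than dropped because a Behavior whose composition points at an Action that was never recorded is exactly the kind of inconsistency a consumer of third-party analysis output should surface before trusting the Behavior.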
Complex Type maecBundle:BehavioralActionEquivalenceReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionEquivalenceReferenceType defines an Action Equivalence reference that can be used as part of a Behavior. Since the Action Equivalency equates two or more actions to a single one, this can be thought of as specifying one of the aforementioned Actions as part of the composition of the Behavior.
Diagram: attributes action_equivalence_idref, behavioral_ordering
Attributes
QName Type Use Annotation
action_equivalence_idref xs:QName required
The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.
Complex Type maecBundle:AssociatedCodeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AssociatedCodeType serves as a generic way of specifying any code snippets associated with a MAEC entity, such as a Behavior.
Diagram: element Code_Snippet
Complex Type maecBundle:BehaviorRelationshipListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorRelationshipListType captures any relationships between a Behavior and other Behaviors.
Diagram: element Relationship
Complex Type maecBundle:BehaviorRelationshipType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorRelationshipType provides a method for the characterization of relationships between Behaviors.
Diagram: attribute type; element Behavior_Reference
Attributes
QName Type Use Annotation
type restriction of cyboxVocabs:ActionRelationshipTypeEnum-1.0 optional
The type field specifies the nature of the relationship between Behaviors that is being captured.
Complex Type maecBundle:ObjectListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectListType captures a list of CybOX Objects.
Diagram: element Object
Complex Type maecBundle:CandidateIndicatorListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorListType captures a list of Candidate Indicators.
Diagram: element Candidate_Indicator
Complex Type maecBundle:CandidateIndicatorType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorType provides a way of defining a MAEC entity-based Candidate Indicator, which specifies the particular components that may signify the presence of the malware instance on a host system or network.
Diagram: attributes id, creation_datetime, lastupdate_datetime, version; elements Importance, Numeric_Importance, Author, Description, Malware_Entity, Composition
Attributes
QName Type Use Annotation
creation_datetime xs:dateTime optional
The creation_datetime field specifies the date/time that the Candidate Indicator was created.
id xs:QName required
The id field specifies a unique ID for this Candidate Indicator.
lastupdate_datetime xs:dateTime optional
The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.
version xs:string optional
The version field specifies the version of the Candidate Indicator.
Complex Type maecBundle:MalwareEntityType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The MalwareEntityType provides a Capability for characterizing the particular entity that an indicator or signature is written against, whether it is a particular malware instance, family, etc.
Diagram: elements Type, Name, Description
Complex Type maecBundle:CandidateIndicatorCompositionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCompositionType captures the composition of a Candidate Indicator, via references to any corresponding MAEC entities contained in the Bundle.
Diagram: attribute operator; elements Behavior_Reference, Action_Reference, Object_Reference, Sub_Composition
Attributes
QName Type Use Annotation
operator cybox:OperatorTypeEnum optional
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
Complex Type maecBundle:ObjectReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectReferenceType serves as a method for linking to CybOX Objects embedded in the MAEC Bundle.
Diagram: attribute object_idref
Attributes
QName Type Use Annotation
object_idref xs:QName required
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
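The following Python is an added example, not code from the MAEC project or from this schema documentation. It evaluates the Boolean composition of a Candidate Indicator (CandidateIndicatorCompositionType, with nested Sub_Composition) against the set of MAEC entity ids that an analysis run matched, and lists every entity id the composition depends on so that it can be cross-checked against the ids the Bundle actually defines. The operator values AND and OR are the CybOX OperatorTypeEnum values; the Candidate_Indicators wrapper, the behavior_idref attribute name on Behavior_Reference, the ids and the matched set are assumptions for the sample and are not taken from the page.

```python
"""Constructed Candidate Indicator composition evaluator (example code, not from
the MAEC project). Element names follow the schema documentation; the
behavior_idref attribute, the wrapper element and all ids are assumptions."""
import xml.etree.ElementTree as ET

M = "{http://maec.mitre.org/XMLSchema/maec-bundle-4}"  # maecBundle namespace

# Constructed sample: "behaviour bhv-1 AND (action act-1 OR object obj-7)".
SAMPLE = """<maecBundle:Candidate_Indicators
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Candidate_Indicator id="maec-example-ind-1" version="1">
    <maecBundle:Composition operator="AND">
      <maecBundle:Behavior_Reference behavior_idref="maec-example-bhv-1"/>
      <maecBundle:Sub_Composition operator="OR">
        <maecBundle:Action_Reference action_id="maec-example-act-1"/>
        <maecBundle:Object_Reference object_idref="maec-example-obj-7"/>
      </maecBundle:Sub_Composition>
    </maecBundle:Composition>
  </maecBundle:Candidate_Indicator>
</maecBundle:Candidate_Indicators>"""

# Reference element -> the attribute that names the referenced entity.
# behavior_idref is an assumption; action_id and object_idref are documented.
REF_ATTRS = {
    M + "Behavior_Reference": "behavior_idref",
    M + "Action_Reference": "action_id",
    M + "Object_Reference": "object_idref",
}


def evaluate_composition(node, matched):
    """True when the composition holds for the set `matched` of entity ids.
    A missing operator is treated as AND (assumption; the schema leaves the
    attribute optional). Unknown children raise instead of being ignored, so a
    malformed indicator can never silently evaluate as a match."""
    op = (node.get("operator") or "AND").upper()
    results = []
    for child in node:
        if child.tag == M + "Sub_Composition":
            results.append(evaluate_composition(child, matched))
        elif child.tag in REF_ATTRS:
            ref = child.get(REF_ATTRS[child.tag])
            if ref is None:
                raise ValueError("%s lacks its reference attribute" % child.tag)
            results.append(ref in matched)
        else:
            raise ValueError("unexpected element %s in composition" % child.tag)
    if not results:
        return False  # an empty composition matches nothing
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    raise ValueError("unsupported operator " + op)


def referenced_ids(node):
    """Every entity id the composition depends on, including nested levels."""
    ids = set()
    for child in node.iter():
        attr = REF_ATTRS.get(child.tag)
        if attr and child.get(attr):
            ids.add(child.get(attr))
    return ids


def evaluate_indicators(xml_text, matched):
    """Map Candidate Indicator id -> whether its Composition is satisfied."""
    root = ET.fromstring(xml_text)
    verdicts = {}
    for ind in root.iter(M + "Candidate_Indicator"):
        comp = ind.find(M + "Composition")
        verdicts[ind.get("id")] = (
            evaluate_composition(comp, matched) if comp is not None else False)
    return verdicts


def indicator_dependencies(xml_text):
    """Map Candidate Indicator id -> set of entity ids its Composition references."""
    root = ET.fromstring(xml_text)
    deps = {}
    for ind in root.iter(M + "Candidate_Indicator"):
        comp = ind.find(M + "Composition")
        deps[ind.get("id")] = referenced_ids(comp) if comp is not None else set()
    return deps


if __name__ == "__main__":
    observed = {"maec-example-bhv-1", "maec-example-obj-7"}  # constructed run
    print(evaluate_indicators(SAMPLE, observed))
    print(indicator_dependencies(SAMPLE))
```

Checking the dependency set against the ids defined in the Bundle before evaluating is worthwhile: a Composition that references an entity the Bundle never defines can only ever evaluate to a non-match on that branch, which is a quiet way for an indicator to become useless.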
Complex Type maecBundle:CollectionsType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CollectionsType captures the various types of MAEC entity collections.
Diagram: elements Behavior_Collections, Action_Collections, Object_Collections, Candidate_Indicator_Collections
Complex Type maecBundle:BehaviorCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorCollectionListType captures a list of Behavior Collections.
Diagram: element Behavior_Collection
Complex Type maecBundle:BehaviorCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorCollectionType provides a Capability for characterizing collections of behaviors.
Diagram: extends BaseCollectionType (attribute name; elements Affinity_Type, Affinity_Degree, Description); attribute id; elements Purpose, Behavior_List
Type extension of maecBundle:BaseCollectionType
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Behavior Collection.
name xs:string optional
The name field specifies the name of the collection.
Complex Type maecBundle:ActionCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionCollectionListType captures a list of Action Collections.
Diagram: element Action_Collection
Complex Type maecBundle:ObjectCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectCollectionListType captures a list of Object Collections.
Diagram: element Object_Collection
Complex Type maecBundle:ObjectCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectCollectionType provides a Capability for characterizing collections of Objects. For instance, it can be used to group all of the Objects that are associated with a specific behavior.
Diagram: extends BaseCollectionType (attribute name; elements Affinity_Type, Affinity_Degree, Description); attribute id; element Object_List
Type extension of maecBundle:BaseCollectionType
Attributes
QName Type Use Annotation
id xs:QName required
The id attribute specifies a unique ID for this Object Collection.
name xs:string optional
The name field specifies the name of the collection.
Complex Type maecBundle:CandidateIndicatorCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCollectionListType captures a list of Candidate Indicator Collections.
Diagram: element Candidate_Indicator_Collection
Complex Type maecBundle:CandidateIndicatorCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCollectionType provides a Capability for characterizing collections of Candidate Indicators.
Diagram: extends BaseCollectionType (attribute name; elements Affinity_Type, Affinity_Degree, Description); attribute id; element Candidate_Indicator_List
Type extension of maecBundle:BaseCollectionType
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Candidate Indicator Collection.
name xs:string optional
The name field specifies the name of the collection.
Simple Type maecBundle:BundleContentTypeEnum
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BundleContentTypeEnum is a non-exhaustive enumeration of the general types of content that a Bundle can contain.
Type restriction of xs:string
Facets
enumeration dynamic analysis tool output
The dynamic analysis tool output value specifies that the Bundle primarily captures some form of dynamic analysis tool output, such as from a sandbox.
enumeration static analysis tool output
The static analysis tool output value specifies that the Bundle primarily captures some form of static analysis tool output, such as from a packer detection tool.
enumeration manual analysis output
The manual analysis output value specifies that the Bundle primarily captures some form of manual analysis output, which may or may not involve the use of tools.
enumeration extracted from subject
The extracted from subject value specifies that the Bundle primarily captures data that was extracted from the Malware Subject, such as some PE Header fields.
enumeration mixed
The mixed value specifies that the Bundle captures some mixed forms of analysis or tool output for the Malware Subject, such as both dynamic and static analysis tool output.
enumeration other
The other value specifies that the Bundle captures some other form of analysis or tool output that is not represented by the other enumeration values.
Complex Type maecBundle:BehaviorReferenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorReferenceListType captures a list of Behavior References.
Diagram: element Behavior_Reference
Complex Type maecBundle:ObjectReferenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectReferenceListType captures a list of references to CybOX Objects.
Diagram: element Object_Reference
Complex Type maecBundle:BundleReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BundleReferenceType serves as a method for linking to Bundles embedded in other locations.
Diagram: attribute bundle_idref
Attributes
QName Type Use Annotation
bundle_idref xs:QName required
The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.