The following is a description of the elements, types, and attributes that compose the Malware Attribute Enumeration and Characterization (MAEC) package schema.
The MAEC Package Schema is maintained by The Mitre Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.
The imported MMDEF v1.2 schema is copyright 2013 IEEE-SA.
Element: maecPackage:MAEC_Package
Namespace: http://maec.mitre.org/XMLSchema/maec-package-2
Annotations:
The root element of the MAEC Package schema is the MAEC_Package, which captures a single MAEC Package that encompasses one or more Malware Subjects and all of their associated MAEC entities.
The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
The Malware_Subject field represents a single Malware Subject (most commonly a file) and its associated metadata, such as Analyses, Bundles, relationships to other Malware Subjects, etc.
The Malware_Instance_Object_Attributes field characterizes the attributes of the malware instance object (most commonly a file) that is encompassed in the Malware_Subject, via its corresponding CybOX Object. For example, a file would be represented via a CybOX File field of type FileObj:FileObjectType and may have a file name, MD5 hash, etc.
has_changed: The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
id [xs:QName, optional]: The id field specifies a unique id for this Object.
idref [xs:QName, optional]: The idref field specifies a unique id reference to an Object defined elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
The Label field specifies a single commonly accepted label to describe the Malware Subject, e.g. "worm". The default vocabulary for this field is the MalwareLabelVocab-1.0 from the MAEC Default Vocabularies schema. More than one label may be specified through the use of multiple instances of this field.
Type: cyboxCommon:ControlledVocabularyStringType
Attributes (name [type, default, use]: annotation):
apply_condition [cyboxCommon:ConditionApplicationEnum, default ANY, optional]: This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask [xs:hexBinary, optional]: Used to specify a bit mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bit mask is then used as one operand in the indicated bitwise computation.
condition [cyboxCommon:ConditionTypeEnum, optional]: This field is optional and defines the relevant condition to apply to the value.
delimiter [xs:string, default ##comma##, optional]: The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed [xs:boolean, optional]: This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive [xs:boolean, default true, optional]: The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true", which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type [cyboxCommon:PatternTypeEnum, optional]: This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax [xs:string, optional]: This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'. Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification. Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend [xs:boolean, optional]: This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name [xs:string, optional]: The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference [xs:anyURI, optional]: The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
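As an added example (not code from the MAEC project or the CybOX schemas), the following Python evaluator applies the patterned-field attribute semantics listed above to an observed value: it splits the field body on the declared delimiter, applies the string or bitwise condition to each value with the declared case-sensitivity, and combines the per-value results according to apply_condition. The regex dialect used for FitsPattern and the operand order for the bitwise conditions are this example's assumptions, noted in the comments.

```python
import re

# Constructed evaluator for a CybOX-style patterned field (e.g. the Label field's
# ControlledVocabularyStringType attributes). Not part of MAEC/CybOX or their
# reference implementations; matching rules are this example's reading of the
# attribute annotations, with assumptions marked inline.

STRING_CONDITIONS = ("Equals", "DoesNotEqual", "Contains", "DoesNotContain",
                     "StartsWith", "EndsWith", "FitsPattern")
BITWISE_CONDITIONS = ("bitwiseAnd", "bitwiseOr", "bitwiseXor")


def split_field_body(body, delimiter="##comma##"):
    """Split a field body into its list of values using the declared delimiter.

    The schema default is the token "##comma##", which stands for a literal
    comma; any other delimiter string is used verbatim.
    """
    sep = "," if delimiter == "##comma##" else delimiter
    return body.split(sep)


def _match_string(condition, value, observed, case_sensitive, regex_syntax):
    """Evaluate one string condition for a single field value."""
    if condition == "FitsPattern":
        # Assumption: an empty/omitted regex_syntax means the CybOX dialect, which
        # this example approximates with Python's re module. A non-empty
        # regex_syntax names an engine we do not have, so refuse rather than guess.
        if regex_syntax:
            raise ValueError("unsupported regex_syntax: %r" % regex_syntax)
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(value, observed, flags) is not None  # assumption: unanchored
    if not case_sensitive:
        value, observed = value.lower(), observed.lower()
    if condition == "Equals":
        return observed == value
    if condition == "DoesNotEqual":
        return observed != value
    if condition == "Contains":
        return value in observed
    if condition == "DoesNotContain":
        return value not in observed
    if condition == "StartsWith":
        return observed.startswith(value)
    if condition == "EndsWith":
        return observed.endswith(value)
    raise ValueError("unknown condition: %r" % condition)


def _match_bitwise(condition, value, observed, bit_mask):
    """Evaluate (observed OP bit_mask) == field value for one field value.

    Assumption: the annotation says bit_mask is one operand of the bitwise
    computation; here the observed integer is the other operand and the field
    value (hex digits, like the xs:hexBinary bit_mask) is the expected result.
    """
    if bit_mask is None:
        raise ValueError("%s requires bit_mask" % condition)
    mask = int(bit_mask, 16)
    expected = int(value, 16)
    if condition == "bitwiseAnd":
        result = observed & mask
    elif condition == "bitwiseOr":
        result = observed | mask
    else:
        result = observed ^ mask
    return result == expected


def evaluate_field(body, observed, condition="Equals", apply_condition="ANY",
                   delimiter="##comma##", is_case_sensitive=True, bit_mask=None,
                   regex_syntax=""):
    """Return True if the patterned field matches the observed value.

    body: the field's text content (possibly a delimited list of values).
    observed: a str for string conditions, an int for bitwise conditions.
    """
    if apply_condition not in ("ANY", "ALL"):
        raise ValueError("apply_condition must be ANY or ALL")
    values = split_field_body(body, delimiter)
    if condition in STRING_CONDITIONS:
        results = [_match_string(condition, v, observed, is_case_sensitive,
                                 regex_syntax) for v in values]
    elif condition in BITWISE_CONDITIONS:
        results = [_match_bitwise(condition, v, observed, bit_mask) for v in values]
    else:
        raise ValueError("unsupported condition: %r" % condition)
    # ANY: one passing value matches the pattern; ALL: every value must pass.
    return any(results) if apply_condition == "ANY" else all(results)


if __name__ == "__main__":
    # Constructed Label field "worm,trojan" checked against an observed label.
    print(evaluate_field("worm,trojan", "trojan"))                         # True
    print(evaluate_field("worm,trojan", "trojan", apply_condition="ALL"))  # False
```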
The Malware_Binary field captures properties related to the storage of malware configuration parameters inside the malware binary captured in the Malware_Instance_Object_Attributes field.
The Section_Name field specifies the name of the PE section in the malware binary that contains the malware configuration parameters, for PE file malware binaries.
The Section_Offset field specifies the offset, within the PE section of the malware binary that contains the malware configuration parameters, at which the parameters themselves start, for PE file malware binaries.
The File field captures the properties of a configuration file, for cases where the Malware Subject stores its configuration parameters in a separate file.
This field uses the FileObjectType from the imported CybOX File Object.
is_masqueraded: The is_masqueraded field specifies whether the file is masqueraded as another type of file; e.g., a PDF file that has had its extension changed to TXT to masquerade itself as a text file.
is_packed [xs:boolean, optional]: The is_packed field is used to indicate whether the file is packed or not.
object_reference [xs:QName, optional]: The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
The URL field captures a URL at which the configuration parameters for the Malware Subject may be stored. More than one such URL may be specified by using multiple occurrences of this field.
This field uses the URIObjectType from the imported CybOX URI Object.
object_reference: The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
type [URIObj:URITypeEnum, optional]: The type field specifies the type of URI that is being defined.
The Algorithm_Details field captures the details of the algorithm used to encode or encrypt the malware configuration parameters, including the name of the algorithm and its key. More than one encryption or encoding algorithm may be specified by using multiple occurrences of this field.
The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used.
The Algorithm_Name field captures the name of the encoding or encryption algorithm used to obfuscate the malware configuration parameters.
Type: cyboxCommon:ControlledVocabularyStringType
Attributes (name [type, default, use]: annotation):
apply_condition [cyboxCommon:ConditionApplicationEnum, default ANY, optional]: This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask [xs:hexBinary, optional]: Used to specify a bit mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bit mask is then used as one operand in the indicated bitwise computation.
condition [cyboxCommon:ConditionTypeEnum, optional]: This field is optional and defines the relevant condition to apply to the value.
delimiter [xs:string, default ##comma##, optional]: The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed [xs:boolean, optional]: This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive [xs:boolean, default true, optional]: The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true", which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type [cyboxCommon:PatternTypeEnum, optional]: This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax [xs:string, optional]: This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'. Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification. Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend [xs:boolean, optional]: This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name [xs:string, optional]: The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference [xs:anyURI, optional]: The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
The Configuration_Parameter field captures a single configuration parameter that may be defined for the Malware Subject. More than one configuration parameter may be specified by using multiple occurrences of this field.
The Name field specifies the name of the malware configuration parameter. It uses the MalwareConfigurationParameterVocab vocabulary from the MAEC Default Vocabularies schemas as its default vocabulary. Parameters that are not included in this vocabulary may also be specified, in which case it is recommended to use the exact name of the parameter.
Type: cyboxCommon:ControlledVocabularyStringType
Attributes (name [type, default, use]: annotation):
apply_condition [cyboxCommon:ConditionApplicationEnum, default ANY, optional]: This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask [xs:hexBinary, optional]: Used to specify a bit mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bit mask is then used as one operand in the indicated bitwise computation.
condition [cyboxCommon:ConditionTypeEnum, optional]: This field is optional and defines the relevant condition to apply to the value.
delimiter [xs:string, default ##comma##, optional]: The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed [xs:boolean, optional]: This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive [xs:boolean, default true, optional]: The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true", which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type [cyboxCommon:PatternTypeEnum, optional]: This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax [xs:string, optional]: This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'. Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification. Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend [xs:boolean, optional]: This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name [xs:string, optional]: The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference [xs:anyURI, optional]: The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
The Development_Environment field captures details of the development environment used in the creation of the malware instance characterized by the Malware Subject.
The Tools field captures the properties of one or more tools used in the development of the malware instance. For the Type field in each Tool, the MAEC MalwareDevelopmentToolVocab (from the MAEC Default Vocabularies Schema) should be used as the default vocabulary.
The Debugging_File field captures the properties of a debugging file associated with the malware instance, such as a PDB file. It uses the FileObjectType from the imported File Object Schema. More than one Debugging_File can be specified by using multiple instances of this field.
is_masqueraded: The is_masqueraded field specifies whether the file is masqueraded as another type of file; e.g., a PDF file that has had its extension changed to TXT to masquerade itself as a text file.
is_packed [xs:boolean, optional]: The is_packed field is used to indicate whether the file is packed or not.
object_reference [xs:QName, optional]: The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
has_changed: The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
id [xs:QName, optional]: The id field specifies a unique id for this Object.
idref [xs:QName, optional]: The idref field specifies a unique id reference to an Object defined elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
The Field_Data field captures field data and prevalence information relating to the Malware Subject. It uses the fieldDataEntry type from the MMDEF v1.2 schema.
The Summary field specifies a summary of the analysis that was performed. It should be high-level and concise. It should summarize the contents of the Report field, if present, and otherwise should provide a brief synopsis of the analysis that was performed and any highlights.
Type: cyboxCommon:StructuredTextType
Attributes (name [type, use]: annotation):
structuring_format [xs:string, optional]: Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
The Comments field specifies any comments regarding the analysis that was performed. A comment should be attributable to a specific analyst and should reflect particular insights of the author that are significant from an analysis standpoint. The contents of comments are typically not contained in the Report.
The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".
structuring_format [xs:string, optional]: Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
The Findings_Bundle_Reference field specifies a reference to the Bundle which encompasses the results and output of the Analysis in terms of its corresponding MAEC entities, such as Behaviors and Actions. More than one Bundle may be referenced by using multiple occurrences of this field.
Type: maecBundle:BundleReferenceType
Attributes (name [type, use]: annotation):
bundle_idref [xs:QName, required]: The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.
The Tools field specifies information about the tool(s) used in the analysis, via the CybOX ToolInformationType. If only a single Tool is specified, then this implies that this tool was responsible for all of the findings contained in the Bundle referenced by the Findings_Bundle_Reference element.
The idref field specifies a reference to a unique ID for this Tool.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
The Dynamic_Analysis_Metadata field specifies metadata pertaining to the dynamic analysis of the subject binary, such as the command line used, the duration of the analysis, etc.
The Raised_Exception field captures a single exception that was raised (or thrown) during the execution of the malware instance. More than one exception may be captured through the use of multiple instances of this field.
The Hypervisor_Host_System field characterizes the (physical) host system used in the analysis on which the VM Hypervisor runs. This element imports and extends the CybOX System Object.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
The VM_Hypervisor field refers to the name of the VM Hypervisor that hosts the operating system(s) on which the analysis was performed, if applicable, via a Common Platform Enumeration (CPE) identifier. See http://cpe.mitre.org for more information on CPE.
The Analysis_Systems field characterizes the system(s) (real or virtual) on which the actual analysis was performed, including information about both the hardware and software, such as the properties of its BIOS, processor architecture, and operating system. This element imports and extends the CybOX System Object.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
The Installed_Programs field specifies the programs installed on the OS that was used to perform the analysis. This can be useful for clarifying the nature of the analysis environment, for instance for determining whether an exploited piece of software was present, as well as for specifying any tools that may have been installed.
The Network_Infrastructure field captures details of the network infrastructure used in the analysis environment, such as any network protocols that are captured or manipulated.
The Captured_Protocols field specifies a list of network protocols, along with the particular level of interaction, that the malware analysis environment captures or interacts with in some fashion.
The Report field specifies the textual report regarding the analysis performed on the malware. The Report should correspond to the human-readable prose document that captures key aspects and outcomes of the analysis.
Type: cyboxCommon:StructuredTextType
Attributes (name [type, use]: annotation):
structuring_format [xs:string, optional]: Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
The Findings_Bundles field specifies any MAEC Bundles pertaining to the Malware Subject, thus capturing any observed or discovered Behaviors, Actions, or Objects. These Bundles can either be abstract, or referenced as the result of an analysis that was performed on the malware.
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
defined_subject [xs:boolean, required]: The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).
id [xs:QName, required]: The required id field specifies a unique ID for this MAEC Bundle.
schema_version [xs:string, default 4.1, required]: The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
timestamp [xs:dateTime, optional]: The timestamp field specifies the date/time that the bundle was generated.
The Bundle_External_Reference field specifies a single externally located MAEC Bundle (such as a file or URL) via a URI, representing some set of results from analysis of the Malware Subject.
The Type field specifies the type of relationship being captured.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareSubjectRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Type: cyboxCommon:ControlledVocabularyStringType
Attributes (name [type, default, use]: annotation):
apply_condition [cyboxCommon:ConditionApplicationEnum, default ANY, optional]: This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask [xs:hexBinary, optional]: Used to specify a bit mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bit mask is then used as one operand in the indicated bitwise computation.
condition [cyboxCommon:ConditionTypeEnum, optional]: This field is optional and defines the relevant condition to apply to the value.
delimiter [xs:string, default ##comma##, optional]: The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed [xs:boolean, optional]: This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive [xs:boolean, default true, optional]: The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true", which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type [cyboxCommon:PatternTypeEnum, optional]: This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax [xs:string, optional]: This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'. Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification. Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend [xs:boolean, optional]: This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name [xs:string, optional]: The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference [xs:anyURI, optional]: The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
The Compatible_Platform field specifies a single platform that the Malware Subject is compatible with (i.e. can execute on). It uses the PlatformSpecificationType from the imported CybOX Common schema. More than one compatible platform can be specified by using multiple occurrences of this field.
The Grouping_Relationships field specifies the particular relationships that serve to group the Malware Subjects encompassed in this Package. This is solely for cases where more than one Malware Subject is contained within the Package.
The Type field specifies the type of relationship that groups the Malware Subjects in the Package.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is GroupingRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Type: cyboxCommon:ControlledVocabularyStringType
Attributes (QName, type, default, use, annotation):
apply_condition (cyboxCommon:ConditionApplicationEnum, default ANY, optional): This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask (xs:hexBinary, optional): Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition (cyboxCommon:ConditionTypeEnum, optional): This field is optional and defines the relevant condition to apply to the value.
delimiter (xs:string, default "##comma##", optional): The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed (xs:boolean, optional): This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive (xs:boolean, default true, optional): The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true", which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type (cyboxCommon:PatternTypeEnum, optional): This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax (xs:string, optional): This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend (xs:boolean, optional): This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name (xs:string, optional): The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference (xs:anyURI, optional): The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
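As an added illustration, not part of the MAEC or CybOX documentation, the following Python code evaluates an observed value against a pattern field whose body is a delimited list, implementing the ANY/ALL semantics of apply_condition together with the delimiter, is_case_sensitive and bit_mask attributes described above. It supports the string conditions the annotations name (Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, FitsPattern) and the three bitwise conditions. The class PatternField and the function names are this example's own, and two interpretations are assumptions rather than statements of the specification: FitsPattern is evaluated with Python's re module (as if regex_syntax named that engine), and a bitwise condition matches when the observed value combined with bit_mask equals the pattern value.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

DEFAULT_DELIMITER = "##comma##"  # default value of the delimiter attribute

# Conditions named in the attribute annotations (cyboxCommon:ConditionTypeEnum).
STRING_CONDITIONS = {"Equals", "DoesNotEqual", "Contains", "DoesNotContain",
                     "StartsWith", "EndsWith", "FitsPattern"}
BITWISE_CONDITIONS = {"bitwiseAnd", "bitwiseOr", "bitwiseXor"}


@dataclass
class PatternField:
    """Hypothetical holder (not a MAEC/CybOX library class) for a pattern
    field's body and the attributes that govern how it is evaluated."""
    body: str                          # a single value or a delimited list of values
    condition: str = "Equals"
    apply_condition: str = "ANY"       # ANY or ALL, as in ConditionApplicationEnum
    delimiter: str = DEFAULT_DELIMITER
    is_case_sensitive: bool = True
    bit_mask: Optional[bytes] = None   # xs:hexBinary operand for the bitwise conditions

    def values(self) -> List[str]:
        # A body without the delimiter is a one-element list, so ANY and ALL agree.
        return self.body.split(self.delimiter)


def _string_match(condition: str, pattern: str, observed: str, case_sensitive: bool) -> bool:
    if condition == "FitsPattern":
        # Assumption: with regex_syntax absent, Python's re serves as the engine.
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(pattern, observed, flags) is not None
    if not case_sensitive:
        pattern, observed = pattern.lower(), observed.lower()
    if condition == "Equals":
        return observed == pattern
    if condition == "DoesNotEqual":
        return observed != pattern
    if condition == "Contains":
        return pattern in observed
    if condition == "DoesNotContain":
        return pattern not in observed
    if condition == "StartsWith":
        return observed.startswith(pattern)
    if condition == "EndsWith":
        return observed.endswith(pattern)
    raise ValueError(f"unsupported string condition {condition!r}")


def _bitwise_match(condition: str, pattern: str, observed: Union[str, int],
                   bit_mask: Optional[bytes]) -> bool:
    # Assumption: the observed value is combined with bit_mask using the named
    # operator and the result is compared for equality with the pattern value,
    # which is written in hex like the bit_mask itself.
    if bit_mask is None:
        raise ValueError("bitwise conditions require a bit_mask")
    mask = int.from_bytes(bit_mask, "big")
    obs = int(observed, 16) if isinstance(observed, str) else int(observed)
    expected = int(pattern, 16)
    if condition == "bitwiseAnd":
        result = obs & mask
    elif condition == "bitwiseOr":
        result = obs | mask
    else:
        result = obs ^ mask
    return result == expected


def field_matches(field: PatternField, observed: Union[str, int]) -> bool:
    """Evaluate one observed value against the pattern field.

    Every value in the (possibly delimited) body is tested with the field's
    condition; apply_condition decides whether ANY or ALL of those tests must
    succeed for the pattern to match.
    """
    if field.condition in BITWISE_CONDITIONS:
        results = [_bitwise_match(field.condition, v, observed, field.bit_mask)
                   for v in field.values()]
    elif field.condition in STRING_CONDITIONS:
        results = [_string_match(field.condition, v, str(observed), field.is_case_sensitive)
                   for v in field.values()]
    else:
        raise ValueError(f"unsupported condition {field.condition!r}")
    if field.apply_condition == "ANY":
        return any(results)
    if field.apply_condition == "ALL":
        return all(results)
    raise ValueError(f"unsupported apply_condition {field.apply_condition!r}")


if __name__ == "__main__":
    # Constructed sample: two file names listed in one pattern field body.
    names = PatternField(body="dropper.exe##comma##loader.dll")
    print(field_matches(names, "loader.dll"), field_matches(names, "notepad.exe"))
```

Note how ALL is only useful with conditions such as Contains or DoesNotEqual: with Equals and two distinct values in the body, ALL can never match, which is exactly the behaviour the annotation implies.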
The Distance_Threshold field specifies the minimum distance threshold for the cluster, or the minimum distance between nodes in order for them to belong to the same cluster.
The Cluster_Composition field captures the composition of the malware cluster, including the similarity indices between its members, as a collection of edges and their corresponding nodes.
For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
The Cluster_Edge_Node_Pair field specifies a single edge and its connected nodes in the malware cluster, representing the similarity index between two Malware Subjects.
The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Complex Type maecPackage:PackageType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The PackageType is the namesake type of the MAEC Package schema, and captures either a single Malware Subject, or a collection of Malware Subjects that are related in some way (even if exact details of the relationship are unknown). Unlike the MAEC Bundle, which captures only the MAEC-characterized analysis results for a malware instance, the Package permits the capture of additional metadata relating to the analysis, relationships between Malware Subjects, and similar types of entities.
The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
The timestamp field specifies the date/time that the Package was generated.
Complex Type maecPackage:MalwareSubjectListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectListType captures a list of Malware Subjects.
Complex Type maecPackage:MalwareSubjectType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectType captures all of the details pertaining to a single malware instance, including any corresponding Analyses, Field Data, Findings Bundles, and relationships to other Malware Subjects.
The required id field specifies a unique ID for this Malware Subject.
Complex Type maecPackage:MalwareConfigurationDetailsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareConfigurationDetailsType captures details of malware configuration parameters and associated metadata.
Complex Type maecPackage:MalwareConfigurationStorageDetailsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters.
Complex Type maecPackage:MalwareBinaryConfigurationStorageDetailsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareBinaryConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters inside the malware binary itself.
Complex Type maecPackage:MalwareConfigurationObfuscationDetailsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareConfigurationObfuscationDetailsType captures details relating to the obfuscation of malware configuration parameters.
The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used.
Complex Type maecPackage:MalwareConfigurationParameterType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareConfigurationParameterType captures a single configuration parameter that may be defined for a malware instance, as a name/value pair.
Complex Type maecPackage:MalwareDevelopmentEnvironmentType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareDevelopmentEnvironmentType captures details of the development environment used in developing the malware instance, such as information on any tools that were used.
Complex Type maecPackage:MinorVariantListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MinorVariantListType captures a list of minor variants of a Malware Subject's malware instance object, for example the same binary but with different filenames.
Complex Type maecPackage:AnalysisListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisListType captures a list of analyses that were performed on a Malware Subject.
Complex Type maecPackage:AnalysisType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisType provides a way of capturing the information associated with the analysis of a malware instance, such as the subject, authors, start datetime, and other relevant data.
The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".
structuring_format (xs:string, optional): Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
The is_fatal field specifies whether the exception is fatal; that is, whether it caused the malware instance to terminate.
Complex Type maecPackage:AnalysisEnvironmentType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisEnvironmentType provides mechanisms for characterizing the particular hardware/software environment used in the analysis of a Malware Subject.
Complex Type maecPackage:HypervisorHostSystemType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The HypervisorHostSystemType characterizes the VM Hypervisor host system used in the malware analysis environment.
Type: extension of SystemObj:SystemObjectType
Attributes (QName, type, use, annotation):
object_reference (xs:QName, optional): The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Complex Type maecPackage:AnalysisSystemListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisSystemListType captures a list of the systems, physical or virtual, used in the analysis of a Malware Subject.
Complex Type maecPackage:AnalysisSystemType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisSystemType is intended to characterize any systems on which malware analysis is performed. It imports and extends version 2.0.1 of the CybOX System Object.
Type: extension of SystemObj:SystemObjectType
Attributes (QName, type, use, annotation):
object_reference (xs:QName, optional): The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Complex Type maecPackage:InstalledProgramsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The InstalledProgramsType captures the programs installed on a particular operating system image.
Complex Type maecPackage:NetworkInfrastructureType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The NetworkInfrastructureType captures specific details about the network infrastructure used in the malware analysis environment.
Complex Type maecPackage:CapturedProtocolListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CapturedProtocolListType specifies a list of network protocols that a malware analysis environment may capture or interact with.
Complex Type maecPackage:CapturedProtocolType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CapturedProtocolType specifies the details of a network protocol that may be captured or otherwise manipulated in the malware analysis environment.
The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.
Simple Type maecPackage:Layer7ProtocolEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Layer7ProtocolEnum is a non-exhaustive enumeration of Layer 7 (OSI model) network protocols.
Type: restriction of xs:string
Facets (enumeration values):
http: The http value specifies the Hypertext Transfer Protocol (HTTP).
https: The https value specifies the Hypertext Transfer Protocol Secure (HTTPS).
ftp: The ftp value specifies the File Transfer Protocol (FTP).
ftps: The ftps value specifies the File Transfer Protocol Secure (FTPS).
smtp: The smtp value specifies the Simple Mail Transfer Protocol (SMTP).
smtps: The smtps value specifies the Simple Mail Transfer Protocol Secure (SMTPS).
pop3: The pop3 value specifies the Post Office Protocol version 3 (POP3).
pop3s: The pop3s value specifies the Post Office Protocol version 3 Secure (POP3S).
irc: The irc value specifies the Internet Relay Chat (IRC) protocol.
dns: The dns value specifies the Domain Name System (DNS) protocol.
rdp: The rdp value specifies the Remote Desktop Protocol (RDP).
rpc: The rpc value specifies some Remote Procedure Call (RPC) protocol, such as MSRPC.
ssh: The ssh value specifies the Secure Shell (SSH) protocol.
telnet: The telnet value specifies the Telnet protocol.
Simple Type maecPackage:Layer4ProtocolEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Layer4ProtocolEnum is a non-exhaustive enumeration of Layer 4 (OSI model) network protocols.
Type: restriction of xs:string
Facets (enumeration values):
tcp: The tcp value specifies the Transmission Control Protocol (TCP).
udp: The udp value specifies the User Datagram Protocol (UDP).
Simple Type maecPackage:InteractionLevelEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The InteractionLevelEnum is a non-exhaustive enumeration of interaction levels for network protocols in a malware analysis environment.
Type: restriction of xs:string
Facets (enumeration values):
high: The high value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to decode/identify any common protocols used by the malware. The level of decode/protocol support can be subjective and dependent on the particular environment.
low: The low value specifies that, for the specified protocol, the analysis environment will accept the packets and will identify the initial connection request. No further interaction is performed.
honeytrap: The honeytrap value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to interact with outgoing requests. The level of interaction can be subjective and dependent on the particular environment.
live: The live value specifies that, for the specified protocol, the analysis environment allows the malware to connect out to the real (unemulated) IP.
none: The none value specifies that, for the specified protocol, the analysis environment does not support or perform any level of interaction.
Simple Type maecPackage:AnalysisTypeEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisTypeEnum is an enumeration of types of malware analyses.
Type: restriction of xs:string
Facets (enumeration values):
triage: The triage value specifies a cursory, or triage, type of malware analysis, commonly automated in conjunction with one or more tools.
in-depth: The in-depth value specifies a detailed type of malware analysis that is typically performed by a human analyst.
Simple Type maecPackage:AnalysisMethodEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisMethodEnum is an enumeration of malware analysis methods.
Type: restriction of xs:string
Facets (enumeration values):
static: The static value specifies a static malware analysis method, which is achieved by inspecting but not executing the malware instance.
dynamic: The dynamic value specifies a dynamic malware analysis method, which is achieved by executing but not inspecting the malware instance.
combination: The combination value specifies a combination of dynamic and static malware analysis, achieved by both inspecting and executing the malware instance.
Complex Type maecPackage:FindingsBundleListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The FindingsBundleListType captures a list of Bundles or external references to Bundles, along with any related meta-analysis entities.
Complex Type maecPackage:MetaAnalysisType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MetaAnalysisType captures meta-analysis entities associated with the Bundles that were captured for a Malware Subject, such as Action Equivalencies.
Complex Type maecPackage:ActionEquivalenceListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ActionEquivalenceListType captures a list of Action Equivalences.
Complex Type maecPackage:ActionEquivalenceType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ActionEquivalenceType relates any Actions that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools. It can be used as a way of referencing equivalent actions as a single unit, such as for specifying the Action composition of a Behavior.
The required id field specifies a unique ID for the Action Equivalence.
Complex Type maecPackage:ObjectEquivalenceListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ObjectEquivalenceListType captures a list of Object Equivalences.
Complex Type maecPackage:ObjectEquivalenceType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ObjectEquivalenceType relates the Objects that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools.
The required id field specifies a unique ID for the Object Equivalence.
Complex Type maecPackage:MalwareSubjectRelationshipListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectRelationshipListType captures a list of relationships between a Malware Subject and other Malware Subjects.
Complex Type maecPackage:MalwareSubjectRelationshipType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectRelationshipType provides a mechanism for capturing the relationships between a Malware Subject and one or more other Malware Subjects.
Complex Type maecPackage:MalwareSubjectReferenceType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectReferenceType provides a mechanism for specifying a reference to a Malware Subject contained in the Package.
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Complex Type maecPackage:GroupingRelationshipListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The GroupingRelationshipListType captures a list of grouping relationships relating the Malware Subjects in a Package.
Complex Type maecPackage:GroupingRelationshipType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The GroupingRelationshipType provides a mechanism for specifying the relationship that groups together the Malware Subjects in a Package.
Complex Type maecPackage:ClusteringMetadataType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusteringMetadataType specifies any metadata regarding the algorithm and/or methods used for clustering the Malware Subjects in this Package, for use in the ‘clustered together’ relationship type.
Complex Type maecPackage:ClusteringAlgorithmParametersType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusteringAlgorithmParametersType captures any parameters that may have been used in a malware clustering algorithm.
Complex Type maecPackage:ClusterCompositionType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusterCompositionType captures the composition of a malware cluster via its edges and their respective connected nodes, as in an undirected graph.
For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
Complex Type maecPackage:ClusterEdgeNodePairType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusterEdgeNodePairType captures a single edge-node pair in a malware cluster, which is composed of the two Malware Subjects that correspond to the nodes connected to the edge (via references), and represents the similarity index between the two Malware Subjects.
The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
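The Cluster_Composition, Cluster_Edge_Node_Pair and Distance_Threshold annotations earlier on this page and the ClusterCompositionType / ClusterEdgeNodePairType definitions just above describe the same structure: an undirected graph whose edges carry a similarity_index and/or a similarity_distance that should sum to 1, with node references that must resolve to Malware Subject ids in the Package. The following Python code, added here and not part of the MAEC project, parses a constructed Package fragment, reports consistency problems a consumer would want to catch (dangling malware_subject_idref values, scores outside [0, 1], index and distance that do not sum to 1), and goes one step beyond the text by deriving clusters as connected components over edges whose distance is within the threshold. Assumptions: the element nesting in the sample is abbreviated and the fragment is not schema-validated (the required schema_version attribute is omitted); the child element name Malware_Subject_Reference is taken from MAEC but is not shown on this page; "within the threshold" is read as distance <= Distance_Threshold; all ids are invented.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional, Set

MAEC_PKG_NS = "http://maec.mitre.org/XMLSchema/maec-package-2"

# Constructed sample (abbreviated nesting, invented ids, not schema-validated).
# The third edge deliberately violates index + distance = 1 and the fourth
# references a Malware Subject that does not exist in the Package.
SAMPLE_PACKAGE = f"""
<MAEC_Package xmlns="{MAEC_PKG_NS}">
  <Malware_Subject id="example:Subject-1"/>
  <Malware_Subject id="example:Subject-2"/>
  <Malware_Subject id="example:Subject-3"/>
  <Grouping_Relationships>
    <Distance_Threshold>0.3</Distance_Threshold>
    <Cluster_Composition score_type="similarity">
      <Cluster_Edge_Node_Pair similarity_index="0.9" similarity_distance="0.1">
        <Malware_Subject_Reference malware_subject_idref="example:Subject-1"/>
        <Malware_Subject_Reference malware_subject_idref="example:Subject-2"/>
      </Cluster_Edge_Node_Pair>
      <Cluster_Edge_Node_Pair similarity_index="0.2">
        <Malware_Subject_Reference malware_subject_idref="example:Subject-1"/>
        <Malware_Subject_Reference malware_subject_idref="example:Subject-3"/>
      </Cluster_Edge_Node_Pair>
      <Cluster_Edge_Node_Pair similarity_index="0.5" similarity_distance="0.6">
        <Malware_Subject_Reference malware_subject_idref="example:Subject-2"/>
        <Malware_Subject_Reference malware_subject_idref="example:Subject-3"/>
      </Cluster_Edge_Node_Pair>
      <Cluster_Edge_Node_Pair similarity_distance="0.05">
        <Malware_Subject_Reference malware_subject_idref="example:Subject-3"/>
        <Malware_Subject_Reference malware_subject_idref="example:Subject-9"/>
      </Cluster_Edge_Node_Pair>
    </Cluster_Composition>
  </Grouping_Relationships>
</MAEC_Package>
"""


class ClusterEdge(NamedTuple):
    node_a: str
    node_b: str
    similarity_index: Optional[float]
    similarity_distance: Optional[float]


class ClusterInfo(NamedTuple):
    subject_ids: Set[str]
    distance_threshold: Optional[float]
    score_type: Optional[str]
    edges: List[ClusterEdge]


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the namespace part of an ElementTree tag


def _opt_float(raw: Optional[str]) -> Optional[float]:
    return None if raw is None else float(raw.strip())


def parse_cluster(xml_text: str) -> ClusterInfo:
    # Walk every element by local name so the exact nesting does not matter.
    root = ET.fromstring(xml_text.strip())
    subject_ids: Set[str] = set()
    threshold = score_type = None
    edges: List[ClusterEdge] = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "Malware_Subject" and elem.get("id"):
            subject_ids.add(elem.get("id"))
        elif name == "Distance_Threshold":
            threshold = _opt_float(elem.text)
        elif name == "Cluster_Composition":
            score_type = elem.get("score_type")
        elif name == "Cluster_Edge_Node_Pair":
            refs = [r.get("malware_subject_idref") for r in elem
                    if _local(r.tag) == "Malware_Subject_Reference"]
            if len(refs) != 2:
                raise ValueError("an edge must reference exactly two Malware Subjects")
            edges.append(ClusterEdge(refs[0], refs[1],
                                     _opt_float(elem.get("similarity_index")),
                                     _opt_float(elem.get("similarity_distance"))))
    return ClusterInfo(subject_ids, threshold, score_type, edges)


def check_edges(info: ClusterInfo, tol: float = 1e-9) -> List[str]:
    # Consistency checks a Package consumer should run before trusting the cluster.
    problems = []
    for e in info.edges:
        edge = f"{e.node_a} <-> {e.node_b}"
        for ref in (e.node_a, e.node_b):
            if ref not in info.subject_ids:
                problems.append(f"{edge}: malware_subject_idref {ref!r} does not resolve")
        for label, val in (("similarity_index", e.similarity_index),
                           ("similarity_distance", e.similarity_distance)):
            if val is not None and not 0.0 <= val <= 1.0:
                problems.append(f"{edge}: {label}={val} outside [0, 1]")
        if e.similarity_index is None and e.similarity_distance is None:
            problems.append(f"{edge}: neither similarity_index nor similarity_distance given")
        elif (e.similarity_index is not None and e.similarity_distance is not None
              and abs(e.similarity_index + e.similarity_distance - 1.0) > tol):
            problems.append(f"{edge}: similarity_index + similarity_distance != 1")
    return problems


def edge_distance(e: ClusterEdge) -> Optional[float]:
    # The page states distance = 1 - index, so either attribute is enough.
    if e.similarity_distance is not None:
        return e.similarity_distance
    return None if e.similarity_index is None else 1.0 - e.similarity_index


def clusters(info: ClusterInfo, threshold: Optional[float] = None) -> List[List[str]]:
    # Union-find over edges with distance <= threshold (assumed reading of the threshold).
    limit = info.distance_threshold if threshold is None else threshold
    if limit is None:
        raise ValueError("no Distance_Threshold available")
    parent: Dict[str, str] = {s: s for s in info.subject_ids}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for e in info.edges:
        d = edge_distance(e)
        if d is None or e.node_a not in parent or e.node_b not in parent:
            continue  # dangling edges are reported by check_edges, not clustered
        if d <= limit:
            parent[find(e.node_b)] = find(e.node_a)
    groups: Dict[str, List[str]] = {}
    for s in info.subject_ids:
        groups.setdefault(find(s), []).append(s)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    info = parse_cluster(SAMPLE_PACKAGE)
    for problem in check_edges(info):
        print("problem:", problem)
    print("clusters:", clusters(info))
```

Because the sample's Distance_Threshold is 0.3, only the Subject-1 / Subject-2 edge (distance 0.1) joins its nodes; raising the threshold to 0.9 pulls all three subjects into one cluster, which shows how sensitive the "clustered together" grouping relationship is to the parameter recorded in ClusteringAlgorithmParametersType.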