MAEC 4.1 (Archive)

Note: MAEC Version 4.1 (Archive) is hosted on the MAEC Legacy Site, and all files linked to below will redirect there.

Release Notes

• Added support for Cyber Observable eXpression (CybOX™) Version 2.1.
• Added implementation of MAEC Capabilities, for capturing the set of high-level abilities that a malware instance may possess (please see the detailed release notes for details).
• Added ability to “label” a Malware Subject with common terms, e.g., “worm”.
• Added ability to capture details of configuration parameters used by a malware instance.
• Added ability to capture details of the development environment used in the development of a malware instance.
• Made numerous vocabulary updates, tweaks, and changes.
• There are also full release notes available.

Specifications

• MAEC Bundle Specification, Version 4.1
• MAEC Package Specification, Version 4.1
• MAEC Container Specification, Version 4.1
• MAEC Default Vocabularies Specification, Version 4.1

Schema Downloads

File Name	Version	Schema	Documentation
All Files	n/a	zip	n/a
All Files (offline, with examples and documentation)	n/a	zip	n/a
MAEC Bundle	4.1	xsd	html
MAEC Package	2.1	xsd	html
MAEC Container	2.1	xsd	html
MAEC Default Vocabularies	1.1	xsd	html
MAEC Capabilities Hierarchy Diagram	n/a	n/a	pdf

Current Release Examples

The variety of examples below for MAEC Version 4.1 illustrate the use of MAEC Bundles, Packages, and Containers, as well as the capture of specific malware-related attributes (e.g., clustering information, AV classifications, etc.).

IMPORTANT: While the examples on this page are sourced from real-world analysis reports, they should be considered illustrative examples only and should not be used in real-world operations.

File Name	Description	XML
All Files	Archive of all v4.1 Release example files	zip
Bundle Artifact	Simple Bundle capturing network traffic information	xml
Bundle AV Classifications	Simple Bundle capturing Anti-Virus tool information	xml
Bundle Candidate Indicator	Demonstrates the basic construction of a Candidate Indicator entity within a Bundle	xml
Bundle Dynamic Triage Tool Output	Simple Bundle capturing dynamic analysis tool output	xml
Bundle Network Behavior	Simple Bundle capturing a network-based Behavior	xml
Bundle Malicious Webpage	Demonstrates the capture of the malicious aspects of a webpage	xml
Bundle Object Re-use	Demonstrates how Objects can be reused via ID references	xml
Container Multiple Package	Demonstrates the capture of multiple Packages using a Container	xml
Package Action Equivalency	Demonstrates the composition and use of an Action Equivalency entity in a Package	xml
Package Capability	Demonstrates the usage of Capabilities and Objectives in a Package, along with how they link up to Behaviors and Actions	xml
Package Capability Snifula	Provides a more detailed view of Capabilities and Objectives and their usage in characterizing a complex malware instance	xml
Package Clustering	Demonstrates how a Package can be used to capture a malware cluster (set of related malware)	xml
Package Configuration Parameters	Demonstrates how the configuration parameters of a Malware Subject can be characterized in a Package	xml
Package Development Environment	Demonstrates how the development environment of a Malware Subject entity can be characterized in a Package	xml
Package Dynamic Triage	Demonstrates how a Malware Subject entity in a Package can be used to capture multiple dynamic analysis tool outputs	xml
Package Manual Analysis	Demonstrates how a Malware Subject entity in a Package can be used to capture manual analysis tool output	xml
Package Multi-Partite Malware	Demonstrates how multi-partite malware may be captured as unique Malware Subject entities in a Package	xml
Package Multiple Analysis	Demonstrates how multiple analyses for the same Malware Subject (a Zeus binary) can be combined in a single Package using multiple Analysis entities	xml
Package Static Triage	Simple Package capturing basic static triage results	xml

GitHub Repository Examples
The MAEC release examples, as well as examples provided by the MAEC Community, are provided at https://github.com/MAECProject/schemas/tree/master/examples.

STIX Examples
The Structured Threat Information eXpression (STIX™) Language can describe malware using MAEC characterizations through the use of a MAEC schema extension for the STIX TTP schema. See the “Malware Sample” in the STIXProject GitHub repository for an explicit example.

Cuckoobox Outputs
The MAEC release examples in the MAECProject GitHub repository contains example Cuckoobox outputs that were automatically generated and illustrate many of MAEC’s features.

MAEC Detailed Examples Document
The MAEC Detailed Examples Document provides comprehensive guidance on the creation of MAEC Package and Bundle documents in the context of static triage, dynamic triage, and manual analysis. Accordingly, it provides a detailed walk-through and description of a notional MAEC document for each such use case. Currently, this document is written against MAEC Version 4.0.1, though the concepts are almost completely compatible with MAEC Version 4.1.