Examples

MAEC examples can be extremely helpful for gaining a deeper understanding of the MAEC Language. MAEC example content for MAEC Version 4.1 is provided below.

IMPORTANT: While the examples on this page are sourced from real-world analysis reports, they should be considered illustrative examples only and should not be used in real-world operations.

MAEC Detailed Examples

The MAEC Detailed Examples Document (PDF, 2 MB) provides comprehensive guidance on the creation of MAEC Package and Bundle documents in the context of static triage, dynamic triage, and manual analysis. Accordingly, it provides a detailed walk-through and description of a notional MAEC document for each such use case. Currently, this document is written against MAEC Version 4.0.1, though the concepts are almost completely compatible with MAEC Version 4.1.

MAEC Current Release Examples

The examples below are included in the MAEC Version 4.1 release. The variety of examples illustrates the use of MAEC Bundles, Packages, and Containers, as well as the capture of specific malware-related attributes (e.g., clustering information, AV classifications, etc.).

File Name | Description | Download
--- | --- | ---
All Files | Archive of all v4.1 Release example files | zip
Bundle Artifact | Simple Bundle capturing network traffic information | xml
Bundle AV Classifications | Simple Bundle capturing Anti-Virus tool information | xml
Bundle Candidate Indicator | Demonstrates the basic construction of a Candidate Indicator entity within a Bundle | xml
Bundle Dynamic Triage Tool Output | Simple Bundle capturing dynamic analysis tool output | xml
Bundle Network Behavior | Simple Bundle capturing a network-based Behavior | xml
Bundle Malicious Webpage | Demonstrates the capture of the malicious aspects of a webpage | xml
Bundle Object Re-use | Demonstrates how Objects can be reused via ID references | xml
Container Multiple Package | Demonstrates the capture of multiple Packages using a Container | xml
Package Action Equivalency | Demonstrates the composition and use of an Action Equivalency entity in a Package | xml
Package Capability | Demonstrates the usage of Capabilities and Objectives in a Package, along with how they link up to Behaviors and Actions | xml
Package Capability Snifula | Provides a more detailed view of Capabilities and Objectives and their usage in characterizing a complex malware instance | xml
Package Clustering | Demonstrates how a Package can be used to capture a malware cluster (a set of related malware) | xml
Package Configuration Parameters | Demonstrates how the configuration parameters of a Malware Subject can be characterized in a Package | xml
Package Development Environment | Demonstrates how the development environment of a Malware Subject entity can be characterized in a Package | xml
Package Dynamic Triage | Demonstrates how a Malware Subject entity in a Package can be used to capture multiple dynamic analysis tool outputs | xml
Package Manual Analysis | Demonstrates how a Malware Subject entity in a Package can be used to capture manual analysis tool output | xml
Package Multi-Partite Malware | Demonstrates how multi-partite malware may be captured as unique Malware Subject entities in a Package | xml
Package Multiple Analysis | Demonstrates how multiple analyses for the same Malware Subject (a Zeus binary) can be combined in a single Package using multiple Analysis entities | xml
Package Static Triage | Simple Package capturing basic static triage results | xml

GitHub Repository Examples

The MAEC release examples, as well as examples provided by the MAEC Community, are provided in the MAECProject GitHub repository at https://github.com/MAECProject/schemas/tree/master/examples.

STIX Examples

The Structured Threat Information eXpression (STIX™) Language can describe malware using MAEC characterizations through the use of a MAEC schema extension for the STIX TTP schema. Refer to the "Malware Sample" on the STIX Samples page for an explicit example.

Please see Ties to Existing Specifications for further information about how MAEC is related to such efforts as STIX, Cyber Observable eXpression (CybOX™), etc.

Cuckoobox Outputs

The MAECProject GitHub repository also contains example Cuckoobox outputs that were automatically generated and that illustrate many of MAEC's features.


Page Last Updated: February 27, 2014