Version 1.1 (Archive)

This page provides information on the current release of the MAEC Language. All information about the current release is included in this centralized location. The major highlights of the release so far are listed below:

  • The primary focus of this release was adding support for characterizing the results of static analysis. As such, we added attributes specific to PE (Portable Executable) binaries, under ObjectType/File_System_Object_Attributes/File_Type_Attributes/PE_Binary_Attributes.
  • Added schema versioning through namespaces, the ‘version’ xs:schema attribute, and the ‘schema_version’ MAEC_Bundle attribute. The major version is specified through the namespace while the specific (minor) version is in the ‘version’ attribute. We are using ‘’ as the namespace for the ‘core’ schema, and will utilize similar namespaces for the elements that get split off in future releases, such as the objects and enumerations.
  • Added new HashType complextype for use in specifying the hash of a particular attribute.
  • Added ID specifications (via simpleTypes) for each MAEC element that uses an ID. Currently these follow the OVAL model, e.g. MAEC:<some namespace>:<some entity identifier>:<an integer>. For example, a valid action ID would be: MAEC:test:act:1.
  • Made APICall/Code elements optional under ActionImplementationType.
  • Added processor family class attribute for CodeType. Uses enumerated list of architectures that includes x86-32, x86-64, ARM, PowerPC, etc.
  • Added support for characterizing handles of process objects, through new ‘Handles’ element under ObjectType/Process_Object_Attributes.
  • Added support for differentiating between locally & externally bound sockets, through new ‘internal_IP_address’ and ‘external_IP_address’ and port elements under ObjectType/Network_Object_Attributes.
  • Added a Code_Segment_XOR element (hexBinary datatype) and an ‘xorpattern’ attribute under CodeType. Thus, any code encapsulated in this element should be XOR encoded with the 16-hexadecimal character pattern specified in ‘xorpattern’ (55AA55AA55AA55BB by default, per IETF RFC 5901). This was done so that any code contained in the pattern does not trigger IDS, AV, or other signature-based scanners.
  • Moved all non-exhaustive enumerations (action types, object types, packer types, effect types, hash types) from their parent element to a separate simpletype enumeration element.
  • Changed several attribute and element names for terseness and to be more consistent with the rest of the naming convention used throughout the rest of the schema. E.g.: ‘effect_reference_type’ attribute under EffectReferenceType was renamed as ‘type’.

All items in this release remain open for discussion and any comments or feedback is greatly appreciated. Please see the schema or schema documentation for more information.


Includes downloads for the Version 1.1 Schema, and Version 1.1 Example Files.


  • Complete Schema — has all documentation embedded.
  • Documentation html — element dictionaries, which users can elect to view in a browser or save.
  • All files zip — all the files in a section zipped together to allow for one simple download.
  • xsd/xml — a user can either right click to download the file or left click to open the file in their default viewer.

MAEC Schema Downloads

File Name Complete Schema Documentation
MAEC Core xsd html

MAEC Example Content Downloads

File Name XML
All Files zip
Email Harvesting Behavior/Actions xml
Service Disabling Behavior/Actions xml
Malicious PDF Analysis (Wepawet) xml
Malicious URL Analysis (Wepawet) xml
Back to top

Page Last Updated: April 25, 2013