Main schema maec_default_vocabularies.xsd
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
This schema was originally developed by The MITRE Corporation. The MAEC XML Schema implementation is maintained by The MITRE Corporation and developed by the open MAEC Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the MAEC website at http://maec.mitre.org.
Complex Type maecVocabs:ActionObjectAssociationTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ActionObjectAssociationTypeVocab is the default MAEC vocabulary for Action-Object association types, captured via the AssociatedObjectType/Association_Type element in CybOX Core.
It should be used in place of the CybOX ActionObjectAssociationVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:ActionObjectAssociationTypeEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
ActionObjectAssociationTypeEnum is a (non-exhaustive) enumeration of types of action-object associations.
Type restriction of xs:string
Facets
enumeration input
The 'input' value specifies that the associated object serves as an input to the action. This includes cases where an object is used by the action or an existing object is modified by the action.
enumeration output
The 'output' value specifies that the associated object serves as an output to the action. This includes cases where the object is created anew by the action or otherwise returned by the action.
enumeration side-effect
The 'side-effect' value specifies that the associated object serves as a side-effect resulting from the action. This includes cases where the object is modified indirectly by the action.
Complex Type maecVocabs:ImportanceTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ImportanceTypeVocab is the default MAEC vocabulary for relative importance measures, captured via the CandidateIndicatorType/Importance element in the MAEC Bundle.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:ImportanceTypeEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ImportanceTypeEnum is a (non-exhaustive) enumeration of relative importance measures.
Type restriction of xs:string
Facets
enumeration high
The 'high' value specifies that the field is of relatively high importance.
enumeration medium
The 'medium' value specifies that the field is of relatively medium importance.
enumeration low
The 'low' value specifies that the field is of relatively low importance.
enumeration informational
The 'informational' value specifies that the field is only informational in its importance.
enumeration numeric
The 'numeric' value specifies that the field has a numeric importance value, which is defined in another attribute or element.
enumeration unknown
The 'unknown' value specifies that the relative importance for the field is unknown.
Complex Type maecVocabs:MalwareEntityTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareEntityTypeVocab is the default MAEC vocabulary for malware entity types, captured via the CandidateIndicatorType/Malware_Entity/Type element in the MAEC Bundle.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MalwareEntityTypeEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareEntityTypeEnum is a (non-exhaustive) enumeration of the different types of entities that a malware indicator or signature may be written against.
Type restriction of xs:string
Facets
enumeration instance
The 'instance' value specifies that the particular malware entity being referred to is a single malware instance.
enumeration family
The 'family' value specifies that the particular malware entity being referred to is a single malware family.
enumeration class
The 'class' value specifies that the particular malware entity being referred to is a single class of malware.
Complex Type maecVocabs:DeviceDriverActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DeviceDriverActionNameVocab is the default MAEC vocabulary for device driver action names, captured via the ActionType/Name element in CybOX Core.
For device driver action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DeviceDriverActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DeviceDriverActionNameEnum is a (non-exhaustive) enumeration of the different types of actions associated with device drivers.
Deprecated as of MAEC 4.1.
Type restriction of xs:string
Facets
enumeration load and call driver
The 'load and call driver' value specifies the defined action of loading a driver into a system and then calling the loaded driver.
enumeration load driver
The 'load driver' value specifies the defined action of loading a driver into a system.
enumeration unload driver
The 'unload driver' value specifies the defined action of unloading a driver from a system.
Complex Type maecVocabs:DeviceDriverActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DeviceDriverActionNameVocab is the default MAEC vocabulary for device driver action names, captured via the ActionType/Name element in CybOX Core.
For device driver action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated DeviceDriverActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DeviceDriverActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DeviceDriverActionNameEnum is a (non-exhaustive) enumeration of the different types of actions associated with device drivers.
Type restriction of xs:string
Facets
enumeration load and call driver
The 'load and call driver' value specifies the defined action of loading a driver into a system and then calling the loaded driver.
enumeration load driver
The 'load driver' value specifies the defined action of loading a driver into a system.
enumeration unload driver
The 'unload driver' value specifies the defined action of unloading a driver from a system.
enumeration emulate driver
The 'emulate driver' value specifies the defined action of emulating an existing driver on a system.
Complex Type maecVocabs:DebuggingActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DebuggingActionNameVocab is the default MAEC vocabulary for debugging action names, captured via the ActionType/Name element in CybOX Core.
For debugging action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DebuggingActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DebuggingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with debugging.
Type restriction of xs:string
Facets
enumeration check for remote debugger
The 'check for remote debugger' value specifies the defined action of checking for the presence of a remote debugger.
enumeration check for kernel debugger
The 'check for kernel debugger' value specifies the defined action of checking for the presence of a kernel debugger.
Complex Type maecVocabs:LibraryActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The LibraryActionNameVocab is the default MAEC vocabulary for library action names, captured via the ActionType/Name element in CybOX Core.
For library action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:LibraryActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The LibraryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with libraries.
Deprecated as of MAEC 4.1.
Type restriction of xs:string
Facets
enumeration enumerate libraries
The 'enumerate libraries' value specifies the defined action of enumerating the libraries used by a process.
enumeration free library
The 'free library' value specifies the defined action of freeing a library previously loaded into the address space of the calling process.
enumeration load library
The 'load library' value specifies the defined action of loading a library into the address space of the calling process.
enumeration get function address
The 'get function address' value specifies the defined action of getting the address of an exported function or variable from a library.
Complex Type maecVocabs:LibraryActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The LibraryActionNameVocab is the default MAEC vocabulary for library action names, captured via the ActionType/Name element in CybOX Core.
For library action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated LibraryActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:LibraryActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The LibraryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with libraries.
Type restriction of xs:string
Facets
enumeration enumerate libraries
The 'enumerate libraries' value specifies the defined action of enumerating the libraries used by a process.
enumeration free library
The 'free library' value specifies the defined action of freeing a library previously loaded into the address space of the calling process.
enumeration load library
The 'load library' value specifies the defined action of loading a library into the address space of the calling process.
enumeration get function address
The 'get function address' value specifies the defined action of getting the address of an exported function or variable from a library.
enumeration call library function
The 'call library function' value specifies the defined action of calling a function exported by a library.
Complex Type maecVocabs:DirectoryActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DirectoryActionNameVocab is the default MAEC vocabulary for directory action names, captured via the ActionType/Name element in CybOX Core.
For directory action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DirectoryActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DirectoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with file directories.
Deprecated as of MAEC 4.1.
Type restriction of xs:string
Facets
enumeration create directory
The 'create directory' value specifies the defined action of creating a new directory on the filesystem.
enumeration delete directory
The 'delete directory' value specifies the defined action of deleting an existing directory on the filesystem.
enumeration monitor directory
The 'monitor directory' value specifies the defined action of monitoring an existing directory on the filesystem for changes.
Complex Type maecVocabs:DirectoryActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DirectoryActionNameVocab is the default MAEC vocabulary for directory action names, captured via the ActionType/Name element in CybOX Core.
For directory action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated DirectoryActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DirectoryActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DirectoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with file directories.
Type restriction of xs:string
Facets
enumeration create directory
The 'create directory' value specifies the defined action of creating a new directory on the filesystem.
enumeration delete directory
The 'delete directory' value specifies the defined action of deleting an existing directory on the filesystem.
enumeration monitor directory
The 'monitor directory' value specifies the defined action of monitoring an existing directory on the filesystem for changes.
enumeration hide directory
The 'hide directory' value specifies the defined action of hiding an existing directory.
Complex Type maecVocabs:DiskActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DiskActionNameVocab is the default MAEC vocabulary for disk action names, captured via the ActionType/Name element in CybOX Core.
For disk action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DiskActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DiskActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with hard disks.
Deprecated as of MAEC 4.1.
Type restriction of xs:string
Facets
enumeration get disk type
The 'get disk type' value specifies the defined action of getting the disk type.
enumeration get disk attributes
The 'get disk attributes' value specifies the defined action of querying the attributes of a disk, such as the amount of available free space.
enumeration mount disk
The 'mount disk' value specifies the defined action of mounting an existing file system to a mounting point.
enumeration unmount disk
The 'unmount disk' value specifies the defined action of unmounting an existing file system from a mounting point.
Complex Type maecVocabs:DiskActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DiskActionNameVocab is the default MAEC vocabulary for disk action names, captured via the ActionType/Name element in CybOX Core.
For disk action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated DiskActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DiskActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DiskActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with hard disks.
Type restriction of xs:string
Facets
enumeration get disk type
The 'get disk type' value specifies the defined action of getting the disk type.
enumeration get disk attributes
The 'get disk attributes' value specifies the defined action of querying the attributes of a disk, such as the amount of available free space.
enumeration mount disk
The 'mount disk' value specifies the defined action of mounting an existing file system to a mounting point.
enumeration unmount disk
The 'unmount disk' value specifies the defined action of unmounting an existing file system from a mounting point.
enumeration emulate disk
The 'emulate disk' value specifies the defined action of emulating an existing disk.
enumeration list disks
The 'list disks' value specifies the defined action of listing all disks available on a system.
enumeration monitor disk
The 'monitor disk' value specifies the defined action of monitoring an existing disk for changes.
Complex Type maecVocabs:FileActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FileActionNameVocab is the default MAEC vocabulary for file action names, captured via the ActionType/Name element in CybOX Core.
For file action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:FileActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FileActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file.
Deprecated as of MAEC 4.1.
Type restriction of xs:string
Facets
enumeration create file
The 'create file' value specifies the defined action of creating a new file.
enumeration delete file
The 'delete file' value specifies the defined action of deleting an existing file.
enumeration copy file
The 'copy file' value specifies the defined action of copying an existing file from one location to another.
enumeration create file symbolic link
The 'create file symbolic link' value specifies the defined action of creating a symbolic link to an existing file.
enumeration find file
The 'find file' value specifies the defined action of searching for an existing file.
enumeration get file attributes
The 'get file attributes' value specifies the defined action of getting the attributes of an existing file.
enumeration set file attributes
The 'set file attributes' value specifies the defined action of setting the file attributes for an existing file.
enumeration lock file
The 'lock file' value specifies the defined action of locking an existing file.
enumeration unlock file
The 'unlock file' value specifies the defined action of unlocking an existing file.
enumeration modify file
The 'modify file' value specifies the defined action of modifying an existing file in some manner.
enumeration move file
The 'move file' value specifies the defined action of moving an existing file from one location to another.
enumeration open file
The 'open file' value specifies the defined action of opening an existing file for reading or writing.
enumeration read from file
The 'read from file' value specifies the defined action of reading from an existing file.
enumeration write to file
The 'write to file' value specifies the defined action of writing to an existing file.
enumeration rename file
The 'rename file' value specifies the defined action of renaming an existing file.
enumeration create file alternate data stream
The 'create file alternate data stream' value specifies the defined action of creating an alternate data stream in an existing file.
enumeration send control code to file
The 'send control code to file' value specifies the defined action of sending a control code to a file.
enumeration create file mapping
The 'create file mapping' value specifies the defined action of creating a new file mapping object.
enumeration open file mapping
The 'open file mapping' value specifies the defined action of opening an existing file mapping object.
Complex Type maecVocabs:FileActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FileActionNameVocab is the default MAEC vocabulary for file action names, captured via the ActionType/Name element in CybOX Core.
For file action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated FileActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:FileActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FileActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file.
Type restriction of xs:string
Facets
enumeration create file
The 'create file' value specifies the defined action of creating a new file.
enumeration delete file
The 'delete file' value specifies the defined action of deleting an existing file.
enumeration copy file
The 'copy file' value specifies the defined action of copying an existing file from one location to another.
enumeration create file symbolic link
The 'create file symbolic link' value specifies the defined action of creating a symbolic link to an existing file.
enumeration find file
The 'find file' value specifies the defined action of searching for an existing file.
enumeration get file attributes
The 'get file attributes' value specifies the defined action of getting the attributes of an existing file.
enumeration set file attributes
The 'set file attributes' value specifies the defined action of setting the file attributes for an existing file.
enumeration lock file
The 'lock file' value specifies the defined action of locking an existing file.
enumeration unlock file
The 'unlock file' value specifies the defined action of unlocking an existing file.
enumeration modify file
The 'modify file' value specifies the defined action of modifying an existing file in some manner.
enumeration move file
The 'move file' value specifies the defined action of moving an existing file from one location to another.
enumeration open file
The 'open file' value specifies the defined action of opening an existing file for reading or writing.
enumeration read from file
The 'read from file' value specifies the defined action of reading from an existing file.
enumeration write to file
The 'write to file' value specifies the defined action of writing to an existing file.
enumeration rename file
The 'rename file' value specifies the defined action of renaming an existing file.
enumeration create file alternate data stream
The 'create file alternate data stream' value specifies the defined action of creating an alternate data stream in an existing file.
enumeration send control code to file
The 'send control code to file' value specifies the defined action of sending a control code to a file.
enumeration create file mapping
The 'create file mapping' value specifies the defined action of creating a new file mapping object.
enumeration open file mapping
The 'open file mapping' value specifies the defined action of opening an existing file mapping object.
enumeration execute file
The 'execute file' value specifies the defined action of executing an existing file.
enumeration hide file
The 'hide file' value specifies the defined action of hiding an existing file.
enumeration close file
The 'close file' value specifies the defined action of closing an existing file that was previously opened for reading or writing.
Complex Type maecVocabs:HookingActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HookingActionNameVocab is the default MAEC vocabulary for hooking action names, captured via the ActionType/Name element in CybOX Core.
For hooking action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:HookingActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HookingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with various kinds of hooking.
Deprecated as of MAEC 4.1.
Type restriction of xs:string
Facets
enumeration add system call hook
The 'add system call hook' value specifies the defined action of adding a new system call hook.
enumeration add windows hook
The 'add windows hook' value specifies the defined action of adding a new Windows application-defined hook procedure.
Complex Type maecVocabs:HookingActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HookingActionNameVocab is the default MAEC vocabulary for hooking action names, captured via the ActionType/Name element in CybOX Core.
For hooking action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated HookingActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:HookingActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HookingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with various kinds of hooking.
Type restriction of xs:string
Facets
enumeration add system call hook
The 'add system call hook' value specifies the defined action of adding a new system call hook.
enumeration add windows hook
The 'add windows hook' value specifies the defined action of adding a new Windows application-defined hook procedure.
enumeration hide hook
The 'hide hook' value specifies the defined action of hiding an existing hook.
Complex Type maecVocabs:DNSActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DNSActionNameVocab is the default MAEC vocabulary for DNS action names, captured via the ActionType/Name element in CybOX Core.
For DNS action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DNSActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DNSActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Domain Name System (DNS).
Type restriction of xs:string
Facets
enumeration send dns query
The 'send dns query' value specifies the defined action of sending a DNS query.
enumeration send reverse dns lookup
The 'send reverse dns lookup' value specifies the defined action of sending a reverse DNS lookup.
Complex Type maecVocabs:IRCActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IRCActionNameVocab is the default MAEC vocabulary for IRC action names, captured via the ActionType/Name element in CybOX Core.
For IRC action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:IRCActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IRCActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Internet Relay Chat (IRC).
Type restriction of xs:string
Facets
enumeration connect to irc server
The 'connect to irc server' value specifies the defined action of connecting to an existing IRC server.
enumeration disconnect from irc server
The 'disconnect from irc server' value specifies the defined action of disconnecting from an existing IRC server.
enumeration set irc nickname
The 'set irc nickname' value specifies the defined action of setting an IRC nickname on an IRC server.
enumeration join irc channel
The 'join irc channel' value specifies the defined action of joining a channel on an IRC server.
enumeration leave irc channel
The 'leave irc channel' value specifies the defined action of leaving a channel on an IRC server.
enumeration send irc private message
The 'send irc private message' value specifies the defined action of sending a private message to another user on an IRC server.
enumeration receive irc private message
The 'receive irc private message' value specifies the defined action of receiving a private message from another user on an IRC server.
Complex Type maecVocabs:FTPActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FTPActionNameVocab is the default MAEC vocabulary for FTP action names, captured via the ActionType/Name element in CybOX Core.
For FTP action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:FTPActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FTPActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the File Transfer Protocol (FTP).
Type restriction of xs:string
Facets
enumeration connect to ftp server
The 'connect to ftp server' value specifies the defined action of connecting to an existing FTP server.
enumeration disconnect from ftp server
The 'disconnect from ftp server' value specifies the defined action of disconnecting from an existing FTP server.
enumeration send ftp command
The 'send ftp command' value specifies the defined action of sending a command on an FTP server connection.
Complex Type maecVocabs:HTTPActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HTTPActionNameVocab is the default MAEC vocabulary for HTTP action names, captured via the ActionType/Name element in CybOX Core.
For HTTP action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:HTTPActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HTTPActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Hypertext Transfer Protocol (HTTP).
Type restriction of xs:string
Facets
enumeration send http get request
The 'send http get request' value specifies the defined action of sending an HTTP GET client request to an existing server.
enumeration send http head request
The 'send http head request' value specifies the defined action of sending an HTTP HEAD client request to an existing server.
enumeration send http post request
The 'send http post request' value specifies the defined action of sending an HTTP POST client request to an existing server.
enumeration send http put request
The 'send http put request' value specifies the defined action of sending an HTTP PUT client request to an existing server.
enumeration send http delete request
The 'send http delete request' value specifies the defined action of sending an HTTP DELETE client request to an existing server.
enumeration send http trace request
The 'send http trace request' value specifies the defined action of sending an HTTP TRACE client request to an existing server.
enumeration send http options request
The 'send http options request' value specifies the defined action of sending an HTTP OPTIONS client request to an existing server.
enumeration send http connect request
The 'send http connect request' value specifies the defined action of sending an HTTP CONNECT client request to an existing server.
enumeration send http patch request
The 'send http patch request' value specifies the defined action of sending an HTTP PATCH client request to an existing server.
enumeration receive http response
The 'receive http response' value specifies the defined action of receiving an HTTP server response for a prior HTTP request.
Complex Type maecVocabs:NetworkActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkActionNameVocab is the default MAEC vocabulary for network action names, captured via the ActionType/Name element in CybOX Core.
For network action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:NetworkActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with networking.
Deprecated as of MAEC 4.1.
Type restriction of xs:string
Facets
enumeration open port
The 'open port' value specifies the defined action of opening a network port.
enumeration close port
The 'close port' value specifies the defined action of closing a network port.
enumeration connect to ip
The 'connect to ip' value specifies the defined action of connecting to an IP address.
enumeration disconnect from ip
The 'disconnect from ip' value specifies the defined action of disconnecting from a previously established connection to an IP address.
enumeration connect to url
The 'connect to url' value specifies the defined action of connecting to a URL.
enumeration connect to socket address
The 'connect to socket address' value specifies the defined action of connecting to a socket address, consisting of an IP address and port number.
enumeration download file
The 'download file' value specifies the defined action of downloading a file from a remote location.
enumeration upload file
The 'upload file' value specifies the defined action of uploading a file to a remote location.
enumeration listen on port
The 'listen on port' value specifies the defined action of listening on a specific port.
enumeration send email message
The 'send email message' value specifies the defined action of sending an email message.
enumeration send icmp request
The 'send icmp request' value specifies the defined action of sending an ICMP request.
Complex Type maecVocabs:NetworkActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkActionNameVocab is the default MAEC vocabulary for network action names, captured via the ActionType/Name element in CybOX Core.
For network action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated NetworkActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:NetworkActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with networking.
Type restriction of xs:string
Facets
enumeration open port
The 'open port' value specifies the defined action of opening a network port.
enumeration close port
The 'close port' value specifies the defined action of closing a network port.
enumeration connect to ip
The 'connect to ip' value specifies the defined action of connecting to an IP address.
enumeration disconnect from ip
The 'disconnect from ip' value specifies the defined action of disconnecting from a previously established connection to an IP address.
enumeration connect to url
The 'connect to url' value specifies the defined action of connecting to a URL.
enumeration connect to socket address
The 'connect to socket address' value specifies the defined action of connecting to a socket address, consisting of an IP address and port number.
enumeration download file
The 'download file' value specifies the defined action of downloading a file from a remote location.
enumeration upload file
The 'upload file' value specifies the defined action of uploading a file to a remote location.
enumeration listen on port
The 'listen on port' value specifies the defined action of listening on a specific port.
enumeration send email message
The 'send email message' value specifies the defined action of sending an email message.
enumeration send icmp request
The 'send icmp request' value specifies the defined action of sending an ICMP request.
enumeration send network packet
The 'send network packet' value specifies the defined action of sending a packet on a network.
enumeration receive network packet
The 'receive network packet' value specifies the defined action of receiving a packet on a network.
Complex Type maecVocabs:NetworkShareActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkShareActionNameVocab is the default MAEC vocabulary for Windows network share action names, captured via the ActionType/Name element in CybOX Core.
For network share action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:NetworkShareActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkShareActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with Windows network shares.
Type restriction of xs:string
Facets
enumeration add connection to network share
The 'add connection to network share' value specifies the defined action of adding a connection to an existing network share.
enumeration add network share
The 'add network share' value specifies the defined action of adding a new network share on a server.
enumeration delete network share
The 'delete network share' value specifies the defined action of deleting an existing network share on a server.
enumeration connect to network share
The 'connect to network share' value specifies the defined action of connecting to an existing network share.
enumeration disconnect from network share
The 'disconnect from network share' value specifies the defined action of disconnecting from an existing network share.
enumeration enumerate network shares
The 'enumerate network shares' value specifies the defined action of enumerating the available shared resources on a server.
Complex Type maecVocabs:SocketActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SocketActionNameVocab is the default MAEC vocabulary for socket action names, captured via the ActionType/Name element in CybOX Core.
For socket action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SocketActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SocketActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with network sockets.
Type restriction of xs:string
Facets
enumeration accept socket connection
The 'accept socket connection' value specifies the defined action of accepting a socket connection.
enumeration bind address to socket
The 'bind address to socket' value specifies the defined action of binding a socket address to a socket.
enumeration create socket
The 'create socket' value specifies the defined action of creating a new socket.
enumeration close socket
The 'close socket' value specifies the defined action of closing an existing socket.
enumeration connect to socket
The 'connect to socket' value specifies the defined action of connecting to an existing socket.
enumeration disconnect from socket
The 'disconnect from socket' value specifies the defined action of disconnecting from an existing socket.
enumeration listen on socket
The 'listen on socket' value specifies the defined action of listening on an existing socket.
enumeration send data on socket
The 'send data on socket' value specifies the defined action of sending data on an existing, connected socket.
enumeration receive data on socket
The 'receive data on socket' value specifies the defined action of receiving data on an existing socket.
enumeration send data to address on socket
The 'send data to address on socket' value specifies the defined action of sending data to a specified IP address on an existing, unconnected socket.
enumeration get host by address
The 'get host by address' value specifies the defined action of getting information on a host from a local or remote host database by its IP address.
enumeration get host by name
The 'get host by name' value specifies the defined action of getting information on a host from a local or remote host database by its name.
Complex Type maecVocabs:RegistryActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RegistryActionNameVocab is the default MAEC vocabulary for registry action names, captured via the ActionType/Name element in CybOX Core.
For registry action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:RegistryActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RegistryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Windows registry.
Type restriction of xs:string
Facets
enumeration create registry key
The 'create registry key' value specifies the defined action of creating a new registry key.
enumeration delete registry key
The 'delete registry key' value specifies the defined action of deleting an existing registry key.
enumeration open registry key
The 'open registry key' value specifies the defined action of opening an existing registry key.
enumeration close registry key
The 'close registry key' value specifies the defined action of closing a handle to an existing registry key.
enumeration create registry key value
The 'create registry key value' value specifies the defined action of creating a new named value under an existing registry key.
enumeration delete registry key value
The 'delete registry key value' value specifies the defined action of deleting an existing named value under an existing registry key.
enumeration enumerate registry key subkeys
The 'enumerate registry key subkeys' value specifies the defined action of enumerating the registry key subkeys under an existing registry key.
enumeration enumerate registry key values
The 'enumerate registry key values' value specifies the defined action of enumerating the named values under an existing registry key.
enumeration get registry key attributes
The 'get registry key attributes' value specifies the defined action of getting the attributes of an existing registry key.
enumeration read registry key value
The 'read registry key value' value specifies the defined action of reading an existing named value of an existing registry key.
enumeration modify registry key value
The 'modify registry key value' value specifies the defined action of modifying an existing named value of an existing registry key.
enumeration modify registry key
The 'modify registry key' value specifies the defined action of modifying an existing registry key.
enumeration monitor registry key
The 'monitor registry key' value specifies the defined action of monitoring an existing registry key for changes.
Complex Type maecVocabs:UserActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The UserActionNameVocab is the default MAEC vocabulary for user action names, captured via the ActionType/Name element in CybOX Core.
For user action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:UserActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The UserActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with users.
Deprecated as of MAEC 4.1.
Type restriction of xs:string
Facets
enumeration add user
The 'add user' value specifies the defined action of adding a new user.
enumeration delete user
The 'delete user' value specifies the defined action of deleting an existing user.
enumeration enumerate users
The 'enumerate users' value specifies the defined action of enumerating all users.
enumeration get user attributes
The 'get user attributes' value specifies the defined action of getting the attributes of an existing user.
enumeration logon as user
The 'logon as user' value specifies the defined action of logging on as a specific user.
Complex Type maecVocabs:UserActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The UserActionNameVocab is the default MAEC vocabulary for user action names, captured via the ActionType/Name element in CybOX Core.
For user action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated UserActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:UserActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The UserActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with users.
Type restriction of xs:string
Facets
enumeration add user
The 'add user' value specifies the defined action of adding a new user.
enumeration delete user
The 'delete user' value specifies the defined action of deleting an existing user.
enumeration enumerate users
The 'enumerate users' value specifies the defined action of enumerating all users.
enumeration get user attributes
The 'get user attributes' value specifies the defined action of getting the attributes of an existing user.
enumeration logon as user
The 'logon as user' value specifies the defined action of logging on as a specific user.
enumeration change password
The 'change password' value specifies the defined action of changing an existing user's password.
enumeration add user to group
The 'add user to group' value specifies the defined action of adding an existing user to an existing group.
enumeration remove user from group
The 'remove user from group' value specifies the defined action of removing an existing user from an existing group.
enumeration invoke user privilege
The 'invoke user privilege' value specifies the defined action of invoking a privilege given to an existing user.
Complex Type maecVocabs:IPCActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IPCActionNameVocab is the default MAEC vocabulary for inter-process communication action names, captured via the ActionType/Name element in CybOX Core.
For IPC action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:IPCActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IPCActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with entities related to Inter-Process Communication (IPC).
Type restriction of xs:string
Facets
enumeration create named pipe
The 'create named pipe' value specifies the defined action of creating a new named pipe.
enumeration delete named pipe
The 'delete named pipe' value specifies the defined action of deleting an existing named pipe.
enumeration connect to named pipe
The 'connect to named pipe' value specifies the defined action of connecting to an existing named pipe.
enumeration disconnect from named pipe
The 'disconnect from named pipe' value specifies the defined action of disconnecting from an existing named pipe.
enumeration read from named pipe
The 'read from named pipe' value specifies the defined action of reading some data from an existing named pipe.
enumeration write to named pipe
The 'write to named pipe' value specifies the defined action of writing some data to an existing named pipe.
enumeration create mailslot
The 'create mailslot' value specifies the defined action of creating a new named mailslot.
enumeration read from mailslot
The 'read from mailslot' value specifies the defined action of reading some data from an existing named mailslot.
enumeration write to mailslot
The 'write to mailslot' value specifies the defined action of writing some data to an existing named mailslot.
Complex Type maecVocabs:ProcessMemoryActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessMemoryActionNameVocab is the default MAEC vocabulary for process memory action names, captured via the ActionType/Name element in CybOX Core.
For process memory action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:ProcessMemoryActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessMemoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the memory regions of a process.
Type restriction of xs:string
Facets
enumeration allocate process virtual memory
The 'allocate process virtual memory' value specifies the defined action of allocating some virtual memory region in an existing process.
enumeration free process virtual memory
The 'free process virtual memory' value specifies the defined action of freeing some virtual memory region from an existing process.
enumeration modify process virtual memory protection
The 'modify process virtual memory protection' value specifies the defined action of modifying the protection on a memory region in the virtual address space of an existing process.
enumeration read from process memory
The 'read from process memory' value specifies the defined action of reading from a memory region of an existing process.
enumeration write to process memory
The 'write to process memory' value specifies the defined action of writing to a memory region of an existing process.
enumeration map file into process
The 'map file into process' value specifies the defined action of mapping an existing file into the address space of the calling process.
enumeration unmap file from process
The 'unmap file from process' value specifies the defined action of unmapping an existing file from the address space of the calling process.
enumeration map library into process
The 'map library into process' value specifies the defined action of mapping a library into the address space of the calling process.
Complex Type maecVocabs:ProcessActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessActionNameVocab is the default MAEC vocabulary for process action names, captured via the ActionType/Name element in CybOX Core.
For process action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:ProcessActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with processes.
Type restriction of xs:string
Facets
enumeration create process
The 'create process' value specifies the defined action of creating a new process.
enumeration kill process
The 'kill process' value specifies the defined action of killing an existing process.
enumeration create process as user
The 'create process as user' value specifies the defined action of creating a new process in the security context of a specified user.
enumeration enumerate processes
The 'enumerate processes' value specifies the defined action of enumerating all of the running processes on a system.
enumeration open process
The 'open process' value specifies the defined action of opening an existing process.
enumeration flush process instruction cache
The 'flush process instruction cache' value specifies the defined action of flushing the instruction cache of an existing process.
enumeration get process current directory
The 'get process current directory' value specifies the defined action of getting the current directory of an existing process.
enumeration set process current directory
The 'set process current directory' value specifies the defined action of setting the current directory of an existing process.
enumeration get process environment variable
The 'get process environment variable' value specifies the defined action of getting an environment variable used by an existing process.
enumeration set process environment variable
The 'set process environment variable' value specifies the defined action of setting an environment variable used by an existing process.
enumeration sleep process
The 'sleep process' value specifies the defined action of sleeping an existing process for some period of time.
enumeration get process startupinfo
The 'get process startupinfo' value specifies the defined action of getting the STARTUPINFO struct associated with an existing process.
Complex Type maecVocabs:ProcessThreadActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessThreadActionNameVocab is the default MAEC vocabulary for process thread action names, captured via the ActionType/Name element in CybOX Core.
For process thread action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:ProcessThreadActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessThreadActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with process threads.
Type restriction of xs:string
Facets
enumeration create thread
The 'create thread' value specifies the defined action of creating a new thread in the virtual address space of the calling process.
enumeration kill thread
The 'kill thread' value specifies the defined action of killing a thread existing in the virtual address space of the calling process.
enumeration create remote thread in process
The 'create remote thread in process' value specifies the defined action of creating a thread that runs in the virtual address space of another existing process.
enumeration enumerate threads
The 'enumerate threads' value specifies the defined action of enumerating all threads in the calling process.
enumeration get thread username
The 'get thread username' value specifies the defined action of getting the name or ID of the user associated with an existing thread.
enumeration impersonate process
The 'impersonate process' value specifies the defined action of a thread in the calling process impersonating the security context of another existing process.
enumeration revert thread to self
The 'revert thread to self' value specifies the defined action of reverting an existing thread to its own security context.
enumeration get thread context
The 'get thread context' value specifies the defined action of getting the context structure (containing processor-specific register data) of an existing thread.
enumeration set thread context
The 'set thread context' value specifies the defined action of setting the context structure (containing processor-specific register data) for an existing thread.
enumeration queue apc in thread
The 'queue apc in thread' value specifies the defined action of queuing a new Asynchronous Procedure Call (APC) in the context of an existing thread.
Complex Type maecVocabs:ServiceActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ServiceActionNameVocab is the default MAEC vocabulary for service action names, captured via the ActionType/Name element in CybOX Core.
For service action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:ServiceActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ServiceActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with services or daemons.
Deprecated as of MAEC 4.1.
Type restriction of xs:string
Facets
enumeration create service
The 'create service' value specifies the defined action of creating a new service.
enumeration delete service
The 'delete service' value specifies the defined action of deleting an existing service.
enumeration start service
The 'start service' value specifies the defined action of starting an existing service.
enumeration enumerate services
The 'enumerate services' value specifies the defined action of enumerating a specific set of services on a system.
enumeration modify service configuration
The 'modify service configuration' value specifies the defined action of modifying the configuration parameters of an existing service.
enumeration open service
The 'open service' value specifies the defined action of opening an existing service.
enumeration send control code to service
The 'send control code to service' value specifies the defined action of sending a control code to an existing service.
Complex Type maecVocabs:ServiceActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ServiceActionNameVocab is the default MAEC vocabulary for service action names, captured via the ActionType/Name element in CybOX Core.
For service action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated ServiceActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:ServiceActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ServiceActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with services or daemons.
Type restriction of xs:string
Facets
enumeration create service
The 'create service' value specifies the defined action of creating a new service.
enumeration delete service
The 'delete service' value specifies the defined action of deleting an existing service.
enumeration start service
The 'start service' value specifies the defined action of starting an existing service.
enumeration stop service
The 'stop service' value specifies the defined action of stopping an existing service.
enumeration enumerate services
The 'enumerate services' value specifies the defined action of enumerating a specific set of services on a system.
enumeration modify service configuration
The 'modify service configuration' value specifies the defined action of modifying the configuration parameters of an existing service.
enumeration open service
The 'open service' value specifies the defined action of opening an existing service.
enumeration send control code to service
The 'send control code to service' value specifies the defined action of sending a control code to an existing service.
Complex Type maecVocabs:SynchronizationActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SynchronizationActionNameVocab is the default MAEC vocabulary for synchronization action names, captured via the ActionType/Name element in CybOX Core.
For synchronization action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SynchronizationActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SynchronizationActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with process and thread synchronization-related entities.
Type restriction of xs:string
Facets
enumeration create mutex
The 'create mutex' value specifies the defined action of creating a new named mutex.
enumeration delete mutex
The 'delete mutex' value specifies the defined action of deleting an existing named mutex.
enumeration open mutex
The 'open mutex' value specifies the defined action of opening an existing named mutex.
enumeration release mutex
The 'release mutex' value specifies the defined action of releasing ownership of an existing named mutex.
enumeration create semaphore
The 'create semaphore' value specifies the defined action of creating a new named semaphore.
enumeration delete semaphore
The 'delete semaphore' value specifies the defined action of deleting an existing named semaphore.
enumeration open semaphore
The 'open semaphore' value specifies the defined action of opening an existing named semaphore.
enumeration release semaphore
The 'release semaphore' value specifies the defined action of releasing ownership of an existing named semaphore.
enumeration create event
The 'create event' value specifies the defined action of creating a new named event object.
enumeration delete event
The 'delete event' value specifies the defined action of deleting an existing named event object.
enumeration open event
The 'open event' value specifies the defined action of opening an existing named event object.
enumeration reset event
The 'reset event' value specifies the defined action of resetting an existing named event object to the non-signaled state.
enumeration create critical section
The 'create critical section' value specifies the defined action of creating a new critical section.
enumeration delete critical section
The 'delete critical section' value specifies the defined action of deleting an existing critical section object.
enumeration open critical section
The 'open critical section' value specifies the defined action of opening an existing critical section object.
enumeration release critical section
The 'release critical section' value specifies the defined action of releasing an existing critical section object.
Complex Type maecVocabs:SystemActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SystemActionNameVocab is the default MAEC vocabulary for system action names, captured via the ActionType/Name element in CybOX Core.
For system action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SystemActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SystemActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with system-related entities.
Type restriction of xs:string
Facets
enumeration add scheduled task
The 'add scheduled task' value specifies the defined action of adding a scheduled task to a system.
enumeration shutdown system
The 'shutdown system' value specifies the defined action of shutting down a system.
enumeration sleep system
The 'sleep system' value specifies the defined action of sleeping a system for some period of time.
enumeration get elapsed system up time
The 'get elapsed system up time' value specifies the defined action of getting the elapsed up-time for a system.
enumeration get netbios name
The 'get netbios name' value specifies the defined action of getting the NetBIOS name of a system.
enumeration set netbios name
The 'set netbios name' value specifies the defined action of setting the NetBIOS name of a system.
enumeration get system host name
The 'get system host name' value specifies the defined action of getting the host name of a system.
enumeration set system host name
The 'set system host name' value specifies the defined action of setting the system host name of a system.
enumeration get system time
The 'get system time' value specifies the defined action of getting the system time of a system, represented in Coordinated Universal Time (UTC).
enumeration set system time
The 'set system time' value specifies the defined action of setting the system time for a system, represented in Coordinated Universal Time (UTC).
enumeration get system local time
The 'get system local time' value specifies the defined action of getting the local time of a system.
enumeration set system local time
The 'set system local time' value specifies the defined action of setting the local time of a system.
enumeration get username
The 'get username' value specifies the defined action of getting the username of the currently logged in user of a system.
enumeration enumerate system handles
The 'enumerate system handles' value specifies the defined action of enumerating all open handles on a system.
enumeration get system global flags
The 'get system global flags' value specifies the defined action of getting the enabled global flags on a system.
enumeration set system global flags
The 'set system global flags' value specifies the defined action of setting system global flags on a system.
enumeration get windows directory
The 'get windows directory' value specifies the defined action of getting the Windows installation directory on a system.
enumeration get windows system directory
The 'get windows system directory' value specifies the defined action of getting the Windows \System directory on a system.
enumeration get windows temporary files directory
The 'get windows temporary files directory' value specifies the defined action of getting the Windows temporary files directory on a system.
Complex Type maecVocabs:GUIActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The GUIActionNameVocab is the default MAEC vocabulary for GUI action names, captured via the ActionType/Name element in CybOX Core.
For GUI action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:GUIActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The GUIActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with graphical user interfaces (GUIs).
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create window
The 'create window' value specifies the defined action of creating a new window.
enumeration kill window
The 'kill window' value specifies the defined action of killing an existing window.
enumeration create dialog box
The 'create dialog box' value specifies the defined action of creating a new dialog box.
enumeration enumerate windows
The 'enumerate windows' value specifies the defined action of enumerating all open windows.
enumeration find window
The 'find window' value specifies the defined action of searching for a particular window.
enumeration hide window
The 'hide window' value specifies the defined action of hiding an existing window.
enumeration show window
The 'show window' value specifies the defined action of showing an existing window.
Complex Type maecVocabs:GroupingRelationshipTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The GroupingRelationshipTypeVocab is the default MAEC vocabulary for the grouping relationships in a Package, captured via the GroupingRelationshipType/Type element in the MAEC Package.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:GroupingRelationshipEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The GroupingRelationshipEnum is a non-exhaustive enumeration of Malware Subject grouping relationships.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration same malware family
The 'same malware family' value indicates that the Malware Subjects in the Package are all part of the same malware family.
enumeration clustered together
The 'clustered together' value indicates that the Malware Subjects in the Package were clustered together by some algorithm or other capability.
enumeration observed together
The 'observed together' value indicates that the Malware Subjects in the Package were abstractly observed together, such as on a host system, in some archive, etc.
enumeration part of intrusion set
The 'part of intrusion set' value indicates that the Malware Subjects in the Package were found as part of the same malware intrusion set.
enumeration same malware toolkit
The 'same malware toolkit' value indicates that the Malware Subjects in the Package were all created using the same malware toolkit, independent of toolkit version.
Complex Type maecVocabs:MalwareConfigurationParameterVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareConfigurationParameterVocab is the default MAEC vocabulary for malware configuration parameter names, captured via the MalwareConfigurationParameterType/Name element in the MAEC Package.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MalwareConfigurationParameterEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareConfigurationParameterEnum is a non-exhaustive enumeration of malware configuration parameter names.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration magic number
The 'magic number' value refers to a configuration parameter that captures a file signature that may be used to identify or validate the content of the malware instance.
enumeration id
The 'id' value refers to a configuration parameter that captures an identifier for the malware instance.
enumeration group id
The 'group id' value refers to a configuration parameter that captures an identifier for a collection of malware instances.
enumeration mutex
The 'mutex' value refers to a configuration parameter that captures a unique mutex value associated with the malware instance.
enumeration filename
The 'filename' value refers to a configuration parameter that captures the name of a malicious binary such as one that is downloaded or embedded within the malware instance.
enumeration installation path
The 'installation path' value refers to a configuration parameter that captures a location on disk to which the malware instance is installed, copied, or moved.
Complex Type maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareSubjectRelationshipTypeVocab is the default MAEC vocabulary for the Malware Subject relationships in a Package, captured via the MalwareSubjectRelationshipType/Type element in the MAEC Package.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MalwareSubjectRelationshipEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareSubjectRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Subjects.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration downloads
The 'downloads' value specifies that the Malware Subject downloads one or more other Malware Subject(s).
enumeration downloaded by
The 'downloaded by' value specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).
enumeration drops
The 'drops' value specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).
enumeration dropped by
The 'dropped by' value specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).
enumeration extracts
The 'extracts' value specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).
enumeration extracted from
The 'extracted from' value specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).
Complex Type maecVocabs:MalwareSubjectRelationshipTypeVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareSubjectRelationshipTypeVocab is the default MAEC vocabulary for the Malware Subject relationships in a Package, captured via the MalwareSubjectRelationshipType/Type element in the MAEC Package.
Starting with MAEC 4.1, this vocabulary should be used in place of the deprecated MalwareSubjectRelationshipTypeVocab-1.0.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MalwareSubjectRelationshipEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareSubjectRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Subjects.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration downloads
The 'downloads' value specifies that the Malware Subject downloads one or more other Malware Subject(s).
enumeration downloaded by
The 'downloaded by' value specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).
enumeration drops
The 'drops' value specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).
enumeration dropped by
The 'dropped by' value specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).
enumeration extracts
The 'extracts' value specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).
enumeration extracted from
The 'extracted from' value specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).
enumeration direct descendant of
The 'direct descendant of' value specifies that the current Malware Subject is a direct descendant (i.e. in terms of development lineage) of one or more other Malware Subject(s).
enumeration direct ancestor of
The 'direct ancestor of' value specifies that the current Malware Subject is a direct ancestor (i.e. in terms of development lineage) of one or more other Malware Subject(s).
enumeration memory image of
The 'memory image of' value specifies that the current Malware Subject represents a memory image associated with one or more other Malware Subject(s).
enumeration contained in memory image
The 'contained in memory image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent memory images.
enumeration disk image of
The 'disk image of' value specifies that the current Malware Subject represents a disk image associated with one or more other Malware Subject(s).
enumeration contained in disk image
The 'contained in disk image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent disk images.
enumeration network traffic capture of
The 'network traffic capture of' value specifies that the current Malware Subject represents captured network traffic associated with one or more other Malware Subject(s).
enumeration contained in network traffic capture
The 'contained in network traffic capture' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent captures of network traffic.
enumeration packed version of
The 'packed version of' value specifies that the current Malware Subject represents a packed version (in terms of executable binary packing) of one or more other Malware Subject(s).
enumeration unpacked version of
The 'unpacked version of' value specifies that the current Malware Subject represents an unpacked version (in terms of executable binary packing) of one or more other Malware Subject(s).
enumeration installs
The 'installs' value specifies that the current Malware Subject installs one or more other Malware Subject(s).
enumeration installed by
The 'installed by' value specifies that the current Malware Subject is installed by one or more other Malware Subject(s).
enumeration 64-bit version of
The '64-bit version of' value specifies that the current Malware Subject is a 64-bit version of one or more other Malware Subject(s).
enumeration 32-bit version of
The '32-bit version of' value specifies that the current Malware Subject is a 32-bit version of one or more other Malware Subject(s).
enumeration encrypted version of
The 'encrypted version of' value specifies that the current Malware Subject is an encrypted version of one or more other Malware Subject(s).
enumeration decrypted version of
The 'decrypted version of' value specifies that the current Malware Subject is a decrypted version of one or more other Malware Subject(s).
Complex Type maecVocabs:MalwareDevelopmentToolVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareDevelopmentToolVocab is the default MAEC vocabulary for the Type field in the CybOX ToolInformationType, as used in the Development_Environment/Tools/Tool field in the Malware Subject.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MalwareDevelopmentToolEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareDevelopmentToolEnum is a non-exhaustive enumeration of tools used in the development of malware.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration builder
The 'builder' value specifies a malware builder tool (commonly used to mass-produce malware) that was used to generate the malware instance.
enumeration compiler
The 'compiler' value specifies a compiler tool that was used to compile the code composing the malware instance.
enumeration linker
The 'linker' value specifies a linker tool that was used to link the object files associated with the malware instance.
enumeration packer
The 'packer' value specifies a packer tool that was used to shrink the size of the executable binary associated with the malware instance. Packers are also sometimes referred to as 'compressors'.
enumeration crypter
The 'crypter' value specifies a crypter tool that was used to encrypt the executable binary associated with the malware instance.
enumeration protector
The 'protector' value specifies a protector tool that was used to obfuscate the executable binary associated with the malware instance to make it more difficult to reverse engineer.
Complex Type maecVocabs:MalwareLabelVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareLabelVocab-1.0 is the default MAEC Vocabulary for common malware labels.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MalwareLabelEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareLabelEnum-1.0 is a non-exhaustive enumeration of common malware labels.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration adware
The 'adware' value specifies any software that is funded by advertising. Some adware may install itself in such a manner as to become difficult to remove, hiding components and disabling removal techniques. Adware may also gather sensitive user information from a system.
enumeration appender
The 'appender' value specifies a file-infecting virus that places its code at the end of the files it infects, adjusting the file's entry point to cause its code to be executed before that of the original file.
enumeration backdoor
The 'backdoor' value specifies a piece of software which, once running on a system, opens a communication vector to the outside so that the computer can be accessed remotely by an attacker.
enumeration boot sector virus
The 'boot sector virus' value specifies a virus that infects the master boot record of a storage device.
enumeration bot
The 'bot' value specifies a program which resides on an infected system, communicating with and forming part of a botnet. The bot may be implanted by a worm or trojan, which opens a backdoor. The bot then monitors the backdoor for further instructions.
enumeration clicker
The 'clicker' value specifies a trojan that makes a system visit a specific web page, often very frequently and usually with the aim of increasing the traffic recorded by the site and thus increasing revenue from advertising. Clickers may also be used to carry out DDoS attacks.
enumeration companion virus
The 'companion virus' value specifies a virus that takes the place of a particular file on a system instead of injecting code into it.
enumeration cavity filler
The 'cavity filler' value specifies a type of file-infecting virus which seeks out unused space within the files it infects, inserting its code into these gaps to avoid changing the size of the file and thus not alerting integrity-checking software to its presence.
enumeration data diddler
The 'data diddler' value specifies a type of malware that makes small, random changes to data, such as data in a spreadsheet, to render the data contained in a document inaccurate and in some cases worthless.
enumeration downloader
The 'downloader' value specifies a small trojan file programmed to download and execute other files, usually more complex malware.
enumeration dropper file
The 'dropper file' value specifies a type of Trojan that deposits an enclosed payload onto a destination host computer by loading itself into memory, extracting the malicious payload, and then writing it to the file system.
enumeration file infector virus
The 'file infector virus' value specifies a virus that infects a system by inserting itself somewhere in existing files; this is the "classic" form of virus.
enumeration fork bomb
The 'fork bomb' value specifies a very simple form of malware, a type of rabbit which simply launches more copies of itself. Once a fork bomb is executed, it will attempt to run several identical processes, which will do the same, the number growing exponentially until the system resources are overwhelmed by the number of identical processes running, which may in some cases bring the system down and cause a denial of service.
enumeration greyware
The 'greyware' value specifies software that, while not definitely malicious, has a suspicious or potentially unwanted aspect.
enumeration implant
The 'implant' value specifies code inserted into an existing program using a code patcher or other tool.
enumeration infector
The 'infector' value specifies a function of malware that alters target files for the purpose of persisting and hiding the injected malware.
enumeration keylogger
The 'keylogger' value specifies a type of program implanted on a system to monitor the keys pressed and thus record any sensitive data, such as passwords, entered by the user.
enumeration kleptographic worm
The 'kleptographic worm' value specifies a worm that encrypts information assets on compromised systems so they can only be decrypted by the worm's author, also known as an information-stealing worm.
enumeration macro virus
The 'macro virus' value specifies a virus that uses a macro language, for example in Microsoft Office documents.
enumeration malcode
The 'malcode' value is short for malicious code, also known as malware.
enumeration mass-mailer
The 'mass-mailer' value specifies a worm that uses email to propagate across the internet.
enumeration metamorphic virus
The 'metamorphic virus' value specifies a virus that changes its own code with each infection.
enumeration mid-infector
The 'mid-infector' value specifies a type of file-infecting virus which places its code in the middle of files it infects. It may move a section of the original code to the end of the file, or simply push the code aside to make space for its own code.
enumeration mobile code
The 'mobile code' value specifies 1. Code received from remote, possibly untrusted systems, but executed on a local system. 2. Software transferred between systems (e.g. across a network) and executed on a local system without explicit installation or execution by the recipient.
enumeration multipartite virus
The 'multipartite virus' value specifies malware that infects boot records, boot sectors, and files.
enumeration password stealer
The 'password stealer' value specifies a type of trojan designed to steal passwords, personal data and details, or other sensitive information from the infected system.
enumeration polymorphic virus
The 'polymorphic virus' value specifies a type of virus that encrypts its code differently with each infection, or generation of infections.
enumeration premium dialer/smser
The 'premium dialer/smser' value specifies a piece of malware whose primary aim is to dial or send SMS messages to premium rate numbers.
enumeration prepender
The 'prepender' value specifies a file-infecting virus which inserts code at the beginning of the files it infects.
enumeration ransomware
The 'ransomware' value specifies a type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files.
enumeration rat
The 'rat' value specifies a remote access trojan or RAT, which is a trojan horse capable of controlling a machine through commands issued by a remote attacker.
enumeration rogue anti-malware
The 'rogue anti-malware' value specifies a fake security product that demands money to clean phony infections.
enumeration rootkit
The 'rootkit' value generally refers to a method of hiding files or processes from normal methods of monitoring, and is often used by malware to conceal its presence and activities. Originally, the term applied to UNIX-based operating systems - a root kit was a collection of tools to enable a user to obtain root (administrator-level) access to a system and conceal any changes they might make. Such tools often included trojanized versions of standard monitoring software which would hide the root kit operators' activities. More recently the term has generally been applied to malware using stealth techniques. Rootkits can operate at a number of levels, from the application level - simply replacing or adjusting the settings of system software to prevent the display of certain information - through hooking certain functions or inserting modules or drivers into the operating system kernel, to the deeper level of firmware or virtualization root kits, which are activated before the operating system and thus even harder to detect while the system is running.
enumeration shellcode
The 'shellcode' value specifies 1. A small piece of code that activates a command-line interface to a system that can be used to disable security measures, open a backdoor, or download further malicious code. 2. A small piece of code that opens a system up for exploitation, sometimes but not necessarily involving a command-line shell.
enumeration spaghetti packer
The 'spaghetti packer' value specifies a packer that obfuscates programs by emitting "spaghetti" code with a complex and tangled control structure.
enumeration spyware
The 'spyware' value specifies software that gathers information and passes it to a third-party without adequate permission from the owner of the data. It may also be used in a wider sense, to include software that makes changes to a system or any of its component software, or which makes use of system resources without the full understanding and consent of the system owner.
enumeration trojan horse
The 'trojan horse' value specifies a piece of malicious code disguised as something inert or benign.
enumeration variant
The 'variant' value refers to the fact that types of malware can be subdivided into a number of families, or groups sharing many similarities, generally based on the same blocks of code and sharing similar behaviours. Within a family, a variant signifies a single individual item that is uniquely different from other members of the same family.
enumeration virus
The 'virus' value specifies 1. A self-replicating malicious program that requires human interaction to replicate. 2. A self-replicating program that runs and spreads by modifying other programs or files.
enumeration wabbit
The 'wabbit' value specifies a form of self-replicating malware that makes copies of itself on the local system. Unlike worms, rabbits do not attempt to spread across networks.
enumeration web bug
The 'web bug' value specifies a piece of code, generally a small file such as a tiny, transparent GIF image, which is used to track data on those viewing the page or mail in which it is hidden.
enumeration wiper
The 'wiper' value specifies a piece of malware whose primary aim is to delete files or entire disks on a machine.
enumeration worm
The 'worm' value specifies 1. A self-replicating malicious program that replicates using a network and does not require human interaction. 2. A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
enumeration zip bomb
The 'zip bomb' value specifies a file compressed into some archive format and that expands to an enormous size when uncompressed, often by looping over the extraction code until the system's resources are exhausted.
Complex Type maecVocabs:CapabilityObjectiveRelationshipTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CapabilityObjectiveRelationshipTypeVocab is the default MAEC vocabulary for relationships between Malware Capability Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:CapabilityObjectiveRelationshipEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CapabilityObjectiveRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Capability Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration child of
The 'child of' value indicates that the Objective is a child of the Objective being referenced.
enumeration parent of
The 'parent of' value indicates that the Objective is a parent of the Objective being referenced.
enumeration incorporates
The 'incorporates' value indicates that the Objective incorporates the Objective being referenced in a supporting or enabling role.
enumeration incorporated by
The 'incorporated by' value indicates that the Objective is incorporated in a supporting or enabling role by the Objective being referenced.
Complex Type maecVocabs:AntiBehavioralAnalysisPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisPropertiesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AntiBehavioralAnalysisPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisPropertiesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration targeted vm
The 'targeted vm' value refers to the name of a virtual machine (VM) targeted by the Anti-Behavioral Analysis Capability or one of its child Objectives.
enumeration targeted sandbox
The 'targeted sandbox' value refers to the name of a sandbox targeted by the Anti-Behavioral Analysis Capability or one of its child Objectives.
Complex Type maecVocabs:InfectionPropagationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationPropertiesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:InfectionPropagationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationPropertiesEnum-1.0 is an enumeration of Infection/Propagation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration scope
The 'scope' value refers to the scope of the infection or propagation performed by the malware instance via the Infection/Propagation Capability, i.e. whether it infects just the local machine or actively propagates to other machines as well.
enumeration infection targeting
The 'infection targeting' value refers to the type of targeting employed by the Infect Remote Machine Strategic Objective, i.e. whether the targeted machines are randomly selected, or chosen from some particular set.
enumeration autonomy
The 'autonomy' value refers to the type of autonomy employed by the Infect Remote Machine Strategic Objective, i.e. whether the remote infection is performed autonomously.
enumeration targeted file type
The 'targeted file type' value refers to the types of files targeted by the Infect File Strategic Objective.
enumeration targeted file architecture type
The 'targeted file architecture type' value refers to the type of file architecture targeted by the Infect File Strategic Objective.
enumeration file infection type
The 'file infection type' value refers to the type of file infection employed by the Infect File Strategic Objective.
Complex Type maecVocabs:DataTheftPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftPropertiesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DataTheftPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftPropertiesEnum-1.0 is an enumeration of Data Theft Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration targeted application
The 'targeted application' value refers to the name of an application targeted by the Steal Authentication Credentials Strategic Objective.
enumeration targeted website
The 'targeted website' value refers to the domain name of a website targeted by the Steal Web/Network Credential Tactical Objective.
Complex Type maecVocabs:CommandandControlPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlPropertiesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:CommandandControlPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlPropertiesEnum-1.0 is an enumeration of Command and Control Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration frequency
The 'frequency' value refers to a description of the frequency that the Receive Data from C2 Server and Send Data to C2 Server Strategic Objectives, as well as their child Tactical Objectives, are employed.
Complex Type maecVocabs:PrivilegeEscalationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationPropertiesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:PrivilegeEscalationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationPropertiesEnum-1.0 is an enumeration of Privilege Escalation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration user privilege escalation type
The 'user privilege escalation type' value refers to the type of user privilege escalation employed by the Escalate User Privilege Strategic Objective.
Complex Type maecVocabs:PersistencePropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistencePropertiesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:PersistencePropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistencePropertiesEnum-1.0 is an enumeration of Persistence Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration scope
The 'scope' value refers to the scope of persistence employed by the Persistence Capability, i.e. whether the malware instance makes itself persist, or whether it makes other malware components persist.
Complex Type maecVocabs:DestructionPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionPropertiesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DestructionPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionPropertiesEnum-1.0 is an enumeration of Destruction Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration erasure scope
The 'erasure scope' value refers to the scope of the erasure performed by the Erase Data Tactical Objective.
Complex Type maecVocabs:SecurityDegradationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationPropertiesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SecurityDegradationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationPropertiesEnum-1.0 is an enumeration of Security Degradation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration targeted program
The 'targeted program' value refers to the name of a program targeted by the Degrade Security Programs Strategic Objective or one of its child Tactical Objectives.
Complex Type maecVocabs:SecondaryOperationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationPropertiesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SecondaryOperationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationPropertiesEnum-1.0 is an enumeration of Secondary Operation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration trigger type
The 'trigger type' value refers to a description of the trigger used to wake or terminate the malware instance in the Lie Dormant or Suicide Exit Strategic Objectives, respectively.
Complex Type maecVocabs:MachineAccessControlPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlPropertiesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MachineAccessControlPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlPropertiesEnum-1.0 is an enumeration of Machine Access/Control Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration backdoor type
The 'backdoor type' value refers to the type of backdoor, e.g. reverse shell, employed by the Install Backdoor Strategic Objective.
Complex Type maecVocabs:DataExfiltrationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationPropertiesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DataExfiltrationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationPropertiesEnum-1.0 is an enumeration of Data Exfiltration Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration archive type
The 'archive type' value refers to the name of the file archive format used in the Stage Data for Exfiltration Strategic Objective and/or its Package Data Tactical Objective.
enumeration file type
The 'file type' value refers to the name of the file format used for storing data to be exfiltrated as part of the Data Exfiltration Capability or its child Objectives.
Complex Type maecVocabs:AvailabilityViolationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationPropertiesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AvailabilityViolationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationPropertiesEnum-1.0 is an enumeration of Availability Violation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration cryptocurrency type
The 'cryptocurrency type' value refers to the type of cryptocurrency targeted by the Mine for CryptoCurrency Strategic Objective.
Complex Type maecVocabs:CommonCapabilityPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommonCapabilityPropertiesVocab-1.0 is a MAEC Vocabulary of properties common to many Capabilities and their child Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:CommonCapabilityPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommonCapabilityPropertiesEnum-1.0 is an enumeration of properties common to many Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration encryption algorithm
The 'encryption algorithm' value refers to the name of the encryption algorithm used in the Capability or Objective.
enumeration protocol used
The 'protocol used' value refers to the name of the network protocol used in the Capability or Objective.
Complex Type maecVocabs:MalwareCapabilityVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareCapabilityVocab-1.0 is the default MAEC Vocabulary for Malware Capabilities.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MalwareCapabilityEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareCapabilityEnum-1.0 is an enumeration of Malware Capabilities.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration command and control
The 'command and control' (C2) Capability indicates that the malware instance is able to receive and execute remotely submitted commands.
enumeration remote machine manipulation
The 'remote machine manipulation' Capability indicates that the malware instance is able to manipulate or access other remote machines.
enumeration privilege escalation
The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes.
enumeration data theft
The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser.
enumeration spying
The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices).
enumeration secondary operation
The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives.
enumeration anti-detection
The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system.
enumeration anti-code analysis
The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult.
enumeration infection/propagation
The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system.  The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email).  This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself.
enumeration anti-behavioral analysis
The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.
enumeration integrity violation
The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system.
enumeration data exfiltration
The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data.
enumeration probing
The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives.
enumeration anti-removal
The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system.
enumeration security degradation
The 'security degradation' Capability indicates that the malware instance is able to bypass or disable security features and/or controls.
enumeration availability violation
The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system.
enumeration destruction
The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system.
enumeration fraud
The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system.
enumeration persistence
The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events.
enumeration machine access/control
The 'machine access/control' Capability indicates that the malware instance is able to provide the means to access or control the machine on which it is resident.
Complex Type maecVocabs:CommandandControlStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:CommandandControlStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlStrategicObjectivesEnum-1.0 is an enumeration of Command and Control Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration determine c2 server
The 'determine c2 server' value indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate.
enumeration receive data from c2 server
The 'control behavior' value indicates that the malware instance is able to control its behavior through some external stimulus (e.g., a remotely submitted command).
enumeration send data to c2 server
The 'send data to c2 server' value indicates that the malware instance is able to send some data to a command and control server.
Complex Type maecVocabs:CommandandControlTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:CommandandControlTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlTacticalObjectivesEnum-1.0 is an enumeration of Command and Control Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration check for payload
The 'check for payload' value indicates that the malware instance is able to query a command and control server to check whether a new malicious payload is available for download.
enumeration validate data
The 'validate data' value indicates that the malware instance is able to validate the integrity of the data it receives from a command and control server.
enumeration control malware via remote command
The 'control malware via remote command' value indicates that the malware instance is able to execute commands issued to it from a remote source such as a command and control server, for the purpose of controlling its behavior.
enumeration send system information
The 'send system information' value indicates that the malware instance is able to send data regarding the system on which it is executing to a command and control server.
enumeration send heartbeat data
The 'send heartbeat data' value indicates that the malware instance is able to send heartbeat data to a command and control server, indicating that it is still active on the host system and able to communicate.
enumeration generate c2 domain name(s)
The 'generate c2 domain name(s)' value indicates that the malware instance is able to generate the domain name of the command and control server to which it connects.
enumeration update configuration
The 'update configuration' value indicates that the malware instance is able to update its configuration using data received from a command and control server.
Complex Type maecVocabs:RemoteMachineManipulationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RemoteMachineManipulationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Remote Machine Manipulation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:RemoteMachineManipulationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RemoteMachineManipulationStrategicObjectivesEnum-1.0 is an enumeration of Remote Machine Manipulation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration access remote machine
The 'access remote machine' value indicates that the malware instance is able to access a remote machine.
enumeration search for remote machines
The 'search for remote machines' value indicates that the malware instance is able to search for remote machines to target.
Complex Type maecVocabs:RemoteMachineManipulationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RemoteMachineManipulationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Remote Machine Manipulation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:RemoteMachineManipulationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RemoteMachineManipulationTacticalObjectivesEnum-1.0 is an enumeration of Remote Machine Manipulation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration compromise remote machine
The 'compromise remote machine' value indicates that the malware instance is able to gain control of a remote machine through compromise.
Complex Type maecVocabs:PrivilegeEscalationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:PrivilegeEscalationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationStrategicObjectivesEnum-1.0 is an enumeration of Privilege Escalation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration impersonate user
The 'impersonate user' value indicates that the malware instance is able to impersonate another user to operate within a different security context (also known as horizontal privilege escalation).
enumeration escalate user privilege
The 'escalate user privilege' value indicates that the malware instance is able to obtain a higher level of access than intended by the system (also known as vertical privilege escalation).
Complex Type maecVocabs:PrivilegeEscalationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:PrivilegeEscalationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationTacticalObjectivesEnum-1.0 is an enumeration of Privilege Escalation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration elevate cpu mode
The 'elevate cpu mode' value indicates that the malware instance is able to elevate the CPU (processor) mode under which it executes.
Complex Type maecVocabs:DataTheftStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DataTheftStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftStrategicObjectivesEnum-1.0 is an enumeration of Data Theft Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration steal stored information
The 'steal stored information' value indicates that the malware instance is able to steal information stored on a system (e.g., files).
enumeration steal user data
The 'steal user data' value indicates that the malware instance is able to steal user data (e.g., email).
enumeration steal system information
The 'steal system information' value indicates that the malware instance is able to steal information about a system (e.g., network address data).
enumeration steal authentication credentials
The 'steal authentication credentials' value indicates that the malware instance is able to steal authentication credentials.
Complex Type maecVocabs:DataTheftTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DataTheftTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftTacticalObjectivesEnum-1.0 is an enumeration of Data Theft Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration steal dialed phone numbers
The 'steal dialed phone numbers' value indicates that the malware instance is able to steal the list of phone numbers that a user has dialed.
enumeration steal email data
The 'steal email data' value indicates that the malware instance is able to steal a user's email data.
enumeration steal referrer urls
The 'steal referrer urls' value indicates that the malware instance is able to steal HTTP referrer information (URL of the webpage that linked to the resource being requested).
enumeration steal cryptocurrency data
The 'steal cryptocurrency data' value indicates that the malware instance is able to steal cryptocurrency data (e.g., Bitcoin wallets).
enumeration steal pki software certificate
The 'steal pki software certificate' value indicates that the malware instance is able to steal one or more public key infrastructure (PKI) software certificates.
enumeration steal browser cache
The 'steal browser cache' value indicates that the malware instance is able to steal a user's browser cache.
enumeration steal serial numbers
The 'steal serial numbers' value indicates that the malware instance is able to steal serial numbers stored on a system.
enumeration steal sms database
The 'steal sms database' value indicates that the malware instance is able to steal a user's short message service (SMS) (text messaging) database.
enumeration steal cookie
The 'steal cookie' value indicates that the malware instance is able to steal cookies.
enumeration steal password hash
The 'steal password hash' value indicates that the malware instance is able to steal password hashes.
enumeration steal make/model
The 'steal make/model' value indicates that the malware instance is able to steal the information on the make and/or model of a system.
enumeration steal documents
The 'steal documents' value indicates that the malware instance is able to steal document files stored on a system.
enumeration steal network address
The 'steal network address' value indicates that the malware instance is able to steal information about the network addresses used by a system.
enumeration steal open port
The 'steal open port' value indicates that the malware instance is able to steal information about the open ports on a system.
enumeration steal images
The 'steal images' value indicates that the malware instance is able to steal image files stored on a system.
enumeration steal browser history
The 'steal browser history' value indicates that the malware instance is able to steal a user's browser history.
enumeration steal web/network credential
The 'steal web/network credential' value indicates that the malware instance is able to steal usernames, passwords, or other forms of network credentials.
enumeration steal pki key
The 'steal pki key' value indicates that the malware instance is able to steal one or more public key infrastructure (PKI) keys.
enumeration steal contact list data
The 'steal contact list data' value indicates that the malware instance is able to steal a user's contact list.
enumeration steal database content
The 'steal database content' value indicates that the malware instance is able to steal database content.
Complex Type maecVocabs:SpyingStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SpyingStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Spying Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SpyingStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SpyingStrategicObjectivesEnum-1.0 is an enumeration of Spying Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration capture system input peripheral data
The 'capture system input peripheral data' value indicates that the malware instance is able to capture data from a system's input peripheral devices.
enumeration capture system state data
The 'capture system state data' value indicates that the malware instance is able to capture information about a system's state (e.g., from its RAM).
enumeration capture system interface data
The 'capture system interface data' value indicates that the malware instance is able to capture data from a system's interfaces.
enumeration capture system output peripheral data
The 'capture system output peripheral data' value indicates that the malware instance is able to capture data sent to a system's output peripheral devices.
Complex Type maecVocabs:SpyingTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SpyingTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Spying Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SpyingTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SpyingTacticalObjectivesEnum-1.0 is an enumeration of Spying Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration capture system screenshot
The 'capture system screenshot' value indicates that the malware instance is able to capture images of what is currently being displayed on a system's screen, either locally or remotely via a remote desktop protocol.
enumeration capture camera input
The 'capture camera input' value indicates that the malware instance is able to capture data from a system's camera.
enumeration capture file system
The 'capture file system' value indicates that the malware instance is able to capture data from a system's file system.
enumeration capture printer output
The 'capture printer output' value indicates that the malware instance is able to capture data sent to a system's printer.
enumeration capture gps data
The 'capture gps data' value indicates that the malware instance is able to capture system GPS data.
enumeration capture keyboard input
The 'capture keyboard input' value indicates that the malware instance is able to capture data from a system's keyboard.
enumeration capture mouse input
The 'capture mouse input' value indicates that the malware instance is able to capture data from a system's mouse.
enumeration capture microphone input
The 'capture microphone input' value indicates that the malware instance is able to capture data from a system's microphone.
enumeration capture system network traffic
The 'capture system network traffic' value indicates that the malware instance is able to capture system network traffic.
enumeration capture touchscreen input
The 'capture touchscreen input' value indicates that the malware instance is able to capture data from a system's touchscreen.
enumeration capture system memory
The 'capture system memory' value indicates that the malware instance is able to capture data from a system's RAM.
Complex Type maecVocabs:SecondaryOperationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SecondaryOperationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationStrategicObjectivesEnum-1.0 is an enumeration of Secondary Operation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration patch operating system file(s)
The 'patch operating system file(s)' value indicates that the malware instance is able to patch or modify the critical system files of the operating system under which it executes.
enumeration remove traces of infection
The 'remove traces of infection' value indicates that the malware instance is able to remove traces of its infection of a system.
enumeration log activity
The 'log activity' value indicates that the malware instance is able to log its own activity.
enumeration lay dormant
The 'lay dormant' value indicates that the malware instance is able to lie dormant on a system for some period of time.
enumeration install other components
The 'install other components' value indicates that the malware instance is able to install additional components.  This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools.
enumeration suicide exit
The 'suicide exit' value indicates that the malware instance is able to terminate itself based on some condition or value.
Complex Type maecVocabs:SecondaryOperationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SecondaryOperationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationTacticalObjectivesEnum-1.0 is an enumeration of Secondary Operation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration install secondary module
The 'install secondary module' value indicates that the malware instance is able to install a secondary module (typically related to itself).
enumeration install secondary malware
The 'install secondary malware' value indicates that the malware instance is able to install another malware instance.
enumeration install legitimate software
The 'install legitimate software' value indicates that the malware instance is able to install legitimate software.
enumeration remove self
The 'remove self' value indicates that the malware instance is able to remove itself from the system.
enumeration remove system artifacts
The 'remove system artifacts' value indicates that the malware instance is able to remove its artifacts from a system.
Complex Type maecVocabs:AntiDetectionStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiDetectionStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Detection Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AntiDetectionStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiDetectionStrategicObjectivesEnum-1.0 is an enumeration of Anti-Detection Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration security software evasion
The 'security software evasion' value indicates that the malware instance is able to evade security software (e.g., anti-virus tools).
enumeration hide executing code
The 'hide executing code' value indicates that the malware instance is able to hide its executing code.
enumeration self-modification
The 'self-modification' value indicates that the malware instance is able to modify itself.
enumeration anti-memory forensics
The 'anti-memory forensics' value indicates that the malware instance is able to prevent memory forensics or make it more difficult.
enumeration hide non-executing code
The 'hide non-executing code' value indicates that the malware instance is able to hide its non-executing code.
enumeration hide malware artifacts
The 'hide malware artifacts' value indicates that the malware instance is able to hide its artifacts.
Complex Type maecVocabs:AntiDetectionTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiDetectionTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Detection Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AntiDetectionTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiDetectionTacticalObjectivesEnum-1.0 is an enumeration of Anti-Detection Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration hide open network ports
The 'hide open network ports' value indicates that the malware instance is able to hide its open network ports.
enumeration execute before/external to kernel/hypervisor
The 'execute before/external to kernel/hypervisor' value indicates that the malware instance is able to execute some or all of its code before or external to the system's kernel or hypervisor (e.g., through the BIOS).
enumeration encrypt self
The 'encrypt self' value indicates that the malware is able to encrypt itself.
enumeration hide processes
The 'hide processes' value indicates that the malware instance is able to hide its processes.
enumeration hide network traffic
The 'hide network traffic' value indicates that the malware instance is able to hide its network traffic.
enumeration change/add content
The 'change/add content' value indicates that the malware instance is able to change or add to its content.
enumeration execute stealthy code
The 'execute stealthy code' value indicates that the malware instance is able to execute some or all of its code in a hidden manner (e.g., by injecting it into a benign process).
enumeration hide registry artifacts
The 'hide registry artifacts' value indicates that the malware instance is able to hide its Windows registry artifacts.
enumeration hide userspace libraries
The 'hide userspace libraries' value indicates that the malware instance is able to hide its usage of userspace libraries.
enumeration hide arbitrary virtual memory
The 'hide arbitrary virtual memory' value indicates that the malware instance is able to hide arbitrary virtual memory to prevent retrieval.
enumeration execute non-main cpu code
The 'execute non-main cpu code' value indicates that the malware instance is able to execute some or all of its code on a secondary, non-CPU processor (e.g., a GPU).
enumeration feed misinformation during physical memory acquisition
The 'feed misinformation during physical memory acquisition' value indicates that the malware instance is able to report inaccurate data when the content of physical memory is retrieved.
enumeration prevent physical memory acquisition
The 'prevent physical memory acquisition' value indicates that the malware instance is able to prevent the contents of a system's physical memory from being retrieved.
enumeration prevent native api hooking
The 'prevent native api hooking' value indicates that the malware instance is able to prevent other software from hooking native APIs.
enumeration obfuscate artifact properties
The 'obfuscate artifact properties' value indicates that the malware instance is able to hide the properties of its artifacts (e.g., by altering timestamps).
enumeration hide kernel modules
The 'hide kernel modules' value indicates that the malware instance is able to hide its usage of kernel modules.
enumeration hide code in file
The 'hide code in file' value indicates that the malware instance is able to hide its code in a file.
enumeration hide services
The 'hide services' value indicates that the malware instance is able to hide any system services it creates or injects itself into.
enumeration hide file system artifacts
The 'hide file system artifacts' value indicates that the malware instance is able to hide its file system artifacts.
enumeration hide threads
The 'hide threads' value indicates that the malware instance is able to hide its threads.
Complex Type maecVocabs:AntiCodeAnalysisStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiCodeAnalysisStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Code Analysis Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AntiCodeAnalysisStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiCodeAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Code Analysis Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration anti-debugging
The 'anti-debugging' value indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult.
enumeration code obfuscation
The 'code obfuscation' value indicates that the malware instance is able to obfuscate its code.
enumeration anti-disassembly
The 'anti-disassembly' value indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult.
Complex Type maecVocabs:AntiCodeAnalysisTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiCodeAnalysisTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Code Analysis Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AntiCodeAnalysisTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiCodeAnalysisTacticalObjectivesEnum-1.0 is an enumeration of Anti-Code Analysis Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration transform control flow
The 'transform control flow' value indicates that the malware instance is able to transform its control flow.
enumeration restructure arrays
The 'restructure arrays' value indicates that the malware instance is able to restructure its arrays, making disassembly more difficult.
enumeration detect debugging
The 'detect debugging' value indicates that the malware instance is able to detect its execution in a debugger.
enumeration prevent debugging
The 'prevent debugging' value indicates that the malware instance is able to prevent its execution in a debugger.
enumeration defeat flow-oriented (recursive traversal) disassembler
The 'defeat flow-oriented disassembler' value indicates that the malware instance is able to defeat its disassembly in a flow-oriented (recursive traversal) disassembler.
enumeration defeat linear disassembler
The 'defeat linear disassembler' value indicates that the malware instance is able to prevent its disassembly in a linear disassembler.
enumeration obfuscate instructions
The 'obfuscate instructions' value indicates that the malware instance obfuscates its instructions.
enumeration obfuscate imports
The 'obfuscate imports' value indicates that the malware instance is able to obfuscate its import table, making disassembly more difficult.
enumeration defeat call graph generation
The 'defeat call graph generation' value indicates that the malware instance is able to defeat accurate call graph generation during disassembly.
enumeration obfuscate runtime code
The 'obfuscate runtime code' value indicates that the malware instance is able to obfuscate its runtime code.
Complex Type maecVocabs:InfectionPropagationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:InfectionPropagationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationStrategicObjectivesEnum-1.0 is an enumeration of Infection/Propagation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration prevent duplicate infection
The 'prevent duplicate infection' value indicates that the malware instance is able to prevent itself from infecting a machine multiple times.
enumeration infect file
The 'infect file' value denotes that the malware instance is able to infect a file.
enumeration infect remote machine
The 'infect remote machine' value indicates that the malware instance is able to self-propagate or infect a machine with malware that is different than itself.
Complex Type maecVocabs:InfectionPropagationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:InfectionPropagationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationTacticalObjectivesEnum-1.0 is an enumeration of Infection/Propagation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration identify file
The 'identify file' value indicates that the malware instance is able to identify a file or files on a local, removable, and/or network drive for infection.
enumeration perform autonomous remote infection
The 'perform autonomous remote infection' value indicates that the malware instance is able to infect a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure call vulnerability).
enumeration identify target machine(s)
The 'identify target machine(s)' value indicates that the malware instance is able to identify one or more machines to be targeted for infection via some remote means (e.g., via email or the network).
enumeration perform social-engineering based remote infection
The 'perform social-engineering based remote infection' value indicates that the malware instance is able to infect remote machines via some method that involves social engineering (e.g., sending an email with a malicious attachment).
enumeration inventory victims
The 'inventory victims' value indicates that the malware instance is able to keep an inventory of the victims that it remotely infects.
enumeration write code into file
The 'write code into file' value indicates that the malware instance is able to write code into a file.
enumeration modify file
The 'modify file' value indicates that the malware instance is able to modify a file in some other manner than writing code to it, such as packing it (in terms of binary executable packing).
Complex Type maecVocabs:AntiBehavioralAnalysisStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AntiBehavioralAnalysisStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration anti-vm
The 'anti-vm' value indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult.
enumeration anti-sandbox
The 'anti-sandbox' value specifies that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult.
Complex Type maecVocabs:AntiBehavioralAnalysisTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AntiBehavioralAnalysisTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisTacticalObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration detect vm environment
The 'detect vm environment' value indicates that the malware instance is able to detect whether it is being executed in a virtual machine (VM).
enumeration overload sandbox
The 'overload sandbox' value indicates that the malware instance is able to overload a sandbox (e.g., by generating a flood of meaningless behavioral data).
enumeration prevent execution in sandbox
The 'prevent execution in sandbox' value indicates that the malware instance is able to prevent its execution in a sandbox.
enumeration detect sandbox environment
The 'detect sandbox environment' value indicates that the malware instance is able to detect whether it is being executed in a sandbox environment.
enumeration prevent execution in vm
The 'prevent execution in vm' value indicates that the malware instance is able to prevent its execution in a virtual machine (VM).
Complex Type maecVocabs:IntegrityViolationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IntegrityViolationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Integrity Violation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:IntegrityViolationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IntegrityViolationStrategicObjectivesEnum-1.0 is an enumeration of Integrity Violation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration compromise system operational integrity
The 'compromise system operational integrity' value indicates that the malware instance is able to compromise the operational integrity of a system.
enumeration compromise user data integrity
The 'compromise user data integrity' value indicates that the malware instance is able to compromise a system's user data.
enumeration annoy user
The 'annoy user' value indicates that the malware instance is able to annoy the users of a system.
enumeration compromise network operational integrity
The 'compromise network operational integrity' value indicates that the malware instance is able to compromise the operational integrity of a network.
enumeration compromise system data integrity
The 'compromise system data integrity' value indicates that the malware instance is able to compromise the integrity of a system's data.
Complex Type maecVocabs:IntegrityViolationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IntegrityViolationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Integrity Violation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:IntegrityViolationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IntegrityViolationTacticalObjectivesEnum-1.0 is an enumeration of Integrity Violation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration subvert system
The 'subvert system' value indicates that the malware instance is able to subvert a system to perform beyond its operational boundaries or to perform tasks for which it was not originally intended.
enumeration corrupt system data
The 'corrupt system data' value indicates that the malware instance is able to corrupt a system's data.
enumeration annoy local system user
The 'annoy local system user' value indicates that the malware instance is able to annoy local system users.
enumeration intercept/manipulate network traffic
The 'intercept/manipulate network traffic' value indicates that the malware is able to intercept and/or manipulate traffic on a network.
enumeration annoy remote user
The 'annoy remote user' value indicates that the malware instance is able to annoy a remote user.
enumeration corrupt user data
The 'corrupt user data' value indicates that the malware instance is able to corrupt a system's user data.
Complex Type maecVocabs:DataExfiltrationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DataExfiltrationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationStrategicObjectivesEnum-1.0 is an enumeration of Data Exfiltration Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration perform data exfiltration
The 'perform data exfiltration' value indicates that the malware instance is able to perform data exfiltration via some physical or virtual means.
enumeration obfuscate data for exfiltration
The 'obfuscate data for exfiltration' value indicates that the malware is able to obfuscate data that will be exfiltrated.
enumeration stage data for exfiltration
The 'stage data for exfiltration' value indicates that the malware instance is able to gather and prepare data for exfiltration.
Complex Type maecVocabs:DataExfiltrationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DataExfiltrationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationTacticalObjectivesEnum-1.0 is an enumeration of Data Exfiltration Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration exfiltrate via covert channel
The 'exfiltrate via covert channel' value indicates that the malware instance is able to exfiltrate data using a covert channel.
enumeration exfiltrate via fax
The 'exfiltrate via fax' value indicates that the malware instance is able to exfiltrate data using a fax system.
enumeration exfiltrate via physical media
The 'exfiltrate via physical media' value indicates that the malware instance is able to exfiltrate data using physical media (e.g., a USB drive).
enumeration encrypt data
The 'encrypt data' value indicates that the malware instance is able to encrypt data that will be exfiltrated.
enumeration exfiltrate via network
The 'exfiltrate via network' value indicates that the malware instance is able to exfiltrate data across the network.
enumeration hide data
The 'hide data in other formats' value indicates that the malware instance is able to hide data that will be exfiltrated in other formats (also known as steganography).
enumeration package data
The 'package data' value indicates that the malware instance is able to package data for exfiltration.
enumeration exfiltrate via dumpster dive
The 'exfiltrate via dumpster dive' value indicates that the malware instance is able to exfiltrate data via dumpster dive (i.e., encoded data printed by malware is viewed as garbage and thrown away to then be physically picked up).
enumeration move data to staging server
The 'move data to staging server' value indicates that the malware instance is able to move data to be exfiltrated to a particular server to prepare for exfiltration.
enumeration exfiltrate via voip/phone
The 'exfiltrate via VoIP/phone' value indicates that the malware instance is able to exfiltrate data (encoded as audio) using a phone system.
Complex Type maecVocabs:AntiRemovalStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiRemovalStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Removal Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AntiRemovalStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiRemovalStrategicObjectivesEnum-1.0 is an enumeration of Anti-Removal Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration prevent malware artifact access
The 'prevent malware artifact access' value indicates that the malware instance is able to prevent its artifacts from being accessed.
enumeration prevent malware artifact deletion
The 'prevent malware artifact deletion' value indicates that the malware instance is able to prevent its artifacts from being deleted from a system.
Complex Type maecVocabs:AntiRemovalTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiRemovalTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Removal Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AntiRemovalTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiRemovalTacticalObjectivesEnum-1.0 is an enumeration of Anti-Removal Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration prevent registry deletion
The 'prevent registry deletion' value indicates that the malware instance is able to prevent its Windows registry entries from being deleted from a system.
enumeration prevent api unhooking
The 'prevent api unhooking' value indicates that the malware instance is able to prevent its API hooks from being removed.
enumeration prevent file access
The 'prevent file access' value indicates that the malware instance is able to prevent access to the file system.
enumeration prevent memory access
The 'prevent memory access' value indicates that the malware instance is able to prevent access to system memory where it may be storing code or data.
enumeration prevent registry access
The 'prevent registry access' value indicates that the malware instance is able to prevent access to the Windows registry.
enumeration prevent file deletion
The 'prevent file deletion' value indicates that the malware instance is able to prevent its files from being deleted from a system.
Complex Type maecVocabs:SecurityDegradationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SecurityDegradationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationStrategicObjectivesEnum-1.0 is an enumeration of Security Degradation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration disable service provider security features
The 'disable service provider security features' value indicates that the malware instance is able to bypass or disable third-party security features that would otherwise identify or notify users of its presence.
enumeration degrade security programs
The 'degrade security programs' value indicates that the malware instance is able to degrade security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters.
enumeration disable system updates
The 'disable system updates' value indicates that the malware instance is able to disable the downloading and installation of system updates.
enumeration disable os security features
The 'disable os security features' value indicates that the malware instance is able to bypass inherent operating system security mechanisms that typically involve elevated privileges.
enumeration disable [host-based or os] access controls
The 'disable access controls' value indicates that the malware instance is able to bypass access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files.
Complex Type maecVocabs:SecurityDegradationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:SecurityDegradationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationTacticalObjectivesEnum-1.0 is an enumeration of Security Degradation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration stop execution of security program
The 'stop execution of security program' value indicates that the malware instance is able to stop one or more security programs that may already be executing on a system.
enumeration disable firewall
The 'disable firewall' value indicates that the malware instance is able to evade or disable the host-based firewall or otherwise prevent the blocking of network communications.
enumeration disable access right checking
The 'disable access right checking' value indicates that the malware instance is able to bypass, disable, or modify the access tokens or access control lists, thereby enabling the malware to read, write, or execute a file with one or more of these controls set.
enumeration disable kernel patching protection
The 'disable kernel patch protection' value indicates that the malware instance is able to bypass or disable PatchGuard; thus it is capable of operating at the same level as the kernel and kernel mode drivers (KMD).
enumeration prevent access to security websites
The 'prevent access to security websites' value indicates that the malware instance is able to prevent access from a system to one or more security vendor or security-related websites.
enumeration remove sms warning messages
The 'remove sms warning messages' value indicates that the malware instance is able to capture the message body of incoming SMS messages and abort the broadcasting of a message that meets certain criteria.
enumeration modify security program configuration
The 'modify security program configuration' value indicates that the malware instance is able to modify the configuration of one or more security programs running on a system in order to hamper their usefulness and ability to detect the malware instance.
enumeration prevent security program from running
The 'prevent security program from running' value indicates that the malware instance is able to prevent one or more security programs from running on a system.
enumeration disable system update services/daemons
The 'disable system update services/daemons' value indicates that the malware instance is able to disable system update services or daemons that may be running on a system.
enumeration disable system service pack/patch installation
The 'disable system service pack/patch installation' value indicates that the malware instance is able to disable the system's ability to install service packs or patches.
enumeration disable system file overwrite protection
The 'disable system file overwrite protection' value indicates that the malware instance is able to bypass or disable the Windows file protection feature, thus enabling system files to be modified or replaced.
enumeration disable privilege limiting
The 'disable privilege limiting' value indicates that the malware instance is able to bypass controls that limit the privileges that can be granted to a user or entity.
enumeration gather security product info
The 'gather security product info' value indicates that the malware instance is able to gather information about the security products installed or running on a system.
enumeration disable os security alerts
The 'disable os security alerts' value indicates that the malware instance is able to evade or disable identification and/or notification of its presence by inherent features of the operating system.
enumeration disable user account control
The 'disable user account control' value indicates that the malware instance is able to bypass or disable user account control (UAC), thus enabling a user to run an application with elevated privileges.
Complex Type maecVocabs:AvailabilityViolationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AvailabilityViolationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationStrategicObjectivesEnum-1.0 is an enumeration of Availability Violation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration compromise data availability
The 'compromise data availability' value indicates that the malware instance is able to compromise the availability of data on a system.
enumeration compromise system availability
The 'compromise system availability' value indicates that the malware instance compromises the availability of the system.
enumeration consume system resources
The 'consume system resources' value indicates that the malware instance is able to consume system resources for its own purposes.
Complex Type maecVocabs:AvailabilityViolationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:AvailabilityViolationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationTacticalObjectivesEnum-1.0 is an enumeration of Availability Violation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration denial of service
The 'denial of service' value indicates that the malware instance is able to cause a server to be unavailable, otherwise known as a denial of service (DoS).
enumeration compromise local system availability
The 'compromise local system availability' value indicates that the malware instance is able to cause the local system to be unavailable.
enumeration crack passwords
The 'crack passwords' value indicates that the malware instance is able to consume system resources for password cracking.
enumeration mine for cryptocurrency
The 'mine for cryptocurrency' value indicates that the malware instance is able to consume system resources for cryptocurrency mining.
enumeration compromise access to information assets
The 'compromise access to information assets' value indicates that the malware instance is able to prevent data from being accessed (e.g., by encrypting user data on a compromised system).
Complex Type maecVocabs:DestructionStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability Strategic Objectives.
Diagram
Diagram
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DestructionStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionStrategicObjectivesEnum-1.0 is an enumeration of Destruction Capability Strategic Objectives.
Type restriction of xs:string
Facets
enumeration destroy physical entity
The 'destroy physical entity' value indicates that the malware instance is able to destroy a physical entity.
enumeration destroy virtual entity
The 'destroy virtual entity' value indicates that the malware instance is able to destroy a virtual entity.
Complex Type maecVocabs:DestructionTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability Tactical Objectives.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:DestructionTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionTacticalObjectivesEnum-1.0 is an enumeration of Destruction Capability Tactical Objectives.
Type restriction of xs:string
Facets
enumeration erase data
The 'erase data' value indicates that the malware instance is able to destroy data by erasure.
enumeration destroy firmware
The 'destroy firmware' value indicates that the malware instance is able to destroy a system's firmware.
enumeration destroy hardware
The 'destroy hardware' value indicates that the malware instance is able to destroy a system's hardware.
Complex Type maecVocabs:FraudStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FraudStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Fraud Capability Strategic Objectives.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:FraudStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FraudStrategicObjectivesEnum-1.0 is an enumeration of Fraud Capability Strategic Objectives.
Type restriction of xs:string
Facets
enumeration perform premium rate fraud
The 'perform premium rate fraud' value indicates that the malware instance is able to send text messages or dial phone numbers that are charged at premium rates.
enumeration perform click fraud
The 'perform click fraud' value indicates that the malware instance is able to simulate clicks on website advertisements for the purpose of revenue generation.
Complex Type maecVocabs:FraudTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FraudTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Fraud Capability Tactical Objectives.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:FraudTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FraudTacticalObjectivesEnum-1.0 is an enumeration of Fraud Capability Tactical Objectives.
Type restriction of xs:string
Facets
enumeration access premium service
The 'access premium service' value indicates that the malware instance is able to access a premium service.
Complex Type maecVocabs:PersistenceStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistenceStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability Strategic Objectives.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:PersistenceStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistenceStrategicObjectivesEnum-1.0 is an enumeration of Persistence Capability Strategic Objectives.
Type restriction of xs:string
Facets
enumeration persist to re-infect system
The 'persist to re-infect system' value indicates that the malware instance is able to re-infect a system after some of its components have been removed.
enumeration gather information for improvement
The 'gather information for improvement' value indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected.
enumeration ensure compatibility
The 'ensure compatibility' value indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing.
enumeration persist to continuously execute on system
The 'persist to continuously execute on system' value indicates that the malware instance is able to continue to execute on a system after significant system events (e.g., after a reboot).
Complex Type maecVocabs:PersistenceTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistenceTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability Tactical Objectives.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:PersistenceTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistenceTacticalObjectivesEnum-1.0 is an enumeration of Persistence Capability Tactical Objectives.
Type restriction of xs:string
Facets
enumeration reinstantiate self after initial detection
The 'reinstantiate self after initial detection' value indicates that the malware instance is able to re-establish itself on the system after it is initially detected.
enumeration limit application type/version
The 'limit application type/version' value indicates that the malware instance is able to limit the type or version of an application that runs on a system in order to ensure that it is able to continue executing.
enumeration persist after os install/reinstall
The 'persist after os install/reinstall' value indicates that the malware instance is able to continue to execute after the operating system is installed or reinstalled.
enumeration drop/retrieve debug log file
The 'drop/retrieve debug log file' value indicates that the malware instance is able to generate and retrieve a log file of errors associated with the malware.
enumeration persist independent of hard disk/os changes
The 'persist independent of hard disk/os changes' value indicates that the malware instance is able to continue to execute after changes to the hard disk or the operating system have been made.
enumeration persist after system reboot
The 'persist after system reboot' value indicates that the malware instance is able to continue to execute after a system reboot.
Complex Type maecVocabs:MachineAccessControlStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability Strategic Objectives.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MachineAccessControlStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlStrategicObjectivesEnum-1.0 is an enumeration of Machine Access/Control Capability Strategic Objectives.
Type restriction of xs:string
Facets
enumeration control local machine
The 'control local machine' value indicates that the malware instance is able to control the machine on which it is resident. Examples of malware with this capability include bots, backdoors, and RATs.
enumeration install backdoor
The 'install backdoor' value indicates that the malware instance is able to install a backdoor, capable of providing covert remote access to the machine on which it is resident.
Complex Type maecVocabs:MachineAccessControlTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability Tactical Objectives.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:MachineAccessControlTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlTacticalObjectivesEnum-1.0 is an enumeration of Machine Access/Control Capability Tactical Objectives.
Type restriction of xs:string
Facets
enumeration control machine via remote command
The 'control machine via remote command' value indicates that the malware instance is able to execute commands issued to it from a remote source, for the purpose of controlling the machine on which it is resident.
Complex Type maecVocabs:ProbingStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProbingStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Probing Capability Strategic Objectives.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:ProbingStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProbingStrategicObjectivesEnum-1.0 is an enumeration of Probing Capability Strategic Objectives.
Type restriction of xs:string
Facets
enumeration probe host configuration
The 'probe host configuration' value indicates that the malware instance is able to probe the configuration of the host system on which it executes.
enumeration probe network environment
The 'probe network environment' value indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy.
Complex Type maecVocabs:ProbingTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProbingTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Probing Capability Tactical Objectives.
Type restriction of cyboxCommon:ControlledVocabularyStringType
Simple Type maecVocabs:ProbingTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProbingTacticalObjectivesEnum-1.0 is an enumeration of Probing Capability Tactical Objectives.
Type restriction of xs:string
Facets
enumeration identify os
The 'identify os' value indicates that the malware instance is able to identify the operating system under which it executes.
enumeration check for proxy
The 'check for proxy' value indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software proxy.
enumeration check for firewall
The 'check for firewall' value indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software firewall.
enumeration check for network drives
The 'check for network drives' value indicates that the malware instance is able to check for network drives that may be present in the network environment.
enumeration map local network
The 'map local network' value indicates that the malware instance is able to map the layout of the local network environment in which it executes.
enumeration inventory system applications
The 'inventory system applications' value indicates that the malware instance is able to inventory the applications installed on the system on which it executes.
enumeration check language
The 'check language' value indicates that the malware instance is able to check the language of the host system on which it executes.
enumeration check for internet connectivity
The 'check for internet connectivity' value indicates that the malware instance is able to check whether the network environment in which it executes is connected to the internet.