Showing:

Annotations
Attributes
Diagrams
Facets
Source
Used by
Imported schema maec_default_vocabularies.xsd
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
This schema was originally developed by The MITRE Corporation. The MAEC XML Schema implementation is maintained by The MITRE Corporation and developed by the open MAEC Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the MAEC website at http://maec.mitre.org.
Simple Type maecVocabs:MalwareCapabilityEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareCapabilityEnum-1.0 is an enumeration of Malware Capabilities.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration command and control
The 'command and control' (C2) Capability indicates that the malware instance is able to receive and execute remotely submitted commands.
enumeration remote machine manipulation
The 'remote machine manipulation' Capability indicates that the malware instance is able to manipulate or access other remote machines.
enumeration privilege escalation
The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes.
enumeration data theft
The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser.
enumeration spying
The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices).
enumeration secondary operation
The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives.
enumeration anti-detection
The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system.
enumeration anti-code analysis
The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult.
enumeration infection/propagation
The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system.  The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email).  This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself.
enumeration anti-behavioral analysis
The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.
enumeration integrity violation
The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system.
enumeration data exfiltration
The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data.
enumeration probing
The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives.
enumeration anti-removal
The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system.
enumeration security degradation
The �security degradation� Capability indicates that the malware instance is able to bypass or disable security features and/or controls.
enumeration availability violation
The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system.
enumeration destruction
The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system.
enumeration fraud
The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system.
enumeration persistence
The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events.
enumeration machine access/control
The 'machine access/control' Capability indicates that the malware instance is able to provide the means to access or control the machine on which it is resident.
Used by
Source
<xs:simpleType name="MalwareCapabilityEnum-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareCapabilityEnum-1.0 is an enumeration of Malware Capabilities.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="command and control">
      <xs:annotation>
        <xs:documentation>The 'command and control' (C2) Capability indicates that the malware instance is able to receive and execute remotely submitted commands.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="remote machine manipulation">
      <xs:annotation>
        <xs:documentation>The 'remote machine manipulation' Capability indicates that the malware instance is able to manipulate or access other remote machines.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="privilege escalation">
      <xs:annotation>
        <xs:documentation>The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="data theft">
      <xs:annotation>
        <xs:documentation>The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="spying">
      <xs:annotation>
        <xs:documentation>The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="secondary operation">
      <xs:annotation>
        <xs:documentation>The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="anti-detection">
      <xs:annotation>
        <xs:documentation>The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="anti-code analysis">
      <xs:annotation>
        <xs:documentation>The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="infection/propagation">
      <xs:annotation>
        <xs:documentation>The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="anti-behavioral analysis">
      <xs:annotation>
        <xs:documentation>The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="integrity violation">
      <xs:annotation>
        <xs:documentation>The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="data exfiltration">
      <xs:annotation>
        <xs:documentation>The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="probing">
      <xs:annotation>
        <xs:documentation>The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="anti-removal">
      <xs:annotation>
        <xs:documentation>The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="security degradation">
      <xs:annotation>
        <xs:documentation>The �security degradation� Capability indicates that the malware instance is able to bypass or disable security features and/or controls.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="availability violation">
      <xs:annotation>
        <xs:documentation>The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="destruction">
      <xs:annotation>
        <xs:documentation>The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="fraud">
      <xs:annotation>
        <xs:documentation>The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="persistence">
      <xs:annotation>
        <xs:documentation>The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="machine access/control">
      <xs:annotation>
        <xs:documentation>The 'machine access/control' Capability indicates that the malware instance is able to provide the means to access or control the machine on which it is resident.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:ActionObjectAssociationTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ActionObjectAssocationVocab is the default MAEC vocabulary for Action-Object association types, captured via the AssociatedObjectType/Association_Type element in CybOX Core.
It should be used in place of the CybOX ActionObjectAssociationVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#http___maec.mitre.org_default_vocabularies-1_ActionObjectAssociationTypeVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#http___maec.mitre.org_default_vocabularies-1_ActionObjectAssociationTypeVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Action-Object Association Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ActionObjectAssociationTypeVocab-1.0 optional
Source
<xs:complexType name="ActionObjectAssociationTypeVocab-1.0">
  <xs:annotation>
    <xs:documentation>The ActionObjectAssocationVocab is the default MAEC vocabulary for Action-Object association types, captured via the AssociatedObjectType/Association_Type element in CybOX Core.</xs:documentation>
    <xs:documentation>It should be used in place of the CybOX ActionObjectAssociationVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:ActionObjectAssociationTypeEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Action-Object Association Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ActionObjectAssociationTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:ActionObjectAssociationTypeEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
ActionObjectAssociationTypeEnum is a (non-exhaustive) enumeration of types of action-object associations.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration input
The 'input' value specifies that the associated object serves as an input to the action. This includes cases where an object is used by the action or an existing object is modified by the action.
enumeration output
The 'output' value specifies that the associated object serves as an output to the action. This includes cases where the object is created anew by the action or otherwise returned by the action.
enumeration side-effect
The 'side-effect' value specifies that the associated object serves as a side-effect resulting from the action. This includes cases where the object is modified indirectly by the action.
Source
<xs:simpleType name="ActionObjectAssociationTypeEnum-1.0">
  <xs:annotation>
    <xs:documentation>ActionObjectAssociationTypeEnum is a (non-exhaustive) enumeration of types of action-object associations.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="input">
      <xs:annotation>
        <xs:documentation>The 'input' value specifies that the associated object serves as an input to the action. This includes cases where an object is used by the action or an existing object is modified by the action.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="output">
      <xs:annotation>
        <xs:documentation>The 'output' value specifies that the associated object serves as an output to the action. This includes cases where the object is created anew by the action or otherwise returned by the action.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="side-effect">
      <xs:annotation>
        <xs:documentation>The 'side-effect' value specifies that the associated object serves as a side-effect resulting from the action. This includes cases where the object is modified indirectly by the action.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:ImportanceTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ImportanceTypeVocab is the default MAEC vocabulary for relative importance measures, captured via the CandidateIndicatorType/Importance element in the MAEC Bundle.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#ImportanceTypeVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#ImportanceTypeVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Importance Types optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ImportanceTypeVocab-1.0 optional
Source
<xs:complexType name="ImportanceTypeVocab-1.0">
  <xs:annotation>
    <xs:documentation>The ImportanceTypeVocab is the default MAEC vocabulary for relative importance measures, captured via the CandidateIndicatorType/Importance element in the MAEC Bundle.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:ImportanceTypeEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Importance Types" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ImportanceTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:ImportanceTypeEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ImportanceTypeEnum is a (non-exhaustive) enumeration of relative importance measures.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration high
The 'high' value specifies that the field is of relative high importance.
enumeration medium
The 'medium' value specifies that the field is of relative medium importance.
enumeration low
The 'low' value specifies that the field is of relative low importance.
enumeration informational
The 'informational' value specifies that the field is only informational in its importance.
enumeration numeric
The 'numeric' value specifies that the field has a numeric importance value, which is defined in another attribute or element.
enumeration unknown
The 'unknown' value specifies that the relative importance for the field is unknown.
Source
<xs:simpleType name="ImportanceTypeEnum-1.0">
  <xs:annotation>
    <xs:documentation>The ImportanceTypeEnum is a (non-exhaustive) enumeration of relative importance measures.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="high">
      <xs:annotation>
        <xs:documentation>The 'high' value specifies that the field is of relative high importance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="medium">
      <xs:annotation>
        <xs:documentation>The 'medium' value specifies that the field is of relative medium importance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="low">
      <xs:annotation>
        <xs:documentation>The 'low' value specifies that the field is of relative low importance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="informational">
      <xs:annotation>
        <xs:documentation>The 'informational' value specifies that the field is only informational in its importance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="numeric">
      <xs:annotation>
        <xs:documentation>The 'numeric' value specifies that the field has a numeric importance value, which is defined in another attribute or element.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="unknown">
      <xs:annotation>
        <xs:documentation>The 'unknown' value specifies that the relative importance for the field is unknown.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MalwareEntityTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareEntityTypeVocab is the default MAEC vocabulary for malware entity types, captured via the CandidateIndicatorType/Malware_Entity/Type element in the MAEC Bundle.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MalwareEntityTypeVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#MalwareEntityTypeVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Malware Entity Types optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareEntityTypeVocab-1.0 optional
Source
<xs:complexType name="MalwareEntityTypeVocab-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareEntityTypeVocab is the default MAEC vocabulary for malware entity types, captured via the CandidateIndicatorType/Malware_Entity/Type element in the MAEC Bundle.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MalwareEntityTypeEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Malware Entity Types" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareEntityTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:MalwareEntityTypeEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareEntityTypeEnum is a (non-exhaustive) enumeration of the different types of entities that a malware indicator or signature may be written against.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration instance
The 'instance' value specifies that the particular malware entity being referred to is a single malware instance.
enumeration family
The 'family' value specifies that the particular malware entity being referred to is a single malware family.
enumeration class
The 'class' value specifies that the particular malware entity being referred to is a single class of malware.
Source
<xs:simpleType name="MalwareEntityTypeEnum-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareEntityTypeEnum is a (non-exhaustive) enumeration of the different types of entities that a malware indicator or signature may be written against.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="instance">
      <xs:annotation>
        <xs:documentation>The 'instance' value specifies that the particular malware entity being referred to is a single malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="family">
      <xs:annotation>
        <xs:documentation>The 'family' value specifies that the particular malware entity being referred to is a single malware family.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="class">
      <xs:annotation>
        <xs:documentation>The 'class' value specifies that the particular malware entity being referred to is a single class of malware.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DeviceDriverActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DeviceDriverActionNameVocab is the default MAEC vocabulary for device driver action names, captured via the ActionType/Name element in CybOX Core.
For device driver action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DeviceDriverActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DeviceDriverActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Device Driver Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DeviceDriverActionNameVocab-1.0 optional
Source
<xs:complexType name="DeviceDriverActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DeviceDriverActionNameVocab is the default MAEC vocabulary for device driver action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For device driver action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DeviceDriverActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Device Driver Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DeviceDriverActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DeviceDriverActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DeviceDriverActionNameEnum is a (non-exhaustive) enumeration of the different types of actions associated with device drivers.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration load and call driver
The 'load and call' value specifies the defined action of loading a driver into a system and then calling the loaded driver.
enumeration load driver
The 'load driver' value specifies the defined action of loading a driver into a system.
enumeration unload driver
The 'unload driver' value specifies the defined action of unloading a driver from a system.
Source
<xs:simpleType name="DeviceDriverActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DeviceDriverActionNameEnum is a (non-exhaustive) enumeration of the different types of actions associated with device drivers.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="load and call driver">
      <xs:annotation>
        <xs:documentation>The 'load and call' value specifies the defined action of loading a driver into a system and then calling the loaded driver.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="load driver">
      <xs:annotation>
        <xs:documentation>The 'load driver' value specifies the defined action of loading a driver into a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="unload driver">
      <xs:annotation>
        <xs:documentation>The 'unload driver' value specifies the defined action of unloading a driver from a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DeviceDriverActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DeviceDriverActionNameVocab is the default MAEC vocabulary for device driver action names, captured via the ActionType/Name element in CybOX Core.
For device driver action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated DeviceDriverActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DeviceDriverActionNameVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#DeviceDriverActionNameVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Device Driver Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DeviceDriverActionNameVocab-1.1 optional
Source
<xs:complexType name="DeviceDriverActionNameVocab-1.1">
  <xs:annotation>
    <xs:documentation>The DeviceDriverActionNameVocab is the default MAEC vocabulary for device driver action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For device driver action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, it should be used in place of the deprecated DeviceDriverActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DeviceDriverActionNameEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Device Driver Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DeviceDriverActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DeviceDriverActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DeviceDriverActionNameEnum is a (non-exhaustive) enumeration of the different types of actions associated with device drivers.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration load and call driver
The 'load and call' value specifies the defined action of loading a driver into a system and then calling the loaded driver.
enumeration load driver
The 'load driver' value specifies the defined action of loading a driver into a system.
enumeration unload driver
The 'unload driver' value specifies the defined action of unloading a driver from a system.
enumeration emulate driver
The 'emulate driver' value specifies the defined action of emulating an existing driver on a system.
Source
<xs:simpleType name="DeviceDriverActionNameEnum-1.1">
  <xs:annotation>
    <xs:documentation>The DeviceDriverActionNameEnum is a (non-exhaustive) enumeration of the different types of actions associated with device drivers.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="load and call driver">
      <xs:annotation>
        <xs:documentation>The 'load and call' value specifies the defined action of loading a driver into a system and then calling the loaded driver.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="load driver">
      <xs:annotation>
        <xs:documentation>The 'load driver' value specifies the defined action of loading a driver into a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="unload driver">
      <xs:annotation>
        <xs:documentation>The 'unload driver' value specifies the defined action of unloading a driver from a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="emulate driver">
      <xs:annotation>
        <xs:documentation>The 'emulate driver' value specifies the defined action of emulating an existing driver on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DebuggingActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DebuggingActionNameVocab is the default MAEC vocabulary for debugging action names, captured via the ActionType/Name element in CybOX Core.
For debugging action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DebuggingActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DebuggingActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Debugging Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DebuggingActionNameVocab-1.0 optional
Source
<xs:complexType name="DebuggingActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DebuggingActionNameVocab is the default MAEC vocabulary for debugging action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For debugging action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DebuggingActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Debugging Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DebuggingActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DebuggingActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DebuggingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with debugging.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration check for remote debugger
The 'check for remote debugger' value specifies the defined action of checking for the presence of a remote debugger.
enumeration check for kernel debugger
The 'check for kernel debugger' value specifies the defined action of checking for the presence of a kernel debugger.
Source
<xs:simpleType name="DebuggingActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DebuggingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with debugging.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="check for remote debugger">
      <xs:annotation>
        <xs:documentation>The 'check for remote debugger' value specifies the defined action of checking for the presence of a remote debugger.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="check for kernel debugger">
      <xs:annotation>
        <xs:documentation>The 'check for kernel debugger' value specifies the defined action of checking for the presence of a kernel debugger.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:LibraryActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The LibraryActionNameVocab is the default MAEC vocabulary for library action names, captured via the ActionType/Name element in CybOX Core.
For library action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#LibraryActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#LibraryActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Library Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#LibraryActionNameVocab-1.0 optional
Source
<xs:complexType name="LibraryActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The LibraryActionNameVocab is the default MAEC vocabulary for library action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For library action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:LibraryActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Library Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#LibraryActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:LibraryActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The LibraryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with libraries.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration enumerate libraries
The 'enumerate libraries' value specifies the defined action of enumerating the libraries used by a process.
enumeration free library
The 'free library' value specifies the defined action of freeing a library previously loaded into the address space of the calling process.
enumeration load library
The 'load library' value specifies the defined action of loading a library into the address space of the calling process.
enumeration get function address
The 'get function address' value specifies the defined action of getting the address of an exported function or variable from a library.
Source
<xs:simpleType name="LibraryActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The LibraryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with libraries.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="enumerate libraries">
      <xs:annotation>
        <xs:documentation>The 'enumerate libraries' value specifies the defined action of enumerating the libraries used by a process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="free library">
      <xs:annotation>
        <xs:documentation>The 'free library' value specifies the defined action of freeing a library previously loaded into the address space of the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="load library">
      <xs:annotation>
        <xs:documentation>The 'load library' value specifies the defined action of loading a library into the address space of the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get function address">
      <xs:annotation>
        <xs:documentation>The 'get function address' value specifies the defined action of getting the address of an exported function or variable from a library.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:LibraryActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The LibraryActionNameVocab is the default MAEC vocabulary for library action names, captured via the ActionType/Name element in CybOX Core.
For library action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated LibraryActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#LibraryActionNameVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#LibraryActionNameVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Library Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#LibraryActionNameVocab-1.1 optional
Source
<xs:complexType name="LibraryActionNameVocab-1.1">
  <xs:annotation>
    <xs:documentation>The LibraryActionNameVocab is the default MAEC vocabulary for library action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For library action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, it should be used in place of the deprecated LibraryActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:LibraryActionNameEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Library Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#LibraryActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:LibraryActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The LibraryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with libraries.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration enumerate libraries
The 'enumerate libraries' value specifies the defined action of enumerating the libraries used by a process.
enumeration free library
The 'free library' value specifies the defined action of freeing a library previously loaded into the address space of the calling process.
enumeration load library
The 'load library' value specifies the defined action of loading a library into the address space of the calling process.
enumeration get function address
The 'get function address' value specifies the defined action of getting the address of an exported function or variable from a library.
enumeration call library function
The 'call library function' value specifies the defined action of calling a function exported by a library.
Source
<xs:simpleType name="LibraryActionNameEnum-1.1">
  <xs:annotation>
    <xs:documentation>The LibraryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with libraries.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="enumerate libraries">
      <xs:annotation>
        <xs:documentation>The 'enumerate libraries' value specifies the defined action of enumerating the libraries used by a process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="free library">
      <xs:annotation>
        <xs:documentation>The 'free library' value specifies the defined action of freeing a library previously loaded into the address space of the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="load library">
      <xs:annotation>
        <xs:documentation>The 'load library' value specifies the defined action of loading a library into the address space of the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get function address">
      <xs:annotation>
        <xs:documentation>The 'get function address' value specifies the defined action of getting the address of an exported function or variable from a library.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="call library function">
      <xs:annotation>
        <xs:documentation>The 'call library function' value specifies the defined action of calling a function exported by a library.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DirectoryActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DirectoryActionNameVocab is the default MAEC vocabulary for directory action names, captured via the ActionType/Name element in CybOX Core.
For directory action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DirectoryActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DirectoryActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Directory Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DirectoryActionNameVocab-1.0 optional
Source
<xs:complexType name="DirectoryActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DirectoryActionNameVocab is the default MAEC vocabulary for directory action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For directory action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DirectoryActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Directory Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DirectoryActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DirectoryActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DirectoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file directories.
Deprecated as of MAEC 4.1
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create directory
The 'create directory' value specifies the defined action of creating a new directory on the filesystem.
enumeration delete directory
The 'delete directory' value specifies the defined action of deleting an existing directory on the filesystem.
enumeration monitor directory
The 'monitor directory' value specifies the defined action of monitoring an existing directory on the filesystem for changes.
Source
<xs:simpleType name="DirectoryActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DirectoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file directories.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create directory">
      <xs:annotation>
        <xs:documentation>The 'create directory' value specifies the defined action of creating a new directory on the filesystem.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete directory">
      <xs:annotation>
        <xs:documentation>The 'delete directory' value specifies the defined action of deleting an existing directory on the filesystem.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="monitor directory">
      <xs:annotation>
        <xs:documentation>The 'monitor directory' value specifies the defined action of monitoring an existing directory on the filesystem for changes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DirectoryActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DirectoryActionNameVocab is the default MAEC vocabulary for directory action names, captured via the ActionType/Name element in CybOX Core.
For directory action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated DirectoryActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DirectoryActionNameVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#DirectoryActionNameVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Directory Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DirectoryActionNameVocab-1.1 optional
Source
<xs:complexType name="DirectoryActionNameVocab-1.1">
  <xs:annotation>
    <xs:documentation>The DirectoryActionNameVocab is the default MAEC vocabulary for directory action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For directory action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, it should be used in place of the deprecated DirectoryActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DirectoryActionNameEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Directory Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DirectoryActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DirectoryActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DirectoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file directories.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create directory
The 'create directory' value specifies the defined action of creating a new directory on the filesystem.
enumeration delete directory
The 'delete directory' value specifies the defined action of deleting an existing directory on the filesystem.
enumeration monitor directory
The 'monitor directory' value specifies the defined action of monitoring an existing directory on the filesystem for changes.
enumeration hide directory
The 'hide directory' value specifies the defined action of hiding an existing directory.
Source
<xs:simpleType name="DirectoryActionNameEnum-1.1">
  <xs:annotation>
    <xs:documentation>The DirectoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file directories.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create directory">
      <xs:annotation>
        <xs:documentation>The 'create directory' value specifies the defined action of creating a new directory on the filesystem.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete directory">
      <xs:annotation>
        <xs:documentation>The 'delete directory' value specifies the defined action of deleting an existing directory on the filesystem.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="monitor directory">
      <xs:annotation>
        <xs:documentation>The 'monitor directory' value specifies the defined action of monitoring an existing directory on the filesystem for changes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide directory">
      <xs:annotation>
        <xs:documentation>The 'hide directory' value specifies the defined action of hiding an existing directory.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DiskActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DiskActionNameVocab is the default MAEC vocabulary for disk action names, captured via the ActionType/Name element in CybOX Core.
For disk action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DiskActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DiskActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Disk Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DiskActionNameVocab-1.0 optional
Source
<xs:complexType name="DiskActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DiskActionNameVocab is the default MAEC vocabulary for disk action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For disk action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DiskActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Disk Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DiskActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DiskActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DiskActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with hard disks.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration get disk type
The 'get disk type' value specifies the defined action of getting the disk type.
enumeration get disk attributes
The 'get disk attributes' value specifies the defined action of querying the attributes of a disk, such as the amount of available free space.
enumeration mount disk
The 'mount disk' value specifies the defined action of mounting an existing file system to a mounting point.
enumeration unmount disk
The 'unmount disk' value specifies the defined action of unmounting an existing file system from a mounting point.
Source
<xs:simpleType name="DiskActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DiskActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with hard disks.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="get disk type">
      <xs:annotation>
        <xs:documentation>The 'get disk type' value specifies the defined action of getting the disk type.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get disk attributes">
      <xs:annotation>
        <xs:documentation>The 'get disk attributes' value specifies the defined action of querying the attributes of a disk, such as the amount of available free space.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="mount disk">
      <xs:annotation>
        <xs:documentation>The 'mount disk' value specifies the defined action of mounting an existing file system to a mounting point.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="unmount disk">
      <xs:annotation>
        <xs:documentation>The 'unmount disk' value specifies the defined action of unmounting an existing file system from a mounting point.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DiskActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DiskActionNameVocab is the default MAEC vocabulary for disk action names, captured via the ActionType/Name element in CybOX Core.
For disk action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated DiskActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DiskActionNameVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#DiskActionNameVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Disk Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DiskActionNameVocab-1.1 optional
Source
<xs:complexType name="DiskActionNameVocab-1.1">
  <xs:annotation>
    <xs:documentation>The DiskActionNameVocab is the default MAEC vocabulary for disk action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For disk action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, it should be used in place of the deprecated DiskActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DiskActionNameEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Disk Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DiskActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DiskActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DiskActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with hard disks.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration get disk type
The 'get disk type' value specifies the defined action of getting the disk type.
enumeration get disk attributes
The 'get disk attributes' value specifies the defined action of querying the attributes of a disk, such as the amount of available free space.
enumeration mount disk
The 'mount disk' value specifies the defined action of mounting an existing file system to a mounting point.
enumeration unmount disk
The 'unmount disk' value specifies the defined action of unmounting an existing file system from a mounting point.
enumeration emulate disk
The 'emulate disk' value specifies the defined action of emulating an existing disk.
enumeration list disks
The 'list disks' value specifies the defined action of listing all disks available on a system.
enumeration monitor disk
The 'monitor disk' value specifies the defined action of monitoring an existing disk for changes.
Source
<xs:simpleType name="DiskActionNameEnum-1.1">
  <xs:annotation>
    <xs:documentation>The DiskActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with hard disks.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="get disk type">
      <xs:annotation>
        <xs:documentation>The 'get disk type' value specifies the defined action of getting the disk type.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get disk attributes">
      <xs:annotation>
        <xs:documentation>The 'get disk attributes' value specifies the defined action of querying the attributes of a disk, such as the amount of available free space.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="mount disk">
      <xs:annotation>
        <xs:documentation>The 'mount disk' value specifies the defined action of mounting an existing file system to a mounting point.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="unmount disk">
      <xs:annotation>
        <xs:documentation>The 'unmount disk' value specifies the defined action of unmounting an existing file system from a mounting point.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="emulate disk">
      <xs:annotation>
        <xs:documentation>The 'emulate disk' value specifies the defined action of emulating an existing disk.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="list disks">
      <xs:annotation>
        <xs:documentation>The 'list disks' value specifies the defined action of listing all disks available on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="monitor disk">
      <xs:annotation>
        <xs:documentation>The 'monitor disk' value specifies the defined action of monitoring an existing disk for changes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:FileActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FileActionNameVocab is the default MAEC vocabulary for file action names, captured via the ActionType/Name element in CybOX Core.
For file action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#FileActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#FileActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default File Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FileActionNameVocab-1.0 optional
Source
<xs:complexType name="FileActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The FileActionNameVocab is the default MAEC vocabulary for file action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For file action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:FileActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default File Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FileActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:FileActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FileActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create file
The 'create file' value specifies the defined action of creating a new file.
enumeration delete file
The 'delete file' value specifies the defined action of deleting an existing file.
enumeration copy file
The 'copy file' value specifies the defined action of copying an existing file from one location to another.
enumeration create file symbolic link
The 'create file symbolic link' value specifies the defined action of creating a symbolic link to an existing file.
enumeration find file
The 'find file' value specifies the defined action of searching for an existing file.
enumeration get file attributes
The 'get file attributes' value specifies the defined action of getting the attributes of an existing file.
enumeration set file attributes
The 'set file attributes' value specifies the defined action of setting the file attributes for an existing file.
enumeration lock file
The 'lock file' value specifies the defined action of locking an existing file.
enumeration unlock file
The 'unlock file' value specifies the defined action of unlocking an existing file.
enumeration modify file
The 'modify file' value specifies the defined action of modifying an existing file in some manner.
enumeration move file
The 'move file' value specifies the defined action of moving an existing file from one location to another.
enumeration open file
The 'open file' value specifies the defined action of opening an existing file for reading or writing.
enumeration read from file
The 'read from file' value specifies the defined action of reading from an existing file.
enumeration write to file
The 'write to file' value specifies the defined action of writing to an existing file.
enumeration rename file
The 'rename file' value specifies the defined action of renaming an existing file.
enumeration create file alternate data stream
The 'create file alternate data stream' value specifies the defined action of creating an alternate data stream in an existing file.
enumeration send control code to file
The 'send control code to file' value specifies the defined action of sending a control code to a file.
enumeration create file mapping
The 'create file mapping' value specifies the defined action of creating a new file mapping object.
enumeration open file mapping
The 'open file mapping' value specifies the defined action of opening an existing file mapping object.
Source
<xs:simpleType name="FileActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The FileActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create file">
      <xs:annotation>
        <xs:documentation>The 'create file' value specifies the defined action of creating a new file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete file">
      <xs:annotation>
        <xs:documentation>The 'delete file' value specifies the defined action of deleting an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="copy file">
      <xs:annotation>
        <xs:documentation>The 'copy file' value specifies the defined action of copying an existing file from one location to another.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create file symbolic link">
      <xs:annotation>
        <xs:documentation>The 'create file symbolic link' value specifies the defined action of creating a symbolic link to an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="find file">
      <xs:annotation>
        <xs:documentation>The 'find file' value specifies the defined action of searching for an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get file attributes">
      <xs:annotation>
        <xs:documentation>The 'get file attributes' value specifies the defined action of getting the attributes of an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set file attributes">
      <xs:annotation>
        <xs:documentation>The 'set file attributes' value specifies the defined action of setting the file attributes for an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="lock file">
      <xs:annotation>
        <xs:documentation>The 'lock file' value specifies the defined action of locking an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="unlock file">
      <xs:annotation>
        <xs:documentation>The 'unlock file' value specifies the defined action of unlocking an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="modify file">
      <xs:annotation>
        <xs:documentation>The 'modify file' value specifies the defined action of modifying an existing file in some manner.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="move file">
      <xs:annotation>
        <xs:documentation>The 'move file' value specifies the defined action of moving an existing file from one location to another.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open file">
      <xs:annotation>
        <xs:documentation>The 'open file' value specifies the defined action of opening an existing file for reading or writing.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="read from file">
      <xs:annotation>
        <xs:documentation>The 'read from file' value specifies the defined action of reading from an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="write to file">
      <xs:annotation>
        <xs:documentation>The 'write to file' value specifies the defined action of writing to an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="rename file">
      <xs:annotation>
        <xs:documentation>The 'rename file' value specifies the defined action of renaming an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create file alternate data stream">
      <xs:annotation>
        <xs:documentation>The 'create file alternate data stream' value specifies the defined action of creating an alternate data stream in an existing file.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send control code to file">
      <xs:annotation>
        <xs:documentation>The 'send control code to file' value specifies the defined action of sending a control code to a file.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create file mapping">
      <xs:annotation>
        <xs:documentation>The 'create file mapping' value specifies the defined action of creating a new file mapping object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open file mapping">
      <xs:annotation>
        <xs:documentation>The 'open file mapping' value specifies the defined action of opening an existing file mapping object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:FileActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FileActionNameVocab is the default MAEC vocabulary for file action names, captured via the ActionType/Name element in CybOX Core.
For file action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated FileActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#FileActionNameVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#FileActionNameVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default File Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FileActionNameVocab-1.1 optional
Source
<xs:complexType name="FileActionNameVocab-1.1">
  <xs:annotation>
    <xs:documentation>The FileActionNameVocab is the default MAEC vocabulary for file action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For file action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, it should be used in place of the deprecated FileActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:FileActionNameEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default File Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FileActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:FileActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FileActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create file
The 'create file' value specifies the defined action of creating a new file.
enumeration delete file
The 'delete file' value specifies the defined action of deleting an existing file.
enumeration copy file
The 'copy file' value specifies the defined action of copying an existing file from one location to another.
enumeration create file symbolic link
The 'create file symbolic link' value specifies the defined action of creating a symbolic link to an existing file.
enumeration find file
The 'find file' value specifies the defined action of searching for an existing file.
enumeration get file attributes
The 'get file attributes' value specifies the defined action of getting the attributes of an existing file.
enumeration set file attributes
The 'set file attributes' value specifies the defined action of setting the file attributes for an existing file.
enumeration lock file
The 'lock file' value specifies the defined action of locking an existing file.
enumeration unlock file
The 'unlock file' value specifies the defined action of unlocking an existing file.
enumeration modify file
The 'modify file' value specifies the defined action of modifying an existing file in some manner.
enumeration move file
The 'move file' value specifies the defined action of moving an existing file from one location to another.
enumeration open file
The 'open file' value specifies the defined action of opening an existing file for reading or writing.
enumeration read from file
The 'read from file' value specifies the defined action of reading from an existing file.
enumeration write to file
The 'write to file' value specifies the defined action of writing to an existing file.
enumeration rename file
The 'rename file' value specifies the defined action of renaming an existing file.
enumeration create file alternate data stream
The 'create file alternate data stream' value specifies the defined action of creating an alternate data stream in an existing file.
enumeration send control code to file
The 'send control code to file' value specifies the defined action of sending a control code to a file.
enumeration create file mapping
The 'create file mapping' value specifies the defined action of creating a new file mapping object.
enumeration open file mapping
The 'open file mapping' value specifies the defined action of opening an existing file mapping object.
enumeration execute file
The 'execute file' value specifies the defined action of executing an existing file.
enumeration hide file
The 'hide file' value specifies the defined action of hiding an existing file.
enumeration close file
The 'close file' value specifies the defined action of closing an existing file that previously opened for reading or writing.
Source
<xs:simpleType name="FileActionNameEnum-1.1">
  <xs:annotation>
    <xs:documentation>The FileActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with a file.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create file">
      <xs:annotation>
        <xs:documentation>The 'create file' value specifies the defined action of creating a new file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete file">
      <xs:annotation>
        <xs:documentation>The 'delete file' value specifies the defined action of deleting an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="copy file">
      <xs:annotation>
        <xs:documentation>The 'copy file' value specifies the defined action of copying an existing file from one location to another.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create file symbolic link">
      <xs:annotation>
        <xs:documentation>The 'create file symbolic link' value specifies the defined action of creating a symbolic link to an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="find file">
      <xs:annotation>
        <xs:documentation>The 'find file' value specifies the defined action of searching for an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get file attributes">
      <xs:annotation>
        <xs:documentation>The 'get file attributes' value specifies the defined action of getting the attributes of an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set file attributes">
      <xs:annotation>
        <xs:documentation>The 'set file attributes' value specifies the defined action of setting the file attributes for an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="lock file">
      <xs:annotation>
        <xs:documentation>The 'lock file' value specifies the defined action of locking an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="unlock file">
      <xs:annotation>
        <xs:documentation>The 'unlock file' value specifies the defined action of unlocking an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="modify file">
      <xs:annotation>
        <xs:documentation>The 'modify file' value specifies the defined action of modifying an existing file in some manner.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="move file">
      <xs:annotation>
        <xs:documentation>The 'move file' value specifies the defined action of moving an existing file from one location to another.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open file">
      <xs:annotation>
        <xs:documentation>The 'open file' value specifies the defined action of opening an existing file for reading or writing.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="read from file">
      <xs:annotation>
        <xs:documentation>The 'read from file' value specifies the defined action of reading from an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="write to file">
      <xs:annotation>
        <xs:documentation>The 'write to file' value specifies the defined action of writing to an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="rename file">
      <xs:annotation>
        <xs:documentation>The 'rename file' value specifies the defined action of renaming an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create file alternate data stream">
      <xs:annotation>
        <xs:documentation>The 'create file alternate data stream' value specifies the defined action of creating an alternate data stream in an existing file.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send control code to file">
      <xs:annotation>
        <xs:documentation>The 'send control code to file' value specifies the defined action of sending a control code to a file.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create file mapping">
      <xs:annotation>
        <xs:documentation>The 'create file mapping' value specifies the defined action of creating a new file mapping object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open file mapping">
      <xs:annotation>
        <xs:documentation>The 'open file mapping' value specifies the defined action of opening an existing file mapping object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="execute file">
      <xs:annotation>
        <xs:documentation>The 'execute file' value specifies the defined action of executing an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide file">
      <xs:annotation>
        <xs:documentation>The 'hide file' value specifies the defined action of hiding an existing file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="close file">
      <xs:annotation>
        <xs:documentation>The 'close file' value specifies the defined action of closing an existing file that previously opened for reading or writing.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:HookingActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HookingActionNameVocab is the default MAEC vocabulary for hooking action names, captured via the ActionType/Name element in CybOX Core.
For hooking action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#HookingActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#HookingActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Hooking Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#HookingActionNameVocab-1.0 optional
Source
<xs:complexType name="HookingActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The HookingActionNameVocab is the default MAEC vocabulary for hooking action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For hooking action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:HookingActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Hooking Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#HookingActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:HookingActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HookingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with various kinds of hooking.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration add system call hook
The 'add system call hook' value specifies the defined action of adding a new system call hook.
enumeration add windows hook
The 'add windows hook' value specifies the defined action of adding a new Windows application-defined hook procedure.
Source
<xs:simpleType name="HookingActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The HookingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with various kinds of hooking.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="add system call hook">
      <xs:annotation>
        <xs:documentation>The 'add system call hook' value specifies the defined action of adding a new system call hook.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="add windows hook">
      <xs:annotation>
        <xs:documentation>The 'add windows hook' value specifies the defined action of adding a new Windows application-defined hook procedure.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:HookingActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HookingActionNameVocab is the default MAEC vocabulary for hooking action names, captured via the ActionType/Name element in CybOX Core.
For hooking action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated HookingActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#HookingActionNameVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#HookingActionNameVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Hooking Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#HookingActionNameVocab-1.1 optional
Source
<xs:complexType name="HookingActionNameVocab-1.1">
  <xs:annotation>
    <xs:documentation>The HookingActionNameVocab is the default MAEC vocabulary for hooking action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For hooking action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, it should be used in place of the deprecated HookingActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:HookingActionNameEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Hooking Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#HookingActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:HookingActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HookingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with various kinds of hooking.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration add system call hook
The 'add system call hook' value specifies the defined action of adding a new system call hook.
enumeration add windows hook
The 'add windows hook' value specifies the defined action of adding a new Windows application-defined hook procedure.
enumeration hide hook
The 'hide hook' value specifies the defined action of hiding an existing hook.
Source
<xs:simpleType name="HookingActionNameEnum-1.1">
  <xs:annotation>
    <xs:documentation>The HookingActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with various kinds of hooking.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="add system call hook">
      <xs:annotation>
        <xs:documentation>The 'add system call hook' value specifies the defined action of adding a new system call hook.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="add windows hook">
      <xs:annotation>
        <xs:documentation>The 'add windows hook' value specifies the defined action of adding a new Windows application-defined hook procedure.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide hook">
      <xs:annotation>
        <xs:documentation>The 'hide hook' value specifies the defined action of hiding an existing hook.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DNSActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DNSActionNameVocab is the default MAEC vocabulary for DNS action names, captured via the ActionType/Name element in CybOX Core.
For DNS action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DNSActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DNSActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default DNS Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DNSActionNameVocab-1.0 optional
Source
<xs:complexType name="DNSActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DNSActionNameVocab is the default MAEC vocabulary for DNS action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For DNS action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DNSActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default DNS Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DNSActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DNSActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DNSActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Domain Name System (DNS).
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration send dns query
The 'send dns query' value specifies the defined action of sending a DNS query.
enumeration send reverse dns lookup
The 'send reverse dns lookup' value specifies the defined action of sending a reverse DNS lookup.
Source
<xs:simpleType name="DNSActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DNSActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Domain Name System (DNS).</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="send dns query">
      <xs:annotation>
        <xs:documentation>The 'send dns query' value specifies the defined action of sending a DNS query.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send reverse dns lookup">
      <xs:annotation>
        <xs:documentation>The 'send reverse dns lookup' value specifies the defined action of sending a reverse DNS lookup.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:IRCActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IRCActionNameVocab is the default MAEC vocabulary for IRC action names, captured via the ActionType/Name element in CybOX Core.
For IRC action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#IRCActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#IRCActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default IRC Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IRCActionNameVocab-1.0 optional
Source
<xs:complexType name="IRCActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The IRCActionNameVocab is the default MAEC vocabulary for IRC action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For IRC action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:IRCActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default IRC Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IRCActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:IRCActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IRCActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Internet Relay Chat (IRC).
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration connect to irc server
The 'connect to irc server' value specifies the defined action of connecting to an existing IRC server.
enumeration disconnect from irc server
The 'disconnect from irc server' value specifies the defined action of disconnecting from an existing IRC server.
enumeration set irc nickname
The 'set irc nickname' value specifies the defined action of setting an IRC nickname on an IRC server.
enumeration join irc channel
The 'join irc channel' value specifies the defined action of joining a channel on an IRC server.
enumeration leave irc channel
The 'leave irc channel' value specifies the defined action of leaving a channel on an IRC server.
enumeration send irc private message
The 'send irc private message' value specifies the defined action of sending a private message to another user on an IRC server.
enumeration receive irc private message
The 'receive irc private message' value specifies the defined action of receiving a private message from another user on an IRC server.
Source
<xs:simpleType name="IRCActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The IRCActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Internet Relay Chat (IRC).</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="connect to irc server">
      <xs:annotation>
        <xs:documentation>The 'connect to irc server' value specifies the defined action of connecting to an existing IRC server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disconnect from irc server">
      <xs:annotation>
        <xs:documentation>The 'disconnect from irc server' value specifies the defined action of disconnecting from an existing IRC server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set irc nickname">
      <xs:annotation>
        <xs:documentation>The 'set irc nickname' value specifies the defined action of setting an IRC nickname on an IRC server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="join irc channel">
      <xs:annotation>
        <xs:documentation>The 'join irc channel' value specifies the defined action of joining a channel on an IRC server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="leave irc channel">
      <xs:annotation>
        <xs:documentation>The 'leave irc channel' value specifies the defined action of leaving a channel on an IRC server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send irc private message">
      <xs:annotation>
        <xs:documentation>The 'send irc private message' value specifies the defined action of sending a private message to another user on an IRC server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="receive irc private message">
      <xs:annotation>
        <xs:documentation>The 'receive irc private message' value specifies the defined action of receiving a private message from another user on an IRC server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:FTPActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FTPActionNameVocab is the default MAEC vocabulary for FTP action names, captured via the ActionType/Name element in CybOX Core.
For FTP action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#FTPActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#FTPActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default FTP Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FTPActionNameVocab-1.0 optional
Source
<xs:complexType name="FTPActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The FTPActionNameVocab is the default MAEC vocabulary for FTP action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For FTP action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:FTPActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default FTP Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FTPActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:FTPActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FTPActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the File Transfer Protocol (FTP).
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration connect to ftp server
The 'connect to ftp server' value specifies the defined action of connecting to an existing FTP server.
enumeration disconnect from ftp server
The 'disconnect from ftp server' value specifies the defined action of disconnecting from an existing FTP server.
enumeration send ftp command
The 'send ftp command' value specifies the defined action of sending a command on an FTP server connection.
Source
<xs:simpleType name="FTPActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The FTPActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the File Transfer Protocol (FTP).</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="connect to ftp server">
      <xs:annotation>
        <xs:documentation>The 'connect to ftp server' value specifies the defined action of connecting to an existing FTP server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disconnect from ftp server">
      <xs:annotation>
        <xs:documentation>The 'disconnect from ftp server' value specifies the defined action of disconnecting from an existing FTP server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send ftp command">
      <xs:annotation>
        <xs:documentation>The 'send ftp command' value specifies the defined action of sending a command on an FTP server connection.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:HTTPActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HTTPActionNameVocab is the default MAEC vocabulary for HTTP action names, captured via the ActionType/Name element in CybOX Core.
For HTTP action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#HTTPActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#HTTPActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default HTTP Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#HTTPActionNameVocab-1.0 optional
Source
<xs:complexType name="HTTPActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The HTTPActionNameVocab is the default MAEC vocabulary for HTTP action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For HTTP action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:HTTPActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default HTTP Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#HTTPActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:HTTPActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The HTTPActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Hypertext Transfer Protocol (HTTP).
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration send http get request
Specifies the defined action of sending an HTTP GET client request to an existing server.
enumeration send http head request
The 'send http head request' value specifies the defined action of sending an HTTP HEAD client request to an existing server.
enumeration send http post request
The 'send http post request' value specifies the defined action of sending an HTTP HEAD client request to an existing server.
enumeration send http put request
The 'send http put request' value specifies the defined action of sending an HTTP PUT client request to an existing server.
enumeration send http delete request
The 'send http delete request' value specifies the defined action of sending an HTTP DELETE client request to an existing server.
enumeration send http trace request
The 'send http trace request' value specifies the defined action of sending an HTTP TRACE client request to an existing server.
enumeration send http options request
The 'send http options request' value specifies the defined action of sending an HTTP OPTIONS client request to an existing server.
enumeration send http connect request
The 'send http connect request' value specifies the defined action of sending an HTTP CONNECT client request to an existing server.
enumeration send http patch request
The 'send http patch request' value specifies the defined action of sending an HTTP PATCH client request to an existing server.
enumeration receive http response
The 'receive http response' value specifies the defined action of receiving an HTTP server response for a prior HTTP request.
Source
<xs:simpleType name="HTTPActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The HTTPActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Hypertext Transfer Protocol (HTTP).</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="send http get request">
      <xs:annotation>
        <xs:documentation>Specifies the defined action of sending an HTTP GET client request to an existing server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send http head request">
      <xs:annotation>
        <xs:documentation>The 'send http head request' value specifies the defined action of sending an HTTP HEAD client request to an existing server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send http post request">
      <xs:annotation>
        <xs:documentation>The 'send http post request' value specifies the defined action of sending an HTTP HEAD client request to an existing server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send http put request">
      <xs:annotation>
        <xs:documentation>The 'send http put request' value specifies the defined action of sending an HTTP PUT client request to an existing server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send http delete request">
      <xs:annotation>
        <xs:documentation>The 'send http delete request' value specifies the defined action of sending an HTTP DELETE client request to an existing server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send http trace request">
      <xs:annotation>
        <xs:documentation>The 'send http trace request' value specifies the defined action of sending an HTTP TRACE client request to an existing server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send http options request">
      <xs:annotation>
        <xs:documentation>The 'send http options request' value specifies the defined action of sending an HTTP OPTIONS client request to an existing server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send http connect request">
      <xs:annotation>
        <xs:documentation>The 'send http connect request' value specifies the defined action of sending an HTTP CONNECT client request to an existing server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send http patch request">
      <xs:annotation>
        <xs:documentation>The 'send http patch request' value specifies the defined action of sending an HTTP PATCH client request to an existing server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="receive http response">
      <xs:annotation>
        <xs:documentation>The 'receive http response' value specifies the defined action of receiving an HTTP server response for a prior HTTP request.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:NetworkActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkActionNameVocab is the default MAEC vocabulary for network action names, captured via the ActionType/Name element in CybOX Core.
For network action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#NetworkActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#NetworkActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Network Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#NetworkActionNameVocab-1.0 optional
Source
<xs:complexType name="NetworkActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The NetworkActionNameVocab is the default MAEC vocabulary for network action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For network action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:NetworkActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Network Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#NetworkActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:NetworkActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with networking.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration open port
The 'open port' value specifies the defined action of opening a network port.
enumeration close port
The 'close port' value specifies the defined action of closing a network port.
enumeration connect to ip
The 'connect to ip' value specifies the defined action of connecting to an IP address.
enumeration disconnect from ip
The 'disconnect from ip' value specifies the defined action of disconnecting from a previously established connection to an IP address.
enumeration connect to url
The 'connect to url' value specifies the defined action of connecting to a URL.
enumeration connect to socket address
The 'connect to socket address' value specifies the defined action of connecting to a socket address, consisting of an IP address and port number.
enumeration download file
The 'download file' value specifies the defined action of downloading a file from a remote location.
enumeration upload file
The 'upload file' value specifies the defined action of uploading a file to a remote location.
enumeration listen on port
The 'listen on port' value specifies the defined action of listening on a specific port.
enumeration send email message
The 'send email message' value specifies the defined action of sending an email message.
enumeration send icmp request
The 'send icmp request' value specifies the defined action of sending an ICMP request.
Source
<xs:simpleType name="NetworkActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The NetworkActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with networking.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="open port">
      <xs:annotation>
        <xs:documentation>The 'open port' value specifies the defined action of opening a network port.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="close port">
      <xs:annotation>
        <xs:documentation>The 'close port' value specifies the defined action of closing a network port.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="connect to ip">
      <xs:annotation>
        <xs:documentation>The 'connect to ip' value specifies the defined action of connecting to an IP address.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disconnect from ip">
      <xs:annotation>
        <xs:documentation>The 'disconnect from ip' value specifies the defined action of disconnecting from a previously established connection to an IP address.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="connect to url">
      <xs:annotation>
        <xs:documentation>The 'connect to url' value specifies the defined action of connecting to a URL.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="connect to socket address">
      <xs:annotation>
        <xs:documentation>The 'connect to socket address' value specifies the defined action of connecting to a socket address, consisting of an IP address and port number.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="download file">
      <xs:annotation>
        <xs:documentation>The 'download file' value specifies the defined action of downloading a file from a remote location.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="upload file">
      <xs:annotation>
        <xs:documentation>The 'upload file' value specifies the defined action of uploading a file to a remote location.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="listen on port">
      <xs:annotation>
        <xs:documentation>The 'listen on port' value specifies the defined action of listening on a specific port.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send email message">
      <xs:annotation>
        <xs:documentation>The 'send email message' value specifies the defined action of sending an email message.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send icmp request">
      <xs:annotation>
        <xs:documentation>The 'send icmp request' value specifies the defined action of sending an ICMP request.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:NetworkActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkActionNameVocab is the default MAEC vocabulary for network action names, captured via the ActionType/Name element in CybOX Core.
For network action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated NetworkActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#NetworkActionNameVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#NetworkActionNameVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Network Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#NetworkActionNameVocab-1.1 optional
Source
<xs:complexType name="NetworkActionNameVocab-1.1">
  <xs:annotation>
    <xs:documentation>The NetworkActionNameVocab is the default MAEC vocabulary for network action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For network action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, it should be used in place of the deprecated NetworkActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:NetworkActionNameEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Network Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#NetworkActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:NetworkActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with networking.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration open port
The 'open port' value specifies the defined action of opening a network port.
enumeration close port
The 'close port' value specifies the defined action of closing a network port.
enumeration connect to ip
The 'connect to ip' value specifies the defined action of connecting to an IP address.
enumeration disconnect from ip
The 'disconnect from ip' value specifies the defined action of disconnecting from a previously established connection to an IP address.
enumeration connect to url
The 'connect to url' value specifies the defined action of connecting to a URL.
enumeration connect to socket address
The 'connect to socket address' value specifies the defined action of connecting to a socket address, consisting of an IP address and port number.
enumeration download file
The 'download file' value specifies the defined action of downloading a file from a remote location.
enumeration upload file
The 'upload file' value specifies the defined action of uploading a file to a remote location.
enumeration listen on port
The 'listen on port' value specifies the defined action of listening on a specific port.
enumeration send email message
The 'send email message' value specifies the defined action of sending an email message.
enumeration send icmp request
The 'send icmp request' value specifies the defined action of sending an ICMP request.
enumeration send network packet
The 'send network packet' value specifies the defined action of sending a packet on a network.
enumeration receive network packet
The 'receive network packet' value specifies the defined action of receiving a packet on a network.
Source
<xs:simpleType name="NetworkActionNameEnum-1.1">
  <xs:annotation>
    <xs:documentation>The NetworkActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with networking.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="open port">
      <xs:annotation>
        <xs:documentation>The 'open port' value specifies the defined action of opening a network port.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="close port">
      <xs:annotation>
        <xs:documentation>The 'close port' value specifies the defined action of closing a network port.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="connect to ip">
      <xs:annotation>
        <xs:documentation>The 'connect to ip' value specifies the defined action of connecting to an IP address.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disconnect from ip">
      <xs:annotation>
        <xs:documentation>The 'disconnect from ip' value specifies the defined action of disconnecting from a previously established connection to an IP address.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="connect to url">
      <xs:annotation>
        <xs:documentation>The 'connect to url' value specifies the defined action of connecting to a URL.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="connect to socket address">
      <xs:annotation>
        <xs:documentation>The 'connect to socket address' value specifies the defined action of connecting to a socket address, consisting of an IP address and port number.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="download file">
      <xs:annotation>
        <xs:documentation>The 'download file' value specifies the defined action of downloading a file from a remote location.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="upload file">
      <xs:annotation>
        <xs:documentation>The 'upload file' value specifies the defined action of uploading a file to a remote location.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="listen on port">
      <xs:annotation>
        <xs:documentation>The 'listen on port' value specifies the defined action of listening on a specific port.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send email message">
      <xs:annotation>
        <xs:documentation>The 'send email message' value specifies the defined action of sending an email message.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send icmp request">
      <xs:annotation>
        <xs:documentation>The 'send icmp request' value specifies the defined action of sending an ICMP request.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send network packet">
      <xs:annotation>
        <xs:documentation>The 'send network packet' value specifies the defined action of sending a packet on a network.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="receive network packet">
      <xs:annotation>
        <xs:documentation>The 'receive network packet' value specifies the defined action of receiving a packet on a network.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:NetworkShareActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkShareActionNameVocab is the default MAEC vocabulary for Windows network share action names, captured via the ActionType/Name element in CybOX Core.
For network share action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#NetworkShareActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#NetworkShareActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Network Share Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#NetworkShareActionNameVocab-1.0 optional
Source
<xs:complexType name="NetworkShareActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The NetworkShareActionNameVocab is the default MAEC vocabulary for Windows network share action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For network share action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:NetworkShareActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Network Share Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#NetworkShareActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:NetworkShareActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The NetworkShareActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with Windows network shares.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration add connection to network share
The 'add connection to network share' value specifies the defined action of adding a connection to an existing network share.
enumeration add network share
The 'add network share' value specifies the defined action of adding a new network share on a server.
enumeration delete network share
The 'delete network share' value specifies the defined action of deleting an existing network share on a server.
enumeration connect to network share
The 'connect to network share' value specifies the defined action of connecting to an existing network share.
enumeration disconnect from network share
The 'disconnect from network share' value specifies the defined action of disconnecting from an existing network share.
enumeration enumerate network shares
The 'enumerate network shares' value specifies the defined action of enumerating the available shared resources on a server.
Source
<xs:simpleType name="NetworkShareActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The NetworkShareActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with Windows network shares.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="add connection to network share">
      <xs:annotation>
        <xs:documentation>The 'add connection to network share' value specifies the defined action of adding a connection to an existing network share.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="add network share">
      <xs:annotation>
        <xs:documentation>The 'add network share' value specifies the defined action of adding a new network share on a server.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete network share">
      <xs:annotation>
        <xs:documentation>The 'delete network share' value specifies the defined action of deleting an existing network share on a server.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="connect to network share">
      <xs:annotation>
        <xs:documentation>The 'connect to network share' value specifies the defined action of connecting to an existing network share.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disconnect from network share">
      <xs:annotation>
        <xs:documentation>The 'disconnect from network share' value specifies the defined action of disconnecting from an existing network share.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate network shares">
      <xs:annotation>
        <xs:documentation>The 'enumerate network shares' value specifies the defined action of enumerating the available shared resources on a server.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SocketActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SocketActionNameVocab is the default MAEC vocabulary for socket action names, captured via the ActionType/Name element in CybOX Core.
For socket action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SocketActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SocketActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Socket Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SocketActionNameVocab-1.0 optional
Source
<xs:complexType name="SocketActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SocketActionNameVocab is the default MAEC vocabulary for socket action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For socket action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SocketActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Socket Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SocketActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SocketActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SocketActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with network sockets.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration accept socket connection
The 'accept socket connection' value specifies the defined action of accepting a socket connection.
enumeration bind address to socket
The 'bind address to socket' value specifies the defined action of binding a socket address to a socket.
enumeration create socket
The 'create socket' value specifies the defined action of creating a new socket.
enumeration close socket
The 'close socket' value specifies the defined action of closing an existing socket.
enumeration connect to socket
The 'connect to socket' value specifies the defined action of connecting to an existing socket.
enumeration disconnect from socket
The 'disconnect from socket' value specifies the defined action of disconnecting from an existing socket.
enumeration listen on socket
The 'listen on socket' value specifies the defined action of listening on an existing socket.
enumeration send data on socket
The 'send data on socket' value specifies the defined action of sending data on an existing, connected socket.
enumeration receive data on socket
The 'receive data on socket' value specifies the defined action of receiving data on an existing socket.
enumeration send data to address on socket
The 'send data to address on socket' value specifies the defined action of sending data to a specified IP address on an existing, unconnected socket.
enumeration get host by address
The 'get host by address' value specifies the defined action of getting information on a host from a local or remote host database by its IP address.
enumeration get host by name
The 'get host by name' value specifies the defined action of getting information on a host from a local or remote host database by its name.
Source
<xs:simpleType name="SocketActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SocketActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with network sockets.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="accept socket connection">
      <xs:annotation>
        <xs:documentation>The 'accept socket connection' value specifies the defined action of accepting a socket connection.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="bind address to socket">
      <xs:annotation>
        <xs:documentation>The 'bind address to socket' value specifies the defined action of binding a socket address to a socket.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create socket">
      <xs:annotation>
        <xs:documentation>The 'create socket' value specifies the defined action of creating a new socket.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="close socket">
      <xs:annotation>
        <xs:documentation>The 'close socket' value specifies the defined action of closing an existing socket.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="connect to socket">
      <xs:annotation>
        <xs:documentation>The 'connect to socket' value specifies the defined action of connecting to an existing socket.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disconnect from socket">
      <xs:annotation>
        <xs:documentation>The 'disconnect from socket' value specifies the defined action of disconnecting from an existing socket.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="listen on socket">
      <xs:annotation>
        <xs:documentation>The 'listen on socket' value specifies the defined action of listening on an existing socket.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send data on socket">
      <xs:annotation>
        <xs:documentation>The 'send data on socket' value specifies the defined action of sending data on an existing, connected socket.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="receive data on socket">
      <xs:annotation>
        <xs:documentation>The 'receive data on socket' value specifies the defined action of receiving data on an existing socket.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send data to address on socket">
      <xs:annotation>
        <xs:documentation>The 'send data to address on socket' value specifies the defined action of sending data to a specified IP address on an existing, unconnected socket.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get host by address">
      <xs:annotation>
        <xs:documentation>The 'get host by address' value specifies the defined action of getting information on a host from a local or remote host database by its IP address.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get host by name">
      <xs:annotation>
        <xs:documentation>The 'get host by name' value specifies the defined action of getting information on a host from a local or remote host database by its name.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:RegistryActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RegistryActionNameVocab is the default MAEC vocabulary for registry action names, captured via the ActionType/Name element in CybOX Core.
For registry action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#RegistryActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#RegistryActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Registry Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#RegistryActionNameVocab-1.0 optional
Source
<xs:complexType name="RegistryActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The RegistryActionNameVocab is the default MAEC vocabulary for registry action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For registry action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:RegistryActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Registry Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#RegistryActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:RegistryActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RegistryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Windows registry.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create registry key
The 'create registry key' value specifies the defined action of creating a new registry key.
enumeration delete registry key
The 'delete registry key' value specifies the defined action of deleting an existing registry key.
enumeration open registry key
The 'open registry key' value specifies the defined action of opening an existing registry key.
enumeration close registry key
The 'close registry key' value specifies the defined action of closing a handle to an existing registry key.
enumeration create registry key value
The 'create registry key value' value specifies the defined action of creating a new named value under an existing registry key.
enumeration delete registry key value
The 'delete registry key value' value specifies the defined action of deleting an existing named value under an existing registry key.
enumeration enumerate registry key subkeys
The 'enumerate registry key subkeys' value specifies the defined action of enumerating the registry key subkeys under an existing registry key.
enumeration enumerate registry key values
The 'enumerate registry key values' value specifies the defined action of enumerating the named values under an existing registry key.
enumeration get registry key attributes
The 'get registry key attributes' value specifies the defined action of getting the attributes of an existing registry key.
enumeration read registry key value
The 'read registry key value' value specifies the defined action of reading an existing named value of an existing registry key.
enumeration modify registry key value
The 'modify registry key value' value specifies the defined action of modifying an existing named value of an existing registry key.
enumeration modify registry key
The 'modify registry key' value specifies the defined action of modifying an existing registry key.
enumeration monitor registry key
The 'monitor registry key' value specifies the defined action of monitoring an existing registry key for changes.
Source
<xs:simpleType name="RegistryActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The RegistryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the Windows registry.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create registry key">
      <xs:annotation>
        <xs:documentation>The 'create registry key' value specifies the defined action of creating a new registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete registry key">
      <xs:annotation>
        <xs:documentation>The 'delete registry key' value specifies the defined action of deleting an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open registry key">
      <xs:annotation>
        <xs:documentation>The 'open registry key' value specifies the defined action of opening an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="close registry key">
      <xs:annotation>
        <xs:documentation>The 'close registry key' value specifies the defined action of closing a handle to an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create registry key value">
      <xs:annotation>
        <xs:documentation>The 'create registry key value' value specifies the defined action of creating a new named value under an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete registry key value">
      <xs:annotation>
        <xs:documentation>The 'delete registry key value' value specifies the defined action of deleting an existing named value under an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate registry key subkeys">
      <xs:annotation>
        <xs:documentation>The 'enumerate registry key subkeys' value specifies the defined action of enumerating the registry key subkeys under an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate registry key values">
      <xs:annotation>
        <xs:documentation>The 'enumerate registry key values' value specifies the defined action of enumerating the named values under an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get registry key attributes">
      <xs:annotation>
        <xs:documentation>The 'get registry key attributes' value specifies the defined action of getting the attributes of an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="read registry key value">
      <xs:annotation>
        <xs:documentation>The 'read registry key value' value specifies the defined action of reading an existing named value of an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="modify registry key value">
      <xs:annotation>
        <xs:documentation>The 'modify registry key value' value specifies the defined action of modifying an existing named value of an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="modify registry key">
      <xs:annotation>
        <xs:documentation>The 'modify registry key' value specifies the defined action of modifying an existing registry key.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="monitor registry key">
      <xs:annotation>
        <xs:documentation>The 'monitor registry key' value specifies the defined action of monitoring an existing registry key for changes.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:UserActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The UserActionNameVocab is the default MAEC vocabulary for user action names, captured via the ActionType/Name element in CybOX Core.
For user action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#UserActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#UserActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default User Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#UserActionNameVocab-1.0 optional
Source
<xs:complexType name="UserActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The UserActionNameVocab is the default MAEC vocabulary for user action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For user action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:UserActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default User Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#UserActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:UserActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The UserActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with users.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration add user
The 'add user' value specifies the defined action of adding a new user.
enumeration delete user
The 'delete user' value specifies the defined action of deleting an existing user.
enumeration enumerate users
The 'enumerate users' value specifies the defined action of enumerating all users.
enumeration get user attributes
The 'get user attributes' value specifies the defined action of getting the attributes of an existing user.
enumeration logon as user
The 'logon as user' value specifies the defined action of logging on as a specific user.
Source
<xs:simpleType name="UserActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The UserActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with users.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="add user">
      <xs:annotation>
        <xs:documentation>The 'add user' value specifies the defined action of adding a new user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete user">
      <xs:annotation>
        <xs:documentation>The 'delete user' value specifies the defined action of deleting an existing user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate users">
      <xs:annotation>
        <xs:documentation>The 'enumerate users' value specifies the defined action of enumerating all users.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get user attributes">
      <xs:annotation>
        <xs:documentation>The 'get user attributes' value specifies the defined action of getting the attributes of an existing user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="logon as user">
      <xs:annotation>
        <xs:documentation>The 'logon as user' value specifies the defined action of logging on as a specific user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:UserActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The UserActionNameVocab is the default MAEC vocabulary for user action names, captured via the ActionType/Name element in CybOX Core.
For user action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated UserActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#UserActionNameVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#UserActionNameVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default User Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#UserActionNameVocab-1.1 optional
Source
<xs:complexType name="UserActionNameVocab-1.1">
  <xs:annotation>
    <xs:documentation>The UserActionNameVocab is the default MAEC vocabulary for user action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For user action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, it should be used in place of the deprecated UserActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:UserActionNameEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default User Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#UserActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:UserActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The UserActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with users.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration add user
The 'add user' value specifies the defined action of adding a new user.
enumeration delete user
The 'delete user' value specifies the defined action of deleting an existing user.
enumeration enumerate users
The 'enumerate users' value specifies the defined action of enumerating all users.
enumeration get user attributes
The 'get user attributes' value specifies the defined action of getting the attributes of an existing user.
enumeration logon as user
The 'logon as user' value specifies the defined action of logging on as a specific user.
enumeration change password
The 'change password' value specifies the defined action of changing an existing user's password.
enumeration add user to group
The 'add user to group' value specifies the defined action of adding an existing user to an existing group.
enumeration remove user from group
The 'remove user from group' value specifies the defined action of removing an existing user from existing group.
enumeration invoke user privilege
The 'invoke user privilege' value specifies the defined action of invoking a privilege given to an existing user.
Source
<xs:simpleType name="UserActionNameEnum-1.1">
  <xs:annotation>
    <xs:documentation>The UserActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with users.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="add user">
      <xs:annotation>
        <xs:documentation>The 'add user' value specifies the defined action of adding a new user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete user">
      <xs:annotation>
        <xs:documentation>The 'delete user' value specifies the defined action of deleting an existing user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate users">
      <xs:annotation>
        <xs:documentation>The 'enumerate users' value specifies the defined action of enumerating all users.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get user attributes">
      <xs:annotation>
        <xs:documentation>The 'get user attributes' value specifies the defined action of getting the attributes of an existing user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="logon as user">
      <xs:annotation>
        <xs:documentation>The 'logon as user' value specifies the defined action of logging on as a specific user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="change password">
      <xs:annotation>
        <xs:documentation>The 'change password' value specifies the defined action of changing an existing user's password.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="add user to group">
      <xs:annotation>
        <xs:documentation>The 'add user to group' value specifies the defined action of adding an existing user to an existing group.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="remove user from group">
      <xs:annotation>
        <xs:documentation>The 'remove user from group' value specifies the defined action of removing an existing user from existing group.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="invoke user privilege">
      <xs:annotation>
        <xs:documentation>The 'invoke user privilege' value specifies the defined action of invoking a privilege given to an existing user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:IPCActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IPCActionNameVocab is the default MAEC vocabulary for inter-process communication action names, captured via the ActionType/Name element in CybOX Core.
For IPC action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#IPCActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#IPCActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default IPC Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IPCActionNameVocab-1.0 optional
Source
<xs:complexType name="IPCActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The IPCActionNameVocab is the default MAEC vocabulary for inter-process communication action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For IPC action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:IPCActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default IPC Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IPCActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:IPCActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IPCActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with entities related to Inter-Process Communication (IPC).
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create named pipe
The 'create named pipe' value specifies the defined action of creating a new named pipe.
enumeration delete named pipe
The 'delete named pipe' value specifies the defined action of deleting an existing named pipe.
enumeration connect to named pipe
The 'connected to named pipe' value specifies the defined action of connecting to an existing named pipe.
enumeration disconnect from named pipe
The 'disconnect from named pipe' value specifies the defined action of disconnecting from an existing named pipe.
enumeration read from named pipe
The 'read from named pipe' value specifies the defined action of reading some data from an existing named pipe.
enumeration write to named pipe
The 'write to named pipe' value specifies the defined action of writing some data to an existing named pipe.
enumeration create mailslot
The 'create mailslot' value specifies the defined action of creating a new named mailslot.
enumeration read from mailslot
The 'read from mailslot' value specifies the defined action of reading some data from an existing named mailslot.
enumeration write to mailslot
The 'write to mailslot' value specifies the defined action of writing some data to an existing named mailslot.
Source
<xs:simpleType name="IPCActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The IPCActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with entities related to Inter-Process Communication (IPC).</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create named pipe">
      <xs:annotation>
        <xs:documentation>The 'create named pipe' value specifies the defined action of creating a new named pipe.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete named pipe">
      <xs:annotation>
        <xs:documentation>The 'delete named pipe' value specifies the defined action of deleting an existing named pipe.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="connect to named pipe">
      <xs:annotation>
        <xs:documentation>The 'connected to named pipe' value specifies the defined action of connecting to an existing named pipe.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disconnect from named pipe">
      <xs:annotation>
        <xs:documentation>The 'disconnect from named pipe' value specifies the defined action of disconnecting from an existing named pipe.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="read from named pipe">
      <xs:annotation>
        <xs:documentation>The 'read from named pipe' value specifies the defined action of reading some data from an existing named pipe.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="write to named pipe">
      <xs:annotation>
        <xs:documentation>The 'write to named pipe' value specifies the defined action of writing some data to an existing named pipe.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create mailslot">
      <xs:annotation>
        <xs:documentation>The 'create mailslot' value specifies the defined action of creating a new named mailslot.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="read from mailslot">
      <xs:annotation>
        <xs:documentation>The 'read from mailslot' value specifies the defined action of reading some data from an existing named mailslot.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="write to mailslot">
      <xs:annotation>
        <xs:documentation>The 'write to mailslot' value specifies the defined action of writing some data to an existing named mailslot.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:ProcessMemoryActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessMemoryActionNameVocab is the default MAEC vocabulary for process memory action names, captured via the ActionType/Name element in CybOX Core.
For process memory action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#ProcessMemoryActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#ProcessMemoryActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Process Memory Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProcessMemoryActionNameVocab-1.0 optional
Source
<xs:complexType name="ProcessMemoryActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The ProcessMemoryActionNameVocab is the default MAEC vocabulary for process memory action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For process memory action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:ProcessMemoryActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Process Memory Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProcessMemoryActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:ProcessMemoryActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessMemoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the memory regions of a process.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration allocate process virtual memory
The 'allocate process virtual memory' value specifies the defined action of allocating some virtual memory region in an existing process.
enumeration free process virtual memory
The 'free process virtual memory' value specifies the defined action of freeing some virtual memory region from an existing process.
enumeration modify process virtual memory protection
The 'modify process virtual memory protection' value specifies the defined action of modifying the protection on a memory region in the virtual address space of an existing process.
enumeration read from process memory
The 'read from process memory' value specifies the defined action of reading from a memory region of an existing process.
enumeration write to process memory
The 'write to process memory' value specifies the defined action of writing to a memory region of an existing process.
enumeration map file into process
The 'map file into process' value specifies the defined action of mapping an existing file into the address space of the calling process.
enumeration unmap file from process
The 'unmap file from process' value specifies the defined action of unmapping an existing file from the address space of the calling process.
enumeration map library into process
The 'map library into process' value specifies the defined action of mapping a library into the address space of the calling process.
Source
<xs:simpleType name="ProcessMemoryActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The ProcessMemoryActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with the memory regions of a process.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="allocate process virtual memory">
      <xs:annotation>
        <xs:documentation>The 'allocate process virtual memory' value specifies the defined action of allocating some virtual memory region in an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="free process virtual memory">
      <xs:annotation>
        <xs:documentation>The 'free process virtual memory' value specifies the defined action of freeing some virtual memory region from an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="modify process virtual memory protection">
      <xs:annotation>
        <xs:documentation>The 'modify process virtual memory protection' value specifies the defined action of modifying the protection on a memory region in the virtual address space of an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="read from process memory">
      <xs:annotation>
        <xs:documentation>The 'read from process memory' value specifies the defined action of reading from a memory region of an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="write to process memory">
      <xs:annotation>
        <xs:documentation>The 'write to process memory' value specifies the defined action of writing to a memory region of an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="map file into process">
      <xs:annotation>
        <xs:documentation>The 'map file into process' value specifies the defined action of mapping an existing file into the address space of the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="unmap file from process">
      <xs:annotation>
        <xs:documentation>The 'unmap file from process' value specifies the defined action of unmapping an existing file from the address space of the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="map library into process">
      <xs:annotation>
        <xs:documentation>The 'map library into process' value specifies the defined action of mapping a library into the address space of the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:ProcessActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessActionNameVocab is the default MAEC vocabulary for process action names, captured via the ActionType/Name element in CybOX Core.
For process action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#ProcessActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#ProcessActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Process Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProcessActionNameVocab-1.0 optional
Source
<xs:complexType name="ProcessActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The ProcessActionNameVocab is the default MAEC vocabulary for process action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For process action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:ProcessActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Process Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProcessActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:ProcessActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with processes.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create process
The 'create process' value specifies the defined action of creating a new process.
enumeration kill process
The 'kill process' value specifies the defined action of killing an existing process.
enumeration create process as user
The 'create process as user' value specifies the defined action of creating a new process in the security context of a specified user.
enumeration enumerate processes
The 'enumerate processes' value specifies the defined action of enumerating all of the running processes on a system.
enumeration open process
The 'open process' value specifies the defined action of opening an existing process.
enumeration flush process instruction cache
The 'flush process instruction cache' value specifies the defined action of flushing the instruction cache of an existing process.
enumeration get process current directory
The 'get process current directory' value specifies the defined action of getting the current directory of an existing process.
enumeration set process current directory
The 'set process current directory' value specifies the defined action of setting the current directory of an existing process.
enumeration get process environment variable
The 'get process environment variable' value specifies the defined action of getting an environment variable used by an existing process.
enumeration set process environment variable
The 'set process environment variable' value specifies the defined action of setting an environment variable used by an existing process.
enumeration sleep process
The 'sleep process' value specifies the defined action of sleeping an existing process for some period of time.
enumeration get process startupinfo
The 'get process startupinfo' value specifies the defined action of getting the STARTUPINFO struct associated with an existing process.
Source
<xs:simpleType name="ProcessActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The ProcessActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with processes.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create process">
      <xs:annotation>
        <xs:documentation>The 'create process' value specifies the defined action of creating a new process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="kill process">
      <xs:annotation>
        <xs:documentation>The 'kill process' value specifies the defined action of killing an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create process as user">
      <xs:annotation>
        <xs:documentation>The 'create process as user' value specifies the defined action of creating a new process in the security context of a specified user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate processes">
      <xs:annotation>
        <xs:documentation>The 'enumerate processes' value specifies the defined action of enumerating all of the running processes on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open process">
      <xs:annotation>
        <xs:documentation>The 'open process' value specifies the defined action of opening an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="flush process instruction cache">
      <xs:annotation>
        <xs:documentation>The 'flush process instruction cache' value specifies the defined action of flushing the instruction cache of an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get process current directory">
      <xs:annotation>
        <xs:documentation>The 'get process current directory' value specifies the defined action of getting the current directory of an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set process current directory">
      <xs:annotation>
        <xs:documentation>The 'set process current directory' value specifies the defined action of setting the current directory of an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get process environment variable">
      <xs:annotation>
        <xs:documentation>The 'get process environment variable' value specifies the defined action of getting an environment variable used by an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set process environment variable">
      <xs:annotation>
        <xs:documentation>The 'set process environment variable' value specifies the defined action of setting an environment variable used by an existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="sleep process">
      <xs:annotation>
        <xs:documentation>The 'sleep process' value specifies the defined action of sleeping an existing process for some period of time.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get process startupinfo">
      <xs:annotation>
        <xs:documentation>The 'get process startupinfo' value specifies the defined action of getting the STARTUPINFO struct associated with an existing process.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:ProcessThreadActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessThreadActionNameVocab is the default MAEC vocabulary for process thread action names, captured via the ActionType/Name element in CybOX Core.
For process thread action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#ProcessThreadActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#ProcessThreadActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Process Thread Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProcessThreadActionNameVocab-1.0 optional
Source
<xs:complexType name="ProcessThreadActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The ProcessThreadActionNameVocab is the default MAEC vocabulary for process thread action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For process thread action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:ProcessThreadActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Process Thread Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProcessThreadActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:ProcessThreadActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProcessThreadActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with process threads.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create thread
The 'create thread' value specifies the defined action of creating a new thread in the virtual address space of the calling process.
enumeration kill thread
The 'kill thread' value specifies the defined action of killing a thread existing in the virtual address space of the calling process.
enumeration create remote thread in process
The 'create remote thread in process' value specifies the defined action of creating a thread that runs in the virtual address space of another existing process.
enumeration enumerate threads
The 'enumerate threads' value specifies the defined action of enumerating all threads in the calling process.
enumeration get thread username
The 'get thread username' value specifies the defined action of getting the name or ID of the user associated with an existing thread.
enumeration impersonate process
The 'impersonate process' value specifies the defined action of a thread in the calling process impersonating the security context of another existing process.
enumeration revert thread to self
The 'revert thread to self' value specifies the defined action of reverting an existing thread to its own security context.
enumeration get thread context
The 'get thread context' value specifies the defined action of getting the context structure (containing processor-specific register data) of an existing thread.
enumeration set thread context
The 'set thread context' value specifies the defined action of setting the context structure (containing processor-specific register data) for an existing thread.
enumeration queue apc in thread
The 'queue apc in thread' value specifies the defined action of queing a new Asynchronized Procedure Call (APC) in the context of an existing thread.
Source
<xs:simpleType name="ProcessThreadActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The ProcessThreadActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with process threads.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create thread">
      <xs:annotation>
        <xs:documentation>The 'create thread' value specifies the defined action of creating a new thread in the virtual address space of the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="kill thread">
      <xs:annotation>
        <xs:documentation>The 'kill thread' value specifies the defined action of killing a thread existing in the virtual address space of the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create remote thread in process">
      <xs:annotation>
        <xs:documentation>The 'create remote thread in process' value specifies the defined action of creating a thread that runs in the virtual address space of another existing process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate threads">
      <xs:annotation>
        <xs:documentation>The 'enumerate threads' value specifies the defined action of enumerating all threads in the calling process.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get thread username">
      <xs:annotation>
        <xs:documentation>The 'get thread username' value specifies the defined action of getting the name or ID of the user associated with an existing thread.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="impersonate process">
      <xs:annotation>
        <xs:documentation>The 'impersonate process' value specifies the defined action of a thread in the calling process impersonating the security context of another existing process.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="revert thread to self">
      <xs:annotation>
        <xs:documentation>The 'revert thread to self' value specifies the defined action of reverting an existing thread to its own security context.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get thread context">
      <xs:annotation>
        <xs:documentation>The 'get thread context' value specifies the defined action of getting the context structure (containing processor-specific register data) of an existing thread.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set thread context">
      <xs:annotation>
        <xs:documentation>The 'set thread context' value specifies the defined action of setting the context structure (containing processor-specific register data) for an existing thread.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="queue apc in thread">
      <xs:annotation>
        <xs:documentation>The 'queue apc in thread' value specifies the defined action of queing a new Asynchronized Procedure Call (APC) in the context of an existing thread.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:ServiceActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ServiceActionNameVocab is the default MAEC vocabulary for service action names, captured via the ActionType/Name element in CybOX Core.
For service action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Deprecated as of MAEC 4.1.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#ServiceActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#ServiceActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Service Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ServiceActionNameVocab-1.0 optional
Source
<xs:complexType name="ServiceActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The ServiceActionNameVocab is the default MAEC vocabulary for service action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For service action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:ServiceActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Service Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ServiceActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:ServiceActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ServiceActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with services or daemons.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create service
The 'create service' value specifies the defined action of creating a new service.
enumeration delete service
The 'delete service' value specifies the defined action of deleting an existing service.
enumeration start service
The 'start service' value specifies the defined action of starting an existing service.
enumeration enumerate services
The 'enumerate services' value specifies the defined action of enumerating a specific set of services on a system.
enumeration modify service configuration
The 'modify service configuration' value specifies the defined action of modifying the configuration parameters of an existing service.
enumeration open service
The 'open service' value specifies the defined action of opening an existing service.
enumeration send control code to service
The 'send control code to service' value specifies the defined action of sending a control code to an existing service.
Source
<xs:simpleType name="ServiceActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The ServiceActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with services or daemons.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create service">
      <xs:annotation>
        <xs:documentation>The 'create service' value specifies the defined action of creating a new service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete service">
      <xs:annotation>
        <xs:documentation>The 'delete service' value specifies the defined action of deleting an existing service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="start service">
      <xs:annotation>
        <xs:documentation>The 'start service' value specifies the defined action of starting an existing service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate services">
      <xs:annotation>
        <xs:documentation>The 'enumerate services' value specifies the defined action of enumerating a specific set of services on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="modify service configuration">
      <xs:annotation>
        <xs:documentation>The 'modify service configuration' value specifies the defined action of modifying the configuration parameters of an existing service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open service">
      <xs:annotation>
        <xs:documentation>The 'open service' value specifies the defined action of opening an existing service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send control code to service">
      <xs:annotation>
        <xs:documentation>The 'send control code to service' value specifies the defined action of sending a control code to an existing service.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:ServiceActionNameVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ServiceActionNameVocab is the default MAEC vocabulary for service action names, captured via the ActionType/Name element in CybOX Core.
For service action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Starting with MAEC 4.1, it should be used in place of the deprecated ServiceActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#ServiceActionNameVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#ServiceActionNameVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Service Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ServiceActionNameVocab-1.1 optional
Source
<xs:complexType name="ServiceActionNameVocab-1.1">
  <xs:annotation>
    <xs:documentation>The ServiceActionNameVocab is the default MAEC vocabulary for service action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For service action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, it should be used in place of the deprecated ServiceActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:ServiceActionNameEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Service Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ServiceActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:ServiceActionNameEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ServiceActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with services or daemons.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create service
The 'create service' value specifies the defined action of creating a new service.
enumeration delete service
The 'delete service' value specifies the defined action of deleting an existing service.
enumeration start service
The 'start service' value specifies the defined action of starting an existing service.
enumeration stop service
The 'stop service' value specifies the defined action of stopping an existing service.
enumeration enumerate services
The 'enumerate services' value specifies the defined action of enumerating a specific set of services on a system.
enumeration modify service configuration
The 'modify service configuration' value specifies the defined action of modifying the configuration parameters of an existing service.
enumeration open service
The 'open service' value specifies the defined action of opening an existing service.
enumeration send control code to service
The 'send control code to service' value specifies the defined action of sending a control code to an existing service.
Source
<xs:simpleType name="ServiceActionNameEnum-1.1">
  <xs:annotation>
    <xs:documentation>The ServiceActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with services or daemons.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create service">
      <xs:annotation>
        <xs:documentation>The 'create service' value specifies the defined action of creating a new service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete service">
      <xs:annotation>
        <xs:documentation>The 'delete service' value specifies the defined action of deleting an existing service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="start service">
      <xs:annotation>
        <xs:documentation>The 'start service' value specifies the defined action of starting an existing service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="stop service">
      <xs:annotation>
        <xs:documentation>The 'stop service' value specifies the defined action of stopping an existing service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate services">
      <xs:annotation>
        <xs:documentation>The 'enumerate services' value specifies the defined action of enumerating a specific set of services on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="modify service configuration">
      <xs:annotation>
        <xs:documentation>The 'modify service configuration' value specifies the defined action of modifying the configuration parameters of an existing service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open service">
      <xs:annotation>
        <xs:documentation>The 'open service' value specifies the defined action of opening an existing service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send control code to service">
      <xs:annotation>
        <xs:documentation>The 'send control code to service' value specifies the defined action of sending a control code to an existing service.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SynchronizationActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SynchronizationActionNameVocab is the default MAEC vocabulary for synchronization action names, captured via the ActionType/Name element in CybOX Core.
For synchronization action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SynchronizationActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SynchronizationActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Synchronization Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SynchronizationActionNameVocab-1.0 optional
Source
<xs:complexType name="SynchronizationActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SynchronizationActionNameVocab is the default MAEC vocabulary for synchronization action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For synchronization action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SynchronizationActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Synchronization Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SynchronizationActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SynchronizationActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SynchronizationActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with process and thread synchronization-related entities.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create mutex
The 'create mutex' value specifies the defined action of creating a new named mutex.
enumeration delete mutex
The 'delete mutex' value specifies the defined action of deleting an existing named mutex.
enumeration open mutex
The 'open mutex' value specifies the defined action of opening an existing named mutex.
enumeration release mutex
The 'release mutex' value specifies the defined action of releasing ownership of an existing named mutex.
enumeration create semaphore
The 'create semaphore' value specifies the defined action of creating a new named semaphore.
enumeration delete semaphore
The 'delete semaphore' value specifies the defined action of deleting an existing named semaphore.
enumeration open semaphore
The 'open semaphore' value specifies the defined action of opening an existing named semaphore.
enumeration release semaphore
The 'release semaphore' value specifies the defined action of releasing ownership of an existing named semaphore.
enumeration create event
The 'create event' value specifies the defined action of creating a new named event object.
enumeration delete event
The 'delete event' value specifies the defined action of deleting an existing named event object.
enumeration open event
The 'open event' value specifies the defined action of opening an existing named event object.
enumeration reset event
The 'reset event' value specifies the defined action of resetting an existing named event object to the non-signaled state.
enumeration create critical section
The 'create critical section' value specifies the defined action of creating a new critical section.
enumeration delete critical section
The 'delete critical section' value specifies the defined action of deleting an existing critical section object.
enumeration open critical section
The 'open critical section' value specifies the defined action of opening an existing critical section object.
enumeration release critical section
The 'release critical section' value specifies the defined action of releasing an existing critical section object.
Source
<xs:simpleType name="SynchronizationActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SynchronizationActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with process and thread synchronization-related entities.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create mutex">
      <xs:annotation>
        <xs:documentation>The 'create mutex' value specifies the defined action of creating a new named mutex.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete mutex">
      <xs:annotation>
        <xs:documentation>The 'delete mutex' value specifies the defined action of deleting an existing named mutex.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open mutex">
      <xs:annotation>
        <xs:documentation>The 'open mutex' value specifies the defined action of opening an existing named mutex.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="release mutex">
      <xs:annotation>
        <xs:documentation>The 'release mutex' value specifies the defined action of releasing ownership of an existing named mutex.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create semaphore">
      <xs:annotation>
        <xs:documentation>The 'create semaphore' value specifies the defined action of creating a new named semaphore.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete semaphore">
      <xs:annotation>
        <xs:documentation>The 'delete semaphore' value specifies the defined action of deleting an existing named semaphore.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open semaphore">
      <xs:annotation>
        <xs:documentation>The 'open semaphore' value specifies the defined action of opening an existing named semaphore.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="release semaphore">
      <xs:annotation>
        <xs:documentation>The 'release semaphore' value specifies the defined action of releasing ownership of an existing named semaphore.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create event">
      <xs:annotation>
        <xs:documentation>The 'create event' value specifies the defined action of creating a new named event object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete event">
      <xs:annotation>
        <xs:documentation>The 'delete event' value specifies the defined action of deleting an existing named event object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open event">
      <xs:annotation>
        <xs:documentation>The 'open event' value specifies the defined action of opening an existing named event object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="reset event">
      <xs:annotation>
        <xs:documentation>The 'reset event' value specifies the defined action of resetting an existing named event object to the non-signaled state.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create critical section">
      <xs:annotation>
        <xs:documentation>The 'create critical section' value specifies the defined action of creating a new critical section.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="delete critical section">
      <xs:annotation>
        <xs:documentation>The 'delete critical section' value specifies the defined action of deleting an existing critical section object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="open critical section">
      <xs:annotation>
        <xs:documentation>The 'open critical section' value specifies the defined action of opening an existing critical section object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="release critical section">
      <xs:annotation>
        <xs:documentation>The 'release critical section' value specifies the defined action of releasing an existing critical section object.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SystemActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SystemActionNameVocab is the default MAEC vocabulary for system action names, captured via the ActionType/Name element in CybOX Core.
For system action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SystemActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SystemActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default System Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SystemActionNameVocab-1.0 optional
Source
<xs:complexType name="SystemActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SystemActionNameVocab is the default MAEC vocabulary for system action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For system action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SystemActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default System Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SystemActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SystemActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SystemInfoActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with system-related entities.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration add scheduled task
The 'add scheduled task' value specifies the defined action of adding a scheduled task to a system.
enumeration shutdown system
The 'shutdown system' value specifies the defined action of shutting down a system.
enumeration sleep system
The 'sleep system' value specifies the defined action of sleeping a system for some period of time.
enumeration get elapsed system up time
The 'get elapsed system up time' value specifies the defined action of getting the elapsed up-time for a system.
enumeration get netbios name
The 'get netbios name' value specifies the defined action of getting the NetBIOS name of a system.
enumeration set netbios name
The 'set netbios name' value specifies the defined action of setting the NetBIOS name of a system.
enumeration get system host name
The 'get system host name' value specifies the defined action of getting the host name of a system.
enumeration set system host name
The 'set system host name' value specifies the defined action of setting the system host name of a system.
enumeration get system time
The 'get system time' value specifies the defined action of getting the system time of a system, represented in Coordinated Universal Time (UTC).
enumeration set system time
The 'set system time' value specifies the defined action of setting the system time for a system, represented in Coordinated Universal Time (UTC).
enumeration get system local time
The 'get system local time' value specifies the defined action of getting the local time of a system.
enumeration set system local time
The 'set system local time' value specifies the defined action of setting the local time of a system.
enumeration get username
The 'get username' value specifies the defined action of getting the username of the currently logged in user of a system.
enumeration enumerate system handles
The 'enumerate system handles' value specifies the defined action of enumerating all open handles on a system.
enumeration get system global flags
The 'get system global flags' value specifies the defined action of getting the enabled global flags on a system.
enumeration set system global flags
The 'set system global flags' value specifies the defined action of setting system global flags on a system.
enumeration get windows directory
The 'get windows directory' value specifies the defined action of getting the Windows installation directory on a system.
enumeration get windows system directory
The 'get windows system directory' value specifies the defined action of getting the Windows \System directory on a system.
enumeration get windows temporary files directory
The 'get windows temporary files directory' value specifies the defined action of getting the Windows Temporary Files Directory on a System.
Source
<xs:simpleType name="SystemActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SystemInfoActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with system-related entities.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="add scheduled task">
      <xs:annotation>
        <xs:documentation>The 'add scheduled task' value specifies the defined action of adding a scheduled task to a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="shutdown system">
      <xs:annotation>
        <xs:documentation>The 'shutdown system' value specifies the defined action of shutting down a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="sleep system">
      <xs:annotation>
        <xs:documentation>The 'sleep system' value specifies the defined action of sleeping a system for some period of time.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get elapsed system up time">
      <xs:annotation>
        <xs:documentation>The 'get elapsed system up time' value specifies the defined action of getting the elapsed up-time for a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get netbios name">
      <xs:annotation>
        <xs:documentation>The 'get netbios name' value specifies the defined action of getting the NetBIOS name of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set netbios name">
      <xs:annotation>
        <xs:documentation>The 'set netbios name' value specifies the defined action of setting the NetBIOS name of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get system host name">
      <xs:annotation>
        <xs:documentation>The 'get system host name' value specifies the defined action of getting the host name of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set system host name">
      <xs:annotation>
        <xs:documentation>The 'set system host name' value specifies the defined action of setting the system host name of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get system time">
      <xs:annotation>
        <xs:documentation>The 'get system time' value specifies the defined action of getting the system time of a system, represented in Coordinated Universal Time (UTC).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set system time">
      <xs:annotation>
        <xs:documentation>The 'set system time' value specifies the defined action of setting the system time for a system, represented in Coordinated Universal Time (UTC).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get system local time">
      <xs:annotation>
        <xs:documentation>The 'get system local time' value specifies the defined action of getting the local time of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set system local time">
      <xs:annotation>
        <xs:documentation>The 'set system local time' value specifies the defined action of setting the local time of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get username">
      <xs:annotation>
        <xs:documentation>The 'get username' value specifies the defined action of getting the username of the currently logged in user of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate system handles">
      <xs:annotation>
        <xs:documentation>The 'enumerate system handles' value specifies the defined action of enumerating all open handles on a system.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get system global flags">
      <xs:annotation>
        <xs:documentation>The 'get system global flags' value specifies the defined action of getting the enabled global flags on a system.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="set system global flags">
      <xs:annotation>
        <xs:documentation>The 'set system global flags' value specifies the defined action of setting system global flags on a system.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get windows directory">
      <xs:annotation>
        <xs:documentation>The 'get windows directory' value specifies the defined action of getting the Windows installation directory on a system.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get windows system directory">
      <xs:annotation>
        <xs:documentation>The 'get windows system directory' value specifies the defined action of getting the Windows \System directory on a system.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="get windows temporary files directory">
      <xs:annotation>
        <xs:documentation>The 'get windows temporary files directory' value specifies the defined action of getting the Windows Temporary Files Directory on a System.</xs:documentation>
        <xs:documentation>Windows-specific.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:GUIActionNameVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The GUIActionNameVocab is the default MAEC vocabulary for GUI action names, captured via the ActionType/Name element in CybOX Core.
For GUI action names, it should be used in place of the CybOX ActionNameVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#GUIActionNameVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#GUIActionNameVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default GUI Action Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#GUIActionNameVocab-1.0 optional
Source
<xs:complexType name="GUIActionNameVocab-1.0">
  <xs:annotation>
    <xs:documentation>The GUIActionNameVocab is the default MAEC vocabulary for GUI action names, captured via the ActionType/Name element in CybOX Core.</xs:documentation>
    <xs:documentation>For GUI action names, it should be used in place of the CybOX ActionNameVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:GUIActionNameEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default GUI Action Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#GUIActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:GUIActionNameEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The GUIActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with graphical user interfaces (GUIs).
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration create window
The 'create window' value specifies the defined action of creating a new window.
enumeration kill window
The 'kill window' value specifies the defined action of killing an existing window.
enumeration create dialog box
The 'create dialog box' value specifies the defined action of creating a new dialog box.
enumeration enumerate windows
The 'enumerate windows' value specifies the defined action of enumerating all open windows.
enumeration find window
The 'find window' value specifies the defined action of search for a particular window.
enumeration hide window
The 'hide window' value specifies the defined action of hiding an existing window.
enumeration show window
The 'show window' value specifies the defined action of showing an existing window.
Source
<xs:simpleType name="GUIActionNameEnum-1.0">
  <xs:annotation>
    <xs:documentation>The GUIActionNameEnum is a (non-exhaustive) enumeration of the different actions associated with graphical user interfaces (GUIs).</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="create window">
      <xs:annotation>
        <xs:documentation>The 'create window' value specifies the defined action of creating a new window.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="kill window">
      <xs:annotation>
        <xs:documentation>The 'kill window' value specifies the defined action of killing an existing window.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="create dialog box">
      <xs:annotation>
        <xs:documentation>The 'create dialog box' value specifies the defined action of creating a new dialog box.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="enumerate windows">
      <xs:annotation>
        <xs:documentation>The 'enumerate windows' value specifies the defined action of enumerating all open windows.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="find window">
      <xs:annotation>
        <xs:documentation>The 'find window' value specifies the defined action of search for a particular window.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide window">
      <xs:annotation>
        <xs:documentation>The 'hide window' value specifies the defined action of hiding an existing window.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="show window">
      <xs:annotation>
        <xs:documentation>The 'show window' value specifies the defined action of showing an existing window.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:GroupingRelationshipTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The GroupingRelationshipTypeVocab is the default MAEC vocabulary for the grouping relatonships in a Package, captured via the GroupingRelationshipType/Type element in the MAEC Package.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#GroupingRelationshipTypeVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#GroupingRelationshipTypeVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Grouping Relationship Types optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#GroupingRelationshipTypeVocab-1.0 optional
Source
<xs:complexType name="GroupingRelationshipTypeVocab-1.0">
  <xs:annotation>
    <xs:documentation>The GroupingRelationshipTypeVocab is the default MAEC vocabulary for the grouping relatonships in a Package, captured via the GroupingRelationshipType/Type element in the MAEC Package.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:GroupingRelationshipEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Grouping Relationship Types" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#GroupingRelationshipTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:GroupingRelationshipEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The GroupingRelationshipEnum is a non-exhaustive enumeration of Malware Subject grouping relationships.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration same malware family
The 'same malware family' value indicates that the Malware Subjects in the Package are all part of the same malware family.
enumeration clustered together
The 'clustered together' value indicates that the Malware Subjects in the Package were clustered together by some algorithm or other capability.
enumeration observed together
The 'observed together' value indicates that the Malware Subjects in the Package were abstractly observed together, such as on a host system, in some archive, etc.
enumeration part of intrusion set
The 'part of intrusion' set value indicates that the Malware Subjects in the Package were found as part of the same malware intrusion set.
enumeration same malware toolkit
The 'same malware toolkit' value indicates that the Malware Subjects in the Package were all created using the same malware toolkit, independent of toolkit version.
Source
<xs:simpleType name="GroupingRelationshipEnum-1.0">
  <xs:annotation>
    <xs:documentation>The GroupingRelationshipEnum is a non-exhaustive enumeration of Malware Subject grouping relationships.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="same malware family">
      <xs:annotation>
        <xs:documentation>The 'same malware family' value indicates that the Malware Subjects in the Package are all part of the same malware family.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="clustered together">
      <xs:annotation>
        <xs:documentation>The 'clustered together' value indicates that the Malware Subjects in the Package were clustered together by some algorithm or other capability.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="observed together">
      <xs:annotation>
        <xs:documentation>The 'observed together' value indicates that the Malware Subjects in the Package were abstractly observed together, such as on a host system, in some archive, etc.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="part of intrusion set">
      <xs:annotation>
        <xs:documentation>The 'part of intrusion' set value indicates that the Malware Subjects in the Package were found as part of the same malware intrusion set.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="same malware toolkit">
      <xs:annotation>
        <xs:documentation>The 'same malware toolkit' value indicates that the Malware Subjects in the Package were all created using the same malware toolkit, independent of toolkit version.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MalwareConfigurationParameterVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareConfigurationParameterVocab is the default MAEC vocabulary for malware configuration parameter names, captured via the MalwareConfigurationParameterType/Name element in the MAEC Package.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MalwareConfigurationParameterVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#MalwareConfigurationParameterVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Malware Configuration Parameter Names optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareConfigurationParameterVocab-1.0 optional
Source
<xs:complexType name="MalwareConfigurationParameterVocab-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareConfigurationParameterVocab is the default MAEC vocabulary for malware configuration parameter names, captured via the MalwareConfigurationParameterType/Name element in the MAEC Package.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MalwareConfigurationParameterEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Malware Configuration Parameter Names" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareConfigurationParameterVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:MalwareConfigurationParameterEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareConfigurationParameterEnum is a non-exhaustive enumeration of malware configuration parameter names.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration magic number
The 'magic number' value refers to a configuration parameter that captures a file signature that may be used to identify or validate the content the malware instance.
enumeration id
The 'id' value refers to a configuration parameter that captures an identifier for the malware instance.
enumeration group id
The 'group id' value refers to a configuration parameter that captures an identifier for a collection of malware instances.
enumeration mutex
The 'mutex' value refers to a configuration parameter that captures a unique mutex value associated the malware instance.
enumeration filename
The 'filename' value refers to a configuration parameter that captures the name of a malicious binary such as one that is downloaded or embedded within the malware instance.
enumeration installation path
The 'installation path' value refers to a configuration parameter that captures a location on disk to which the malware instance is installed, copied, or moved.
Source
<xs:simpleType name="MalwareConfigurationParameterEnum-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareConfigurationParameterEnum is a non-exhaustive enumeration of malware configuration parameter names.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="magic number">
      <xs:annotation>
        <xs:documentation>The 'magic number' value refers to a configuration parameter that captures a file signature that may be used to identify or validate the content the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="id">
      <xs:annotation>
        <xs:documentation>The 'id' value refers to a configuration parameter that captures an identifier for the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="group id">
      <xs:annotation>
        <xs:documentation>The 'group id' value refers to a configuration parameter that captures an identifier for a collection of malware instances.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="mutex">
      <xs:annotation>
        <xs:documentation>The 'mutex' value refers to a configuration parameter that captures a unique mutex value associated the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="filename">
      <xs:annotation>
        <xs:documentation>The 'filename' value refers to a configuration parameter that captures the name of a malicious binary such as one that is downloaded or embedded within the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="installation path">
      <xs:annotation>
        <xs:documentation>The 'installation path' value refers to a configuration parameter that captures a location on disk to which the malware instance is installed, copied, or moved.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareSubjectRelationshipTypeVocab is the default MAEC vocabulary for the Malware Subject relationships in a Package, captured via the MalwareSubjectRelationshipType/Type element in the MAEC Package.
Deprecated as of MAEC 4.1.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MalwareSubjectRelationshipTypeVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#MalwareSubjectRelationshipTypeVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Malware Subject Relationship Types optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareSubjectRelationshipTypeVocab-1.0 optional
Source
<xs:complexType name="MalwareSubjectRelationshipTypeVocab-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareSubjectRelationshipTypeVocab is the default MAEC vocabulary for the Malware Subject relationships in a Package, captured via the MalwareSubjectRelationshipType/Type element in the MAEC Package.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MalwareSubjectRelationshipEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Malware Subject Relationship Types" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareSubjectRelationshipTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:MalwareSubjectRelationshipEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareSubjectRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Subjects.
Deprecated as of MAEC 4.1.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration downloads
The 'downloads' value specifies that the Malware Subject downloads one or more other Malware Subject(s).
enumeration downloaded by
The 'downloaded by' value specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).
enumeration drops
The 'drops' value specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).
enumeration dropped by
The 'dropped by' value specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).
enumeration extracts
The 'extracts' value specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).
enumeration extracted from
The 'extracted from' value specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).
Source
<xs:simpleType name="MalwareSubjectRelationshipEnum-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareSubjectRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Subjects.</xs:documentation>
    <xs:documentation>Deprecated as of MAEC 4.1.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="downloads">
      <xs:annotation>
        <xs:documentation>The 'downloads' value specifies that the Malware Subject downloads one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="downloaded by">
      <xs:annotation>
        <xs:documentation>The 'downloaded by' value specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="drops">
      <xs:annotation>
        <xs:documentation>The 'drops' value specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="dropped by">
      <xs:annotation>
        <xs:documentation>The 'dropped by' value specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="extracts">
      <xs:annotation>
        <xs:documentation>The 'extracts' value specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="extracted from">
      <xs:annotation>
        <xs:documentation>The 'extracted from' value specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MalwareSubjectRelationshipTypeVocab-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareSubjectRelationshipTypeVocab is the default MAEC vocabulary for the Malware Subject relationships in a Package, captured via the MalwareSubjectRelationshipType/Type element in the MAEC Package.
Starting with MAEC 4.1, this vocabulary should be used in place of the deprecated MalwareSubjectRelationshipTypeVocab-1.0.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MalwareSubjectRelationshipTypeVocab-1.1_vocab_name maec_default_vocabularies_xsd.tmp#MalwareSubjectRelationshipTypeVocab-1.1_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Malware Subject Relationship Types optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareSubjectRelationshipTypeVocab-1.1 optional
Source
<xs:complexType name="MalwareSubjectRelationshipTypeVocab-1.1">
  <xs:annotation>
    <xs:documentation>The MalwareSubjectRelationshipTypeVocab is the default MAEC vocabulary for the Malware Subject relationships in a Package, captured via the MalwareSubjectRelationshipType/Type element in the MAEC Package.</xs:documentation>
    <xs:documentation>Starting with MAEC 4.1, this vocabulary should be used in place of the deprecated MalwareSubjectRelationshipTypeVocab-1.0.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MalwareSubjectRelationshipEnum-1.1"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Malware Subject Relationship Types" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareSubjectRelationshipTypeVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:MalwareSubjectRelationshipEnum-1.1
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareSubjectRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Subjects.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration downloads
The 'downloads' value specifies that the Malware Subject downloads one or more other Malware Subject(s).
enumeration downloaded by
The 'downloaded by' value specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).
enumeration drops
The 'drops' value specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).
enumeration dropped by
The 'dropped by' value specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).
enumeration extracts
The 'extracts' value specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).
enumeration extracted from
The 'extracted from' value specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).
enumeration direct descendant of
The 'direct descendant of' value specifies that the current Malware Subject is a direct descendant (i.e. in terms of development lineage) of one or more other Malware Subject(s).
enumeration direct ancestor of
The 'direct ancestor of' value specifies that the current Malware Subject is a direct ancestor (i.e. in terms of development lineage) of one or more other Malware Subject(s).
enumeration memory image of
The 'memory image of' value specifies that the current Malware Subject represents a memory image associated with one or more other Malware Subject(s).
enumeration contained in memory image
The 'contained in memory image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent memory images.
enumeration disk image of
The 'disk image of' value specifies that the current Malware Subject represents a disk image associated with one or more other Malware Subject(s).
enumeration contained in disk image
The 'contained in disk image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent disk images.
enumeration network traffic capture of
The 'network traffic capture of' value specifies that the current Malware Subject represents captured network traffic associated with one or more other Malware Subject(s).
enumeration contained in network traffic capture
The 'contained in network traffic capture' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent captures of network traffic.
enumeration packed version of
The 'packed version of' value specifies that the current Malware Subject represents a packed version (in terms of executable binary packing) of one or more other Malware Subject(s).
enumeration unpacked version of
The 'unpacked version of' value specifies that the current Malware Subject represents an unpacked version (in terms of executable binary packing) of one or more other Malware Subject(s).
enumeration installs
The 'installs' value specifies that the current Malware Subject installs one or more other Malware Subject(s).
enumeration installed by
The 'installed by' value specifies that the current Malware Subject is installed by one or more other Malware Subject(s).
enumeration 64-bit version of
The '64-bit version of' value specifies that the current Malware Subject is a 64-bit version of one or more other Malware Subject(s).
enumeration 32-bit version of
The '32-bit version of' value specifies that the current Malware Subject is a 32-bit version of one or more other Malware Subject(s).
enumeration encrypted version of
The 'encrypted version of' value specifies that the current Malware Subject is an encrypted version of one or more other Malware Subject(s).
enumeration decrypted version of
The 'decrypted version of' value specifies that the current Malware Subject is a decrypted version of one or more other Malware Subject(s).
Source
<xs:simpleType name="MalwareSubjectRelationshipEnum-1.1">
  <xs:annotation>
    <xs:documentation>The MalwareSubjectRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Subjects.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="downloads">
      <xs:annotation>
        <xs:documentation>The 'downloads' value specifies that the Malware Subject downloads one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="downloaded by">
      <xs:annotation>
        <xs:documentation>The 'downloaded by' value specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="drops">
      <xs:annotation>
        <xs:documentation>The 'drops' value specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="dropped by">
      <xs:annotation>
        <xs:documentation>The 'dropped by' value specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="extracts">
      <xs:annotation>
        <xs:documentation>The 'extracts' value specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="extracted from">
      <xs:annotation>
        <xs:documentation>The 'extracted from' value specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="direct descendant of">
      <xs:annotation>
        <xs:documentation>The 'direct descendant of' value specifies that the current Malware Subject is a direct descendant (i.e. in terms of development lineage) of one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="direct ancestor of">
      <xs:annotation>
        <xs:documentation>The 'direct ancestor of' value specifies that the current Malware Subject is a direct ancestor (i.e. in terms of development lineage) of one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="memory image of">
      <xs:annotation>
        <xs:documentation>The 'memory image of' value specifies that the current Malware Subject represents a memory image associated with one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="contained in memory image">
      <xs:annotation>
        <xs:documentation>The 'contained in memory image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent memory images.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disk image of">
      <xs:annotation>
        <xs:documentation>The 'disk image of' value specifies that the current Malware Subject represents a disk image associated with one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="contained in disk image">
      <xs:annotation>
        <xs:documentation>The 'contained in disk image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent disk images.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="network traffic capture of">
      <xs:annotation>
        <xs:documentation>The 'network traffic capture of' value specifies that the current Malware Subject represents captured network traffic associated with one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="contained in network traffic capture">
      <xs:annotation>
        <xs:documentation>The 'contained in network traffic capture' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent captures of network traffic.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="packed version of">
      <xs:annotation>
        <xs:documentation>The 'packed version of' value specifies that the current Malware Subject represents a packed version (in terms of executable binary packing) of one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="unpacked version of">
      <xs:annotation>
        <xs:documentation>The 'unpacked version of' value specifies that the current Malware Subject represents an unpacked version (in terms of executable binary packing) of one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="installs">
      <xs:annotation>
        <xs:documentation>The 'installs' value specifies that the current Malware Subject installs one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="installed by">
      <xs:annotation>
        <xs:documentation>The 'installed by' value specifies that the current Malware Subject is installed by one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="64-bit version of">
      <xs:annotation>
        <xs:documentation>The '64-bit version of' value specifies that the current Malware Subject is a 64-bit version of one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="32-bit version of">
      <xs:annotation>
        <xs:documentation>The '32-bit version of' value specifies that the current Malware Subject is a 32-bit version of one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="encrypted version of">
      <xs:annotation>
        <xs:documentation>The 'encrypted version of' value specifies that the current Malware Subject is an encrypted version of one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="decrypted version of">
      <xs:annotation>
        <xs:documentation>The 'decrypted version of' value specifies that the current Malware Subject is a decrypted version of one or more other Malware Subject(s).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MalwareDevelopmentToolVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareDevelopmentToolVocab is the default MAEC vocabulary for the Type field in the CybOX ToolInformationType, as used in the Development_Environment/Tools/Tool field in the Malware Subject.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MalwareDevelopmentToolVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#MalwareDevelopmentToolVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Malware Development Tool Types optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareDevelopmentToolVocab-1.0 optional
Source
<xs:complexType name="MalwareDevelopmentToolVocab-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareDevelopmentToolVocab is the default MAEC vocabulary for the Type field in the CybOX ToolInformationType, as used in the Development_Environment/Tools/Tool field in the Malware Subject.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MalwareDevelopmentToolEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Malware Development Tool Types" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareDevelopmentToolVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:MalwareDevelopmentToolEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The GroupingRelationshipEnum is a non-exhaustive enumeration tools used in the development of malware.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration builder
The 'builder' value specifies a malware builder tool (commonly used to mass-produce malware) that was used to generate the malware instance.
enumeration compiler
The 'compiler' value specifies a compiler tool that was used to compile the code composing the malware instance.
enumeration linker
The 'linker' value specifies a linker tool that was used to link the object files associated with the malware instance.
enumeration packer
The 'packer' value specifies a packer tool that was used to shrink the size of the executable binary associated with the malware instance. Packers are also sometimes referred to as 'compressors'.
enumeration crypter
The 'crypter' value specifies a crypter tool that was used to encrypt the executable binary associated with the malware instance.
enumeration protector
The 'protector' value specifies a protector tool that was used to obfuscate the executable binary associated with the malware instance to make it more difficult to reverse engineer.
Source
<xs:simpleType name="MalwareDevelopmentToolEnum-1.0">
  <xs:annotation>
    <xs:documentation>The GroupingRelationshipEnum is a non-exhaustive enumeration tools used in the development of malware.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="builder">
      <xs:annotation>
        <xs:documentation>The 'builder' value specifies a malware builder tool (commonly used to mass-produce malware) that was used to generate the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="compiler">
      <xs:annotation>
        <xs:documentation>The 'compiler' value specifies a compiler tool that was used to compile the code composing the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="linker">
      <xs:annotation>
        <xs:documentation>The 'linker' value specifies a linker tool that was used to link the object files associated with the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="packer">
      <xs:annotation>
        <xs:documentation>The 'packer' value specifies a packer tool that was used to shrink the size of the executable binary associated with the malware instance. Packers are also sometimes referred to as 'compressors'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="crypter">
      <xs:annotation>
        <xs:documentation>The 'crypter' value specifies a crypter tool that was used to encrypt the executable binary associated with the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="protector">
      <xs:annotation>
        <xs:documentation>The 'protector' value specifies a protector tool that was used to obfuscate the executable binary associated with the malware instance to make it more difficult to reverse engineer.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MalwareLabelVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareLabelVocab-1.0 is the default MAEC Vocabulary for common malware labels.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MalwareLabelVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#MalwareLabelVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Malware Labels optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareLabelVocab-1.0 optional
Source
<xs:complexType name="MalwareLabelVocab-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareLabelVocab-1.0 is the default MAEC Vocabulary for common malware labels.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MalwareLabelEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Malware Labels" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareLabelVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:MalwareLabelEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareLabelEnum-1.0 is a non-exhaustive enumeration of common malware labels.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration adware
The 'adware' value specifies any software that is funded by advertising. Some adware may install itself in such a manner as to become difficult to remove, hiding components and disabling removal techniques. Adware may also gather sensitive user information from a system.
enumeration appender
The 'appender' value specifies a file-infecting virus that places its code at the end of the files it infects, adjusting the file's entry point to cause its code to be executed before that of the original file.
enumeration backdoor
The 'backdoor' value specifies a piece of software which, once running on a system, opens a communication vector to the outside so that the computer can be accessed remotely by an attacker.
enumeration boot sector virus
The 'boot sector virus' value specifies a virus that infects the master boot record of a storage device.
enumeration bot
The 'bot' value specifies a program which resides on an infected system, communicating with and forming part of a botnet. The bot may be implanted by a worm or trojan, which opens a backdoor. The bot then monitors the backdoor for further instructions.
enumeration clicker
The 'clicker' value specifies a trojan that makes a system visit a specific web page, often very frequently and usually with the aim of increasing the traffic recorded by the site and thus increasing revenue from advertising. Clickers may also be used to carry out DDoS attacks.
enumeration companion virus
The 'companion virus' value specifies a virus that takes the place of a particular file on a system instead of injecting code into it.
enumeration cavity filler
The 'cavity filler' value specifies a type of file-infecting virus which seeks out unused space within the files it infects, inserting its code into these gaps to avoid changing the size of the file and thus not alerting integrity-checking software to its presence.
enumeration data diddler
The 'data diddler' value specifies a type of malware that makes small, random changes to data, such as data in a spreadsheet, to render the data contained in a document inaccurate and in some cases worthless.
enumeration downloader
The 'downloader' value specifies a small trojan file programmed to download and execute other files, usually more complex malware.
enumeration dropper file
The 'dropper file' value specifies a type of Trojan that deposits an enclosed payload onto a destination host computer by loading itself into memory, extracting the malicious payload, and then writing it to the file system.
enumeration file infector virus
The 'file infector virus' value specifies a virus that infects a system by inserting itself somewhere in existing files; this is the "classic" form of virus.
enumeration fork bomb
The 'fork bomb' value specifies a very simple form of malware, a type of rabbit which simply launches more copies of itself. Once a fork bomb is executed, it will attempt to run several identical processes, which will do the same, the number growing exponentially until the system resources are overwhelmed by the number of identical processes running, which may in some cases bring the system down and cause a denial of service.
enumeration greyware
The 'greyware' value specifies software that, while not definitely malicious, has a suspicious or potentially unwanted aspect.
enumeration implant
The 'implant' value specifies code inserted into an existing program using a code patcher or other tool.
enumeration infector
The 'infector' value specifies a function of malware that alters target files for the purpose of persisting and hiding the injected malware.
enumeration keylogger
The 'keylogger' value specifies a type of program implanted on a system to monitor the keys pressed and thus record any sensitive data, such as passwords, entered by the user.
enumeration kleptographic worm
The 'kleptographic worm' value specifies a worm that encrypts information assets on compromised systems so they can only be decrypted by the worm's author, also known as information-stealing worm.
enumeration macro virus
The 'macro virus' value specifies a virus that uses a macro language, for example in Microsoft Office documents.
enumeration malcode
The 'malcode' value is short for malicious code, also known as malware.
enumeration mass-mailer
The 'mass-mailer' value specifies a worm that uses email to propagate across the internet.
enumeration metamorphic virus
The 'metamorphic virus' value specifies a virus that changes its own code with each infection.
enumeration mid-infector
The 'mid-infector' value specifies a type of file-infecting virus which places its code in the middle of files it infects. It may move a section of the original code to the end of the file, or simply push the code aside to make space for its own code.
enumeration mobile code
The 'mobile code' value specifies 1. Code received from remote, possibly untrusted systems, but executed on a local system. 2. Software transferred between systems (e.g across a network) and executed on a local system without explicit installation or execution by the recipient.
enumeration multipartite virus
The 'multipartite virus' value specifies malware that infects boot records, boot sectors, and files.
enumeration password stealer
The 'password stealer' value specifies a type of trojan designed to steal passwords, personal data and details, or other sensitive information from the infected system.
enumeration polymorphic virus
The 'polymorphic virus' value specifies a type of virus that encrypts its code differently with each infection, or generation of infections.
enumeration premium dialer/smser
The 'premium dialer/smser' value specifies a piece of malware whose primary aim is to dial or send SMS messages to premium rate numbers..
enumeration prepender
The 'prepender' value specifies a file-infecting virus which inserts code at the beginning of the files it infects.
enumeration ransomware
The 'ransomware' value specifies a type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files.
enumeration rat
The 'rat' value specifies a remote access trojan or RAT, which is a trojan horse capable of controlling a machine through commands issue by a remote attacker.
enumeration rogue anti-malware
The 'rogue anti-malware' value specifies a fake security product that demands money to clean phony infections.
enumeration rootkit
The 'rootkit' value generally refers to a method of hiding files or processes from normal methods of monitoring, and is often used by malware to conceal its presence and activities. Originally, the term applied to UNIX-based operating systems - a root kit was a collection of tools to enable a user to obtain root (administrator-level) access to a system and conceal any changes they might make. Such tools often included trojanized versions of standard monitoring software which would hide the root kit operators' activities. More recently the term has generally been applied to malware using stealth techniques. Rootkits can operate at a number of levels, from the application level - simply replacing or adjusting the settings of system software to prevent the display of certain information - through hooking certain functions or inserting modules or drivers into the operating system kernel, to the deeper level of firmware or virtualization rook kits, which are activated before the operating system and thus even harder to detect while the system is running.
enumeration shellcode
The 'shellcode' value specifies 1. A small piece of code that activates a command-line interface to a system that can be used to disable security measures, open a backdoor, or download further malicious code. 2. A small piece of code that opens a system up for exploitation, sometimes by not necessarily involving a command-line shell.
enumeration spaghetti packer
A packer that obfuscates programs by emitting "spaghetti" code with a complex and tangled control structure.
enumeration spyware
The 'spyware' value specifies software that gathers information and passes it to a third-party without adequate permission from the owner of the data. It may also be used in a wider sense, to include software that makes changes to a system or any of its component software, or which makes use of system resources without the full understanding and consent of the system owner.
enumeration trojan horse
The 'trojan horse' value specifies a piece of malicious code disguised as something inert or benign.
enumeration variant
The 'variant' value refers to the fact that types of malware can be subdivided into a number of families, or groups sharing many similarities, generally based on the same blocks of code and sharing similar behaviours. Within a family, a variant signifies a single individual item that is uniquely different from other members of the same family.
enumeration virus
The 'virus' value specifies 1. A self-replicating malicious program that requires human interaction to replicate. 2. A self-replicating program that runs and spreads by modifying other programs or files.
enumeration wabbit
The 'wabbit' value specifies a form of self-replicating malware that makes copies of itself on the local system. Unlike worms, rabbits do not attempt to spread across networks.
enumeration web bug
The 'web bug' value specifies a piece of code, generally a small file such as a tiny, transparent GIF image, which is used to track data on those viewing the page or mail in which it is hidden.
enumeration wiper
The 'wiper' value specifies a piece of malware whose primary aim is to delete files or entire disks on a machine.
enumeration worm
The 'worm' value specifies 1. A self-replicating malicious program that replicates using a network and does not require human interaction. 2. A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
enumeration zip bomb
The 'zip bomb' value specifies a file compressed into some archive format and that expands to an enormous size when uncompressed, often by looping over the extraction code until the system's resources are exhausted.
Source
<xs:simpleType name="MalwareLabelEnum-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareLabelEnum-1.0 is a non-exhaustive enumeration of common malware labels.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="adware">
      <xs:annotation>
        <xs:documentation>The 'adware' value specifies any software that is funded by advertising. Some adware may install itself in such a manner as to become difficult to remove, hiding components and disabling removal techniques. Adware may also gather sensitive user information from a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="appender">
      <xs:annotation>
        <xs:documentation>The 'appender' value specifies a file-infecting virus that places its code at the end of the files it infects, adjusting the file's entry point to cause its code to be executed before that of the original file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="backdoor">
      <xs:annotation>
        <xs:documentation>The 'backdoor' value specifies a piece of software which, once running on a system, opens a communication vector to the outside so that the computer can be accessed remotely by an attacker.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="boot sector virus">
      <xs:annotation>
        <xs:documentation>The 'boot sector virus' value specifies a virus that infects the master boot record of a storage device.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="bot">
      <xs:annotation>
        <xs:documentation>The 'bot' value specifies a program which resides on an infected system, communicating with and forming part of a botnet. The bot may be implanted by a worm or trojan, which opens a backdoor. The bot then monitors the backdoor for further instructions.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="clicker">
      <xs:annotation>
        <xs:documentation>The 'clicker' value specifies a trojan that makes a system visit a specific web page, often very frequently and usually with the aim of increasing the traffic recorded by the site and thus increasing revenue from advertising. Clickers may also be used to carry out DDoS attacks.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="companion virus">
      <xs:annotation>
        <xs:documentation>The 'companion virus' value specifies a virus that takes the place of a particular file on a system instead of injecting code into it.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="cavity filler">
      <xs:annotation>
        <xs:documentation>The 'cavity filler' value specifies a type of file-infecting virus which seeks out unused space within the files it infects, inserting its code into these gaps to avoid changing the size of the file and thus not alerting integrity-checking software to its presence.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="data diddler">
      <xs:annotation>
        <xs:documentation>The 'data diddler' value specifies a type of malware that makes small, random changes to data, such as data in a spreadsheet, to render the data contained in a document inaccurate and in some cases worthless.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="downloader">
      <xs:annotation>
        <xs:documentation>The 'downloader' value specifies a small trojan file programmed to download and execute other files, usually more complex malware.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="dropper file">
      <xs:annotation>
        <xs:documentation>The 'dropper file' value specifies a type of Trojan that deposits an enclosed payload onto a destination host computer by loading itself into memory, extracting the malicious payload, and then writing it to the file system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="file infector virus">
      <xs:annotation>
        <xs:documentation>The 'file infector virus' value specifies a virus that infects a system by inserting itself somewhere in existing files; this is the "classic" form of virus.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="fork bomb">
      <xs:annotation>
        <xs:documentation>The 'fork bomb' value specifies a very simple form of malware, a type of rabbit which simply launches more copies of itself. Once a fork bomb is executed, it will attempt to run several identical processes, which will do the same, the number growing exponentially until the system resources are overwhelmed by the number of identical processes running, which may in some cases bring the system down and cause a denial of service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="greyware">
      <xs:annotation>
        <xs:documentation>The 'greyware' value specifies software that, while not definitely malicious, has a suspicious or potentially unwanted aspect.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="implant">
      <xs:annotation>
        <xs:documentation>The 'implant' value specifies code inserted into an existing program using a code patcher or other tool.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="infector">
      <xs:annotation>
        <xs:documentation>The 'infector' value specifies a function of malware that alters target files for the purpose of persisting and hiding the injected malware.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="keylogger">
      <xs:annotation>
        <xs:documentation>The 'keylogger' value specifies a type of program implanted on a system to monitor the keys pressed and thus record any sensitive data, such as passwords, entered by the user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="kleptographic worm">
      <xs:annotation>
        <xs:documentation>The 'kleptographic worm' value specifies a worm that encrypts information assets on compromised systems so they can only be decrypted by the worm's author, also known as information-stealing worm.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="macro virus">
      <xs:annotation>
        <xs:documentation>The 'macro virus' value specifies a virus that uses a macro language, for example in Microsoft Office documents.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="malcode">
      <xs:annotation>
        <xs:documentation>The 'malcode' value is short for malicious code, also known as malware.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="mass-mailer">
      <xs:annotation>
        <xs:documentation>The 'mass-mailer' value specifies a worm that uses email to propagate across the internet.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="metamorphic virus">
      <xs:annotation>
        <xs:documentation>The 'metamorphic virus' value specifies a virus that changes its own code with each infection.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="mid-infector">
      <xs:annotation>
        <xs:documentation>The 'mid-infector' value specifies a type of file-infecting virus which places its code in the middle of files it infects. It may move a section of the original code to the end of the file, or simply push the code aside to make space for its own code.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="mobile code">
      <xs:annotation>
        <xs:documentation>The 'mobile code' value specifies 1. Code received from remote, possibly untrusted systems, but executed on a local system. 2. Software transferred between systems (e.g across a network) and executed on a local system without explicit installation or execution by the recipient.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="multipartite virus">
      <xs:annotation>
        <xs:documentation>The 'multipartite virus' value specifies malware that infects boot records, boot sectors, and files.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="password stealer">
      <xs:annotation>
        <xs:documentation>The 'password stealer' value specifies a type of trojan designed to steal passwords, personal data and details, or other sensitive information from the infected system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="polymorphic virus">
      <xs:annotation>
        <xs:documentation>The 'polymorphic virus' value specifies a type of virus that encrypts its code differently with each infection, or generation of infections.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="premium dialer/smser">
      <xs:annotation>
        <xs:documentation>The 'premium dialer/smser' value specifies a piece of malware whose primary aim is to dial or send SMS messages to premium rate numbers..</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prepender">
      <xs:annotation>
        <xs:documentation>The 'prepender' value specifies a file-infecting virus which inserts code at the beginning of the files it infects.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="ransomware">
      <xs:annotation>
        <xs:documentation>The 'ransomware' value specifies a type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="rat">
      <xs:annotation>
        <xs:documentation>The 'rat' value specifies a remote access trojan or RAT, which is a trojan horse capable of controlling a machine through commands issue by a remote attacker.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="rogue anti-malware">
      <xs:annotation>
        <xs:documentation>The 'rogue anti-malware' value specifies a fake security product that demands money to clean phony infections.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="rootkit">
      <xs:annotation>
        <xs:documentation>The 'rootkit' value generally refers to a method of hiding files or processes from normal methods of monitoring, and is often used by malware to conceal its presence and activities. Originally, the term applied to UNIX-based operating systems - a root kit was a collection of tools to enable a user to obtain root (administrator-level) access to a system and conceal any changes they might make. Such tools often included trojanized versions of standard monitoring software which would hide the root kit operators' activities. More recently the term has generally been applied to malware using stealth techniques. Rootkits can operate at a number of levels, from the application level - simply replacing or adjusting the settings of system software to prevent the display of certain information - through hooking certain functions or inserting modules or drivers into the operating system kernel, to the deeper level of firmware or virtualization rook kits, which are activated before the operating system and thus even harder to detect while the system is running.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="shellcode">
      <xs:annotation>
        <xs:documentation>The 'shellcode' value specifies 1. A small piece of code that activates a command-line interface to a system that can be used to disable security measures, open a backdoor, or download further malicious code. 2. A small piece of code that opens a system up for exploitation, sometimes by not necessarily involving a command-line shell.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="spaghetti packer">
      <xs:annotation>
        <xs:documentation>A packer that obfuscates programs by emitting "spaghetti" code with a complex and tangled control structure.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="spyware">
      <xs:annotation>
        <xs:documentation>The 'spyware' value specifies software that gathers information and passes it to a third-party without adequate permission from the owner of the data. It may also be used in a wider sense, to include software that makes changes to a system or any of its component software, or which makes use of system resources without the full understanding and consent of the system owner.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="trojan horse">
      <xs:annotation>
        <xs:documentation>The 'trojan horse' value specifies a piece of malicious code disguised as something inert or benign.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="variant">
      <xs:annotation>
        <xs:documentation>The 'variant' value refers to the fact that types of malware can be subdivided into a number of families, or groups sharing many similarities, generally based on the same blocks of code and sharing similar behaviours. Within a family, a variant signifies a single individual item that is uniquely different from other members of the same family.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="virus">
      <xs:annotation>
        <xs:documentation>The 'virus' value specifies 1. A self-replicating malicious program that requires human interaction to replicate. 2. A self-replicating program that runs and spreads by modifying other programs or files.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="wabbit">
      <xs:annotation>
        <xs:documentation>The 'wabbit' value specifies a form of self-replicating malware that makes copies of itself on the local system. Unlike worms, rabbits do not attempt to spread across networks.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="web bug">
      <xs:annotation>
        <xs:documentation>The 'web bug' value specifies a piece of code, generally a small file such as a tiny, transparent GIF image, which is used to track data on those viewing the page or mail in which it is hidden.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="wiper">
      <xs:annotation>
        <xs:documentation>The 'wiper' value specifies a piece of malware whose primary aim is to delete files or entire disks on a machine.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="worm">
      <xs:annotation>
        <xs:documentation>The 'worm' value specifies 1. A self-replicating malicious program that replicates using a network and does not require human interaction. 2. A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="zip bomb">
      <xs:annotation>
        <xs:documentation>The 'zip bomb' value specifies a file compressed into some archive format and that expands to an enormous size when uncompressed, often by looping over the extraction code until the system's resources are exhausted.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:CapabilityObjectiveRelationshipTypeVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CapabilityObjectiveRelationshipTypeVocab is the default MAEC vocabulary for relationships between Malware Capability Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#CapabilityObjectiveRelationshipTypeVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#CapabilityObjectiveRelationshipTypeVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Malware Capability Objective Relationship Types optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CapabilityObjectiveRelationshipTypeVocab-1.0 optional
Source
<xs:complexType name="CapabilityObjectiveRelationshipTypeVocab-1.0">
  <xs:annotation>
    <xs:documentation>The CapabilityObjectiveRelationshipTypeVocab is the default MAEC vocabulary for relationships between Malware Capability Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:CapabilityObjectiveRelationshipEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Malware Capability Objective Relationship Types" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CapabilityObjectiveRelationshipTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:CapabilityObjectiveRelationshipEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CapabilityObjectiveRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Capability Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration child of
The 'child of' value indicates that the Objective is a child of the Objective being referenced.
enumeration parent of
The 'parent of' value indicates that the Objective is a parent of the Objective being referenced.
enumeration incorporates
The 'incorporates' value indicates that the Objective incorporates the Objective being referenced in a supporting or enabling role.
enumeration incorporated by
The 'incorporated by' value indicates that the Objective is incorporated in a supporting or enabling role by the Objective being referenced.
Source
<xs:simpleType name="CapabilityObjectiveRelationshipEnum-1.0">
  <xs:annotation>
    <xs:documentation>The CapabilityObjectiveRelationshipEnum is a non-exhaustive enumeration of relationships between Malware Capability Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="child of">
      <xs:annotation>
        <xs:documentation>The 'child of' value indicates that the Objective is a child of the Objective being referenced.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="parent of">
      <xs:annotation>
        <xs:documentation>The 'parent of' value indicates that the Objective is a parent of the Objective being referenced.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="incorporates">
      <xs:annotation>
        <xs:documentation>The 'incorporates' value indicates that the Objective incorporates the Objective being referenced in a supporting or enabling role.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="incorporated by">
      <xs:annotation>
        <xs:documentation>The 'incorporated by' value indicates that the Objective is incorporated in a supporting or enabling role by the Objective being referenced.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AntiBehavioralAnalysisPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisPropertiesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AntiBehavioralAnalysisPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AntiBehavioralAnalysisPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Anti-Behavioral Analysis Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiBehavioralAnalysisPropertiesVocab-1.0 optional
Source
<xs:complexType name="AntiBehavioralAnalysisPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AntiBehavioralAnalysisPropertiesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AntiBehavioralAnalysisPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Anti-Behavioral Analysis Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiBehavioralAnalysisPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AntiBehavioralAnalysisPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration targeted vm
The 'targeted vm' value refers to the name of a virtual machine (VM) targeted by the Anti-Behavioral Analysis Capability or one of its child Objectives.
enumeration targeted sandbox
The 'targeted sandbox' value refers to the name of a sandbox targeted by the Anti-Behavioral Analysis Capability or one of its child Objectives.
Source
<xs:simpleType name="AntiBehavioralAnalysisPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AntiBehavioralAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="targeted vm">
      <xs:annotation>
        <xs:documentation>The 'targeted vm' value refers to the name of a virtual machine (VM) targeted by the Anti-Behavioral Analysis Capability or one of its child Objectives.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="targeted sandbox">
      <xs:annotation>
        <xs:documentation>The 'targeted sandbox' value refers to the name of a sandbox targeted by the Anti-Behavioral Analysis Capability or one of its child Objectives.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:InfectionPropagationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationPropertiesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#InfectionPropagationPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#InfectionPropagationPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Infection/Propagation Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#InfectionPropagationPropertiesVocab-1.0 optional
Source
<xs:complexType name="InfectionPropagationPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The InfectionPropagationPropertiesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:InfectionPropagationPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Infection/Propagation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#InfectionPropagationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:InfectionPropagationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationPropertiesEnum-1.0 is an enumeration of Infection/Propagation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration scope
The 'scope' value refers to the scope of the infection or propagation performed by the malware instance via the Infection/Propagation Capability, i.e. whether it infects just the local machine or actively propagates to other machines as well.
enumeration infection targeting
The 'targeting' value refers to the type of targeting employed by the Infect Remote Machine Strategic Objective, i.e. whether the targeted machines are randomly selected, or chosen from some particular set.
enumeration autonomy
The 'autonomy' value refers to the type of autonomy emplyed by the Infect Remote Machine Strategic Objective, i.e. whether the remote infection is performed autonomously.
enumeration targeted file type
The 'targeted file type' value refers to the types of files targeted by the Infect File Strategic Objective.
enumeration targeted file architecture type
The 'targeted file architecture' value refers to type of file architecture targeted by the Infect File Strategic Objective.
enumeration file infection type
The 'file infection type' value refers to the type of file infection employed by the Infect File Strategic Objective.
Source
<xs:simpleType name="InfectionPropagationPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The InfectionPropagationPropertiesEnum-1.0 is an enumeration of Infection/Propagation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="scope">
      <xs:annotation>
        <xs:documentation>The 'scope' value refers to the scope of the infection or propagation performed by the malware instance via the Infection/Propagation Capability, i.e. whether it infects just the local machine or actively propagates to other machines as well.</xs:documentation>
        <xs:documentation>Recommended values are: 'local', or 'remote'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="infection targeting">
      <xs:annotation>
        <xs:documentation>The 'targeting' value refers to the type of targeting employed by the Infect Remote Machine Strategic Objective, i.e. whether the targeted machines are randomly selected, or chosen from some particular set.</xs:documentation>
        <xs:documentation>Recommended values are: 'targeted', 'semi-targeted', or 'untargeted'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="autonomy">
      <xs:annotation>
        <xs:documentation>The 'autonomy' value refers to the type of autonomy emplyed by the Infect Remote Machine Strategic Objective, i.e. whether the remote infection is performed autonomously.</xs:documentation>
        <xs:documentation>Recommended values are: 'semi-autonomous', 'autonomous'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="targeted file type">
      <xs:annotation>
        <xs:documentation>The 'targeted file type' value refers to the types of files targeted by the Infect File Strategic Objective.</xs:documentation>
        <xs:documentation>It is recommended that files be specified via their extension, e.g. "exe", "pdf", etc.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="targeted file architecture type">
      <xs:annotation>
        <xs:documentation>The 'targeted file architecture' value refers to type of file architecture targeted by the Infect File Strategic Objective.</xs:documentation>
        <xs:documentation>>Recommended values are: '32 bit', or '64 bit'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="file infection type">
      <xs:annotation>
        <xs:documentation>The 'file infection type' value refers to the type of file infection employed by the Infect File Strategic Objective.</xs:documentation>
        <xs:documentation>Recommended values are: 'appending', 'prepending', 'overwriting', 'companion', 'variable key', 'polymorphic', or 'metamorphic'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DataTheftPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftPropertiesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DataTheftPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DataTheftPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Data Theft Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataTheftPropertiesVocab-1.0 optional
Source
<xs:complexType name="DataTheftPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DataTheftPropertiesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DataTheftPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Data Theft Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataTheftPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DataTheftPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftPropertiesEnum-1.0 is an enumeration of Data Theft Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration targeted application
The 'targeted application' value refers to the name of an application targeted by the Steal Authentication Credentials Strategic Objective.
enumeration targeted website
The 'targeted website' value refers to the domain name of a website targeted by the Steal Web/Network Credential Tactical Objective.
Source
<xs:simpleType name="DataTheftPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DataTheftPropertiesEnum-1.0 is an enumeration of Data Theft Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="targeted application">
      <xs:annotation>
        <xs:documentation>The 'targeted application' value refers to the name of an application targeted by the Steal Authentication Credentials Strategic Objective.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="targeted website">
      <xs:annotation>
        <xs:documentation>The 'targeted website' value refers to the domain name of a website targeted by the Steal Web/Network Credential Tactical Objective.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:CommandandControlPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlPropertiesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#CommandandControlPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#CommandandControlPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Command and Control Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommandandControlPropertiesVocab-1.0 optional
Source
<xs:complexType name="CommandandControlPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The CommandandControlPropertiesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:CommandandControlPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Command and Control Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommandandControlPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:CommandandControlPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlPropertiesEnum-1.0 is an enumeration of Command and Control Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration frequency
The 'frequency' value refers to a description of the frequency that the Receive Data from C2 Server and Send Data to C2 Server Strategic Objectives, as well as their child Tactical Objectives, are employed.
Source
<xs:simpleType name="CommandandControlPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The CommandandControlPropertiesEnum-1.0 is an enumeration of Command and Control Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="frequency">
      <xs:annotation>
        <xs:documentation>The 'frequency' value refers to a description of the frequency that the Receive Data from C2 Server and Send Data to C2 Server Strategic Objectives, as well as their child Tactical Objectives, are employed.</xs:documentation>
        <xs:documentation>It is recommended that the description follow the format of "every x [units]", e.g. "every 5 minutes".</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:PrivilegeEscalationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationPropertiesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#PrivilegeEscalationPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#PrivilegeEscalationPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Privilege Escalation Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PrivilegeEscalationPropertiesVocab-1.0 optional
Source
<xs:complexType name="PrivilegeEscalationPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The PrivilegeEscalationPropertiesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:PrivilegeEscalationPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Privilege Escalation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PrivilegeEscalationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:PrivilegeEscalationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationPropertiesEnum-1.0 is an enumeration of Privilege Escalation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration user privilege escalation type
The 'user privilege escalation type' value refers to the type of user privilege escalation employed by the Escalate User Privilege Strategic Objective.
Source
<xs:simpleType name="PrivilegeEscalationPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The PrivilegeEscalationPropertiesEnum-1.0 is an enumeration of Privilege Escalation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="user privilege escalation type">
      <xs:annotation>
        <xs:documentation>The 'user privilege escalation type' value refers to the type of user privilege escalation employed by the Escalate User Privilege Strategic Objective.</xs:documentation>
        <xs:documentation>Recommended values are: 'horizontal', or 'vertical'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:PersistencePropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationPropertiesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#PersistencePropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#PersistencePropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Persistence Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PersistencePropertiesVocab-1.0 optional
Source
<xs:complexType name="PersistencePropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The PrivilegeEscalationPropertiesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:PersistencePropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Persistence Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PersistencePropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:PersistencePropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistencePropertiesEnum-1.0 is an enumeration of Persistence Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration scope
The 'scope' value refers to the scope of persistence employed by the Persistence Capability, i.e. whether the malware instance make itself persist, or whether it makes other malware components persist.
Source
<xs:simpleType name="PersistencePropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The PersistencePropertiesEnum-1.0 is an enumeration of Persistence Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="scope">
      <xs:annotation>
        <xs:documentation>The 'scope' value refers to the scope of persistence employed by the Persistence Capability, i.e. whether the malware instance make itself persist, or whether it makes other malware components persist.</xs:documentation>
        <xs:documentation>Recommended values are: 'self', or 'other malware/components'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DestructionPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionPropertiesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DestructionPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DestructionPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Destruction Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DestructionPropertiesVocab-1.0 optional
Source
<xs:complexType name="DestructionPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DestructionPropertiesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DestructionPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Destruction Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DestructionPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DestructionPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionPropertiesEnum-1.0 is an enumeration of Destruction Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration erasure scope
The 'erasure scope' value refers to the scope of the erasure performed by the Erase Data Tactical Objective.
Source
<xs:simpleType name="DestructionPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DestructionPropertiesEnum-1.0 is an enumeration of Destruction Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="erasure scope">
      <xs:annotation>
        <xs:documentation>The 'erasure scope' value refers to the scope of the erasure performed by the Erase Data Tactical Objective.</xs:documentation>
        <xs:documentation>Recommended values are: 'whole disk', or 'targeted files'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SecurityDegradationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationPropertiesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SecurityDegradationPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SecurityDegradationPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Security Degradation Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecurityDegradationPropertiesVocab-1.0 optional
Source
<xs:complexType name="SecurityDegradationPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SecurityDegradationPropertiesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SecurityDegradationPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Security Degradation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecurityDegradationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SecurityDegradationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationPropertiesEnum-1.0 is an enumeration of Security Degradation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration targeted program
The 'targeted program' value refers to the name of a program targeted by the Degrade Security Programs Strategic Objective or one of its child Tactical Objectives.
Source
<xs:simpleType name="SecurityDegradationPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SecurityDegradationPropertiesEnum-1.0 is an enumeration of Security Degradation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="targeted program">
      <xs:annotation>
        <xs:documentation>The 'targeted program' value refers to the name of a program targeted by the Degrade Security Programs Strategic Objective or one of its child Tactical Objectives.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SecondaryOperationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationPropertiesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SecondaryOperationPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SecondaryOperationPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Secondary Operation Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecondaryOperationPropertiesVocab-1.0 optional
Source
<xs:complexType name="SecondaryOperationPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SecondaryOperationPropertiesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SecondaryOperationPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Secondary Operation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecondaryOperationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SecondaryOperationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationPropertiesEnum-1.0 is an enumeration of Secondary Operation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration trigger type
The 'trigger type' value refers to a description of the trigger used to wake or terminate the malware instance in the Lie Dormant or Suicide Exit Strategic Objectives, respectively.
Source
<xs:simpleType name="SecondaryOperationPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SecondaryOperationPropertiesEnum-1.0 is an enumeration of Secondary Operation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="trigger type">
      <xs:annotation>
        <xs:documentation>The 'trigger type' value refers to a description of the trigger used to wake or terminate the malware instance in the Lie Dormant or Suicide Exit Strategic Objectives, respectively.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MachineAccessControlPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlPropertiesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MachineAccessControlPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#MachineAccessControlPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Machine Access/Control Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MachineAccessControlPropertiesVocab-1.0 optional
Source
<xs:complexType name="MachineAccessControlPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The MachineAccessControlPropertiesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MachineAccessControlPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Machine Access/Control Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MachineAccessControlPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:MachineAccessControlPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlPropertiesEnum-1.0 is an enumeration of Machine Access/Control Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration backdoor type
The 'backdoor type' value refers to the type of backdoor, e.g. reverse shell, employed by the Install Backdoor Strategic Objective.
Source
<xs:simpleType name="MachineAccessControlPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The MachineAccessControlPropertiesEnum-1.0 is an enumeration of Machine Access/Control Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="backdoor type">
      <xs:annotation>
        <xs:documentation>The 'backdoor type' value refers to the type of backdoor, e.g. reverse shell, employed by the Install Backdoor Strategic Objective.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DataExfiltrationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationPropertiesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DataExfiltrationPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DataExfiltrationPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Data Exfiltration Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataExfiltrationPropertiesVocab-1.0 optional
Source
<xs:complexType name="DataExfiltrationPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DataExfiltrationPropertiesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DataExfiltrationPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Data Exfiltration Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataExfiltrationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DataExfiltrationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationPropertiesEnum-1.0 is an enumeration of Data Exfiltration Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration archive type
The 'archive type' value refers to the name of the file archive format used in the Stage Data for Exfiltration Strategic Objective and/or its Package Data Tactical Objective.
enumeration file type
The 'file type' value refers to the name of the file format used for storing data to be exfiltrated as part of the Data Exfiltration Capability or its child Objectives.
Source
<xs:simpleType name="DataExfiltrationPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DataExfiltrationPropertiesEnum-1.0 is an enumeration of Data Exfiltration Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="archive type">
      <xs:annotation>
        <xs:documentation>The 'archive type' value refers to the name of the file archive format used in the Stage Data for Exfiltration Strategic Objective and/or its Package Data Tactical Objective.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="file type">
      <xs:annotation>
        <xs:documentation>The 'file type' value refers to the name of the file format used for storing data to be exfiltrated as part of the Data Exfiltration Capability or its child Objectives.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AvailabilityViolationPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationPropertiesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AvailabilityViolationPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AvailabilityViolationPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Availability Violation Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AvailabilityViolationPropertiesVocab-1.0 optional
Source
<xs:complexType name="AvailabilityViolationPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AvailabilityViolationPropertiesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AvailabilityViolationPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Availability Violation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AvailabilityViolationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AvailabilityViolationPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationPropertiesEnum-1.0 is an enumeration of Availability Violation Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration cryptocurrency type
The 'cryptocurrency type' value refers to the type of cryptocurrency targeted by the Mine for CryptoCurrency Strategic Objective.
Source
<xs:simpleType name="AvailabilityViolationPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AvailabilityViolationPropertiesEnum-1.0 is an enumeration of Availability Violation Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="cryptocurrency type">
      <xs:annotation>
        <xs:documentation>The 'cryptocurrency type' value refers to the type of cryptocurrency targeted by the Mine for CryptoCurrency Strategic Objective.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:CommonCapabilityPropertiesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommonCapabilityPropertiesVocab-1.0 is the a MAEC Vocabulary of properties common to many Capabilities and their child Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#CommonCapabilityPropertiesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#CommonCapabilityPropertiesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Common Capability and Objective Properties optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommonCapabilityPropertiesVocab-1.0 optional
Source
<xs:complexType name="CommonCapabilityPropertiesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The CommonCapabilityPropertiesVocab-1.0 is the a MAEC Vocabulary of properties common to many Capabilities and their child Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:CommonCapabilityPropertiesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Common Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommonCapabilityPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:CommonCapabilityPropertiesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommonCapabilityPropertiesEnum-1.0 is an enumeration of properties common to many Capability/Strategic Objective/Tactical Objective Properties.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration encryption algorithm
The 'encryption algorithm' value refers to the name of the encryption algorithm used in the Capability or Objective.
enumeration protocol used
The 'protocol used' value refers to the name of the network protocol used in the Capability or Objective.
Source
<xs:simpleType name="CommonCapabilityPropertiesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The CommonCapabilityPropertiesEnum-1.0 is an enumeration of properties common to many Capability/Strategic Objective/Tactical Objective Properties.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="encryption algorithm">
      <xs:annotation>
        <xs:documentation>The 'encryption algorithm' value refers to the name of the encryption algorithm used in the Capability or Objective.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="protocol used">
      <xs:annotation>
        <xs:documentation>The 'protocol used' value refers to the name of the network protocol used in the Capability or Objective.</xs:documentation>
        <xs:documentation>It is recommended that protocols be specified by their acronym or abbreviated name, e.g. "IRC", "HTTP".</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MalwareCapabilityVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MalwareCapabilyVocab-1.0 is the default MAEC Vocabulary for Malware Capabilities.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MalwareCapabilityVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#MalwareCapabilityVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Malware Capabilities optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareCapabilityVocab-1.0 optional
Source
<xs:complexType name="MalwareCapabilityVocab-1.0">
  <xs:annotation>
    <xs:documentation>The MalwareCapabilyVocab-1.0 is the default MAEC Vocabulary for Malware Capabilities.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MalwareCapabilityEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Malware Capabilities" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareCapabilityVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Complex Type maecVocabs:CommandandControlStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#CommandandControlStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#CommandandControlStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Command and Control Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommandandControlStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="CommandandControlStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The CommandandControlStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:CommandandControlStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Command and Control Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommandandControlStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:CommandandControlStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlStrategicObjectivesEnum-1.0 is an enumeration of Command and Control Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration determine c2 server
The 'determine c2 server' value indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate.
enumeration receive data from c2 server
The 'control behavior' value indicates that the malware instance is able to control its behavior through some external stimulus (e.g., a remotely submitted command).
enumeration send data to c2 server
The 'send data to c2 server' value indicates that the malware instance is able to send some data to a command and control server.
Source
<xs:simpleType name="CommandandControlStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The CommandandControlStrategicObjectivesEnum-1.0 is an enumeration of Command and Control Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="determine c2 server">
      <xs:annotation>
        <xs:documentation>The 'determine c2 server' value indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="receive data from c2 server">
      <xs:annotation>
        <xs:documentation>The 'control behavior' value indicates that the malware instance is able to control its behavior through some external stimulus (e.g., a remotely submitted command).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send data to c2 server">
      <xs:annotation>
        <xs:documentation>The 'send data to c2 server' value indicates that the malware instance is able to send some data to a command and control server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:CommandandControlTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#CommandandControlTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#CommandandControlTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Command and Control Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommandandControlTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="CommandandControlTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The CommandandControlTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Command and Control Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:CommandandControlTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Command and Control Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommandandControlTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:CommandandControlTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The CommandandControlTacticalObjectivesEnum-1.0 is an enumeration of Command and Control Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration check for payload
The 'check for payload' value indicates that the mawlare instance is able to query a command and control server to check whether a new malicious payload is available for download.
enumeration validate data
The 'validate data' value indicates that the malware instance is able to validate the integrity of the data it receives from a command and control server.
enumeration control malware via remote command
The 'control malware via remote command' value indicates that the malware instance is able to execute commands issued to it from a remote source such as a command and control server, for the purpose of controlling its behavior.
enumeration send system information
The 'send system information' value indicates that the malware instance is able to send data regarding the system on which it is executing to a command and control server.
enumeration send heartbeat data
The 'send heartbeat data' value indicates that the malware instance is able to send heartbeat data to a command and control server, indicating that it is still active on the host system and able to communicate.
enumeration generate c2 domain name(s)
The 'generate c2 domain name(s)' value indicates that the malware instance is able to generate the domain name of the command and control server to which it connects to.
enumeration update configuration
The 'update configuration' value indicates that the malware instance is able to update its configuration using data received from a command and control server.
Source
<xs:simpleType name="CommandandControlTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The CommandandControlTacticalObjectivesEnum-1.0 is an enumeration of Command and Control Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="check for payload">
      <xs:annotation>
        <xs:documentation>The 'check for payload' value indicates that the mawlare instance is able to query a command and control server to check whether a new malicious payload is available for download.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="validate data">
      <xs:annotation>
        <xs:documentation>The 'validate data' value indicates that the malware instance is able to validate the integrity of the data it receives from a command and control server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="control malware via remote command">
      <xs:annotation>
        <xs:documentation>The 'control malware via remote command' value indicates that the malware instance is able to execute commands issued to it from a remote source such as a command and control server, for the purpose of controlling its behavior.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send system information">
      <xs:annotation>
        <xs:documentation>The 'send system information' value indicates that the malware instance is able to send data regarding the system on which it is executing to a command and control server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="send heartbeat data">
      <xs:annotation>
        <xs:documentation>The 'send heartbeat data' value indicates that the malware instance is able to send heartbeat data to a command and control server, indicating that it is still active on the host system and able to communicate.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="generate c2 domain name(s)">
      <xs:annotation>
        <xs:documentation>The 'generate c2 domain name(s)' value indicates that the malware instance is able to generate the domain name of the command and control server to which it connects to.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="update configuration">
      <xs:annotation>
        <xs:documentation>The 'update configuration' value indicates that the malware instance is able to update its configuration using data received from a command and control server.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:RemoteMachineManipulationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RemoteMachineManipulationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Remote Machine Manipulation Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#RemoteMachineManipulationStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#RemoteMachineManipulationStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Remote Machine Manipulation Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#RemoteMachineManipulationStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="RemoteMachineManipulationStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The RemoteMachineManipulationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Remote Machine Manipulation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:RemoteMachineManipulationStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Remote Machine Manipulation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#RemoteMachineManipulationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:RemoteMachineManipulationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RemoteMachineManipulationStrategicObjectivesEnum-1.0 is an enumeration of Remote Machine Manipulation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration access remote machine
The 'access remote machine' value indicates that the malware instance is able to access a remote machine.
enumeration search for remote machines
The 'search' for remote machines' value indicates that the malware instance is able to search for remote machines to target.
Source
<xs:simpleType name="RemoteMachineManipulationStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The RemoteMachineManipulationStrategicObjectivesEnum-1.0 is an enumeration of Remote Machine Manipulation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="access remote machine">
      <xs:annotation>
        <xs:documentation>The 'access remote machine' value indicates that the malware instance is able to access a remote machine.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="search for remote machines">
      <xs:annotation>
        <xs:documentation>The 'search' for remote machines' value indicates that the malware instance is able to search for remote machines to target.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:RemoteMachineManipulationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RemoteMachineManipulationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Remote Machine Manipulation Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#RemoteMachineManipulationTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#RemoteMachineManipulationTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Remote Machine Manipulation Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#RemoteMachineManipulationTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="RemoteMachineManipulationTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The RemoteMachineManipulationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Remote Machine Manipulation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:RemoteMachineManipulationTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Remote Machine Manipulation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#RemoteMachineManipulationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:RemoteMachineManipulationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The RemoteMachineManipulationTacticalObjectivesEnum-1.0 is an enumeration of Remote Machine Manipulation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration compromise remote machine
The 'compromise remote machine' value indicates that the malware instance is able to gain control of a remote machine through compromise.
Source
<xs:simpleType name="RemoteMachineManipulationTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The RemoteMachineManipulationTacticalObjectivesEnum-1.0 is an enumeration of Remote Machine Manipulation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="compromise remote machine">
      <xs:annotation>
        <xs:documentation>The 'compromise remote machine' value indicates that the malware instance is able to gain control of a remote machine through compromise.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:PrivilegeEscalationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#PrivilegeEscalationStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#PrivilegeEscalationStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Privilege Escalation Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PrivilegeEscalationStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="PrivilegeEscalationStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The PrivilegeEscalationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:PrivilegeEscalationStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Privilege Escalation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PrivilegeEscalationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:PrivilegeEscalationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationStrategicObjectivesEnum-1.0 is an enumeration of Privilege Escalation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration impersonate user
The 'impersonate user' value indicates that the malware instance is able to impersonate another user to operate within a different security context (also known as horizontal privilege escalation).
enumeration escalate user privilege
The 'escalate user privilege' indicates that the malware instance is able to obtain a higher level of access than intended by the system (also known as vertical privilege escalation).
Source
<xs:simpleType name="PrivilegeEscalationStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The PrivilegeEscalationStrategicObjectivesEnum-1.0 is an enumeration of Privilege Escalation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="impersonate user">
      <xs:annotation>
        <xs:documentation>The 'impersonate user' value indicates that the malware instance is able to impersonate another user to operate within a different security context (also known as horizontal privilege escalation).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="escalate user privilege">
      <xs:annotation>
        <xs:documentation>The 'escalate user privilege' indicates that the malware instance is able to obtain a higher level of access than intended by the system (also known as vertical privilege escalation).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:PrivilegeEscalationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#PrivilegeEscalationTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#PrivilegeEscalationTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Privilege Escalation Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PrivilegeEscalationTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="PrivilegeEscalationTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The PrivilegeEscalationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Privilege Escalation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:PrivilegeEscalationTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Privilege Escalation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PrivilegeEscalationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:PrivilegeEscalationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PrivilegeEscalationTacticalObjectivesEnum-1.0 is an enumeration of Privilege Escalation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration elevate cpu mode
The 'elevate cpu mode' value indicates that the malware instance is able to elevate the CPU (processor) mode under which it executes.
Source
<xs:simpleType name="PrivilegeEscalationTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The PrivilegeEscalationTacticalObjectivesEnum-1.0 is an enumeration of Privilege Escalation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="elevate cpu mode">
      <xs:annotation>
        <xs:documentation>The 'elevate cpu mode' value indicates that the malware instance is able to elevate the CPU (processor) mode under which it executes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DataTheftStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DataTheftStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DataTheftStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Data Theft Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataTheftStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="DataTheftStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DataTheftStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DataTheftStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Data Theft Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataTheftStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DataTheftStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftStrategicObjectivesEnum-1.0 is an enumeration of Data Theft Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration steal stored information
The 'steal stored information' value indicates that the malware instance is able to steal information stored on a system (e.g., files).
enumeration steal user data
The 'steal user data' value indicates that the malware instance is able to steal user data (e.g., email).
enumeration steal system information
The 'steal system information' value indicates that the malware instance is able to steal information about a system (e.g., network address data).
enumeration steal authentication credentials
The 'steal authentication credentials' value indicates that the malware instance is able to steal authentication credentials.
Source
<xs:simpleType name="DataTheftStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DataTheftStrategicObjectivesEnum-1.0 is an enumeration of Data Theft Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="steal stored information">
      <xs:annotation>
        <xs:documentation>The 'steal stored information' value indicates that the malware instance is able to steal information stored on a system (e.g., files).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal user data">
      <xs:annotation>
        <xs:documentation>The 'steal user data' value indicates that the malware instance is able to steal user data (e.g., email).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal system information">
      <xs:annotation>
        <xs:documentation>The 'steal system information' value indicates that the malware instance is able to steal information about a system (e.g., network address data).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal authentication credentials">
      <xs:annotation>
        <xs:documentation>The 'steal authentication credentials' value indicates that the malware instance is able to steal authentication credentials.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DataTheftTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DataTheftTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DataTheftTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Data Theft Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataTheftTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="DataTheftTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DataTheftTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Theft Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DataTheftTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Data Theft Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataTheftTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DataTheftTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataTheftTacticalObjectivesEnum-1.0 is an enumeration of Data Theft Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration steal dialed phone numbers
The 'steal dialed phone numbers' value indicates that the malware instance is able to steal the list of phone numbers that a user has dialed.
enumeration steal email data
The 'steal email data' value indicates that the malware instance is able to steal a user's email data.
enumeration steal referrer urls
The 'steal referer urls' value indicates that the malware instance is able to steal HTTP referrer information (URL of the webpage that linked to the resource being requested).
enumeration steal cryptocurrency data
The 'steal cryptocurrency data' value indicates that the malware instance is able to steal cryptocurrency data (e.g., Bitcoin wallets).
enumeration steal pki software certificate
The 'steal pki software certificate' value indicates that the malware instance is able to steal one or more public key infrastructure (PKI) software certficates.
enumeration steal browser cache
The 'steal browser cache' value indicates that the malware instance is able to steal a user's browser cache.
enumeration steal serial numbers
The 'steal serial numbers' values indicates that the malware instance is able to steal serial numbers stored on a system.
enumeration steal sms database
The 'steal sms database' value indicates that the malware instance is able to steal a user's short message service (SMS) (text messaging) database.
enumeration steal cookie
The 'steal cookie' value indicates that the malware instance is able to steal cookies.
enumeration steal password hash
The 'steal password hashes' value indicates that the malware instance is able to steal password hashes.
enumeration steal make/model
The 'steal make/model' value indicates that the malware instance is able to steal the information on the make and/or model of a system.
enumeration steal documents
The 'steal documents' value indicates that the malware instance is able to steal document files stored on a system.
enumeration steal network address
The 'steal network address' value indicates that the malware instance is able to steal information about the network addresses used by a system.
enumeration steal open port
The 'steal open port' value indicates that the malware instance is able to steal information about the open ports on a system.
enumeration steal images
The 'steal images' value indicates that the malware instance is able to steal image files stored on a system.
enumeration steal browser history
The 'steal browser history' value indicates that the malware instance is able to steal a user's browser history.
enumeration steal web/network credential
The 'steal web/network credential' value indicates that the malware instance is able to steal usernames, passwords, or other forms of network credentials.
enumeration steal pki key
The 'steal pki key' value indicates that the malware instance is able to steal one or more public key infrastructure (PKI) keys.
enumeration steal contact list data
The 'steal contact list data' value indicates that the malware instance is able to steal a user's contact list.
enumeration steal database content
The 'steal database content' value indicates that the malware instance is able to steal database content.
Source
<xs:simpleType name="DataTheftTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DataTheftTacticalObjectivesEnum-1.0 is an enumeration of Data Theft Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="steal dialed phone numbers">
      <xs:annotation>
        <xs:documentation>The 'steal dialed phone numbers' value indicates that the malware instance is able to steal the list of phone numbers that a user has dialed.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal email data">
      <xs:annotation>
        <xs:documentation>The 'steal email data' value indicates that the malware instance is able to steal a user's email data.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal referrer urls">
      <xs:annotation>
        <xs:documentation>The 'steal referer urls' value indicates that the malware instance is able to steal HTTP referrer information (URL of the webpage that linked to the resource being requested).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal cryptocurrency data">
      <xs:annotation>
        <xs:documentation>The 'steal cryptocurrency data' value indicates that the malware instance is able to steal cryptocurrency data (e.g., Bitcoin wallets).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal pki software certificate">
      <xs:annotation>
        <xs:documentation>The 'steal pki software certificate' value indicates that the malware instance is able to steal one or more public key infrastructure (PKI) software certficates.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal browser cache">
      <xs:annotation>
        <xs:documentation>The 'steal browser cache' value indicates that the malware instance is able to steal a user's browser cache.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal serial numbers">
      <xs:annotation>
        <xs:documentation>The 'steal serial numbers' values indicates that the malware instance is able to steal serial numbers stored on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal sms database">
      <xs:annotation>
        <xs:documentation>The 'steal sms database' value indicates that the malware instance is able to steal a user's short message service (SMS) (text messaging) database.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal cookie">
      <xs:annotation>
        <xs:documentation>The 'steal cookie' value indicates that the malware instance is able to steal cookies.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal password hash">
      <xs:annotation>
        <xs:documentation>The 'steal password hashes' value indicates that the malware instance is able to steal password hashes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal make/model">
      <xs:annotation>
        <xs:documentation>The 'steal make/model' value indicates that the malware instance is able to steal the information on the make and/or model of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal documents">
      <xs:annotation>
        <xs:documentation>The 'steal documents' value indicates that the malware instance is able to steal document files stored on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal network address">
      <xs:annotation>
        <xs:documentation>The 'steal network address' value indicates that the malware instance is able to steal information about the network addresses used by a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal open port">
      <xs:annotation>
        <xs:documentation>The 'steal open port' value indicates that the malware instance is able to steal information about the open ports on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal images">
      <xs:annotation>
        <xs:documentation>The 'steal images' value indicates that the malware instance is able to steal image files stored on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal browser history">
      <xs:annotation>
        <xs:documentation>The 'steal browser history' value indicates that the malware instance is able to steal a user's browser history.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal web/network credential">
      <xs:annotation>
        <xs:documentation>The 'steal web/network credential' value indicates that the malware instance is able to steal usernames, passwords, or other forms of network credentials.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal pki key">
      <xs:annotation>
        <xs:documentation>The 'steal pki key' value indicates that the malware instance is able to steal one or more public key infrastructure (PKI) keys.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal contact list data">
      <xs:annotation>
        <xs:documentation>The 'steal contact list data' value indicates that the malware instance is able to steal a user's contact list.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="steal database content">
      <xs:annotation>
        <xs:documentation>The 'steal database content' value indicates that the malware instance is able to steal database content.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SpyingStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SpyingStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Spying Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SpyingStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SpyingStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Spying Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SpyingStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="SpyingStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SpyingStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Spying Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SpyingStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Spying Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SpyingStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SpyingStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SpyingStrategicObjectivesEnum-1.0 is an enumeration of Spying Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration capture system input peripheral data
The 'capture system input peripheral data' value indicates that the malware instance is able to capture data from a system's input peripheral devices.
enumeration capture system state data
The 'capture system state data' value indicates that the malware instance is able to capture information about a system's state (e.g., from its RAM).
enumeration capture system interface data
The 'capture system interface data' value indicates that the malware instance is able to capture data from a system's interfaces.
enumeration capture system output peripheral data
The 'capture system output peripheral data' value indicates that the malware instance is able to capture data sent to a system's output peripheral devices.
Source
<xs:simpleType name="SpyingStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SpyingStrategicObjectivesEnum-1.0 is an enumeration of Spying Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="capture system input peripheral data">
      <xs:annotation>
        <xs:documentation>The 'capture system input peripheral data' value indicates that the malware instance is able to capture data from a system's input peripheral devices.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture system state data">
      <xs:annotation>
        <xs:documentation>The 'capture system state data' value indicates that the malware instance is able to capture information about a system's state (e.g., from its RAM).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture system interface data">
      <xs:annotation>
        <xs:documentation>The 'capture system interface data' value indicates that the malware instance is able to capture data from a system's interfaces.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture system output peripheral data">
      <xs:annotation>
        <xs:documentation>The 'capture system output peripheral data' value indicates that the malware instance is able to capture data sent to a system's output peripheral devices.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SpyingTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SpyingTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Spying Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SpyingTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SpyingTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Spying Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SpyingTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="SpyingTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SpyingTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Spying Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SpyingTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Spying Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SpyingTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SpyingTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SpyingTacticalObjectivesEnum-1.0 is an enumeration of Spying Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration capture system screenshot
The 'capture system screenshot' value indicates that the malware instance is able to capture images of what is currently being displayed on a system's screen, either locally or remotely via a remote desktop protocol.
enumeration capture camera input
The 'capture camera input' value indicates that the malware instance is able to capture data from a system's camera.
enumeration capture file system
The 'capture file system' value indicates that the malware instance is able to capture data from a system's file system.
enumeration capture printer output
The 'capture printer output' value indicates that the malware instance is able to capture data sent to a system's printer.
enumeration capture gps data
The 'capture gps data' value indicates that the malware instance is able to capture system GPS data.
enumeration capture keyboard input
The 'capture keyboard input' value indicates that the malware instance is able to capture data from a system's keyboard.
enumeration capture mouse input
The 'capture mouse input' value indicates that the malware instance is able to capture data from a system's mouse.
enumeration capture microphone input
The 'capture microphone input' value indicates that the malware instance is able to capture data from a system's microphone.
enumeration capture system network traffic
The 'capture system network traffic' value indicates that the malware instance is able to capture system network traffic.
enumeration capture touchscreen input
The 'capture touchscreen input' value indicates that the malware instance is able to capture data from a system's touchscreen.
enumeration capture system memory
The 'capture system memory' value indicates that the malware instance is able to capture data from a system's RAM.
Source
<xs:simpleType name="SpyingTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SpyingTacticalObjectivesEnum-1.0 is an enumeration of Spying Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="capture system screenshot">
      <xs:annotation>
        <xs:documentation>The 'capture system screenshot' value indicates that the malware instance is able to capture images of what is currently being displayed on a system's screen, either locally or remotely via a remote desktop protocol.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture camera input">
      <xs:annotation>
        <xs:documentation>The 'capture camera input' value indicates that the malware instance is able to capture data from a system's camera.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture file system">
      <xs:annotation>
        <xs:documentation>The 'capture file system' value indicates that the malware instance is able to capture data from a system's file system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture printer output">
      <xs:annotation>
        <xs:documentation>The 'capture printer output' value indicates that the malware instance is able to capture data sent to a system's printer.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture gps data">
      <xs:annotation>
        <xs:documentation>The 'capture gps data' value indicates that the malware instance is able to capture system GPS data.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture keyboard input">
      <xs:annotation>
        <xs:documentation>The 'capture keyboard input' value indicates that the malware instance is able to capture data from a system's keyboard.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture mouse input">
      <xs:annotation>
        <xs:documentation>The 'capture mouse input' value indicates that the malware instance is able to capture data from a system's mouse.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture microphone input">
      <xs:annotation>
        <xs:documentation>The 'capture microphone input' value indicates that the malware instance is able to capture data from a system's microphone.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture system network traffic">
      <xs:annotation>
        <xs:documentation>The 'capture system network traffic' value indicates that the malware instance is able to capture system network traffic.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture touchscreen input">
      <xs:annotation>
        <xs:documentation>The 'capture touchscreen input' value indicates that the malware instance is able to capture data from a system's touchscreen.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="capture system memory">
      <xs:annotation>
        <xs:documentation>The 'capture system memory' value indicates that the malware instance is able to capture data from a system's RAM.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SecondaryOperationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SecondaryOperationStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SecondaryOperationStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Secondary Operation Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecondaryOperationStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="SecondaryOperationStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SecondaryOperationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SecondaryOperationStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Secondary Operation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecondaryOperationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SecondaryOperationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationStrategicObjectivesEnum-1.0 is an enumeration of Secondary Operation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration patch operating system file(s)
The 'patch operating system file(s)' value indicates that the malware instance is able to patch or modify the critical system files of the operating system under which it executes.
enumeration remove traces of infection
The 'remove traces of infection' value indicates that the malware instance is able to remove traces of its infection of a system.
enumeration log activity
The 'log activity' value indicates that the malware instance is able to log its own activity.
enumeration lay dormant
The 'lay dormant' value indicates that the malware instance is able to lay dormant on a system for some period of time.
enumeration install other components
The 'install other components' value indicates that the malware instance is able to install additional components.  This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools.
enumeration suicide exit
The 'suicide exit' value indicates that the malware instance is able to terminate itself based on some condition or value.
Source
<xs:simpleType name="SecondaryOperationStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SecondaryOperationStrategicObjectivesEnum-1.0 is an enumeration of Secondary Operation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="patch operating system file(s)">
      <xs:annotation>
        <xs:documentation>The 'patch operating system file(s)' value indicates that the malware instance is able to patch or modify the critical system files of the operating system under which it executes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="remove traces of infection">
      <xs:annotation>
        <xs:documentation>The 'remove traces of infection' value indicates that the malware instance is able to remove traces of its infection of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="log activity">
      <xs:annotation>
        <xs:documentation>The 'log activity' value indicates that the malware instance is able to log its own activity.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="lay dormant">
      <xs:annotation>
        <xs:documentation>The 'lay dormant' value indicates that the malware instance is able to lay dormant on a system for some period of time.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="install other components">
      <xs:annotation>
        <xs:documentation>The 'install other components' value indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="suicide exit">
      <xs:annotation>
        <xs:documentation>The 'suicide exit' value indicates that the malware instance is able to terminate itself based on some condition or value.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SecondaryOperationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SecondaryOperationTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SecondaryOperationTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Secondary Operation Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecondaryOperationTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="SecondaryOperationTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SecondaryOperationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Secondary Operation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SecondaryOperationTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Secondary Operation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecondaryOperationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SecondaryOperationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecondaryOperationTacticalObjectivesEnum-1.0 is an enumeration of Secondary Operation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration install secondary module
The 'install secondary module' value indicates that the malware instance is able to install a secondary module (typically related to itself).
enumeration install secondary malware
The 'install secondary malware' value indicates that the malware instance is able to install another malware instance.
enumeration install legitimate software
The 'install legitimate software' value indicates that the malware instance is able to install legitimate software.
enumeration remove self
The 'remove self' value indicates that the malware instance is able to remove itself from the system.
enumeration remove system artifacts
The 'remove system artifacts' value indicates that the malware instance is able to remove its artifacts from a system.
Source
<xs:simpleType name="SecondaryOperationTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SecondaryOperationTacticalObjectivesEnum-1.0 is an enumeration of Secondary Operation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="install secondary module">
      <xs:annotation>
        <xs:documentation>The 'install secondary module' value indicates that the malware instance is able to install a secondary module (typically related to itself).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="install secondary malware">
      <xs:annotation>
        <xs:documentation>The 'install secondary malware' value indicates that the malware instance is able to install another malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="install legitimate software">
      <xs:annotation>
        <xs:documentation>The 'install legitimate software' value indicates that the malware instance is able to install legitimate software.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="remove self">
      <xs:annotation>
        <xs:documentation>The 'remove self' value indicates that the malware instance is able to remove itself from the system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="remove system artifacts">
      <xs:annotation>
        <xs:documentation>The 'remove system artifacts' value indicates that the malware instance is able to remove its artifacts from a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AntiDetectionStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiDetectionStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Detection Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AntiDetectionStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AntiDetectionStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Anti-Detection Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiDetectionStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="AntiDetectionStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AntiDetectionStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Detection Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AntiDetectionStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Anti-Detection Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiDetectionStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AntiDetectionStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiDetectionStrategicObjectivesEnum-1.0 is an enumeration of Anti-Detection Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration security software evasion
The 'security software evasion' value indicates that the malware instance is able to evade security software (e.g., anti-virus tools).
enumeration hide executing code
The 'hide executing code' value indicates that the malware instance is able to hide its executing code.
enumeration self-modification
The 'self-modification' value indicates that the malware instance is able to modify itself.
enumeration anti-memory forensics
The 'anti-memory forensics' value indicates that the malware instance is able to prevent or make memory forensics more difficult.
enumeration hide non-executing code
The 'hide non-executing code' value indicates that the malware instance is able to hide its non-executing code.
enumeration hide malware artifacts
The 'hide malware artifacts' value indicates that the malware instance is able to hide its artifacts.
Source
<xs:simpleType name="AntiDetectionStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AntiDetectionStrategicObjectivesEnum-1.0 is an enumeration of Anti-Detection Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="security software evasion">
      <xs:annotation>
        <xs:documentation>The 'security software evasion' value indicates that the malware instance is able to evade security software (e.g., anti-virus tools).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide executing code">
      <xs:annotation>
        <xs:documentation>The 'hide executing code' value indicates that the malware instance is able to hide its executing code.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="self-modification">
      <xs:annotation>
        <xs:documentation>The 'self-modification' value indicates that the malware instance is able to modify itself.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="anti-memory forensics">
      <xs:annotation>
        <xs:documentation>The 'anti-memory forensics' value indicates that the malware instance is able to prevent or make memory forensics more difficult.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide non-executing code">
      <xs:annotation>
        <xs:documentation>The 'hide non-executing code' value indicates that the malware instance is able to hide its non-executing code.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide malware artifacts">
      <xs:annotation>
        <xs:documentation>The 'hide malware artifacts' value indicates that the malware instance is able to hide its artifacts.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AntiDetectionTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiDetectionTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Detection Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AntiDetectionTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AntiDetectionTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Anti-Detection Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiDetectionTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="AntiDetectionTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AntiDetectionTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Detection Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AntiDetectionTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Anti-Detection Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiDetectionTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AntiDetectionTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiDetectionTacticalObjectivesEnum-1.0 is an enumeration of Anti-Detection Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration hide open network ports
The 'hide open network ports' value indicates that the malware instance is able to hide its open network ports.
enumeration execute before/external to kernel/hypervisor
The 'execute before/external to kernel/hypervisor' value indicates that the malware instance is able to execute some or all of its code before or external to the system's kernel or hypervisor (e.g., through the BIOS).
enumeration encrypt self
The 'encrypt self' value indicates that the malware is able to encrypt itself.
enumeration hide processes
The 'hide processes' value indicates that the malware instance is able to hide its processes.
enumeration hide network traffic
The 'hide network traffic' value indicates that the malware instance is able to hide its network traffic.
enumeration change/add content
The 'change/add content' value indicates that the malware instance is able to change or add to its content.
enumeration execute stealthy code
The 'execute stealthy code' value indicates that the malware instance is able to execute some or all of its code in a hidden manner (e.g., by injecting it into a benign process).
enumeration hide registry artifacts
The 'hide registry artifacts' value indicates that the malware instance is able to hide its Windows registry artifacts.
enumeration hide userspace libraries
The 'hide userspace libraries' value indicates that the malware instance is able to hide its usage of userspace libraries.
enumeration hide arbitrary virtual memory
The 'hide arbitrary virtual memory' value indicates that the malware instance is able to hide arbitrary virtual memory to prevent retrieval.
enumeration execute non-main cpu code
The 'execute non-main cpu code' value indicates that the malware instance is able to execute some or all of its code on a secondary, non CPU processor (e.g., a GPU).
enumeration feed misinformation during physical memory acquisition
The 'feed misinformation during physical memory acquisition' value indicates that the malware instance is able to report inaccurate data when the content of physical memory is retrieved.
enumeration prevent physical memory acquisition
The 'prevent physical memory acquisition' value indicates that the malware instance is able to prevent the contents of a system's physical memory from being retrieved.
enumeration prevent native api hooking
The 'prevent native api hooking' value indicates that the malware instance is able to prevent other software from hooking native APIs.
enumeration obfuscate artifact properties
The 'obfuscate artifact properties' value indicates that the malware instance is able to hide the properties of its artifacts (e.g., by altering timestamps).
enumeration hide kernel modules
The 'hide kernel modules' value indicates that the malware instance is able to hide its usage of kernel modules.
enumeration hide code in file
The 'hide code in file' value indicates that the malware instance is able to hide its code in a file.
enumeration hide services
The 'hide services' value indicates that the malware instance is able to hide any system services it creates or injects itself into.
enumeration hide file system artifacts
The 'hide file system artifacts' value indicates that the malware instance is able to hide its file system artifacts.
enumeration hide threads
The 'hide threads' value indicates that the malware instance is able to hide its threads.
Source
<xs:simpleType name="AntiDetectionTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AntiDetectionTacticalObjectivesEnum-1.0 is an enumeration of Anti-Detection Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="hide open network ports">
      <xs:annotation>
        <xs:documentation>The 'hide open network ports' value indicates that the malware instance is able to hide its open network ports.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="execute before/external to kernel/hypervisor">
      <xs:annotation>
        <xs:documentation>The 'execute before/external to kernel/hypervisor' value indicates that the malware instance is able to execute some or all of its code before or external to the system's kernel or hypervisor (e.g., through the BIOS).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="encrypt self">
      <xs:annotation>
        <xs:documentation>The 'encrypt self' value indicates that the malware is able to encrypt itself.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide processes">
      <xs:annotation>
        <xs:documentation>The 'hide processes' value indicates that the malware instance is able to hide its processes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide network traffic">
      <xs:annotation>
        <xs:documentation>The 'hide network traffic' value indicates that the malware instance is able to hide its network traffic.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="change/add content">
      <xs:annotation>
        <xs:documentation>The 'change/add content' value indicates that the malware instance is able to change or add to its content.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="execute stealthy code">
      <xs:annotation>
        <xs:documentation>The 'execute stealthy code' value indicates that the malware instance is able to execute some or all of its code in a hidden manner (e.g., by injecting it into a benign process).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide registry artifacts">
      <xs:annotation>
        <xs:documentation>The 'hide registry artifacts' value indicates that the malware instance is able to hide its Windows registry artifacts.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide userspace libraries">
      <xs:annotation>
        <xs:documentation>The 'hide userspace libraries' value indicates that the malware instance is able to hide its usage of userspace libraries.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide arbitrary virtual memory">
      <xs:annotation>
        <xs:documentation>The 'hide arbitrary virtual memory' value indicates that the malware instance is able to hide arbitrary virtual memory to prevent retrieval.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="execute non-main cpu code">
      <xs:annotation>
        <xs:documentation>The 'execute non-main cpu code' value indicates that the malware instance is able to execute some or all of its code on a secondary, non CPU processor (e.g., a GPU).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="feed misinformation during physical memory acquisition">
      <xs:annotation>
        <xs:documentation>The 'feed misinformation during physical memory acquisition' value indicates that the malware instance is able to report inaccurate data when the content of physical memory is retrieved.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent physical memory acquisition">
      <xs:annotation>
        <xs:documentation>The 'prevent physical memory acquisition' value indicates that the malware instance is able to prevent the contents of a system's physical memory from being retrieved.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent native api hooking">
      <xs:annotation>
        <xs:documentation>The 'prevent native api hooking' value indicates that the malware instance is able to prevent other software from hooking native APIs.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="obfuscate artifact properties">
      <xs:annotation>
        <xs:documentation>The 'obfuscate artifact properties' value indicates that the malware instance is able to hide the properties of its artifacts (e.g., by altering timestamps).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide kernel modules">
      <xs:annotation>
        <xs:documentation>The 'hide kernel modules' value indicates that the malware instance is able to hide its usage of kernel modules.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide code in file">
      <xs:annotation>
        <xs:documentation>The 'hide code in file' value indicates that the malware instance is able to hide its code in a file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide services">
      <xs:annotation>
        <xs:documentation>The 'hide services' value indicates that the malware instance is able to hide any system services it creates or injects itself into.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide file system artifacts">
      <xs:annotation>
        <xs:documentation>The 'hide file system artifacts' value indicates that the malware instance is able to hide its file system artifacts.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide threads">
      <xs:annotation>
        <xs:documentation>The 'hide threads' value indicates that the malware instance is able to hide its threads.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AntiCodeAnalysisStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiCodeAnalysisStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Code Analysis Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AntiCodeAnalysisStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AntiCodeAnalysisStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Anti-Code Analysis Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiCodeAnalysisStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="AntiCodeAnalysisStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AntiCodeAnalysisStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Code Analysis Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AntiCodeAnalysisStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Anti-Code Analysis Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiCodeAnalysisStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AntiCodeAnalysisStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiCodeAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Code Analysis Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration anti-debugging
The 'anti-debugging' value indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult.
enumeration code obfuscation
The 'code obfuscation' value indicates that the malware instance is able to obfuscate its code.
enumeration anti-disassembly
The 'anti-disassembly' value indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult.
Source
<xs:simpleType name="AntiCodeAnalysisStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AntiCodeAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Code Analysis Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="anti-debugging">
      <xs:annotation>
        <xs:documentation>The 'anti-debugging' value indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="code obfuscation">
      <xs:annotation>
        <xs:documentation>The 'code obfuscation' value indicates that the malware instance is able to obfuscate its code.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="anti-disassembly">
      <xs:annotation>
        <xs:documentation>The 'anti-disassembly' value indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AntiCodeAnalysisTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiCodeAnalysisTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Code Analysis Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AntiCodeAnalysisTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AntiCodeAnalysisTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Anti-Code Analysis Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiCodeAnalysisTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="AntiCodeAnalysisTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AntiCodeAnalysisTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Code Analysis Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AntiCodeAnalysisTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Anti-Code Analysis Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiCodeAnalysisTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AntiCodeAnalysisTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiCodeAnalysisTacticalObjectivesEnum-1.0 is an enumeration of Anti-Code Analysis Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration transform control flow
The 'transform control flow' value indicates that the malware instance is able to transform its control flow.
enumeration restructure arrays
The 'restructure arrays' value indicates that the malware instance is able to restructure its arrays, making disassembly more difficult.
enumeration detect debugging
The 'detect debugging' value indicates that the malware instance is able to detect its execution in a debugger.
enumeration prevent debugging
The 'prevent debugging' value indicates that the malware instance is able to prevent its execution in a debugger.
enumeration defeat flow-oriented (recursive traversal) disassembler
The 'defeat flow-oriented disassembler' value indicates that the malware instance is able to defeat its disassembly in a flow-oriented (recursive traversal) disassembler.
enumeration defeat linear disassembler
The 'defeat linear disassembler' value indicates that the malware instance is able to prevent its disassembly in a linear disassembler.
enumeration obfuscate instructions
The 'obfuscate instructions' value indicates that the malware instance obfuscates its instructions.
enumeration obfuscate imports
The 'obfuscate imports' value indicates that the malware instance is able to obfuscate its import table, making disassembly more difficult.
enumeration defeat call graph generation
The 'defeat call graph generation' value indicates that the malware instance is able to defeat accurate call graph generation during disassembly.
enumeration obfuscate runtime code
The 'obfuscate runtime code' value indicates that the malware instance is able to obfuscate its runtime code.
Source
<xs:simpleType name="AntiCodeAnalysisTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AntiCodeAnalysisTacticalObjectivesEnum-1.0 is an enumeration of Anti-Code Analysis Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="transform control flow">
      <xs:annotation>
        <xs:documentation>The 'transform control flow' value indicates that the malware instance is able to transform its control flow.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="restructure arrays">
      <xs:annotation>
        <xs:documentation>The 'restructure arrays' value indicates that the malware instance is able to restructure its arrays, making disassembly more difficult.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="detect debugging">
      <xs:annotation>
        <xs:documentation>The 'detect debugging' value indicates that the malware instance is able to detect its execution in a debugger.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent debugging">
      <xs:annotation>
        <xs:documentation>The 'prevent debugging' value indicates that the malware instance is able to prevent its execution in a debugger.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="defeat flow-oriented (recursive traversal) disassembler">
      <xs:annotation>
        <xs:documentation>The 'defeat flow-oriented disassembler' value indicates that the malware instance is able to defeat its disassembly in a flow-oriented (recursive traversal) disassembler.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="defeat linear disassembler">
      <xs:annotation>
        <xs:documentation>The 'defeat linear disassembler' value indicates that the malware instance is able to prevent its disassembly in a linear disassembler.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="obfuscate instructions">
      <xs:annotation>
        <xs:documentation>The 'obfuscate instructions' value indicates that the malware instance obfuscates its instructions.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="obfuscate imports">
      <xs:annotation>
        <xs:documentation>The 'obfuscate imports' value indicates that the malware instance is able to obfuscate its import table, making disassembly more difficult.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="defeat call graph generation">
      <xs:annotation>
        <xs:documentation>The 'defeat call graph generation' value indicates that the malware instance is able to defeat accurate call graph generation during disassembly.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="obfuscate runtime code">
      <xs:annotation>
        <xs:documentation>The 'obfuscate runtime code' value indicates that the malware instance is able to obfuscate its runtime code.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:InfectionPropagationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#InfectionPropagationStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#InfectionPropagationStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Infection/Propagation Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#InfectionPropagationStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="InfectionPropagationStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The InfectionPropagationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:InfectionPropagationStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Infection/Propagation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#InfectionPropagationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:InfectionPropagationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationStrategicObjectivesEnum-1.0 is an enumeration of Infection/Propagation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration prevent duplicate infection
The 'prevent duplicate infection' value indicates that the malware instance is able to prevent itself from infecting a machine multiple times.
enumeration infect file
The 'infect file' value denotes that the malware instance is able to infect a file.
enumeration infect remote machine
The 'infect remote machine' value indicates that the malware instance is able to self-propagate or infect a machine with malware that is different than itself.
Source
<xs:simpleType name="InfectionPropagationStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The InfectionPropagationStrategicObjectivesEnum-1.0 is an enumeration of Infection/Propagation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="prevent duplicate infection">
      <xs:annotation>
        <xs:documentation>The 'prevent duplicate infection' value indicates that the malware instance is able to prevent itself from infecting a machine multiple times.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="infect file">
      <xs:annotation>
        <xs:documentation>The 'infect file' value denotes that the malware instance is able to infect a file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="infect remote machine">
      <xs:annotation>
        <xs:documentation>The 'infect remote machine' value indicates that the malware instance is able to self-propagate or infect a machine with malware that is different than itself.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:InfectionPropagationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#InfectionPropagationTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#InfectionPropagationTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Infection/Propagation Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#InfectionPropagationTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="InfectionPropagationTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The InfectionPropagationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Infection/Propagation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:InfectionPropagationTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Infection/Propagation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#InfectionPropagationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:InfectionPropagationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The InfectionPropagationTacticalObjectivesEnum-1.0 is an enumeration of Infection/Propagation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration identify file
The 'identify file' value indicates that the malware instance is able to identify a file or files on a local, removable, and/or network drive for infection.
enumeration perform autonomous remote infection
The 'perform autonomous remote infection' value indicates that the malware instance is able to infect a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure call vulnerability).
enumeration identify target machine(s)
The 'identify target machine(s)' value indicates that the malware instance is able to identify one or more machines to be targeted for infection via some remote means (e.g., via email or the network).
enumeration perform social-engineering based remote infection
The 'perform social-engineering based remote infection' value indicates that the malware instance is able to infect remote machines via some method that involves social engineering (e.g., sending an email with a malicious attachment).
enumeration inventory victims
The 'inventory victims' value indicates that the malware instance is able to keep an inventory of the victims that it remotely infects.
enumeration write code into file
The 'write code into file' value indicates that the malware instance is able to write code into a file.
enumeration modify file
The 'modify file' value indicates that the malware instance is able to modify a file in some other manner than writing code to it, such as packing it (in terms of binary executable packing).
Source
<xs:simpleType name="InfectionPropagationTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The InfectionPropagationTacticalObjectivesEnum-1.0 is an enumeration of Infection/Propagation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="identify file">
      <xs:annotation>
        <xs:documentation>The 'identify file' value indicates that the malware instance is able to identify a file or files on a local, removable, and/or network drive for infection.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="perform autonomous remote infection">
      <xs:annotation>
        <xs:documentation>The 'perform autonomous remote infection' value indicates that the malware instance is able to infect a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure call vulnerability).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="identify target machine(s)">
      <xs:annotation>
        <xs:documentation>The 'identify target machine(s)' value indicates that the malware instance is able to identify one or more machines to be targeted for infection via some remote means (e.g., via email or the network).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="perform social-engineering based remote infection">
      <xs:annotation>
        <xs:documentation>The 'perform social-engineering based remote infection' value indicates that the malware instance is able to infect remote machines via some method that involves social engineering (e.g., sending an email with a malicious attachment).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="inventory victims">
      <xs:annotation>
        <xs:documentation>The 'inventory victims' value indicates that the malware instance is able to keep an inventory of the victims that it remotely infects.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="write code into file">
      <xs:annotation>
        <xs:documentation>The 'write code into file' value indicates that the malware instance is able to write code into a file.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="modify file">
      <xs:annotation>
        <xs:documentation>The 'modify file' value indicates that the malware instance is able to modify a file in some other manner than writing code to it, such as packing it (in terms of binary executable packing).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AntiBehavioralAnalysisStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AntiBehavioralAnalysisStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AntiBehavioralAnalysisStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Anti-Behavioral Analysis Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiBehavioralAnalysisStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="AntiBehavioralAnalysisStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AntiBehavioralAnalysisStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AntiBehavioralAnalysisStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Anti-Behavioral Analysis Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiBehavioralAnalysisStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AntiBehavioralAnalysisStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration anti-vm
The 'anti-vm' value indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult.
enumeration anti-sandbox
The 'anti-sandbox' value specifies that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult.
Source
<xs:simpleType name="AntiBehavioralAnalysisStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AntiBehavioralAnalysisStrategicObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="anti-vm">
      <xs:annotation>
        <xs:documentation>The 'anti-vm' value indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="anti-sandbox">
      <xs:annotation>
        <xs:documentation>The 'anti-sandbox' value specifies that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AntiBehavioralAnalysisTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AntiBehavioralAnalysisTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AntiBehavioralAnalysisTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Anti-Behavioral Analysis Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiBehavioralAnalysisTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="AntiBehavioralAnalysisTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AntiBehavioralAnalysisTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Behavioral Analysis Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AntiBehavioralAnalysisTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Anti-Behavioral Analysis Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiBehavioralAnalysisTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AntiBehavioralAnalysisTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiBehavioralAnalysisTacticalObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration detect vm environment
The 'detect vm environment' value indicates that the malware instance is able to detect whether it is being executed in a virtual machine (VM).
enumeration overload sandbox
The 'overload sandbox' value indicates that the malware instance is able to overload a sandbox (e.g., by generating a flood of meaningless behavioral data).
enumeration prevent execution in sandbox
The 'prevent execution in sandbox' value indicates that the malware instance is able to prevent its execution in a sandbox.
enumeration detect sandbox environment
The 'detect sandbox environment' value indicates that the malware instance is able to detect whether it is being executed in a sandbox environment.
enumeration prevent execution in vm
The 'prevent execution in wm' value indicates that the malware instance is able to prevent its execution in a virtual machine (VM).
Source
<xs:simpleType name="AntiBehavioralAnalysisTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AntiBehavioralAnalysisTacticalObjectivesEnum-1.0 is an enumeration of Anti-Behavioral Analysis Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="detect vm environment">
      <xs:annotation>
        <xs:documentation>The 'detect vm environment' value indicates that the malware instance is able to detect whether it is being executed in a virtual machine (VM).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="overload sandbox">
      <xs:annotation>
        <xs:documentation>The 'overload sandbox' value indicates that the malware instance is able to overload a sandbox (e.g., by generating a flood of meaningless behavioral data).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent execution in sandbox">
      <xs:annotation>
        <xs:documentation>The 'prevent execution in sandbox' value indicates that the malware instance is able to prevent its execution in a sandbox.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="detect sandbox environment">
      <xs:annotation>
        <xs:documentation>The 'detect sandbox environment' value indicates that the malware instance is able to detect whether it is being executed in a sandbox environment.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent execution in vm">
      <xs:annotation>
        <xs:documentation>The 'prevent execution in wm' value indicates that the malware instance is able to prevent its execution in a virtual machine (VM).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:IntegrityViolationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IntegrityViolationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Integrity Violation Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#IntegrityViolationStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#IntegrityViolationStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Integrity Violation Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IntegrityViolationStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="IntegrityViolationStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The IntegrityViolationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Integrity Violation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:IntegrityViolationStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Integrity Violation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IntegrityViolationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:IntegrityViolationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IntegrityViolationStrategicObjectivesEnum-1.0 is an enumeration of Integrity Violation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration compromise system operational integrity
The 'compromise system operational integrity' value indicates that the malware instance is able to compromise the operational integrity of a system.
enumeration compromise user data integrity
The 'compromise user data integrity' value indicates that the malware instance is able to compromise a system's user data.
enumeration annoy user
The 'annoy user' value indicates that the malware instance is able to annoy the users of a system.
enumeration compromise network operational integrity
The 'compromise network operational integrity' value indicates that the malware instance is able to compromise the operational integrity of a network.
enumeration compromise system data integrity
The 'compromise system data integrity' value indicates that the malware instance is able to compromise the integrity of a system's data.
Source
<xs:simpleType name="IntegrityViolationStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The IntegrityViolationStrategicObjectivesEnum-1.0 is an enumeration of Integrity Violation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="compromise system operational integrity">
      <xs:annotation>
        <xs:documentation>The 'compromise system operational integrity' value indicates that the malware instance is able to compromise the operational integrity of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="compromise user data integrity">
      <xs:annotation>
        <xs:documentation>The 'compromise user data integrity' value indicates that the malware instance is able to compromise a system's user data.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="annoy user">
      <xs:annotation>
        <xs:documentation>The 'annoy user' value indicates that the malware instance is able to annoy the users of a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="compromise network operational integrity">
      <xs:annotation>
        <xs:documentation>The 'compromise network operational integrity' value indicates that the malware instance is able to compromise the operational integrity of a network.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="compromise system data integrity">
      <xs:annotation>
        <xs:documentation>The 'compromise system data integrity' value indicates that the malware instance is able to compromise the integrity of a system's data.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:IntegrityViolationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IntegrityViolationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Integrity Violation Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#IntegrityViolationTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#IntegrityViolationTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Integrity Violation Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IntegrityViolationTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="IntegrityViolationTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The IntegrityViolationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Integrity Violation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:IntegrityViolationTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Integrity Violation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IntegrityViolationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:IntegrityViolationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The IntegrityViolationTacticalObjectivesEnum-1.0 is an enumeration of Integrity Violation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration subvert system
The 'subvert system' value indicates that the malware instance is able to subvert a system to perform beyond its operational boundaries or to perform tasks for which it was not originally intended.
enumeration corrupt system data
The 'corrupt system data' value indicates that the malware instance is able to corrupt a system's data.
enumeration annoy local system user
The 'annoy local system user' value indicates that the malware instance is able to annoy local system users.
enumeration intercept/manipulate network traffic
The 'intercept/manipulate network traffic' value indicates that the malware is able to intercept and/or manipulate traffic on a network.
enumeration annoy remote user
The 'annoy remote user' value indicates that the malware instance is able to annoy a remote user.
enumeration corrupt user data
The 'corrupt user data' value indicates that the malware instance is able to corrupt a system's user data.
Source
<xs:simpleType name="IntegrityViolationTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The IntegrityViolationTacticalObjectivesEnum-1.0 is an enumeration of Integrity Violation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="subvert system">
      <xs:annotation>
        <xs:documentation>The 'subvert system' value indicates that the malware instance is able to subvert a system to perform beyond its operational boundaries or to perform tasks for which it was not originally intended.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="corrupt system data">
      <xs:annotation>
        <xs:documentation>The 'corrupt system data' value indicates that the malware instance is able to corrupt a system's data.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="annoy local system user">
      <xs:annotation>
        <xs:documentation>The 'annoy local system user' value indicates that the malware instance is able to annoy local system users.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="intercept/manipulate network traffic">
      <xs:annotation>
        <xs:documentation>The 'intercept/manipulate network traffic' value indicates that the malware is able to intercept and/or manipulate traffic on a network.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="annoy remote user">
      <xs:annotation>
        <xs:documentation>The 'annoy remote user' value indicates that the malware instance is able to annoy a remote user.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="corrupt user data">
      <xs:annotation>
        <xs:documentation>The 'corrupt user data' value indicates that the malware instance is able to corrupt a system's user data.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DataExfiltrationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DataExfiltrationStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DataExfiltrationStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Data Exfiltration Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataExfiltrationStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="DataExfiltrationStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DataExfiltrationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DataExfiltrationStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Data Exfiltration Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataExfiltrationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DataExfiltrationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationStrategicObjectivesEnum-1.0 is an enumeration of Data Exfiltration Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration perform data exfiltration
The 'perform data exfiltration' value indicates that the malware instance is able to perform data exfiltration via some physical or virtual means.
enumeration obfuscate data for exfiltration
The 'obfuscate data for exfiltration' value indicates that the malware is able to obfuscate data that will be exfiltrated.
enumeration stage data for exfiltration
The 'stage data for exfiltration' value indicates that the malware instance is able to gather and prepare data for exfiltration.
Source
<xs:simpleType name="DataExfiltrationStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DataExfiltrationStrategicObjectivesEnum-1.0 is an enumeration of Data Exfiltration Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="perform data exfiltration">
      <xs:annotation>
        <xs:documentation>The 'perform data exfiltration' value indicates that the malware instance is able to perform data exfiltration via some physical or virtual means.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="obfuscate data for exfiltration">
      <xs:annotation>
        <xs:documentation>The 'obfuscate data for exfiltration' value indicates that the malware is able to obfuscate data that will be exfiltrated.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="stage data for exfiltration">
      <xs:annotation>
        <xs:documentation>The 'stage data for exfiltration' value indicates that the malware instance is able to gather and prepare data for exfiltration.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DataExfiltrationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DataExfiltrationTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DataExfiltrationTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Data Exfiltration Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataExfiltrationTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="DataExfiltrationTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DataExfiltrationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Data Exfiltration Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DataExfiltrationTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Data Exfiltration Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataExfiltrationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DataExfiltrationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DataExfiltrationTacticalObjectivesEnum-1.0 is an enumeration of Data Exfiltration Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration exfiltrate via covert channel
The 'exfiltrate via covert channel' value indicates that the malware instance is able to exfiltrate data using a covert channel.
enumeration exfiltrate via fax
The 'exfiltrate via fax' value indicates that the malware instance is able to exfiltrate data using a fax system.
enumeration exfiltrate via physical media
The 'exfiltrate via physical media' value indicates that the malware instance is able to exfiltrate data using physical media (e.g., a USB drive).
enumeration encrypt data
The 'encrypt data' value indicates that the malware instance is able to encrypt data that will be exfiltrated.
enumeration exfiltrate via network
The 'exfiltrate via network' value indicates that the malware instance is able to exfiltrate data across the network.
enumeration hide data
The 'hide data in other formats' value indicates that the malware instance is able to hide data that will be exfiltrated in other formats (also known as steganography).
enumeration package data
The 'package data' value indicates that the malware instance is able to package data for exfiltration.
enumeration exfiltrate via dumpster dive
The 'exfiltrate via dumpster dive' value indicates that the malware instance is able to exfiltrate data via dumpster dive (i.e., encoded data printed by malware is viewed as garbage and thrown away to then be physically picked up).
enumeration move data to staging server
The 'move data to staging server' value indicates that the malware instance is able to move data to be exfiltrated to a particular server to prepare for exfiltration.
enumeration exfiltrate via voip/phone
The 'exfiltrate via VoIP/phone' value indicates that the malware instance is able to exfiltrate data (encoded as audio) using a phone system.
Source
<xs:simpleType name="DataExfiltrationTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DataExfiltrationTacticalObjectivesEnum-1.0 is an enumeration of Data Exfiltration Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="exfiltrate via covert channel">
      <xs:annotation>
        <xs:documentation>The 'exfiltrate via covert channel' value indicates that the malware instance is able to exfiltrate data using a covert channel.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="exfiltrate via fax">
      <xs:annotation>
        <xs:documentation>The 'exfiltrate via fax' value indicates that the malware instance is able to exfiltrate data using a fax system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="exfiltrate via physical media">
      <xs:annotation>
        <xs:documentation>The 'exfiltrate via physical media' value indicates that the malware instance is able to exfiltrate data using physical media (e.g., a USB drive).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="encrypt data">
      <xs:annotation>
        <xs:documentation>The 'encrypt data' value indicates that the malware instance is able to encrypt data that will be exfiltrated.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="exfiltrate via network">
      <xs:annotation>
        <xs:documentation>The 'exfiltrate via network' value indicates that the malware instance is able to exfiltrate data across the network.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hide data">
      <xs:annotation>
        <xs:documentation>The 'hide data in other formats' value indicates that the malware instance is able to hide data that will be exfiltrated in other formats (also known as steganography).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="package data">
      <xs:annotation>
        <xs:documentation>The 'package data' value indicates that the malware instance is able to package data for exfiltration.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="exfiltrate via dumpster dive">
      <xs:annotation>
        <xs:documentation>The 'exfiltrate via dumpster dive' value indicates that the malware instance is able to exfiltrate data via dumpster dive (i.e., encoded data printed by malware is viewed as garbage and thrown away to then be physically picked up).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="move data to staging server">
      <xs:annotation>
        <xs:documentation>The 'move data to staging server' value indicates that the malware instance is able to move data to be exfiltrated to a particular server to prepare for exfiltration.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="exfiltrate via voip/phone">
      <xs:annotation>
        <xs:documentation>The 'exfiltrate via VoIP/phone' value indicates that the malware instance is able to exfiltrate data (encoded as audio) using a phone system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AntiRemovalStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiRemovalStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Removal Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AntiRemovalStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AntiRemovalStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Anti-Removal Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiRemovalStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="AntiRemovalStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AntiRemovalStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Removal Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AntiRemovalStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Anti-Removal Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiRemovalStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AntiRemovalStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiRemovalStrategicObjectivesEnum-1.0 is an enumeration of Anti-Removal Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration prevent malware artifact access
The 'prevent malware artifact access' value indicates that the malware instance is able to prevent its artifacts from being accessed.
enumeration prevent malware artifact deletion
The 'prevent malware artifact deletion' value indicates that the malware instance is able to prevent its artifacts from being deleted from a system.
Source
<xs:simpleType name="AntiRemovalStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AntiRemovalStrategicObjectivesEnum-1.0 is an enumeration of Anti-Removal Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="prevent malware artifact access">
      <xs:annotation>
        <xs:documentation>The 'prevent malware artifact access' value indicates that the malware instance is able to prevent its artifacts from being accessed.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent malware artifact deletion">
      <xs:annotation>
        <xs:documentation>The 'prevent malware artifact deletion' value indicates that the malware instance is able to prevent its artifacts from being deleted from a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AntiRemovalTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiRemovalTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Removal Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AntiRemovalTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AntiRemovalTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Anti-Removal Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiRemovalTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="AntiRemovalTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AntiRemovalTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Anti-Removal Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AntiRemovalTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Anti-Removal Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiRemovalTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AntiRemovalTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AntiRemovalTacticalObjectivesEnum-1.0 is an enumeration of Anti-Removal Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration prevent registry deletion
The 'prevent registry deletion' value indicates that the malware instance is able to prevent its Windows registry entries from being deleted from a system.
enumeration prevent api unhooking
The 'prevent api unhooking' value indicates that the malware instance is able to prevent its API hooks from being removed.
enumeration prevent file access
The 'prevent file access' value indicates that the malware instance is able to prevent access to the file system.
enumeration prevent memory access
The 'prevent memory access' value indicates that the malware instance is able to prevent access to system memory where it may be storing code or data.
enumeration prevent registry access
The 'prevent registry access' value indicates that the malware instance is able to prevent access to the Windows registry.
enumeration prevent file deletion
The 'prevent file deletion' value indicates that the malware instance is able to prevent its files from being deleted from a system.
Source
<xs:simpleType name="AntiRemovalTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AntiRemovalTacticalObjectivesEnum-1.0 is an enumeration of Anti-Removal Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="prevent registry deletion">
      <xs:annotation>
        <xs:documentation>The 'prevent registry deletion' value indicates that the malware instance is able to prevent its Windows registry entries from being deleted from a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent api unhooking">
      <xs:annotation>
        <xs:documentation>The 'prevent api unhooking' value indicates that the malware instance is able to prevent its API hooks from being removed.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent file access">
      <xs:annotation>
        <xs:documentation>The 'prevent file access' value indicates that the malware instance is able to prevent access to the file system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent memory access">
      <xs:annotation>
        <xs:documentation>The 'prevent memory access' value indicates that the malware instance is able to prevent access to system memory where it may be storing code or data.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent registry access">
      <xs:annotation>
        <xs:documentation>The 'prevent registry access' value indicates that the malware instance is able to prevent access to the Windows registry.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent file deletion">
      <xs:annotation>
        <xs:documentation>The 'prevent file deletion' value indicates that the malware instance is able to prevent its files from being deleted from a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SecurityDegradationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SecurityDegradationStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SecurityDegradationStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Security Degradation Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecurityDegradationStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="SecurityDegradationStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SecurityDegradationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SecurityDegradationStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Security Degradation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecurityDegradationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SecurityDegradationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationStrategicObjectivesEnum-1.0 is an enumeration of Security Degradation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration disable service provider security features
The 'disable service provider security features' value indicates that the malware instance is able to bypass or disable third-party security features that would otherwise identify or notify users of its presence.
enumeration degrade security programs
The 'degrade security programs' value indicates that the malware instance is able to degrade security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters.
enumeration disable system updates
The 'disable system updates' values indicates that the malware instance is able to disable the downloading and installation of system updates.
enumeration disable os security features
The 'disable os security features' value indicates that the malware instance is able to bypass inherent operating system security mechanisms that typically involve elevated privileges.
enumeration disable [host-based or os] access controls
The 'disable access controls' value indicates that the malware instance is able to bypass access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files.
Source
<xs:simpleType name="SecurityDegradationStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SecurityDegradationStrategicObjectivesEnum-1.0 is an enumeration of Security Degradation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="disable service provider security features">
      <xs:annotation>
        <xs:documentation>The 'disable service provider security features' value indicates that the malware instance is able to bypass or disable third-party security features that would otherwise identify or notify users of its presence.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="degrade security programs">
      <xs:annotation>
        <xs:documentation>The 'degrade security programs' value indicates that the malware instance is able to degrade security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable system updates">
      <xs:annotation>
        <xs:documentation>The 'disable system updates' values indicates that the malware instance is able to disable the downloading and installation of system updates.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable os security features">
      <xs:annotation>
        <xs:documentation>The 'disable os security features' value indicates that the malware instance is able to bypass inherent operating system security mechanisms that typically involve elevated privileges.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable [host-based or os] access controls">
      <xs:annotation>
        <xs:documentation>The 'disable access controls' value indicates that the malware instance is able to bypass access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:SecurityDegradationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#SecurityDegradationTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#SecurityDegradationTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Security Degradation Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecurityDegradationTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="SecurityDegradationTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The SecurityDegradationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Security Degradation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:SecurityDegradationTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Security Degradation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecurityDegradationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:SecurityDegradationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The SecurityDegradationTacticalObjectivesEnum-1.0 is an enumeration of Security Degradation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration stop execution of security program
The 'stop execution of security program' value indicates that the malware instance is able to stop one or more security programs that may already be executing on a system.
enumeration disable firewall
The 'disable firewall' value indicates that the malware instance is able to evade or disable the host-based firewall or otherwise prevent the blocking of network communications.
enumeration disable access right checking
The 'disable access right checking' value indicates that the malware instance is able to bbypass, disable, or modify the access tokens or access control lists, thereby enabling the malware to read, write, or execute a file with one or more of these controls set.
enumeration disable kernel patching protection
The 'disable kernel patch protection' value indicates that the malware instance is able to bypass or disable PatchGuard; thus it is capable of operating at the same level as the kernel and kernel mode drivers (KMD).
enumeration prevent access to security websites
The 'prevent access to security websites' value indicates that the malware instance is able to prevent access from a system to one or more security vendor or security-related websites.
enumeration remove sms warning messages
The 'remove sms warning messages' value indicates that the malware instance is able to capture the message body of incoming SMS messages and abort the broadcasting of a message that meets a certain criteria.
enumeration modify security program configuration
The 'modify security program configuration' value indicates that the malware instance is able to modify the configuration of one or more security programs running on a system in order to hamper their usefulness and ability to detect the malware instance.
enumeration prevent security program from running
The 'prevent security program from running' value indicates that the malware instance is able to prevent one or more security programs from running on a system.
enumeration disable system update services/daemons
The 'disable system update services/daemons' value indicates that the malware instance is able to disable system update services or daemons that may be running on a system.
enumeration disable system service pack/patch installation
The 'disable system service pack/patch installation' value indicates that the malware instance is able to disable the system's ability to install service packs or patches.
enumeration disable system file overwrite protection
The 'disable system file overwrite protection' value indicates that the malware instance is able to bypass or disable the Windows file protection feature; thus, enabling system files to be modified or replaced.
enumeration disable privilege limiting
The 'disable privilege limiting' value indicates that the malware instance is able to bypass controls that limit the privileges that can be granted to a user or entity.
enumeration gather security product info
The 'gather security product info' value indicates that the malware instance is able to gather information about the security products installed or running on a system.
enumeration disable os security alerts
The 'disable os security alerts' value indicates that the malware instance is able to evade or disable identification and/or notification of its presence by inherent features of the operating system.
enumeration disable user account control
The 'disable user account control' value indicates that the malware instance is able to bypass or disable user account control (UAC); thus, enabling a user to run an application with elevated privileges.
Source
<xs:simpleType name="SecurityDegradationTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The SecurityDegradationTacticalObjectivesEnum-1.0 is an enumeration of Security Degradation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="stop execution of security program">
      <xs:annotation>
        <xs:documentation>The 'stop execution of security program' value indicates that the malware instance is able to stop one or more security programs that may already be executing on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable firewall">
      <xs:annotation>
        <xs:documentation>The 'disable firewall' value indicates that the malware instance is able to evade or disable the host-based firewall or otherwise prevent the blocking of network communications.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable access right checking">
      <xs:annotation>
        <xs:documentation>The 'disable access right checking' value indicates that the malware instance is able to bbypass, disable, or modify the access tokens or access control lists, thereby enabling the malware to read, write, or execute a file with one or more of these controls set.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable kernel patching protection">
      <xs:annotation>
        <xs:documentation>The 'disable kernel patch protection' value indicates that the malware instance is able to bypass or disable PatchGuard; thus it is capable of operating at the same level as the kernel and kernel mode drivers (KMD).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent access to security websites">
      <xs:annotation>
        <xs:documentation>The 'prevent access to security websites' value indicates that the malware instance is able to prevent access from a system to one or more security vendor or security-related websites.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="remove sms warning messages">
      <xs:annotation>
        <xs:documentation>The 'remove sms warning messages' value indicates that the malware instance is able to capture the message body of incoming SMS messages and abort the broadcasting of a message that meets a certain criteria.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="modify security program configuration">
      <xs:annotation>
        <xs:documentation>The 'modify security program configuration' value indicates that the malware instance is able to modify the configuration of one or more security programs running on a system in order to hamper their usefulness and ability to detect the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="prevent security program from running">
      <xs:annotation>
        <xs:documentation>The 'prevent security program from running' value indicates that the malware instance is able to prevent one or more security programs from running on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable system update services/daemons">
      <xs:annotation>
        <xs:documentation>The 'disable system update services/daemons' value indicates that the malware instance is able to disable system update services or daemons that may be running on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable system service pack/patch installation">
      <xs:annotation>
        <xs:documentation>The 'disable system service pack/patch installation' value indicates that the malware instance is able to disable the system's ability to install service packs or patches.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable system file overwrite protection">
      <xs:annotation>
        <xs:documentation>The 'disable system file overwrite protection' value indicates that the malware instance is able to bypass or disable the Windows file protection feature; thus, enabling system files to be modified or replaced.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable privilege limiting">
      <xs:annotation>
        <xs:documentation>The 'disable privilege limiting' value indicates that the malware instance is able to bypass controls that limit the privileges that can be granted to a user or entity.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="gather security product info">
      <xs:annotation>
        <xs:documentation>The 'gather security product info' value indicates that the malware instance is able to gather information about the security products installed or running on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable os security alerts">
      <xs:annotation>
        <xs:documentation>The 'disable os security alerts' value indicates that the malware instance is able to evade or disable identification and/or notification of its presence by inherent features of the operating system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="disable user account control">
      <xs:annotation>
        <xs:documentation>The 'disable user account control' value indicates that the malware instance is able to bypass or disable user account control (UAC); thus, enabling a user to run an application with elevated privileges.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AvailabilityViolationStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AvailabilityViolationStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AvailabilityViolationStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Availability Violation Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AvailabilityViolationStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="AvailabilityViolationStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AvailabilityViolationStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AvailabilityViolationStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Availability Violation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AvailabilityViolationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AvailabilityViolationStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationStrategicObjectivesEnum-1.0 is an enumeration of Availability Violation Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration compromise data availability
The 'compromise data availabilty' value indicates that the malware instance is able to compromise the availability of data on a system.
enumeration compromise system availability
The 'compromise system availability' value indicates that the malware instance compromises the availability of the system.
enumeration consume system resources
The 'consume system resources' value indicates that the malware instance is able to consume system resources for its own purposes.
Source
<xs:simpleType name="AvailabilityViolationStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AvailabilityViolationStrategicObjectivesEnum-1.0 is an enumeration of Availability Violation Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="compromise data availability">
      <xs:annotation>
        <xs:documentation>The 'compromise data availabilty' value indicates that the malware instance is able to compromise the availability of data on a system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="compromise system availability">
      <xs:annotation>
        <xs:documentation>The 'compromise system availability' value indicates that the malware instance compromises the availability of the system.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="consume system resources">
      <xs:annotation>
        <xs:documentation>The 'consume system resources' value indicates that the malware instance is able to consume system resources for its own purposes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:AvailabilityViolationTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#AvailabilityViolationTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#AvailabilityViolationTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Availability Violation Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AvailabilityViolationTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="AvailabilityViolationTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The AvailabilityViolationTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Availability Violation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:AvailabilityViolationTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Availability Violation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AvailabilityViolationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:AvailabilityViolationTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The AvailabilityViolationTacticalObjectivesEnum-1.0 is an enumeration of Availability Violation Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration denial of service
The 'denial of service' value indicates that the malware instance is able to cause a server to be unavailable, otherwise known as a denial of service (DOS).
enumeration compromise local system availability
The 'compromise local system availability' value indicates that the malware instance is able to cause the local system to be unavailable.
enumeration crack passwords
The 'crack passwords' value indicates that the malware instance is able to consume system resources for password cracking.
enumeration mine for cryptocurrency
The 'mine for cryptocurrency' value indicates that the malware instance is able to consume system resources for cryptocurrency mining.
enumeration compromise access to information assets
The 'compromise access to information assets' value indicates that the malware instance is able to prevent data from being accessed (e.g., by encrypting user data on a compromised system).
Source
<xs:simpleType name="AvailabilityViolationTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The AvailabilityViolationTacticalObjectivesEnum-1.0 is an enumeration of Availability Violation Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="denial of service">
      <xs:annotation>
        <xs:documentation>The 'denial of service' value indicates that the malware instance is able to cause a server to be unavailable, otherwise known as a denial of service (DOS).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="compromise local system availability">
      <xs:annotation>
        <xs:documentation>The 'compromise local system availability' value indicates that the malware instance is able to cause the local system to be unavailable.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="crack passwords">
      <xs:annotation>
        <xs:documentation>The 'crack passwords' value indicates that the malware instance is able to consume system resources for password cracking.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="mine for cryptocurrency">
      <xs:annotation>
        <xs:documentation>The 'mine for cryptocurrency' value indicates that the malware instance is able to consume system resources for cryptocurrency mining.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="compromise access to information assets">
      <xs:annotation>
        <xs:documentation>The 'compromise access to information assets' value indicates that the malware instance is able to prevent data from being accessed (e.g., by encrypting user data on a compromised system).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DestructionStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DestructionStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DestructionStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Destruction Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DestructionStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="DestructionStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DestructionStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DestructionStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Destruction Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DestructionStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DestructionStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionStrategicObjectivesEnum-1.0 is an enumeration of Destruction Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration destroy physical entity
The 'destroy physical entity' value indicates that the malware instance is able to destroy a physical entity.
enumeration destroy virtual entity
The 'destroy virtual entity' value indicates that the malware instance is able to destroy a virtual entity.
Source
<xs:simpleType name="DestructionStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DestructionStrategicObjectivesEnum-1.0 is an enumeration of Destruction Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="destroy physical entity">
      <xs:annotation>
        <xs:documentation>The 'destroy physical entity' value indicates that the malware instance is able to destroy a physical entity.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="destroy virtual entity">
      <xs:annotation>
        <xs:documentation>The 'destroy virtual entity' value indicates that the malware instance is able to destroy a virtual entity.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:DestructionTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#DestructionTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#DestructionTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Destruction Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DestructionTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="DestructionTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The DestructionTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Destruction Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:DestructionTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Destruction Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DestructionTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:DestructionTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The DestructionTacticalObjectivesEnum-1.0 is an enumeration of Destruction Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration erase data
The 'erase data' value indicates that the malware instance is able to destroy data by erasure.
enumeration destroy firmware
The 'destroy firmware' value indicates that the malware instance is able to destroy a system's firmware.
enumeration destroy hardware
The 'destroy hardware' value indicates that the malware instance is able to destroy a system's hardware.
Source
<xs:simpleType name="DestructionTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The DestructionTacticalObjectivesEnum-1.0 is an enumeration of Destruction Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="erase data">
      <xs:annotation>
        <xs:documentation>The 'erase data' value indicates that the malware instance is able to destroy data by erasure.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="destroy firmware">
      <xs:annotation>
        <xs:documentation>The 'destroy firmware' value indicates that the malware instance is able to destroy a system's firmware.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="destroy hardware">
      <xs:annotation>
        <xs:documentation>The 'destroy hardware' value indicates that the malware instance is able to destroy a system's hardware.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:FraudStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FraudStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Fraud Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#FraudStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#FraudStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Fraud Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FraudStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="FraudStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The FraudStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Fraud Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:FraudStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Fraud Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FraudStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:FraudStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FraudStrategicObjectivesEnum-1.0 is an enumeration of Fraud Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration perform premium rate fraud
The 'perform premium rate fraud' value indicates that the malware instance is able to send text messages or dial phone numbers that are charged at premium rates.
enumeration perform click fraud
The 'perform click fraud' value indicates that the malware instance is able to simulate clicks on website advertisements for the purpose of revenue generation.
Source
<xs:simpleType name="FraudStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The FraudStrategicObjectivesEnum-1.0 is an enumeration of Fraud Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="perform premium rate fraud">
      <xs:annotation>
        <xs:documentation>The 'perform premium rate fraud' value indicates that the malware instance is able to send text messages or dial phone numbers that are charged at premium rates.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="perform click fraud">
      <xs:annotation>
        <xs:documentation>The 'perform click fraud' value indicates that the malware instance is able to simulate clicks on website advertisements for the purpose of revenue generation.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:FraudTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FraudTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Fraud Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#FraudTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#FraudTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Fraud Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FraudTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="FraudTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The FraudTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Fraud Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:FraudTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Fraud Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FraudTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:FraudTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The FraudTacticalObjectivesEnum-1.0 is an enumeration of Fraud Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration access premium service
The 'access premium service' value indicates that the malware instance is able to access a premium service.
Source
<xs:simpleType name="FraudTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The FraudTacticalObjectivesEnum-1.0 is an enumeration of Fraud Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="access premium service">
      <xs:annotation>
        <xs:documentation>The 'access premium service' value indicates that the malware instance is able to access a premium service.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:PersistenceStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistenceStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#PersistenceStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#PersistenceStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Persistence Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PersistenceStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="PersistenceStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The PersistenceStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:PersistenceStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Persistence Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PersistenceStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:PersistenceStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistenceStrategicObjectivesEnum-1.0 is an enumeration of Persistence Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration persist to re-infect system
The 'persist to re-infect system' value indicates that the malware instance is able to re-infect a system after some of its components have been removed.
enumeration gather information for improvement
The 'gather information for improvement' value indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected.
enumeration ensure compatibility
The 'ensure compatibility' value indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing.
enumeration persist to continuously execute on system
The 'persist to continuously execute on system' value indicates that the malware instance is able to continue to execute on a system after significant system events (e.g., after a reboot).
Source
<xs:simpleType name="PersistenceStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The PersistenceStrategicObjectivesEnum-1.0 is an enumeration of Persistence Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="persist to re-infect system">
      <xs:annotation>
        <xs:documentation>The 'persist to re-infect system' value indicates that the malware instance is able to re-infect a system after some of its components have been removed.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="gather information for improvement">
      <xs:annotation>
        <xs:documentation>The 'gather information for improvement' value indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="ensure compatibility">
      <xs:annotation>
        <xs:documentation>The 'ensure compatibility' value indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="persist to continuously execute on system">
      <xs:annotation>
        <xs:documentation>The 'persist to continuously execute on system' value indicates that the malware instance is able to continue to execute on a system after significant system events (e.g., after a reboot).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:PersistenceTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistenceTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#PersistenceTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#PersistenceTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Persistence Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PersistenceTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="PersistenceTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The PersistenceTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Persistence Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:PersistenceTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Persistence Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PersistenceTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:PersistenceTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The PersistenceTacticalObjectivesEnum-1.0 is an enumeration of Persistence Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration reinstantiate self after initial detection
The 'reinstantiate self after initial detection' value indicates that the malware instance is able to re-establish itself on the system after it is initially detected.
enumeration limit application type/version
The 'limit application type/version' value indicates that the malware instance is able to limit the type or version of an application that runs on a system in order to ensure that it is able to continue executing.
enumeration persist after os install/reinstall
The 'persist after os install/reinstall' value indicates that the malware instance is able to continue to execute after the operating system is installed or reinstalled.
enumeration drop/retrieve debug log file
The 'drop/retrieve debug log file' value indicates that the malware instance is able to generate and retrieve a log file of errors associated with the malware.
enumeration persist independent of hard disk/os changes
The 'persist independent of hard disk/os changes' value indicates that the malware instance is able to continue to execute after changes to the hard disk or the operating system have been made.
enumeration persist after system reboot
The 'persist after system reboot' value indicates that the malware instance is able to continue to execute after a system reboot.
Source
<xs:simpleType name="PersistenceTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The PersistenceTacticalObjectivesEnum-1.0 is an enumeration of Persistence Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="reinstantiate self after initial detection">
      <xs:annotation>
        <xs:documentation>The 'reinstantiate self after initial detection' value indicates that the malware instance is able to re-establish itself on the system after it is initially detected.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="limit application type/version">
      <xs:annotation>
        <xs:documentation>The 'limit application type/version' value indicates that the malware instance is able to limit the type or version of an application that runs on a system in order to ensure that it is able to continue executing.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="persist after os install/reinstall">
      <xs:annotation>
        <xs:documentation>The 'persist after os install/reinstall' value indicates that the malware instance is able to continue to execute after the operating system is installed or reinstalled.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="drop/retrieve debug log file">
      <xs:annotation>
        <xs:documentation>The 'drop/retrieve debug log file' value indicates that the malware instance is able to generate and retrieve a log file of errors associated with the malware.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="persist independent of hard disk/os changes">
      <xs:annotation>
        <xs:documentation>The 'persist independent of hard disk/os changes' value indicates that the malware instance is able to continue to execute after changes to the hard disk or the operating system have been made.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="persist after system reboot">
      <xs:annotation>
        <xs:documentation>The 'persist after system reboot' value indicates that the malware instance is able to continue to execute after a system reboot.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MachineAccessControlStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MachineAccessControlStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#MachineAccessControlStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Machine Access/Control Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MachineAccessControlStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="MachineAccessControlStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The MachineAccessControlStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MachineAccessControlStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Machine Access/Control Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MachineAccessControlStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:MachineAccessControlStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlStrategicObjectivesEnum-1.0 is an enumeration of Machine Access/Control Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration control local machine
The 'control local machine' value indicates that the malware instance is able to control the machine on which it is resident.  Examples of malware with this capability include bots, backdoors, and RATs.
enumeration install backdoor
The 'install backdoor' value indicates that the malware instance is able to install a backdoor, capable of providing covert remote access to the machine on which it is resident.
Source
<xs:simpleType name="MachineAccessControlStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The MachineAccessControlStrategicObjectivesEnum-1.0 is an enumeration of Machine Access/Control Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="control local machine">
      <xs:annotation>
        <xs:documentation>The 'control local machine' value indicates that the malware instance is able to control the machine on which it is resident. Examples of malware with this capability include bots, backdoors, and RATs.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="install backdoor">
      <xs:annotation>
        <xs:documentation>The 'install backdoor' value indicates that the malware instance is able to install a backdoor, capable of providing covert remote access to the machine on which it is resident.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:MachineAccessControlTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#MachineAccessControlTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#MachineAccessControlTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Machine Access/Control Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MachineAccessControlTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="MachineAccessControlTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The MachineAccessControlTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Machine Access/Control Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:MachineAccessControlTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Machine Access/Control Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MachineAccessControlTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:MachineAccessControlTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The MachineAccessControlTacticalObjectivesEnum-1.0 is an enumeration of Machine Access/Control Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration control machine via remote command
The 'control machine via remote command' value indicates that the malware instance is able to execute commands issued to it from a remote source, for the purpose of controlling the machine on which it is resident.
Source
<xs:simpleType name="MachineAccessControlTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The MachineAccessControlTacticalObjectivesEnum-1.0 is an enumeration of Machine Access/Control Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="control machine via remote command">
      <xs:annotation>
        <xs:documentation>The 'control machine via remote command' value indicates that the malware instance is able to execute commands issued to it from a remote source, for the purpose of controlling the machine on which it is resident.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:ProbingStrategicObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProbingStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Probing Capability Strategic Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#ProbingStrategicObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#ProbingStrategicObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Probing Capability Strategic Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProbingStrategicObjectivesVocab-1.0 optional
Source
<xs:complexType name="ProbingStrategicObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The ProbingStrategicObjectivesVocab-1.0 is the default MAEC Vocabulary for Probing Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:ProbingStrategicObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Probing Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProbingStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:ProbingStrategicObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProbingStrategicObjectivesEnum-1.0 is an enumeration of Probing Capability Strategic Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration probe host configuration
The 'probe host configuration' value indicates that the malware instance is able to probe the configuration of the host system on which it executes.
enumeration probe network environment
The 'probe network environment' value indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy.
Source
<xs:simpleType name="ProbingStrategicObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The ProbingStrategicObjectivesEnum-1.0 is an enumeration of Probing Capability Strategic Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="probe host configuration">
      <xs:annotation>
        <xs:documentation>The 'probe host configuration' value indicates that the malware instance is able to probe the configuration of the host system on which it executes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="probe network environment">
      <xs:annotation>
        <xs:documentation>The 'probe network environment' value indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecVocabs:ProbingTacticalObjectivesVocab-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProbingTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Probing Capability Tactical Objectives.
Diagram
Diagram cybox_common_xsd.tmp#PatternFieldGroup cybox_common_xsd.tmp#PatternableFieldType cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_name cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType_vocab_reference cybox_common_xsd.tmp#http___cybox.mitre.org_common-2_ControlledVocabularyStringType maec_default_vocabularies_xsd.tmp#ProbingTacticalObjectivesVocab-1.0_vocab_name maec_default_vocabularies_xsd.tmp#ProbingTacticalObjectivesVocab-1.0_vocab_reference
Type restriction of cyboxCommon:ControlledVocabularyStringType
Type hierarchy
Attributes
QName Type Fixed Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string MAEC Default Probing Capability Tactical Objectives optional
vocab_reference xs:anyURI http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProbingTacticalObjectivesVocab-1.0 optional
Source
<xs:complexType name="ProbingTacticalObjectivesVocab-1.0">
  <xs:annotation>
    <xs:documentation>The ProbingTacticalObjectivesVocab-1.0 is the default MAEC Vocabulary for Probing Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:ControlledVocabularyStringType">
      <xs:simpleType>
        <xs:union memberTypes="maecVocabs:ProbingTacticalObjectivesEnum-1.0"/>
      </xs:simpleType>
      <xs:attribute fixed="MAEC Default Probing Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
      <xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProbingTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
Simple Type maecVocabs:ProbingTacticalObjectivesEnum-1.0
Namespace http://maec.mitre.org/default_vocabularies-1
Annotations
The ProbingTacticalObjectivesEnum-1.0 is an enumeration of Probing Capability Tactical Objectives.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration identify os
The 'identify os' value indicates that the malware instance is able to identify the operating system under which it executes.
enumeration check for proxy
The 'check for proxy' value indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software proxy.
enumeration check for firewall
The 'check for firewall' value indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software firewall.
enumeration check for network drives
The 'check for shared drive' value indicates that the malware instance is able to check for network drives that may be present in the network environment.
enumeration map local network
The 'map local network' value indicates that the malware instance is able to map the layout of the local network environment in which it executes.
enumeration inventory system applications
The 'inventory system applications' value indicates that the malware instance is able to inventory the applications installed on the system on which it executes.
enumeration check language
The 'check language' value indicates that the malware instance is able to check the language of the host system on which it executes.
enumeration check for internet connectivity
The 'check for internet connectivity' value indicates that the malware instance is able to check whether the network environment in which it executes is connected to the internet.
Source
<xs:simpleType name="ProbingTacticalObjectivesEnum-1.0">
  <xs:annotation>
    <xs:documentation>The ProbingTacticalObjectivesEnum-1.0 is an enumeration of Probing Capability Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="identify os">
      <xs:annotation>
        <xs:documentation>The 'identify os' value indicates that the malware instance is able to identify the operating system under which it executes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="check for proxy">
      <xs:annotation>
        <xs:documentation>The 'check for proxy' value indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software proxy.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="check for firewall">
      <xs:annotation>
        <xs:documentation>The 'check for firewall' value indicates that the malware instance is able to check whether the network environment in which it executes contains a hardware or software firewall.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="check for network drives">
      <xs:annotation>
        <xs:documentation>The 'check for shared drive' value indicates that the malware instance is able to check for network drives that may be present in the network environment.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="map local network">
      <xs:annotation>
        <xs:documentation>The 'map local network' value indicates that the malware instance is able to map the layout of the local network environment in which it executes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="inventory system applications">
      <xs:annotation>
        <xs:documentation>The 'inventory system applications' value indicates that the malware instance is able to inventory the applications installed on the system on which it executes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="check language">
      <xs:annotation>
        <xs:documentation>The 'check language' value indicates that the malware instance is able to check the language of the host system on which it executes.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="check for internet connectivity">
      <xs:annotation>
        <xs:documentation>The 'check for internet connectivity' value indicates that the malware instance is able to check whether the network environment in which it executes is connected to the internet.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Attribute maecVocabs:ActionObjectAssociationTypeVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Action-Object Association Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:ActionObjectAssociationTypeVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ActionObjectAssociationTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:ImportanceTypeVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Importance Types" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:ImportanceTypeVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ImportanceTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MalwareEntityTypeVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Malware Entity Types" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MalwareEntityTypeVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareEntityTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DeviceDriverActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Device Driver Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DeviceDriverActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DeviceDriverActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DeviceDriverActionNameVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Device Driver Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DeviceDriverActionNameVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DeviceDriverActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DebuggingActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Debugging Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DebuggingActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DebuggingActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:LibraryActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Library Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:LibraryActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#LibraryActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:LibraryActionNameVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Library Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:LibraryActionNameVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#LibraryActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DirectoryActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Directory Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DirectoryActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DirectoryActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DirectoryActionNameVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Directory Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DirectoryActionNameVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DirectoryActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DiskActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Disk Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DiskActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DiskActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DiskActionNameVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Disk Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DiskActionNameVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DiskActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:FileActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default File Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:FileActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FileActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:FileActionNameVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default File Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:FileActionNameVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FileActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:HookingActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Hooking Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:HookingActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#HookingActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:HookingActionNameVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Hooking Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:HookingActionNameVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#HookingActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DNSActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default DNS Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DNSActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DNSActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:IRCActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default IRC Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:IRCActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IRCActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:FTPActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default FTP Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:FTPActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FTPActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:HTTPActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default HTTP Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:HTTPActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#HTTPActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:NetworkActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Network Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:NetworkActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#NetworkActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:NetworkActionNameVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Network Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:NetworkActionNameVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#NetworkActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:NetworkShareActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Network Share Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:NetworkShareActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#NetworkShareActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SocketActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Socket Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SocketActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SocketActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:RegistryActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Registry Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:RegistryActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#RegistryActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:UserActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default User Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:UserActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#UserActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:UserActionNameVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default User Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:UserActionNameVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#UserActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:IPCActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default IPC Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:IPCActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IPCActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:ProcessMemoryActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Process Memory Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:ProcessMemoryActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProcessMemoryActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:ProcessActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Process Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:ProcessActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProcessActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:ProcessThreadActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Process Thread Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:ProcessThreadActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProcessThreadActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:ServiceActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Service Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:ServiceActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ServiceActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:ServiceActionNameVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Service Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:ServiceActionNameVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ServiceActionNameVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SynchronizationActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Synchronization Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SynchronizationActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SynchronizationActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SystemActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default System Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SystemActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SystemActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:GUIActionNameVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default GUI Action Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:GUIActionNameVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#GUIActionNameVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:GroupingRelationshipTypeVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Grouping Relationship Types" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:GroupingRelationshipTypeVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#GroupingRelationshipTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MalwareConfigurationParameterVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Malware Configuration Parameter Names" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MalwareConfigurationParameterVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareConfigurationParameterVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Malware Subject Relationship Types" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareSubjectRelationshipTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MalwareSubjectRelationshipTypeVocab-1.1 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Malware Subject Relationship Types" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MalwareSubjectRelationshipTypeVocab-1.1 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareSubjectRelationshipTypeVocab-1.1" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MalwareDevelopmentToolVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Malware Development Tool Types" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MalwareDevelopmentToolVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareDevelopmentToolVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MalwareLabelVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Malware Labels" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MalwareLabelVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareLabelVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:CapabilityObjectiveRelationshipTypeVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Malware Capability Objective Relationship Types" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:CapabilityObjectiveRelationshipTypeVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CapabilityObjectiveRelationshipTypeVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AntiBehavioralAnalysisPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Anti-Behavioral Analysis Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AntiBehavioralAnalysisPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiBehavioralAnalysisPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:InfectionPropagationPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Infection/Propagation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:InfectionPropagationPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#InfectionPropagationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DataTheftPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Data Theft Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DataTheftPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataTheftPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:CommandandControlPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Command and Control Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:CommandandControlPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommandandControlPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:PrivilegeEscalationPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Privilege Escalation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:PrivilegeEscalationPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PrivilegeEscalationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:PersistencePropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Persistence Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:PersistencePropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PersistencePropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DestructionPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Destruction Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DestructionPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DestructionPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SecurityDegradationPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Security Degradation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SecurityDegradationPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecurityDegradationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SecondaryOperationPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Secondary Operation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SecondaryOperationPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecondaryOperationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MachineAccessControlPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Machine Access/Control Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MachineAccessControlPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MachineAccessControlPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DataExfiltrationPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Data Exfiltration Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DataExfiltrationPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataExfiltrationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AvailabilityViolationPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Availability Violation Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AvailabilityViolationPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AvailabilityViolationPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:CommonCapabilityPropertiesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Common Capability and Objective Properties" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:CommonCapabilityPropertiesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommonCapabilityPropertiesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MalwareCapabilityVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Malware Capabilities" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MalwareCapabilityVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MalwareCapabilityVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:CommandandControlStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Command and Control Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:CommandandControlStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommandandControlStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:CommandandControlTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Command and Control Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:CommandandControlTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#CommandandControlTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:RemoteMachineManipulationStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Remote Machine Manipulation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:RemoteMachineManipulationStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#RemoteMachineManipulationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:RemoteMachineManipulationTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Remote Machine Manipulation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:RemoteMachineManipulationTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#RemoteMachineManipulationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:PrivilegeEscalationStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Privilege Escalation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:PrivilegeEscalationStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PrivilegeEscalationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:PrivilegeEscalationTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Privilege Escalation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:PrivilegeEscalationTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PrivilegeEscalationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DataTheftStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Data Theft Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DataTheftStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataTheftStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DataTheftTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Data Theft Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DataTheftTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataTheftTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SpyingStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Spying Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SpyingStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SpyingStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SpyingTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Spying Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SpyingTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SpyingTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SecondaryOperationStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Secondary Operation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SecondaryOperationStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecondaryOperationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SecondaryOperationTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Secondary Operation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SecondaryOperationTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecondaryOperationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AntiDetectionStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Anti-Detection Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AntiDetectionStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiDetectionStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AntiDetectionTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Anti-Detection Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AntiDetectionTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiDetectionTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AntiCodeAnalysisStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Anti-Code Analysis Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AntiCodeAnalysisStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiCodeAnalysisStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AntiCodeAnalysisTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Anti-Code Analysis Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AntiCodeAnalysisTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiCodeAnalysisTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:InfectionPropagationStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Infection/Propagation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:InfectionPropagationStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#InfectionPropagationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:InfectionPropagationTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Infection/Propagation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:InfectionPropagationTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#InfectionPropagationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AntiBehavioralAnalysisStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Anti-Behavioral Analysis Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AntiBehavioralAnalysisStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiBehavioralAnalysisStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AntiBehavioralAnalysisTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Anti-Behavioral Analysis Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AntiBehavioralAnalysisTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiBehavioralAnalysisTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:IntegrityViolationStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Integrity Violation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:IntegrityViolationStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IntegrityViolationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:IntegrityViolationTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Integrity Violation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:IntegrityViolationTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#IntegrityViolationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DataExfiltrationStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Data Exfiltration Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DataExfiltrationStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataExfiltrationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DataExfiltrationTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Data Exfiltration Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DataExfiltrationTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DataExfiltrationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AntiRemovalStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Anti-Removal Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AntiRemovalStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiRemovalStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AntiRemovalTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Anti-Removal Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AntiRemovalTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AntiRemovalTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SecurityDegradationStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Security Degradation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SecurityDegradationStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecurityDegradationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:SecurityDegradationTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Security Degradation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:SecurityDegradationTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#SecurityDegradationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AvailabilityViolationStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Availability Violation Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AvailabilityViolationStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AvailabilityViolationStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:AvailabilityViolationTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Availability Violation Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:AvailabilityViolationTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#AvailabilityViolationTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DestructionStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Destruction Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DestructionStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DestructionStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:DestructionTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Destruction Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:DestructionTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#DestructionTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:FraudStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Fraud Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:FraudStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FraudStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:FraudTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Fraud Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:FraudTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#FraudTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:PersistenceStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Persistence Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:PersistenceStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PersistenceStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:PersistenceTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Persistence Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:PersistenceTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#PersistenceTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MachineAccessControlStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Machine Access/Control Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MachineAccessControlStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MachineAccessControlStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:MachineAccessControlTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Machine Access/Control Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:MachineAccessControlTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#MachineAccessControlTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:ProbingStrategicObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Probing Capability Strategic Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:ProbingStrategicObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProbingStrategicObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>
Attribute maecVocabs:ProbingTacticalObjectivesVocab-1.0 / @vocab_name
Namespace No namespace
Type xs:string
Used by
Source
<xs:attribute fixed="MAEC Default Probing Capability Tactical Objectives" name="vocab_name" type="xs:string" use="optional"/>
Attribute maecVocabs:ProbingTacticalObjectivesVocab-1.0 / @vocab_reference
Namespace No namespace
Type xs:anyURI
Used by
Source
<xs:attribute fixed="http://maec.mitre.org/XMLSchema/default_vocabularies/2.1/maec_default_vocabularies.xsd#ProbingTacticalObjectivesVocab-1.0" name="vocab_reference" type="xs:anyURI" use="optional"/>