Malware Schema
Malware
Object containing the following properties:
| Property | Description | Type |
|---|---|---|
id (*) | string | |
type (*) | 'malware' | |
spec_version (*) | The version of the STIX specification used to represent this object. | '2.1' |
created (*) | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
modified (*) | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
created_by_ref (*) | The ID of the Source object that describes who created this object. | string |
labels | The labels property specifies a set of terms used to meta this object. | Array<string> |
revoked | The revoked property indicates whether the object has been revoked. | boolean |
confidence | number (int, ≥1, ≤99) | |
lang | Identifies the language of the text content in this object. | string |
external_references (*) | A list of external references with the first containing a valid ATT&CK ID | Array of at least 1 objects:
|
object_marking_refs | The list of marking-definition objects to be applied to this object. | Array<string (_startsWith: marking-definition--_)> (min: 1) |
granular_markings | The set of granular markings that apply to this object. | Array of objects:
|
extensions | Specifies any extensions of the object, as a dictionary where keys are extension definition UUIDs | Object with dynamic keys of type string and values of type Object with properties:
Record<string, unknown> |
name (*) | The name of the object. | string (min length: 1) |
x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string (regex: /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$/) |
x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | string (regex: /^(\d{1,2})\.(\d{1,2})$/) |
x_mitre_old_attack_id | string | |
x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
description (*) | A description of the object. | string |
x_mitre_platforms | List of platforms that apply to the object. | Array<'Field Controller/RTU/PLC/IED' | 'Network Devices' | 'Data Historian' | 'Google Workspace' | 'Office Suite' | 'ESXi' | 'Identity Provider' | 'Containers' | 'Azure AD' | 'Engineering Workstation' | 'Control Server' | 'Human-Machine Interface' | 'Windows' | 'Linux' | 'IaaS' | 'None' | 'iOS' | 'PRE' | 'SaaS' | 'Input/Output Server' | ...> (min: 1) |
x_mitre_contributors | Array<string (_min length: 1_)> (min: 1) | |
x_mitre_aliases | Alternative names used to identify this software. The first alias must match the object's name. | Array<string> |
x_mitre_modified_by_ref (*) | The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. | 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5' |
x_mitre_domains (*) | The technology domains to which the ATT&CK object belongs. | Array<'enterprise-attack' | 'mobile-attack' | 'ics-attack'> (min: 1) |
aliases | Alternative names used to identify this software. | Array<string> |
is_family (*) | Whether the object represents a malware family (if true) or a malware instance (if false) | boolean |
malware_types | A set of categorizations for the malware being described. | Array<'adware' | 'backdoor' | 'bot' | 'bootkit' | 'ddos' | 'downloader' | 'dropper' | 'exploit-kit' | 'keylogger' | 'ransomware' | 'remote-access-trojan' | 'resource-exploitation' | 'rogue-security-software' | 'rootkit' | 'screen-capture' | 'spyware' | 'trojan' | 'virus' | 'webshell' | 'wiper' | ...> |
kill_chain_phases | The list of Kill Chain Phases for which this malware can be used. | Array of objects:
|
first_seen | The time that this malware instance or malware family was first seen. | string (ISO 8601) |
last_seen | The time that this malware family or malware instance was last seen. | string (ISO 8601) |
os_execution_envs | The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. | Array<string> |
architecture_execution_envs | The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. | Array<'alpha' | 'arm' | 'ia-64' | 'mips' | 'powerpc' | 'sparc' | 'x86' | 'x86-64'> |
implementation_languages | The programming language(s) used to implement the malware instance or family. | Array<'applescript' | 'bash' | 'c' | 'c++' | 'c#' | 'go' | 'java' | 'javascript' | 'lua' | 'objective-c' | 'perl' | 'php' | 'powershell' | 'python' | 'ruby' | 'scala' | 'swift' | 'typescript' | 'visual-basic' | 'x86-32' | ...> |
capabilities | Any of the capabilities identified for the malware instance or family. | Array<'accesses-remote-machines' | 'anti-debugging' | 'anti-disassembly' | 'anti-emulation' | 'anti-memory-forensics' | 'anti-sandbox' | 'anti-vm' | 'captures-input-peripherals' | 'captures-output-peripherals' | 'captures-system-state-data' | 'cleans-traces-of-infection' | 'commits-fraud' | 'communicates-with-c2' | 'compromises-data-integrity' | 'compromises-data-availability' | 'compromises-system-availability' | 'controls-local-machine' | 'degrades-security-software' | 'degrades-system-updates' | 'determines-c2-server' | ...> |
sample_refs | The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. | Array<[StixArtifactType](#stixartifacttype) _or_ [StixFileType](#stixfiletype)> |
(*) Required.
StixArtifactType
Used to specify the artifact stixType of the sample_refs property.
String.
StixFileType
Used to specify the file stixType of the sample_refs property.
String.