-
Notifications
You must be signed in to change notification settings - Fork 16
/
behavior.json
52 lines (52 loc) · 2.96 KB
/
behavior.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
{
"$schema": "http://json-schema.org/draft-04/schema#",
"definitions": {
"behavior": {
"title": "Behavior",
"type": "object",
"description": "A Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor. Behaviors may be composed of one or more Malware Actions, thereby providing context to these Actions.",
"properties": {
"type": {
"type": "string",
"enum": ["behavior"]
},
"id": {
"type": "string",
"description": "Specifies a unique ID for this Behavior."
},
"name": {
"type": "string",
"description": "Captures the name of the Behavior. The values for this property SHOULD come from the behavior-ov open vocabulary."
},
"description": {
"type": "string",
"description": "Specifies a textual description of the Behavior."
},
"timestamp": {
"type": "string",
"format": "date-time",
"description": "Captures the local or relative time at which the Behavior occured or was observed."
},
"attributes": {
"type": "object",
"description": "Captures attributes of the Behavior as name/value pairs. Dictionary keys used in this property SHOULD come from the common-attribute-ov vocabulary. The corresponding values for the keys SHOULD come from the platform-ov and encryption-algorithm-ov vocabularies."
},
"action_refs": {
"type": "array",
"items": {"type": "string"},
"description": "Captures Actions that serve as an implementation of the Behavior. Each list item specifies the unique ID of the Action being referenced. The Action MUST be present in the current Package. The ordering of the references in the list denotes the sequential ordering of the Actions with respect to the Behavior; that is, Actions at the beginning of the list MUST have occurred before those later in the list."
},
"technique_refs": {
"type": "array",
"items": {"$ref": "external-reference.json#/definitions/external-reference"},
"description": "References any techniques, such as DLL Search Order Hijacking, used to implement the Behavior. Each reference SHOULD point to a valid ATT&CK Technique or related entity."
}
},
"required": [
"id",
"type",
"name"
]
}
}
}