| Property | Description |
|---|---|
| abstract | Brief summary text |
| account_created | Account creation timestamp |
| account_expires | Account expiration timestamp |
| account_first_login | Account first-login timestamp |
| account_last_login | Account last-login timestamp |
| account_login | Account login string |
| account_type | Account type value (account-type-ov) |
| additional_header_fields | Additional email headers |
| address_family | Specifies the address family (AF_*) that the socket is configured for |
| address_of_entry_point | Specifies the address of the entry point relative to the image base when the ... |
| administrative_area | Sub-national administrative area |
| ads_hashes | Specifies a dictionary of hashes for the alternate data stream |
| ads_name | Specifies the name of the alternate data stream |
| ads_size | Specifies the size of the alternate data stream, in bytes |
| aliases | Alternative names for the object |
| alternate_data_streams | Specifies a list of NTFS alternate data streams that exist for the file |
| analysis_definition_version | Malware analysis definition version |
| analysis_ended | Analysis end timestamp |
| analysis_engine_version | Malware analysis engine version |
| analysis_sco_refs | Referenced SCOs captured in analysis |
| analysis_started | Analysis start timestamp |
| architecture_execution_envs | Open-vocabulary processor architectures (processor-architecture-ov) |
| aslr_enabled | Specifies whether Address Space Layout Randomization (ASLR) is enabled for th... |
| atime | Last access time |
| authority_key_identifier | Specifies the identifier that provides a means of identifying the public key ... |
| authors | Author list |
| base_of_code | Specifies the address that is relative to the image base of the beginning-of-... |
| base_of_data | Specifies the address that is relative to the image base of the beginning-of-... |
| basic_constraints | Specifies a multi-valued extension which indicates whether a certificate is a... |
| bcc_refs | Bcc-recipient references |
| belongs_to_ref | Reference to the user-account object that this email address belongs to |
| belongs_to_refs | References to the autonomous-system objects that this IP address belongs to |
| bits_per_pixel | Specifies the sum of bits used for each color channel in the image in the ima... |
| body | Specifies a string containing the email body |
| body_multipart | List of MIME parts comprising the email body (multipart emails only) |
| body_raw_ref | Reference to an Artifact or File object for non-textual MIME part content |
| bundle_objects | Objects contained in a bundle |
| can_escalate_privs | Privilege escalation capability flag |
| capabilities | Open-vocabulary malware capabilities (malware-capabilities-ov) |
| cc_refs | Cc-recipient references |
| certificate_policies | Specifies a sequence of one or more policy information terms, each of which c... |
| characteristics_hex | Specifies the flags that indicate the file's characteristics |
| checksum_hex | Specifies the checksum of the PE binary |
| child_refs | Child process references |
| city | City name |
| command_line | Process command line |
| comment | Specifies a comment included as part of the archive file |
| confidence | Confidence that the producer has in this data |
| configuration_version | Malware analysis product configuration version |
| contact_information | Identity contact information |
| contains_refs | References to contained objects |
| content | Main text content payload |
| content_disposition | Value of the Content-Disposition header field of the MIME part |
| content_ref | Referenced content object |
| content_type | Specifies the value of the 'Content-Type' header of the email message |
| contents | Language content dictionary payload |
| context | Grouping context classifier |
| count | This is an integer between 0 and 999,999,999 inclusive and represents the num... |
| country | Country name |
| cpe | Specifies the Common Platform Enumeration (CPE) entry for the software |
| created | Creation timestamp |
| created_by_ref | Reference to the identity object that created this object |
| created_time | Process creation time |
| creator_user_ref | Reference to the user-account that created the process or registry key |
| credential | Cleartext account credential; intended only for capturing malware-analysis metadata, not for sharing PII |
| credential_last_changed | Credential last-changed timestamp |
| crl_distribution_points | Specifies how CRL information is obtained |
| ctime | File creation time (the STIX meaning; not the POSIX inode-change ctime) |
| cwd | Current working directory |
| decryption_key | Decryption key material |
| defanged | Defines whether or not the data contained within the object has been defanged |
| definition | Marking definition payload |
| definition_type | Type discriminator for marking definition content |
| dep_enabled | Specifies whether Data Execution Prevention (DEP) is enabled for the process |
| description | Human-readable description |
| descriptions | Specifies the descriptions defined for the service |
| display_name | Human-friendly display name |
| dll_characteristics_hex | Specifies the flags that characterize the PE binary |
| document_info_dict | Specifies details of the PDF document information dictionary (DID), which inc... |
| dst_byte_count | Bytes sent from destination to source |
| dst_flags_hex | Specifies the destination TCP flags, as the union of all TCP flags observed b... |
| dst_packets | Destination-to-source packet count |
| dst_payload_ref | Destination payload reference |
| dst_port | Destination port number |
| dst_ref | Destination observable reference |
| email_date | Date/time the email message was sent |
| encapsulated_by_ref | Reference to the network-traffic object that encapsulates this one |
| encapsulates_refs | References to the network-traffic objects encapsulated by this one |
| encryption_algorithm | Artifact encryption algorithm |
| end | Network traffic end time |
| entropy | Specifies the calculated entropy for the section, as calculated using the Sha... |
| environment_variables | Environment variable payload |
| exif_tags | Specifies the set of EXIF tags found in the image file, as a dictionary |
| explanation | Explanation text for an opinion |
| extended_key_usage | Specifies a list of usages indicating purposes for which the certificate publ... |
| extension_properties | Extension-defined property names |
| extension_type | Type discriminator for extension payloads |
| extension_types | Extension-definition type list |
| extensions | Open-ended extension payloads |
| external_id | An identifier for the external reference content |
| external_references | External references to non-STIX information |
| file_alignment | Specifies the factor (in bytes) that is used to align the raw data of section... |
| file_header_hashes | Specifies any hashes that were computed for the file header |
| first_observed | Start of observation window |
| first_seen | First time observed |
| from_ref | Sender mailbox reference |
| gid | Specifies the primary group ID of the account |
| goals | Threat actor goals |
| granular_markings | Granular markings that apply to selected content |
| group_name | Specifies the name of the load ordering group of which the service is a membe... |
| groups | Specifies a list of names of groups the account is a member of |
| hashes | Specifies a dictionary of hashes for the file or content |
| home_dir | Specifies the home directory of the account |
| host_vm_ref | Host VM software reference |
| icmp_code_hex | Specifies the ICMP code byte |
| icmp_type_hex | Specifies the ICMP type byte |
| id | STIX object identifier |
| identity_class | Identity class value (identity-class-ov) |
| image_base | Specifies the preferred address of the first byte of the image when it is loa... |
| image_height | Specifies the height of the image in the image file, in pixels |
| image_ref | Process image file reference |
| image_width | Specifies the width of the image in the image file, in pixels |
| imphash | Specifies the special import hash, or 'imphash', calculated for the PE binary |
| implementation_languages | Open-vocabulary implementation languages (implementation-language-ov) |
| indicator_types | Open-vocabulary indicator types (indicator-type-ov) |
| infrastructure_types | Open-vocabulary infrastructure categories (infrastructure-type-ov) |
| inhibit_any_policy | Specifies the number of additional certificates that may appear in the path b... |
| installed_software_refs | Installed software references |
| integrity_level | Specifies the Windows integrity level of the process |
| ipfix | Specifies any IP Flow Information Export (IPFIX) data for the traffic |
| is_active | Indicates whether the network traffic is still ongoing |
| is_blocking | Specifies whether the socket is in blocking mode |
| is_disabled | Disabled account flag |
| is_family | Indicates whether the malware object represents a family (true) or a single instance (false) |
| is_hidden | Specifies whether the process is hidden |
| is_listening | Specifies whether the socket is in listening mode |
| is_multipart | Indicates whether the email body contains multiple MIME parts |
| is_optimized | Specifies whether the PDF file has been optimized |
| is_privileged | Privileged account flag |
| is_self_signed | Specifies whether the certificate is self-signed |
| is_service_account | Service account flag |
| issuer | Certificate issuer |
| issuer_alternative_name | Specifies the additional identities to be bound to the issuer of the certific... |
| key | Registry key path |
| key_usage | Specifies a multi-valued extension consisting of a list of names of the permi... |
| kill_chain_name | Name of the kill chain |
| kill_chain_phases | Kill chain phases associated with this object |
| labels | Terms used to describe this object |
| lang | Language of textual properties |
| languages | Specifies the languages supported by the software |
| last_observed | End of observation window |
| last_seen | Last time observed |
| latitude | Latitude in decimal degrees |
| loader_flags_hex | Specifies the reserved loader flags |
| log_source_channel | The specific log channel, event ID, or event category within the log source (... |
| log_source_name | The log source provider or service name (e.g. ...) |
| longitude | Longitude in decimal degrees |
| machine_hex | Specifies the type of target machine |
| magic_hex | Specifies the unsigned integer that indicates the type of the PE binary (e.g. ...) |
| magic_number_hex | Hex magic number |
| major_image_version | Specifies the major version number of the image |
| major_linker_version | Specifies the linker major version number |
| major_os_version | Specifies the major version number of the required operating system |
| major_subsystem_version | Specifies the major version number of the subsystem |
| malware_types | Open-vocabulary malware types (malware-type-ov) |
| marking_ref | Marking-definition reference |
| message_body_data_ref | Specifies the data contained in the HTTP message body, as a reference to an A... |
| message_body_length | Specifies the length of the HTTP message body, if included in the request |
| message_id | Value of the Message-ID email header |
| mime_type | MIME type value |
| minor_image_version | Specifies the minor version number of the image |
| minor_linker_version | Specifies the linker minor version number |
| minor_os_version | Specifies the minor version number of the required operating system |
| minor_subsystem_version | Specifies the minor version number of the subsystem |
| modified | Modification timestamp |
| modified_time | Registry key last-modified timestamp |
| modules | Malware analysis module names |
| mtime | Last modification time |
| mutable_field | The name of the analytic field or parameter that can be tuned by a defender t... |
| name | Human-readable name |
| name_constraints | Specifies a namespace within which all subject names in subsequent certificat... |
| name_enc | Encoding for a name field |
| number | Autonomous system (AS) number |
| number_observed | Number of observations |
| number_of_rva_and_sizes | Specifies the number of data-directory entries in the remainder of the option... |
| number_of_sections | Specifies the number of sections in the PE binary, as a non-negative integer |
| number_of_subkeys | Number of registry subkeys |
| number_of_symbols | Specifies the number of entries in the symbol table of the PE binary, as a no... |
| object_marking_refs | Marking definition references applied to this object |
| object_modified | Referenced object modified timestamp |
| object_ref | Single object reference |
| object_refs | Referenced STIX objects |
| objective | Campaign objective |
| objects | Embedded cyber observable dictionary payload |
| observed_data_refs | References to observed-data objects |
| opened_connection_refs | Referenced opened network connections |
| operating_system_ref | Operating system software reference |
| operating_system_refs | References to software operating systems |
| opinion | Opinion value |
| optional_header | Specifies the PE optional header of the PE binary |
| owner_sid | Specifies the Security ID (SID) value of the owner of the process |
| parent_directory_ref | Parent directory reference |
| parent_ref | Parent process reference |
| path | Filesystem path |
| path_enc | Encoding used for a filesystem path |
| pattern | The detection pattern for this indicator |
| pattern_type | The type of pattern used in this indicator (pattern-type-ov) |
| pattern_version | The version of the pattern that is used |
| payload_bin | Base64-encoded binary payload |
| pdfid0 | Specifies the first file identifier found for the PDF file |
| pdfid1 | Specifies the second file identifier found for the PDF file |
| pe_section_hashes | Specifies any hashes computed over the section |
| pe_section_name | Specifies the name of the PE section |
| pe_section_size | Specifies the size of the PE section, in bytes |
| pe_type | Specifies the type of the PE binary |
| personal_motivations | Personal motivations of the threat actor (attack-motivation-ov) |
| phase_name | Name of the kill chain phase |
| pid | Specifies the Process ID, or PID, of the process |
| pointer_to_symbol_table_hex | Specifies the file offset of the COFF symbol table |
| policy_constraints | Specifies any constraints on path validation for certificates issued to CAs |
| policy_mappings | Specifies one or more pairs of OIDs; each pair includes an issuerDomainPolicy... |
| postal_code | Postal code |
| precision | Coordinate precision in meters |
| primary_motivation | Primary motivation (attack-motivation-ov) |
| priority | Specifies the current priority class of the process in Windows |
| private_key_usage_period_not_after | Specifies the date on which the validity period ends for the private key, if ... |
| private_key_usage_period_not_before | Specifies the date on which the validity period begins for the private key, i... |
| product | Malware analysis product name |
| protocols | Network protocols list |
| published | Timestamp when a report was published |
| raw_email_ref | Reference to raw email artifact |
| received_lines | Received header lines |
| region | Geographic region |
| registry_value_data | Registry value data content |
| registry_value_data_type | Registry value data type |
| registry_value_name | Registry value name |
| related_asset_sectors | The industry sectors in which this related (aliased) asset variant is observe... |
| relationship_type | Name of the relationship type |
| report_types | Open-vocabulary report categories (report-type-ov) |
| request_header | Specifies all of the HTTP header fields that may be found in the HTTP client ... |
| request_method | Specifies the HTTP method portion of the HTTP request line |
| request_value | Specifies the value (typically a resource path) portion of the HTTP request l... |
| request_version | Specifies the HTTP version portion of the HTTP request line |
| resolves_to_refs | References this observable resolves to |
| resource_level | Threat actor resource level (attack-resource-level-ov) |
| result | Malware analysis result value (malware-av-result-ov) |
| result_name | Analysis result name |
| revoked | Indicates whether this object has been revoked |
| rir | Regional Internet Registry name |
| roles | Open-vocabulary threat actor roles (threat-actor-role-ov) |
| sample_ref | Analysis subject sample reference |
| sample_refs | References to associated sample artifacts/files |
| schema | Extension schema definition or URL |
| secondary_motivations | Secondary motivations (attack-motivation-ov) |
| section_alignment | Specifies the alignment (in bytes) of PE sections when they are loaded into m... |
| sections | Specifies metadata about the sections in the PE file |
| sectors | Identity sector values (industry-sector-ov) |
| selectors | A list of selectors for content contained within the STIX object in which thi... |
| sender_ref | Sender reference |
| serial_number | X.509 serial number |
| service_dll_refs | Specifies the DLLs loaded by the service |
| service_name | Specifies the name of the service |
| service_status | Specifies the current status of the service |
| service_type | Specifies the type of the service |
| shell | Specifies the account's command shell |
| sid | Specifies the security ID (SID) value assigned to the file |
| sighting_of_ref | Reference to the object being sighted |
| signature_algorithm | X.509 signature algorithm |
| size | Object size in bytes |
| size_of_code | Specifies the size of the code (text) section |
| size_of_headers | Specifies the combined size of the MS-DOS, PE header, and section headers, ro... |
| size_of_heap_commit | Specifies the size of the local heap space to commit |
| size_of_heap_reserve | Specifies the size of the local heap space to reserve |
| size_of_image | Specifies the size, in bytes, of the image, including all headers, as the ima... |
| size_of_initialized_data | Specifies the size of the initialized data section |
| size_of_optional_header | Specifies the size of the optional header of the PE binary |
| size_of_stack_commit | Specifies the size of the stack to commit |
| size_of_stack_reserve | Specifies the size of the stack to reserve |
| size_of_uninitialized_data | Specifies the size of the uninitialized data section |
| socket_descriptor | Specifies the socket file descriptor value associated with the socket |
| socket_handle | Specifies the handle or inode value associated with the socket |
| socket_options | Specifies any options (SO_*) that may be used by the socket |
| socket_type | Specifies the type of the socket |
| sophistication | Threat actor sophistication level (threat-actor-sophistication-ov) |
| source_name | Name of the external source |
| source_ref | Relationship source object reference |
| spec_version | STIX specification version |
| src_byte_count | Bytes sent from source to destination |
| src_flags_hex | Specifies the source TCP flags, as the union of all TCP flags observed betwee... |
| src_packets | Source-to-destination packet count |
| src_payload_ref | Source payload reference |
| src_port | Source port number |
| src_ref | Source observable reference |
| start | Network traffic start time |
| start_time | Start timestamp for temporal relationship validity |
| start_type | Specifies the start options defined for the service |
| startup_info | Specifies the STARTUP_INFO struct used by the process |
| statement | A statement (e.g. ...) |
| stop_time | End timestamp for temporal relationship validity |
| street_address | Street address |
| subject | Subject string (email subject line, or X.509 certificate subject) |
| subject_alternative_name | Specifies the additional identities to be bound to the subject of the certifi... |
| subject_directory_attributes | Specifies the identification attributes (e.g. ...) |
| subject_key_identifier | Specifies the identifier that provides a means of identifying certificates th... |
| subject_public_key_algorithm | Subject public key algorithm |
| subject_public_key_exponent | Subject public key exponent |
| subject_public_key_modulus | Subject public key modulus |
| submitted | Malware sample submission timestamp |
| subsystem_hex | Specifies the subsystem (e.g. ...) |
| summary | The summary property indicates whether the Sighting should be considered summ... |
| swid | SWID tag value |
| tactic_refs | An ordered list of STIX IDs referencing x-mitre-tactic objects that constitut... |
| target_ref | Relationship target object reference |
| threat_actor_types | Open-vocabulary threat actor categories (threat-actor-type-ov) |
| time_date_stamp | Specifies the time when the PE binary was created |
| tlp | The Traffic Light Protocol level assigned by this TLP marking definition |
| to_refs | To-recipient references |
| tool_types | Open-vocabulary tool categories (tool-type-ov) |
| tool_version | Version identifier for a tool |
| type | STIX object type |
| url | A URL reference to an external resource |
| user_id | User account identifier |
| valid_from | The time from which this indicator should be considered valuable intelligence |
| valid_until | The time at which this indicator should no longer be considered valuable inte... |
| validity_not_after | Certificate validity end |
| validity_not_before | Certificate validity start |
| value | Canonical string value for simple cyber observables |
| values | Registry value entries |
| vendor | Vendor name |
| version | Version string |
| where_sighted_refs | References to identities or locations where sighted |
| win32_version_value_hex | Specifies the reserved win32 version value |
| window_title | Specifies the title of the main window of the process |
| x509_v3_extensions | X.509 v3 extensions payload |
| x_mitre_aliases | ATT&CK-recognized alternative names or aliases for this software object (Malw... |
| x_mitre_analytic_refs | An ordered array of STIX IDs referencing x-mitre-analytic objects that implem... |
| x_mitre_attack_spec_version | The version of the ATT&CK Data Model specification used to construct this obj... |
| x_mitre_collection_layers | The technology stack layers from which telemetry for this Data Source can be ... |
| x_mitre_contents | An ordered list of versioned object references specifying the exact version o... |
| x_mitre_contributors | Names of people and organizations who have contributed to the creation or enr... |
| x_mitre_data_component_ref | The STIX ID of the x-mitre-data-component object that this log source referen... |
| x_mitre_data_source_ref | DEPRECATED in ATT&CK Specification v3 |
| x_mitre_data_sources | DEPRECATED in ATT&CK Specification v3 |
| x_mitre_defense_bypassed | DEPRECATED in ATT&CK Specification v3 |
| x_mitre_deprecated | Boolean flag indicating that this ATT&CK object has been deprecated and shoul... |
| x_mitre_detection | DEPRECATED in ATT&CK Specification v3 |
| x_mitre_domains | The ATT&CK technology domains to which this object belongs |
| x_mitre_effective_permissions | DEPRECATED in ATT&CK Specification v3 |
| x_mitre_first_seen_citation | One or more inline citation references documenting the original sources that ... |
| x_mitre_impact_type | Indicates whether this technique can be used for availability attacks, integr... |
| x_mitre_is_subtechnique | Boolean flag indicating whether this attack-pattern is a sub-technique (true)... |
| x_mitre_last_seen_citation | One or more inline citation references documenting the original sources that ... |
| x_mitre_log_source_references | A list of log source references that link this analytic to specific data comp... |
| x_mitre_log_sources | Platform-specific log collection configurations for this data component |
| x_mitre_modified_by_ref | The STIX ID of the identity object that created the current version of this o... |
| x_mitre_mutable_elements | Environment-tunable parameters within this analytic that defenders can adjust... |
| x_mitre_network_requirements | Boolean indicating whether this technique requires network connectivity as a ... |
| x_mitre_old_attack_id | A legacy ATT&CK ID previously assigned to this object before a knowledge base... |
| x_mitre_permissions_required | DEPRECATED in ATT&CK Specification v3 |
| x_mitre_platforms | The set of technology platforms or operating environments to which this ATT&C... |
| x_mitre_related_assets | Sector-specific aliases and related device types associated with this primary... |
| x_mitre_remote_support | DEPRECATED in ATT&CK Specification v3 |
| x_mitre_sectors | The industry sectors in which this ICS Asset is commonly observed or deployed |
| x_mitre_shortname | The machine-readable short identifier for an ATT&CK tactic |
| x_mitre_system_requirements | DEPRECATED in ATT&CK Specification v3 |
| x_mitre_tactic_type | Indicates the adversary's device access model for Mobile ATT&CK techniques |
| x_mitre_version | The version of this ATT&CK object content in 'major.minor' format |
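The table lists properties in isolation; what matters in practice is how they constrain each other across a bundle (every `*_ref`/`*_refs` should resolve, `created_by_ref` must point at an identity, `valid_until` must follow `valid_from`, `count` is bounded, `kill_chain_phases` entries need both `kill_chain_name` and `phase_name`, and ATT&CK content carrying `revoked` or `x_mitre_deprecated` should be filtered before use). The checker below is an added example, not code from this page, OASIS or MITRE; it is written to work offline over a constructed STIX 2.1 bundle whose UUIDs, the technique ID `T0000`, the object names and the all-zero SHA-256 in the pattern are all placeholders. The allowed-target mapping in `REF_TARGET_TYPES` is a small subset of the specification's rules, chosen for illustration.

```python
# Added example, not code from the page, OASIS or MITRE: exercises the id,
# timestamp, reference and kill-chain properties from the table over a
# constructed STIX 2.1 bundle (placeholder UUIDs, placeholder technique ID
# and an all-zero placeholder hash) so it runs offline.
import re
from datetime import datetime, timezone

STIX_ID = re.compile(r"^([a-z0-9][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-"
                     r"[0-9a-f]{4}-[0-9a-f]{12}$")
# Object types a given *_ref / *_refs property may point at (subset of the spec's rules).
REF_TARGET_TYPES = {"created_by_ref": {"identity"}, "x_mitre_modified_by_ref": {"identity"},
                    "where_sighted_refs": {"identity", "location"}}


def ts(s):
    """STIX timestamp (RFC 3339 UTC with 'Z' suffix, optional fraction) -> aware datetime."""
    if not s.endswith("Z"):
        raise ValueError(f"not a STIX timestamp: {s!r}")
    return datetime.fromisoformat(s[:-1]).replace(tzinfo=timezone.utc)


def pid(stix_type, n):
    """Placeholder STIX id built from one hex digit (constructed, not real data)."""
    return f"{stix_type}--{n * 8}-{n * 4}-4{n * 3}-8{n * 3}-{n * 12}"


def sdo(stix_type, n, **props):
    """Constructed object carrying the common properties every SDO/SRO has."""
    return {"type": stix_type, "spec_version": "2.1", "id": pid(stix_type, n),
            "created": "2024-01-01T00:00:00Z", "modified": "2024-01-01T00:00:00Z", **props}


IDENTITY, INDICATOR = pid("identity", "1"), pid("indicator", "2")
MALWARE, TECHNIQUE = pid("malware", "3"), pid("attack-pattern", "4")
BUNDLE = {"type": "bundle", "id": pid("bundle", "0"), "objects": [
    sdo("identity", "1", name="Example CTI team", identity_class="organization"),
    sdo("indicator", "2", created_by_ref=IDENTITY, indicator_types=["malicious-activity"],
        pattern="[file:hashes.'SHA-256' = '" + "00" * 32 + "']",  # placeholder hash
        pattern_type="stix", valid_from="2024-01-01T00:00:00Z",
        valid_until="2024-07-01T00:00:00Z"),
    sdo("malware", "3", name="Example loader", is_family=False, malware_types=["downloader"]),
    sdo("attack-pattern", "4", name="Example technique", x_mitre_is_subtechnique=False,
        x_mitre_deprecated=False, x_mitre_platforms=["Windows"],
        kill_chain_phases=[{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
        external_references=[{"source_name": "mitre-attack", "external_id": "T0000"}]),  # placeholder ID
    sdo("relationship", "5", relationship_type="indicates", source_ref=INDICATOR, target_ref=MALWARE),
    sdo("relationship", "6", relationship_type="uses", source_ref=MALWARE, target_ref=TECHNIQUE),
    sdo("sighting", "7", sighting_of_ref=INDICATOR, count=3, where_sighted_refs=[IDENTITY],
        first_seen="2024-02-01T00:00:00Z", last_seen="2024-02-03T12:00:00Z"),
]}


def iter_refs(node, path=""):
    """Yield (path, id) for every *_ref / *_refs property, recursing into nested values."""
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}" if path else key
            if key.endswith("_ref") and isinstance(val, str):
                yield here, val
            elif key.endswith("_refs") and isinstance(val, list):
                for i, ref in enumerate(val):
                    yield f"{here}[{i}]", ref
            else:
                yield from iter_refs(val, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_refs(item, f"{path}[{i}]")


def check_bundle(bundle):
    """Return a list of problem strings; an empty list means every check passed."""
    problems, by_id = [], {}
    for obj in bundle.get("objects", []):
        m = STIX_ID.match(obj.get("id", ""))
        if not m:
            problems.append(f"{obj.get('id')!r}: malformed id")
            continue
        if m.group(1) != obj.get("type"):
            problems.append(f"{obj['id']}: id prefix does not match type {obj.get('type')!r}")
        by_id[obj["id"]] = obj
    for oid, obj in by_id.items():
        if {"created", "modified"} <= set(obj) and ts(obj["modified"]) < ts(obj["created"]):
            problems.append(f"{oid}: modified precedes created")
        if obj["type"] == "indicator" and {"valid_from", "valid_until"} <= set(obj) \
                and ts(obj["valid_until"]) <= ts(obj["valid_from"]):
            problems.append(f"{oid}: valid_until must be later than valid_from")
        if obj["type"] == "sighting":
            if not 0 <= obj.get("count", 0) <= 999_999_999:
                problems.append(f"{oid}: count outside 0..999,999,999")
            if {"first_seen", "last_seen"} <= set(obj) and ts(obj["last_seen"]) < ts(obj["first_seen"]):
                problems.append(f"{oid}: last_seen precedes first_seen")
        for phase in obj.get("kill_chain_phases", []):
            if not {"kill_chain_name", "phase_name"} <= set(phase):
                problems.append(f"{oid}: kill_chain_phases entry lacks kill_chain_name/phase_name")
        for path, ref in iter_refs(obj):
            prop = path.rsplit(".", 1)[-1].split("[")[0]  # property name without list index
            target = by_id.get(ref)
            if target is None:
                problems.append(f"{oid}: {path} -> {ref} does not resolve inside the bundle")
            elif prop in REF_TARGET_TYPES and target["type"] not in REF_TARGET_TYPES[prop]:
                problems.append(f"{oid}: {path} may only point at {sorted(REF_TARGET_TYPES[prop])}")
    return problems


def active_objects(bundle, stix_type):
    """Objects of one type that are neither revoked nor x_mitre_deprecated."""
    return [o for o in bundle["objects"] if o["type"] == stix_type
            and not o.get("revoked") and not o.get("x_mitre_deprecated")]


if __name__ == "__main__":
    for line in check_bundle(BUNDLE) or ["bundle passed all checks"]:
        print(line)
```

One caveat on the unresolved-reference check: STIX 2.1 does not require a bundle to be self-contained, so a reference that points outside the bundle is legal on the wire. Treating it as a problem is a deliberate ingestion policy (it catches truncated exports and typo'd IDs) rather than a specification rule, and a feed consumer that maintains its own object store would look the reference up there instead.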