
Class: Malware

_Malware is a type of TTP, also known as malicious code or malicious software. It refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS), or of otherwise annoying or disrupting the victim._

URI: attack:Malware

 classDiagram
    class Malware
    click Malware href "../Malware/"
      StixDomainObject <|-- Malware
        click StixDomainObject href "../StixDomainObject/"

      Malware : aliases
      Malware : architecture_execution_envs
      Malware : capabilities
      Malware : confidence
      Malware : created
      Malware : created_by_ref
      Malware : description
      Malware : extensions
      Malware : external_references
        Malware --> "*" ExternalReference : external_references
        click ExternalReference href "../ExternalReference/"
      Malware : first_seen
      Malware : granular_markings
        Malware --> "*" GranularMarking : granular_markings
        click GranularMarking href "../GranularMarking/"
      Malware : id
      Malware : implementation_languages
      Malware : is_family
      Malware : kill_chain_phases
        Malware --> "*" KillChainPhase : kill_chain_phases
        click KillChainPhase href "../KillChainPhase/"
      Malware : labels
      Malware : lang
      Malware : last_seen
      Malware : malware_types
      Malware : modified
      Malware : name
      Malware : object_marking_refs
      Malware : operating_system_refs
      Malware : revoked
      Malware : sample_refs
      Malware : spec_version
        Malware --> "1" SpecVersionEnum : spec_version
        click SpecVersionEnum href "../SpecVersionEnum/"
      Malware : type

Inheritance

  • StixDomainObject
    • Malware

Slots

| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| aliases | * String | Alternative names for the object | direct |
| first_seen | 0..1 Datetime | First time observed | direct |
| last_seen | 0..1 Datetime | Last time observed | direct |
| operating_system_refs | * StixIdentifier | References to software operating systems | direct |
| architecture_execution_envs | * ProcessorArchitectureOv or String | Open-vocabulary processor architectures (processor-architecture-ov) | direct |
| implementation_languages | * String or ImplementationLanguageOv | Open-vocabulary implementation languages (implementation-language-ov) | direct |
| capabilities | * MalwareCapabilityOv or String | Open-vocabulary malware capabilities (malware-capabilities-ov) | direct |
| sample_refs | * StixIdentifier | References to associated sample artifacts/files | direct |
| malware_types | * String or MalwareTypeOv | Open-vocabulary malware types (malware-type-ov) | direct |
| is_family | 1 Boolean | Indicates if malware object is a family | direct |
| kill_chain_phases | * KillChainPhase | Kill chain phases associated with this object | direct |
| type | 1 StixTypeName | STIX object type | Core, StixEntity |
| spec_version | 1 SpecVersionEnum | STIX specification version | Core |
| id | 1 StixIdentifier | STIX object identifier | Core, StixEntity |
| created | 1 Datetime | Creation timestamp | Core |
| modified | 1 Datetime | Modification timestamp | Core |
| created_by_ref | 0..1 StixIdentifier | ID of the object that created this object | Core |
| labels | * String | Terms used to describe this object | Core |
| revoked | 0..1 Boolean | Indicates whether this object has been revoked | Core |
| confidence | 0..1 Integer | Confidence that the producer has in this data | Core |
| lang | 0..1 String | Language of textual properties | Core |
| external_references | * ExternalReference | External references to non-STIX information | Core |
| object_marking_refs | * StixIdentifier | Marking definition references applied to this object | Core |
| granular_markings | * GranularMarking | Granular markings that apply to selected content | Core |
| extensions | * String | Open-ended extension payloads | Core |
| name | 0..1 String | Human-readable name | StixEntity |
| description | 0..1 String | Human-readable description | StixEntity |

In Subsets

  • sdos

Comments

  • jsonschema_rule: oneOf validator_hint: enforce-malware-family-name-constraint jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/sdos/malware.json

Notes

  • JSON Schema includes oneOf semantics where name is required when is_family=true.
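The constraints this page spells out (is_family required, name required when is_family is true, the malware-- identifier pattern, the software-- prefix on operating_system_refs, minItems 1 on every list slot, millisecond precision on created/modified, confidence in 0..100) are the ones most often broken in hand-built feeds. The validator below is an added example, not part of this LinkML schema, the attack model, or the OASIS JSON schema. It assumes the schema targets STIX 2.1 (spec_version "2.1"), and it deliberately does not enforce vocabulary membership, because every *_ov slot on the page is typed as the vocabulary or String. Both sample objects, their UUIDs and timestamps are constructed for the example.

```python
"""Structural checks for a STIX 2.1 Malware SDO, mirroring the constraints on this page.

Added example; not part of the LinkML schema or the OASIS JSON schema.
Open vocabularies (malware-type-ov, malware-capabilities-ov, ...) are NOT
enforced: the page types every *_ov slot as "<Ov> or String".
"""
import re

# id slot_usage pattern from the page: malware-- followed by an RFC 4122 UUID
ID_RE = re.compile(
    r"^malware--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}"
    r"-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$"
)
# created/modified pattern from the page: at least millisecond precision, UTC
TS_RE = re.compile(r"T\d{2}:\d{2}:\d{2}\.\d{3,}Z$")
REQUIRED = ("type", "spec_version", "id", "created", "modified", "is_family")
# every multivalued slot the page annotates with jsonschema_minItems: "1"
MIN_ITEMS_1 = (
    "malware_types", "operating_system_refs", "architecture_execution_envs",
    "implementation_languages", "capabilities", "sample_refs", "aliases",
    "kill_chain_phases", "labels", "external_references",
    "object_marking_refs", "granular_markings",
)


def validate_malware(obj: dict) -> list[str]:
    """Return the list of constraint violations; an empty list means the object passes."""
    errors = []
    for key in REQUIRED:
        if key not in obj:
            errors.append(f"missing required property '{key}'")
    if obj.get("type") != "malware":
        errors.append("type must be exactly 'malware'")
    if "id" in obj and not ID_RE.match(str(obj["id"])):
        errors.append("id must be 'malware--' followed by an RFC 4122 UUID")
    # assumption: this schema targets STIX 2.1, so SpecVersionEnum is "2.1"
    if "spec_version" in obj and obj["spec_version"] != "2.1":
        errors.append("spec_version must be '2.1'")
    for ts in ("created", "modified"):
        if ts in obj and not TS_RE.search(str(obj[ts])):
            errors.append(f"{ts} must be a UTC timestamp with millisecond precision")
    if "is_family" in obj:
        if not isinstance(obj["is_family"], bool):
            errors.append("is_family must be a boolean")
        elif obj["is_family"] and not obj.get("name"):
            # the oneOf rule from the JSON schema: a family must carry a name
            errors.append("name is required when is_family is true")
    for key in MIN_ITEMS_1:
        if key in obj and (not isinstance(obj[key], list) or len(obj[key]) == 0):
            errors.append(f"{key} must be a non-empty list when present")
    refs = obj.get("operating_system_refs")
    if isinstance(refs, list):
        for ref in refs:
            if not str(ref).startswith("software--"):
                errors.append(f"operating_system_refs entry '{ref}' must reference a software SCO")
    conf = obj.get("confidence")
    if conf is not None and (isinstance(conf, bool) or not isinstance(conf, int)
                             or not 0 <= conf <= 100):
        errors.append("confidence must be an integer in 0..100")
    if "revoked" in obj and not isinstance(obj["revoked"], bool):
        errors.append("revoked must be a boolean")
    return errors


# Constructed sample: a named family using the open-vocabulary slots.
# The UUIDs and timestamps are made up for this example.
SAMPLE_FAMILY = {
    "type": "malware",
    "spec_version": "2.1",
    "id": "malware--3a1c2b4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
    "created": "2024-01-15T09:30:00.000Z",
    "modified": "2024-01-15T09:30:00.000Z",
    "name": "ExampleLocker",
    "is_family": True,
    "malware_types": ["ransomware"],
    "capabilities": ["communicates-with-c2", "compromises-data-availability"],
    "architecture_execution_envs": ["x86-64"],
    "implementation_languages": ["c++"],
    "operating_system_refs": ["software--8f6a1c2e-1d3b-4e5f-9a7b-2c4d6e8f0a1b"],
    "confidence": 80,
}

# Constructed negative sample: unnamed family, malformed id, second-precision
# created timestamp, empty list, and a reference that is not a software SCO.
SAMPLE_BAD = {
    "type": "malware",
    "spec_version": "2.1",
    "id": "malware--not-a-uuid",
    "created": "2024-01-15T09:30:00Z",
    "modified": "2024-01-15T09:30:00.000Z",
    "is_family": True,
    "malware_types": [],
    "operating_system_refs": ["file--8f6a1c2e-1d3b-4e5f-9a7b-2c4d6e8f0a1b"],
}

if __name__ == "__main__":
    assert validate_malware(SAMPLE_FAMILY) == []
    for err in validate_malware(SAMPLE_BAD):
        print("-", err)
```

Run as a script it prints the five violations in SAMPLE_BAD. Dropping name is only legal when is_family is false, which is the edge the oneOf note above is about; the vocabulary values are passed through unchecked, so a producer's typo in malware_types will not be caught here and needs a separate, softer warning layer if you want one.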

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/attack

Mappings

| Mapping Type | Mapped Value |
|---|---|
| self | attack:Malware |
| native | attack:Malware |
| narrow | unified_cyber_ontology:Software |

LinkML Source

Direct

name: Malware
description: 'Malware is a type of TTP that is also known as malicious code and malicious
  software, refers to a program that is inserted into a system, usually covertly,
  with the intent of compromising the confidentiality, integrity, or availability
  of the victim''s data, applications, or operating system (OS) or of otherwise annoying
  or disrupting the victim. '
notes:
- JSON Schema includes oneOf semantics where name is required when is_family=true.
comments:
- 'jsonschema_rule: oneOf validator_hint: enforce-malware-family-name-constraint jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/sdos/malware.json'
in_subset:
- sdos
from_schema: https://w3id.org/lmodel/attack
narrow_mappings:
- unified_cyber_ontology:Software
is_a: StixDomainObject
slots:
- aliases
- first_seen
- last_seen
- operating_system_refs
- architecture_execution_envs
- implementation_languages
- capabilities
- sample_refs
- malware_types
- is_family
- kill_chain_phases
slot_usage:
  id:
    name: id
    pattern: ^malware--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^malware$
  is_family:
    name: is_family
    required: true
  malware_types:
    name: malware_types
    comments:
    - 'jsonschema_minItems: "1"'
  operating_system_refs:
    name: operating_system_refs
    comments:
    - 'jsonschema_minItems: "1"'
    pattern: ^software--
  architecture_execution_envs:
    name: architecture_execution_envs
    comments:
    - 'jsonschema_minItems: "1"'
  implementation_languages:
    name: implementation_languages
    comments:
    - 'jsonschema_minItems: "1"'
  capabilities:
    name: capabilities
    comments:
    - 'jsonschema_minItems: "1"'
  sample_refs:
    name: sample_refs
    comments:
    - 'jsonschema_minItems: "1"'
  aliases:
    name: aliases
    comments:
    - 'jsonschema_minItems: "1"'
  kill_chain_phases:
    name: kill_chain_phases
    comments:
    - 'jsonschema_minItems: "1"'

Induced

name: Malware
description: 'Malware is a type of TTP that is also known as malicious code and malicious
  software, refers to a program that is inserted into a system, usually covertly,
  with the intent of compromising the confidentiality, integrity, or availability
  of the victim''s data, applications, or operating system (OS) or of otherwise annoying
  or disrupting the victim. '
notes:
- JSON Schema includes oneOf semantics where name is required when is_family=true.
comments:
- 'jsonschema_rule: oneOf validator_hint: enforce-malware-family-name-constraint jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/sdos/malware.json'
in_subset:
- sdos
from_schema: https://w3id.org/lmodel/attack
narrow_mappings:
- unified_cyber_ontology:Software
is_a: StixDomainObject
slot_usage:
  id:
    name: id
    pattern: ^malware--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^malware$
  is_family:
    name: is_family
    required: true
  malware_types:
    name: malware_types
    comments:
    - 'jsonschema_minItems: "1"'
  operating_system_refs:
    name: operating_system_refs
    comments:
    - 'jsonschema_minItems: "1"'
    pattern: ^software--
  architecture_execution_envs:
    name: architecture_execution_envs
    comments:
    - 'jsonschema_minItems: "1"'
  implementation_languages:
    name: implementation_languages
    comments:
    - 'jsonschema_minItems: "1"'
  capabilities:
    name: capabilities
    comments:
    - 'jsonschema_minItems: "1"'
  sample_refs:
    name: sample_refs
    comments:
    - 'jsonschema_minItems: "1"'
  aliases:
    name: aliases
    comments:
    - 'jsonschema_minItems: "1"'
  kill_chain_phases:
    name: kill_chain_phases
    comments:
    - 'jsonschema_minItems: "1"'
attributes:
  aliases:
    name: aliases
    description: Alternative names for the object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: aliases
    owner: Malware
    domain_of:
    - AttackPattern
    - Campaign
    - Infrastructure
    - IntrusionSet
    - Malware
    - ThreatActor
    - Tool
    range: string
    multivalued: true
  first_seen:
    name: first_seen
    description: First time observed.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: first_seen
    owner: Malware
    domain_of:
    - Campaign
    - Infrastructure
    - IntrusionSet
    - Malware
    - ThreatActor
    - Sighting
    range: datetime
  last_seen:
    name: last_seen
    description: Last time observed.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: last_seen
    owner: Malware
    domain_of:
    - Campaign
    - Infrastructure
    - IntrusionSet
    - Malware
    - ThreatActor
    - Sighting
    range: datetime
  operating_system_refs:
    name: operating_system_refs
    description: References to software operating systems.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: operating_system_refs
    owner: Malware
    domain_of:
    - Malware
    range: stix_identifier
    multivalued: true
    pattern: ^software--
  architecture_execution_envs:
    name: architecture_execution_envs
    description: Open-vocabulary processor architectures (processor-architecture-ov).
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: architecture_execution_envs
    owner: Malware
    domain_of:
    - Malware
    range: string
    multivalued: true
    any_of:
    - range: ProcessorArchitectureOv
    - range: string
  implementation_languages:
    name: implementation_languages
    description: Open-vocabulary implementation languages (implementation-language-ov).
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: implementation_languages
    owner: Malware
    domain_of:
    - Malware
    range: string
    multivalued: true
    any_of:
    - range: ImplementationLanguageOv
    - range: string
  capabilities:
    name: capabilities
    description: Open-vocabulary malware capabilities (malware-capabilities-ov).
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: capabilities
    owner: Malware
    domain_of:
    - Malware
    range: string
    multivalued: true
    any_of:
    - range: MalwareCapabilityOv
    - range: string
  sample_refs:
    name: sample_refs
    description: References to associated sample artifacts/files.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: sample_refs
    owner: Malware
    domain_of:
    - Malware
    range: stix_identifier
    multivalued: true
  malware_types:
    name: malware_types
    description: Open-vocabulary malware types (malware-type-ov).
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: malware_types
    owner: Malware
    domain_of:
    - Malware
    range: string
    multivalued: true
    any_of:
    - range: MalwareTypeOv
    - range: string
  is_family:
    name: is_family
    description: Indicates if malware object is a family.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: is_family
    owner: Malware
    domain_of:
    - Malware
    range: boolean
    required: true
  kill_chain_phases:
    name: kill_chain_phases
    description: Kill chain phases associated with this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: kill_chain_phases
    owner: Malware
    domain_of:
    - AttackPattern
    - Indicator
    - Infrastructure
    - Malware
    - Tool
    range: KillChainPhase
    multivalued: true
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: Malware
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
    required: true
    pattern: ^malware$
  spec_version:
    name: spec_version
    description: STIX specification version.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:specVersion
    rank: 1000
    alias: spec_version
    owner: Malware
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: SpecVersionEnum
    required: true
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: Malware
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
    required: true
    pattern: ^malware--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  created:
    name: created
    description: Creation timestamp.
    notes:
    - STIX core timestamps require millisecond precision.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectCreatedTime
    rank: 1000
    alias: created
    owner: Malware
    domain_of:
    - Core
    - MarkingDefinition
    range: datetime
    required: true
    pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
  modified:
    name: modified
    description: Modification timestamp.
    notes:
    - STIX core timestamps require millisecond precision.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:modifiedTime
    rank: 1000
    alias: modified
    owner: Malware
    domain_of:
    - Core
    range: datetime
    required: true
    pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
  created_by_ref:
    name: created_by_ref
    description: ID of the object that created this object.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:createdBy
    rank: 1000
    alias: created_by_ref
    owner: Malware
    domain_of:
    - Core
    - MarkingDefinition
    range: stix_identifier
  labels:
    name: labels
    description: Terms used to describe this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:tag
    rank: 1000
    alias: labels
    owner: Malware
    domain_of:
    - Core
    range: string
    multivalued: true
  revoked:
    name: revoked
    description: Indicates whether this object has been revoked.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: revoked
    owner: Malware
    domain_of:
    - Core
    range: boolean
  confidence:
    name: confidence
    description: Confidence that the producer has in this data.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: confidence
    owner: Malware
    domain_of:
    - Core
    range: integer
    minimum_value: 0
    maximum_value: 100
  lang:
    name: lang
    description: Language of textual properties.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: lang
    owner: Malware
    domain_of:
    - Core
    - GranularMarking
    range: string
  external_references:
    name: external_references
    description: External references to non-STIX information.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: external_references
    owner: Malware
    domain_of:
    - Core
    - MarkingDefinition
    range: ExternalReference
    multivalued: true
  object_marking_refs:
    name: object_marking_refs
    description: Marking definition references applied to this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: object_marking_refs
    owner: Malware
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: stix_identifier
    multivalued: true
  granular_markings:
    name: granular_markings
    description: Granular markings that apply to selected content.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    narrow_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: granular_markings
    owner: Malware
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: GranularMarking
    multivalued: true
  extensions:
    name: extensions
    description: Open-ended extension payloads.
    notes:
    - JSON Schema uses patternProperties for extension keys; exact key validation
      is delegated to validator tooling.
    comments:
    - 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:hasFacet
    rank: 1000
    alias: extensions
    owner: Malware
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    - File
    range: string
    multivalued: true
  name:
    name: name
    description: Human-readable name.
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: Malware
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
  description:
    name: description
    description: Human-readable description.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: Malware
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string