Class: WindowsProcessExt

The Windows Process extension specifies properties specific to Windows processes. Used as the value of the 'windows-process-ext' key in a Process object's extensions dictionary.

URI: attack:WindowsProcessExt

classDiagram
    class WindowsProcessExt
    click WindowsProcessExt href "../WindowsProcessExt/"
    CommonSchemaComponent <|-- WindowsProcessExt
    click CommonSchemaComponent href "../CommonSchemaComponent/"
    WindowsProcessExt : aslr_enabled
    WindowsProcessExt : dep_enabled
    WindowsProcessExt : description
    WindowsProcessExt : id
    WindowsProcessExt : integrity_level
    WindowsProcessExt --> "0..1" WindowsIntegrityLevelEnum : integrity_level
    click WindowsIntegrityLevelEnum href "../WindowsIntegrityLevelEnum/"
    WindowsProcessExt : name
    WindowsProcessExt : owner_sid
    WindowsProcessExt : priority
    WindowsProcessExt : startup_info
    WindowsProcessExt : type
    WindowsProcessExt : window_title

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| aslr_enabled | 0..1 Boolean | Specifies whether Address Space Layout Randomization (ASLR) is enabled for th... | direct |
| dep_enabled | 0..1 Boolean | Specifies whether Data Execution Prevention (DEP) is enabled for the process | direct |
| priority | 0..1 String | Specifies the current priority class of the process in Windows | direct |
| owner_sid | 0..1 String | Specifies the Security ID (SID) value of the owner of the process | direct |
| window_title | 0..1 String | Specifies the title of the main window of the process | direct |
| startup_info | 0..1 String | Specifies the STARTUP_INFO struct used by the process | direct |
| integrity_level | 0..1 WindowsIntegrityLevelEnum | Specifies the Windows integrity level of the process | direct |
| id | 0..1 StixIdentifier | STIX object identifier | StixEntity |
| type | 0..1 StixTypeName | STIX object type | StixEntity |
| name | 0..1 String | Human-readable name | StixEntity |
| description | 0..1 String | Human-readable description | StixEntity |

In Subsets

Comments

  • stix_extension_key: windows-process-ext stix_parent_type: process jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/process.json

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/attack

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | attack:WindowsProcessExt |
| native | attack:WindowsProcessExt |

LinkML Source

Direct

name: WindowsProcessExt
description: The Windows Process extension specifies properties specific to Windows
  processes. Used as the value of the 'windows-process-ext' key in a Process object's
  extensions dictionary.
comments:
- 'stix_extension_key: windows-process-ext stix_parent_type: process jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/process.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
is_a: CommonSchemaComponent
slots:
- aslr_enabled
- dep_enabled
- priority
- owner_sid
- window_title
- startup_info
- integrity_level

Induced

name: WindowsProcessExt
description: The Windows Process extension specifies properties specific to Windows
  processes. Used as the value of the 'windows-process-ext' key in a Process object's
  extensions dictionary.
comments:
- 'stix_extension_key: windows-process-ext stix_parent_type: process jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/process.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
is_a: CommonSchemaComponent
attributes:
  aslr_enabled:
    name: aslr_enabled
    description: Specifies whether Address Space Layout Randomization (ASLR) is enabled
      for the process.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: aslr_enabled
    owner: WindowsProcessExt
    domain_of:
    - WindowsProcessExt
    range: boolean
  dep_enabled:
    name: dep_enabled
    description: Specifies whether Data Execution Prevention (DEP) is enabled for
      the process.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: dep_enabled
    owner: WindowsProcessExt
    domain_of:
    - WindowsProcessExt
    range: boolean
  priority:
    name: priority
    description: Specifies the current priority class of the process in Windows.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: priority
    owner: WindowsProcessExt
    domain_of:
    - WindowsProcessExt
    range: string
  owner_sid:
    name: owner_sid
    description: Specifies the Security ID (SID) value of the owner of the process.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: owner_sid
    owner: WindowsProcessExt
    domain_of:
    - WindowsProcessExt
    range: string
  window_title:
    name: window_title
    description: Specifies the title of the main window of the process.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: window_title
    owner: WindowsProcessExt
    domain_of:
    - WindowsProcessExt
    range: string
  startup_info:
    name: startup_info
    description: Specifies the STARTUP_INFO struct used by the process.
    comments:
    - 'jsonschema_rule: patternProperties validator_hint: validate-startup-info-dictionary'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: startup_info
    owner: WindowsProcessExt
    domain_of:
    - WindowsProcessExt
    range: string
  integrity_level:
    name: integrity_level
    description: Specifies the Windows integrity level of the process.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: integrity_level
    owner: WindowsProcessExt
    domain_of:
    - WindowsProcessExt
    range: WindowsIntegrityLevelEnum
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: WindowsProcessExt
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: WindowsProcessExt
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
  name:
    name: name
    description: Human-readable name.
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: WindowsProcessExt
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
  description:
    name: description
    description: Human-readable description.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: WindowsProcessExt
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string