malware

The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.

Attributes

| Caption | Name | Type | Description |
|---|---|---|---|
| Classification IDs | classification_ids | Integer[] | The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types. The defined values are listed below the table. |
| Classifications | classifications | String[] | The list of malware classifications, normalized to the captions of the classification_ids values. In the case of 'Other', they are defined by the event source. |
| CVE List | cves | CVE[] | List of Common Vulnerabilities and Exposures (CVE). |
| Name | name | String | The malware name, as reported by the detection engine. |
| Path | path | String | The filesystem path of the malware that was observed. |
| Provider | provider | String | The provider of the malware information. |
| Raw Data | raw_data | JSON | Group: context. The event data as received from the event source. |
| Record ID | record_id | String | Group: primary. Unique identifier for the object. |
| Unique ID | uid | String | The malware unique identifier, as reported by the detection engine. For example, a virus id or an IPS signature id. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |

classification_ids values:
  • 0: Unknown (UNKNOWN)
  • 1: Adware (ADWARE)
  • 2: Backdoor (BACKDOOR)
  • 3: Bot (BOT)
  • 4: Bootkit (BOOTKIT)
  • 5: DDOS (DDOS)
  • 6: Downloader (DOWNLOADER)
  • 7: Dropper (DROPPER)
  • 8: Exploit-Kit (EXPLOIT_KIT)
  • 9: Keylogger (KEYLOGGER)
  • 10: Ransomware (RANSOMWARE)
  • 11: Remote-Access-Trojan (REMOTE_ACCESS_TROJAN)
  • 13: Resource-Exploitation (RESOURCE_EXPLOITATION)
  • 14: Rogue-Security-Software (ROGUE_SECURITY_SOFTWARE)
  • 15: Rootkit (ROOTKIT)
  • 16: Screen-Capture (SCREEN_CAPTURE)
  • 17: Spyware (SPYWARE)
  • 18: Trojan (TROJAN)
  • 19: Virus (VIRUS)
  • 20: Webshell (WEBSHELL)
  • 21: Wiper (WIPER)
  • 22: Worm (WORM)
  • 99: Other (OTHER)
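The two classification attributes are parallel lists and must stay consistent: each entry of classifications is the caption of the matching classification_ids value, except for 99 (Other), whose caption comes from the event source. The following added example (not OCSF project code) builds a malware object from a constructed EDR-style detection record and checks that consistency. The classification table is copied from this page; the detection field names (signature_id, threat_name, file_path, malware_types), the helper names and the sample values are assumptions made for the example, and the CVE id in the sample is a placeholder.

```python
"""Normalize a detection into an OCSF 1.4.0 `malware` object and validate it.

Added example, not part of the OCSF schema or its tooling. The classification
table is copied from the schema page; the detection-side field names, the
helper names and the sample detection are constructed for this example.
"""
from __future__ import annotations

import uuid

# classification_ids -> caption, exactly as listed on the schema page.
MALWARE_CLASSIFICATIONS = {
    0: "Unknown", 1: "Adware", 2: "Backdoor", 3: "Bot", 4: "Bootkit", 5: "DDOS",
    6: "Downloader", 7: "Dropper", 8: "Exploit-Kit", 9: "Keylogger",
    10: "Ransomware", 11: "Remote-Access-Trojan", 13: "Resource-Exploitation",
    14: "Rogue-Security-Software", 15: "Rootkit", 16: "Screen-Capture",
    17: "Spyware", 18: "Trojan", 19: "Virus", 20: "Webshell", 21: "Wiper",
    22: "Worm", 99: "Other",
}
OTHER = 99
# STIX malware-type vocabulary strings are the captions lower-cased
# (e.g. "remote-access-trojan"), so a lower-case reverse map covers them.
_ID_BY_STIX_TYPE = {cap.lower(): cid for cid, cap in MALWARE_CLASSIFICATIONS.items()}


def classify(stix_types: list[str]) -> tuple[list[int], list[str]]:
    """Map STIX malware-type strings to parallel classification_ids / classifications.

    A type the schema does not define becomes 99 (Other) and keeps the source's
    own label as its caption, which is what the schema allows for 'Other'.
    Duplicates are dropped while preserving order.
    """
    pairs: list[tuple[int, str]] = []
    for raw in stix_types:
        label = raw.strip()
        cid = _ID_BY_STIX_TYPE.get(label.lower(), OTHER)
        caption = MALWARE_CLASSIFICATIONS[cid] if cid != OTHER else label
        if (cid, caption) not in pairs:
            pairs.append((cid, caption))
    return [cid for cid, _ in pairs], [cap for _, cap in pairs]


# Constructed sample detection; field names are assumptions, not a real product's schema.
SAMPLE_DETECTION = {
    "signature_id": "sig-000123",
    "threat_name": "Trojan.Downloader.Example",
    "file_path": "/tmp/update.bin",
    "malware_types": ["trojan", "downloader", "Trojan", "cryptojacker"],
    "cves": ["CVE-0000-00000"],  # placeholder id, not a real CVE
}


def build_malware(detection: dict, provider: str) -> dict:
    """Build the OCSF malware object (attributes from the schema page) from a detection."""
    ids, captions = classify(detection.get("malware_types", []))
    return {
        "record_id": str(uuid.uuid4()),
        "uid": detection["signature_id"],  # detection engine's signature id
        "name": detection["threat_name"],
        "path": detection.get("file_path"),
        "provider": provider,
        "classification_ids": ids,
        "classifications": captions,
        "cves": [{"uid": c} for c in detection.get("cves", [])],
        "raw_data": detection,
    }


def validate_malware(obj: dict) -> list[str]:
    """Return the consistency problems found in a malware object (empty when valid)."""
    problems: list[str] = []
    ids = obj.get("classification_ids", [])
    caps = obj.get("classifications", [])
    if len(ids) != len(caps):
        problems.append("classification_ids and classifications differ in length")
    for cid, cap in zip(ids, caps):
        if cid not in MALWARE_CLASSIFICATIONS:
            problems.append(f"unknown classification id {cid}")
        elif cid != OTHER and cap != MALWARE_CLASSIFICATIONS[cid]:
            problems.append(
                f"classification {cap!r} does not match id {cid} ({MALWARE_CLASSIFICATIONS[cid]})"
            )
    # This example treats record_id and name as mandatory; the page lists no requirement levels.
    for field in ("record_id", "name"):
        if not obj.get(field):
            problems.append(f"missing {field}")
    return problems


if __name__ == "__main__":
    malware = build_malware(SAMPLE_DETECTION, provider="ExampleEDR")
    print(malware["classification_ids"], malware["classifications"])
    print("problems:", validate_malware(malware))
```

The validator is the part worth keeping in a pipeline: a mapper that emits an id the enum does not define, or a caption that disagrees with its id, produces records that downstream consumers will silently misclassify.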

Relationships

Malware shown in context

Inbound Relationships

These objects and events reference Malware in their attributes:

Outbound Relationships

Malware references the following objects and events in its attributes:

This page describes ocsf-1.4.0