Documentation ¶
Overview ¶
Package vocabs implements the STIX 2 Vocabularies.
This package defines variables that contain all of the values for each vocabulary.
The following information comes directly from the STIX 2 specification documents.
The following sections provide object-specific listings for each of the vocabularies referenced in the object description sections defined in Sections 4, 5, 6, and 7.
STIX vocabularies that have type names ending in '-ov', are "open": they provide a listing of common and industry accepted terms as a guide to the user but do not limit the user to that defined list. These vocabularies are referenced from the STIX Objects as type open-vocab and have a statement indicating which vocabulary should be used.
STIX vocabularies that have type names ending in '-enum' are "closed": the only valid values are those in the vocabulary. These vocabularies are referenced from the STIX Objects as type enum and have a statement indicating which enumeration must be used.
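An added example, not code from the vocabs package, that applies the open/closed rule above: a value is matched exactly against the listed terms, an unlisted value is rejected only for a closed "-enum" vocabulary, and a near-miss spelling is reported either way so that a validator can flag likely typos in open vocabularies too. The two value lists are copied from the package's Opinion and HashingAlgorithm variables; the Vocabulary type and the Check and Explain functions are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Vocabulary pairs a STIX 2 value list with its vocabulary name. The name
// carries the rule from the overview: "-enum" is closed, "-ov" is open.
type Vocabulary struct {
	Name   string
	Values []string
}

// Closed reports whether only listed values are valid, derived from the
// STIX naming convention rather than from a separate flag.
func (v Vocabulary) Closed() bool { return strings.HasSuffix(v.Name, "-enum") }

// Result describes how a single value relates to a vocabulary.
type Result struct {
	Valid   bool   // false only for an unlisted value in a closed vocabulary
	Listed  bool   // the value is one of the listed terms (exact match)
	Nearest string // listed term that matches after normalisation, if any
}

// normalize folds case and drops separators so that "sha256", "Sha-256" and
// "SHA_256" all collapse to "sha256". It is used only for the suggestion;
// the real match is exact, because STIX values are literal identifiers.
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if r != '-' && r != '_' && r != ' ' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Check applies the open/closed rule to value.
func (v Vocabulary) Check(value string) Result {
	for _, term := range v.Values {
		if term == value {
			return Result{Valid: true, Listed: true}
		}
	}
	r := Result{Valid: !v.Closed()} // unlisted: only an error when closed
	want := normalize(value)
	for _, term := range v.Values {
		if normalize(term) == want {
			r.Nearest = term
			break
		}
	}
	return r
}

// Explain renders the check as a one-line finding for a validator log.
func (v Vocabulary) Explain(value string) string {
	r := v.Check(value)
	switch {
	case r.Listed:
		return fmt.Sprintf("%s: %q is a listed value", v.Name, value)
	case r.Nearest != "":
		return fmt.Sprintf("%s: %q is not listed; did you mean %q? (valid=%t)", v.Name, value, r.Nearest, r.Valid)
	case r.Valid:
		return fmt.Sprintf("%s: %q is not listed, but the vocabulary is open", v.Name, value)
	default:
		return fmt.Sprintf("%s: %q is invalid; the enumeration is closed", v.Name, value)
	}
}

// Two value lists copied from the package's Opinion and HashingAlgorithm variables.
var (
	OpinionEnum   = Vocabulary{Name: "opinion-enum", Values: []string{"strongly-disagree", "disagree", "neutral", "agree", "strongly-agree"}}
	HashAlgorithm = Vocabulary{Name: "hash-algorithm-ov", Values: []string{"MD5", "SHA-1", "SHA-256", "SHA-512", "SHA3-256", "SHA3-512", "SSDEEP", "TLSH"}}
)

func main() {
	fmt.Println(OpinionEnum.Explain("agree"))         // listed
	fmt.Println(OpinionEnum.Explain("Agree"))         // closed: wrong case is invalid, hint given
	fmt.Println(OpinionEnum.Explain("undecided"))     // closed: invalid, no hint
	fmt.Println(HashAlgorithm.Explain("sha256"))      // open: valid, but a listed spelling exists
	fmt.Println(HashAlgorithm.Explain("BLAKE2b-256")) // open: valid producer-defined term
}
```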
Account Type Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: account-type-ov
The account type vocabulary is currently used in the following SCOs:
- User Account
An open vocabulary of User Account types.
Attack Motivation Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: attack-motivation-ov
The attack motivation vocabulary is currently used in the following SDOs:
- Intrusion Set
- Threat Actor
Knowing a Threat Actor or Intrusion Set's motivation may allow an analyst or defender to better understand likely targets and behaviors.
Motivation shapes the intensity and the persistence of an attack. Threat Actors and Intrusion Sets usually act in a manner that reflects their underlying emotion or situation, and this informs defenders of the manner of attack. For example, a spy motivated by nationalism (ideology) likely has the patience to achieve long-term goals and work quietly for years, whereas a cyber-vandal out for notoriety can create an intense and attention-grabbing attack but may quickly lose interest and move on. Understanding these differences allows defenders to implement controls tailored to each type of attack for greatest efficiency.
This section including vocabulary items and their descriptions is based on the Threat Agent Motivations publication from Intel Corp in February 2015 [Casey 2015].
Attack Resource Level Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: attack-resource-level-ov
The attack resource level vocabulary is currently used in the following SDO(s):
- Intrusion Set
- Threat Actor
Attack Resource Level is an open vocabulary that captures the general level of resources that a threat actor, intrusion set, or campaign might have access to. It ranges from individual, a person acting alone, to government, the resources of a national government.
This section including vocabulary items and their descriptions is based on the Threat Agent Library publication from Intel Corp in September 2007 [Casey 2007].
Course of Action Type Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: course-of-action-type-ov
The course of action type vocabulary is currently used in the following SDO(s):
- Course of Action
The Course of Action Type property uses an open vocabulary to describe the underlying language or structure of the Course of Action that is being represented.
Encryption Algorithm Enumeration ¶
The following information comes directly from the STIX 2 specification documents.
Enumeration Name: encryption-algorithm-enum
The encryption algorithm enumeration is currently used in the following SCOs:
- Artifact
An enumeration of encryption algorithms for sharing defanged and/or confidential artifacts.
Grouping Context Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: grouping-context-ov
The Grouping Context open vocabulary is currently used in the following object:
- Grouping
While the majority of this vocabulary is undefined (producers may use custom vocabulary entries), it has been added specifically to capture the suspicious-activity-event value. That value indicates that the information contained in the Grouping relates to a suspicious event.
Hashing Algorithm Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: hash-algorithm-ov
The Hashing Algorithm open vocabulary is currently used in the following objects:
- External Reference
- Artifact
- File
- Alternate Data Stream
- Windows™ PE Binary File
- Windows™ PE Optional Header
- Windows™ PE Section
- X.509 Certificate
A vocabulary of hashing algorithms.
Identity Class Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: identity-class-ov
The identity class vocabulary is currently used in the following SDO(s):
- Identity
This vocabulary describes the type of entity that the Identity represents: whether it describes an organization, group, individual, or class.
Implementation Language Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: implementation-language-ov
The implementation language vocabulary is currently used in the following SDO(s):
- Malware
This is a non-exhaustive, open vocabulary that covers common programming languages and is intended to characterize the languages that may have been used to implement a malware instance or family.
Indicator Type Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: indicator-type-ov
The indicator type vocabulary is currently used in the following SDO(s):
- Indicator
Indicator type is an open vocabulary used to categorize Indicators. It is intended to be high-level to promote consistent practices. Indicator types should not be used to capture information that can be better captured via related Malware or Attack Pattern objects. It is better to link an Indicator to a Malware object describing Poison Ivy rather than simply providing a type or label of "poison-ivy".
Industry Sector Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: industry-sector-ov
The industry sector vocabulary is currently used in the following SDO(s):
- Identity
Industry sector is an open vocabulary that describes industrial and commercial sectors. It is intended to be holistic; it has been derived from several other lists and is not limited to "critical infrastructure" sectors.
Infrastructure Type Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: infrastructure-type-ov
The infrastructure type vocabulary is currently used in the following SDO(s):
- Infrastructure
A non-exhaustive enumeration of infrastructure types.
Malware AV Result Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: malware-av-result-ov
The malware AV result vocabulary is currently used in the following SDO(s):
- Malware Analysis
This is a non-exhaustive, open vocabulary that captures common types of generic malware anti-virus (AV) tool results.
Malware Capabilities Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: malware-capabilities-ov
The malware capabilities vocabulary is currently used in the following SDO(s):
- Malware
This is an open vocabulary that covers common capabilities that may be exhibited by a malware instance or family.
Malware Type Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: malware-type-ov
The malware type vocabulary is currently used in the following SDO(s):
- Malware
Malware type is an open vocabulary that represents different types and functions of malware. Malware types are not mutually exclusive; for example, a malware instance can be both spyware and a screen capture tool.
Network Socket Address Family Enumeration ¶
The following information comes directly from the STIX 2 specification documents.
Enumeration Name: network-socket-address-family-enum
The network socket address family vocabulary is currently used in the following SCO(s):
- Network Traffic (Network Socket extension)
An enumeration of network socket address family types.
Network Socket Type Enumeration ¶
The following information comes directly from the STIX 2 specification documents.
Enumeration Name: network-socket-type-enum
The network socket type vocabulary is currently used in the following SCO(s):
- Network Traffic (Network Socket extension)
An enumeration of network socket types.
Opinion Enumeration ¶
The following information comes directly from the STIX 2 specification documents.
Enumeration Name: opinion-enum
The opinion enumeration is currently used in the following SDOs:
- Opinion
This enumeration captures a degree of agreement with the information in a STIX Object. It is an ordered enumeration, with the earlier terms representing disagreement, the middle term neutral, and the later terms representing agreement.
Pattern Type Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: pattern-type-ov
The pattern type vocabulary is currently used in the following SDO(s):
- Indicator
This is a non-exhaustive, open vocabulary that covers common pattern languages and is intended to characterize the pattern language that the indicator pattern is expressed in.
Processor Architecture Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: processor-architecture-ov
The processor architecture vocabulary is currently used in the following SDO(s):
- Malware
This is a non-exhaustive, open vocabulary that covers common processor architectures and is intended to characterize the architectures that a malware instance or family may be able to execute on.
Region Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: region-ov
The region vocabulary is currently used in the following SDO(s):
- Location
A list of world regions based on the United Nations geoscheme [UNSD M49].
Report Label Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: report-type-ov
The report type vocabulary is currently used in the following SDO(s):
- Report
Report type is an open vocabulary to describe the primary purpose or subject of a report. For example, a report that contains malware and indicators for that malware should have a report type of malware to capture that the malware is the primary purpose. Report types are not mutually exclusive: a Report can be both a malware report and a tool report. Just because a report contains objects of a type does not mean that the report should include that type. If the objects are there to simply provide evidence or context for other objects, it is not necessary to include them in the type.
Threat Actor Label Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: threat-actor-type-ov
The threat actor type vocabulary is currently used in the following SDO(s):
- Threat Actor
Threat actor type is an open vocabulary used to describe what type of threat actor the individual or group is. For example, some threat actors are competitors who try to steal information, while others are activists who act in support of a social or political cause. Actor types are not mutually exclusive: a threat actor can be both a disgruntled insider and a spy. [Casey 2007]
Threat Actor Role Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: threat-actor-role-ov
The threat actor role vocabulary is currently used in the following SDO(s):
- Threat Actor
Threat actor role is an open vocabulary that is used to describe the different roles that a threat actor can play. For example, some threat actors author malware or operate botnets while other actors actually carry out attacks directly.
Threat actor roles are not mutually exclusive. For example, an actor can be both a financial backer for attacks and also direct attacks.
Threat Actor Sophistication Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: threat-actor-sophistication-ov
The threat actor sophistication vocabulary is currently used in the following SDO(s):
- Threat Actor
Threat actor sophistication vocabulary captures the skill level of a threat actor. It ranges from "none", which describes a complete novice, to "strategic", which describes an attacker who is able to influence supply chains to introduce vulnerabilities. This vocabulary is separate from resource level because an innovative, highly-skilled threat actor may have access to very few resources while a minimal-level actor might have the resources of an organized crime ring.
Tool Label Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: tool-type-ov
The tool type vocabulary is currently used in the following SDO(s):
- Tool
Tool types describe the categories of tools that can be used to perform attacks.
Windows™ Integrity Level Enumeration ¶
The following information comes directly from the STIX 2 specification documents.
Enumeration Name: windows-integrity-level-enum
The Windows integrity level enumeration is currently used in the following STIX Cyber-observable Object(s):
- Process (Windows Process extension)
Windows integrity levels are a security feature and represent the trustworthiness of an object.
Windows™ PE Binary Vocabulary ¶
The following information comes directly from the STIX 2 specification documents.
Vocabulary Name: windows-pebinary-type-ov
The Windows PE binary vocabulary is currently used in the following SCO(s):
- File (Windows PE Binary extension)
An open vocabulary of Windows PE binary types.
Windows™ Registry Datatype Enumeration ¶
The following information comes directly from the STIX 2 specification documents.
Enumeration Name: windows-registry-datatype-enum
The Windows registry datatype vocabulary is currently used in the following SCO(s):
- Windows Registry Key
An enumeration of Windows registry data types.
Windows™ Service Start Type Enumeration ¶
The following information comes directly from the STIX 2 specification documents.
Enumeration Name: windows-service-start-type-enum
The Windows service start type vocabulary is currently used in the following SCO(s):
- Process (Windows Service extension)
An enumeration of Windows service start types.
Windows™ Service Type Enumeration ¶
The following information comes directly from the STIX 2 specification documents.
Enumeration Name: windows-service-type-enum
The Windows service type vocabulary is currently used in the following SCO(s):
- Process (Windows Service extension)
An enumeration of Windows service types.
Windows™ Service Status Enumeration ¶
The following information comes directly from the STIX 2 specification documents.
Enumeration Name: windows-service-status-enum
The Windows service status vocabulary is currently used in the following SCO(s):
- Process (Windows Service extension)
An enumeration of Windows service statuses.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var Account = []string{
"facebook",
"ldap",
"nis",
"openid",
"radius",
"skype",
"tacacs",
"twitter",
"unix",
"windows-local",
"windows-domain",
}
Account - This defines the STIX account vocabulary.
var AttackMotivation = []string{
"accidental",
"coercion",
"dominance",
"ideology",
"notoriety",
"organizational-gain",
"personal-gain",
"personal-satisfaction",
"revenge",
"unpredictable",
}
AttackMotivation - This defines the STIX attack motivation vocabulary.
var AttackResourceLevel = []string{
"individual",
"club",
"contest",
"team",
"organization",
"government",
}
AttackResourceLevel - This defines the STIX attack resource level vocabulary.
var CourseOfAction = []string{
"textual:text/plain",
"textual:text/html",
"textual:text/md",
"textual:pdf",
}
CourseOfAction - This defines the STIX course of action vocabulary.
var Encryption = []string{
"AES-256-GCM",
"ChaCha20-Poly1305",
"mime-type-indicated",
}
Encryption - This defines the STIX encryption enumeration.
var Grouping = []string{
"suspicious-activity",
"malware-analysis",
"unspecified",
}
Grouping - This defines the STIX grouping vocabulary.
var HashingAlgorithm = []string{
"MD5",
"SHA-1",
"SHA-256",
"SHA-512",
"SHA3-256",
"SHA3-512",
"SSDEEP",
"TLSH",
}
HashingAlgorithm - This defines the STIX hashing algorithm vocabulary.
var IdentityClass = []string{
"individual",
"group",
"system",
"organization",
"class",
"unspecified",
}
IdentityClass - This defines the STIX identity class vocabulary.
var ImplementationLanguage = []string{
"applescript",
"bash",
"c",
"c++",
"c#",
"go",
"java",
"javascript",
"lua",
"objective-c",
"perl",
"php",
"powershell",
"python",
"ruby",
"scala",
"swift",
"typescript",
"visual-basic",
"x86-32",
"x86-64",
}
ImplementationLanguage - This defines the STIX implementation language vocabulary.
var IndicatorLabel = []string{
"anomalous-activity",
"anonymization",
"benign",
"compromised",
"malicious-activity",
"attribution",
}
IndicatorLabel - This defines the STIX indicator label vocabulary.
var IndicatorType = []string{
"anomalous-activity",
"anonymization",
"benign",
"compromised",
"malicious-activity",
"attribution",
"unknown",
}
IndicatorType - This defines the STIX indicator type vocabulary.
var IndustrySector = []string{
"agriculture",
"aerospace",
"automotive",
"communications",
"construction",
"defense",
"education",
"energy",
"entertainment",
"financial-services",
"government-national",
"government-regional",
"government-local",
"government-public-services",
"healthcare",
"hospitality-leisure",
"infrastructure",
"insurance",
"manufacturing",
"mining",
"non-profit",
"pharmaceuticals",
"retail",
"technology",
"telecommunications",
"transportation",
"utilities",
}
IndustrySector - This defines the STIX industry sector vocabulary.
var InfrastructureType = []string{
"amplification",
"anonymization",
"botnet",
"command-and-control",
"exfiltration",
"hosting-malware",
"hosting-target-lists",
"phishing",
"reconnaissance",
"staging",
"undefined",
}
InfrastructureType - This defines the STIX infrastructure type vocabulary.
var MalwareAVResults = []string{
"malicious",
"suspicious",
"benign",
"unknown",
}
MalwareAVResults - This defines the STIX malware AV result vocabulary.
var MalwareCapabilities = []string{
"accesses-remote-machines",
"anti-debugging",
"anti-disassembly",
"anti-emulation",
"anti-memory-forensics",
"anti-sandbox",
"anti-vm",
"captures-input-peripherals",
"captures-output-peripherals",
"captures-system-state-data",
"cleans-traces-of-infection",
"commits-fraud",
"communicates-with-c2",
"compromises-data-availability",
"compromises-data-integrity",
"compromises-system-availability",
"controls-local-machine",
"degrades-security-software",
"degrades-system-updates",
"determines-c2-server",
"emails-spam",
"escalates-privileges",
"evades-av",
"exfiltrates-data",
"fingerprints-host",
"hides-artifacts",
"hides-executing-code",
"infects-files",
"infects-remote-machines",
"installs-other-components",
"persists-after-system-reboot",
"prevents-artifact-access",
"prevents-artifact-deletion",
"probes-network-environment",
"self-modifies",
"steals-authentication-credentials",
"violates-system-operational-integrity",
}
MalwareCapabilities - This defines the STIX malware capabilities vocabulary.
var MalwareType = []string{
"adware",
"backdoor",
"bot",
"bootkit",
"ddos",
"downloader",
"dropper",
"exploit-kit",
"keylogger",
"ransomware",
"remote-access-trojan",
"resource-exploitation",
"rogue-security-software",
"rootkit",
"screen-capture",
"spyware",
"trojan",
"unknown",
"virus",
"webshell",
"wiper",
"worm",
}
MalwareType - This defines the STIX malware type vocabulary.
var NetworkSocketAddressFamily = []string{
"AF_UNSPEC",
"AF_INET",
"AF_IPX",
"AF_APPLETALK",
"AF_NETBIOS",
"AF_INET6",
"AF_IRDA",
"AF_BTH",
}
NetworkSocketAddressFamily - This defines the STIX network socket address family enumeration.
var NetworkSocketType = []string{
"SOCK_STREAM",
"SOCK_DGRAM",
"SOCK_RAW",
"SOCK_RDM",
"SOCK_SEQPACKET",
}
NetworkSocketType - This defines the STIX network socket type enumeration.
var Opinion = []string{
"strongly-disagree",
"disagree",
"neutral",
"agree",
"strongly-agree",
}
Opinion - This defines the STIX opinion enumeration.
var PatternType = []string{
"stix",
"pcre",
"sigma",
"snort",
"suricata",
"yara",
}
PatternType - This defines the STIX pattern type vocabulary.
var ProcessorArchitecture = []string{
"alpha",
"arm",
"ia-64",
"mips",
"powerpc",
"sparc",
"x86",
"x86-64",
}
ProcessorArchitecture - This defines the STIX processor architecture vocabulary.
var Region = []string{
"africa",
"eastern-africa",
"middle-africa",
"northern-africa",
"southern-africa",
"western-africa",
"americas",
"latin-america-caribbean",
"south-america",
"caribbean",
"central-america",
"northern-america",
"asia",
"central-asia",
"eastern-asia",
"southern-asia",
"south-eastern-asia",
"western-asia",
"europe",
"eastern-europe",
"northern-europe",
"southern-europe",
"western-europe",
"oceania",
"antarctica",
"australia-new-zealand",
"melanesia",
"micronesia",
"polynesia",
}
Region - This defines the STIX region vocabulary.
var ReportType = []string{
"attack-pattern",
"campaign",
"identity",
"indicator",
"intrusion-set",
"malware",
"observed-data",
"threat-actor",
"threat-report",
"tool",
"vulnerability",
}
ReportType - This defines the STIX report type vocabulary.
var ThreatActorRole = []string{
"agent",
"director",
"independent",
"infrastructure-architect",
"infrastructure-operator",
"malware-author",
"sponsor",
}
ThreatActorRole - This defines the STIX threat actor role vocabulary.
var ThreatActorSophistication = []string{
"none",
"minimal",
"intermediate",
"advanced",
"expert",
"innovator",
"strategic",
}
ThreatActorSophistication - This defines the STIX threat actor sophistication vocabulary.
var ThreatActorType = []string{
"activist",
"competitor",
"crime-syndicate",
"criminal",
"hacker",
"insider-accidental",
"insider-disgruntled",
"nation-state",
"sensationalist",
"spy",
"terrorist",
"unknown",
}
ThreatActorType - This defines the STIX threat actor type vocabulary.
var ToolType = []string{
"denial-of-service",
"exploitation",
"information-gathering",
"network-capture",
"credential-exploitation",
"remote-access",
"vulnerability-scanning",
"unknown",
}
ToolType - This defines the STIX tool type vocabulary.
var WindowsIntegrityLevel = []string{
"low",
"medium",
"high",
"system",
}
WindowsIntegrityLevel - This defines the STIX Windows integrity level enumeration.
var WindowsPEBinary = []string{
"dll",
"exe",
"sys",
}
WindowsPEBinary - This defines the STIX Windows PE binary vocabulary.
var WindowsRegistryDatatype = []string{
"REG_NONE",
"REG_SZ",
"REG_EXPAND_SZ",
"REG_BINARY",
"REG_DWORD",
"REG_DWORD_BIG_ENDIAN",
"REG_DWORD_LITTLE_ENDIAN",
"REG_LINK",
"REG_MULTI_SZ",
"REG_RESOURCE_LIST",
"REG_FULL_RESOURCE_DESCRIPTION",
"REG_RESOURCE_REQUIREMENTS_LIST",
"REG_QWORD",
"REG_INVALID_TYPE",
}
WindowsRegistryDatatype - This defines the STIX Windows registry datatype enumeration.
var WindowsServiceStartType = []string{
"SERVICE_AUTO_START",
"SERVICE_BOOT_START",
"SERVICE_DEMAND_START",
"SERVICE_DISABLED",
"SERVICE_SYSTEM_ALERT",
}
WindowsServiceStartType - This defines the STIX Windows service start type enumeration.
var WindowsServiceStatus = []string{
"SERVICE_CONTINUE_PENDING",
"SERVICE_PAUSE_PENDING",
"SERVICE_PAUSED",
"SERVICE_RUNNING",
"SERVICE_START_PENDING",
"SERVICE_STOP_PENDING",
"SERVICE_STOPPED",
}
WindowsServiceStatus - This defines the STIX Windows service status enumeration.
var WindowsServiceType = []string{
"SERVICE_KERNEL_DRIVER",
"SERVICE_FILE_SYSTEM_DRIVER",
"SERVICE_WIN32_OWN_PROCESS",
"SERVICE_WIN32_SHARE_PROCESS",
}
WindowsServiceType - This defines the STIX Windows service type enumeration.
Functions ¶
This section is empty.
Types ¶
This section is empty.