Warning
This documentation is still a work in progress. If you have any issues or questions, please ask on the maec-discussion mailing list or file a bug in our issue tracker.
This page includes some basic examples of creating and parsing MAEC content.
There are a couple things we do in these examples for purposes of demonstration that shouldn’t be done in production code:
The most commonly used MAEC output format is the MAEC Package, which can contain one or more Malware Subjects. Malware Subjects (discussed in more detail below) encompass all of the data for a single malware instance, including that from different types of analysis.
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.utils import IDGenerator, set_id_method
set_id_method(IDGenerator.METHOD_INT)
p = Package()
ms = MalwareSubject()
p.add_malware_subject(ms)
print p.to_xml(include_namespaces=False)
Which outputs:
<maecPackage:MAEC_Package id="example:package-1" schema_version="2.1">
<maecPackage:Malware_Subjects>
<maecPackage:Malware_Subject id="example:malware_subject-2">
</maecPackage:Malware_Subject>
</maecPackage:Malware_Subjects>
</maecPackage:MAEC_Package>
The easiest way to create a Malware Subject is to construct one and then set various properties on it. The Malware_Instance_Object_Attributes field on a Malware Subject MUST be set in order to identify the particular malware instance that it is characterizing.
from maec.package.malware_subject import MalwareSubject
from maec.utils import IDGenerator, set_id_method
from cybox.core import Object
from cybox.objects.file_object import File
set_id_method(IDGenerator.METHOD_INT)
ms = MalwareSubject()
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = File()
ms.malware_instance_object_attributes.properties.file_name = "malware.exe"
ms.malware_instance_object_attributes.properties.file_path = "C:\Windows\Temp\malware.exe"
print ms.to_xml(include_namespaces=False)
Which outputs:
<maecPackage:MalwareSubjectType id="example:malware_subject-1">
<maecPackage:Malware_Instance_Object_Attributes id="example:Object-1">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>malware.exe</FileObj:File_Name>
<FileObj:File_Path>C:\Windows\Temp\malware.exe</FileObj:File_Path>
</cybox:Properties>
</maecPackage:Malware_Instance_Object_Attributes>
</maecPackage:MalwareSubjectType>
In MAEC, the Bundle represents a container for capturing the results from a particular malware analysis that was performed on a malware instance. While a Bundle is most commonly included as part of a Malware Subject, it can also be used a standalone output format when only malware analysis results for a malware instance wish to be shared. We’ll cover both cases here.
Standalone Bundles function very similarly to Malware Subjects. Therefore, the easiest way to create a standalone Bundle is to construct one and then set various properties on it. The Malware_Instance_Object_Attributes field on a standalone Bundle MUST be set in order to identify the particular malware instance that it is characterizing.
from maec.bundle.bundle import Bundle
from maec.utils import IDGenerator, set_id_method
from cybox.core import Object
from cybox.objects.file_object import File
set_id_method(IDGenerator.METHOD_INT)
b = Bundle()
b.malware_instance_object_attributes = Object()
b.malware_instance_object_attributes.properties = File()
b.malware_instance_object_attributes.properties.file_name = "malware.exe"
b.malware_instance_object_attributes.properties.file_path = "C:\Windows\Temp\malware.exe"
print b.to_xml(include_namespaces=False)
Which outputs:
<maecBundle:MAEC_Bundle defined_subject="false" id="example:bundle-1" schema_version="4.1">
<maecBundle:Malware_Instance_Object_Attributes id="example:Object-1">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>malware.exe</FileObj:File_Name>
<FileObj:File_Path>C:\Windows\Temp\malware.exe</FileObj:File_Path>
</cybox:Properties>
</maecBundle:Malware_Instance_Object_Attributes>
</maecBundle:MAEC_Bundle>
Bundles in a Malware Subject are defined nearly identically to those of the standalone variety, with the sole exception that they do not require their Malware_Instance_Object_Attributes field to be set, since this would already be defined in their parent Malware Subject.
set_id_method(IDGenerator.METHOD_INT)
ms = MalwareSubject()
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = File()
ms.malware_instance_object_attributes.properties.file_name = "malware.exe"
ms.malware_instance_object_attributes.properties.file_path = "C:\Windows\Temp\malware.exe"
b = Bundle()
ms.add_findings_bundle(b)
print ms.to_xml(include_namespaces=False)
Which outputs:
<maecPackage:MalwareSubjectType id="example:malware_subject-1">
<maecPackage:Malware_Instance_Object_Attributes id="example:Object-1">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>malware.exe</FileObj:File_Name>
<FileObj:File_Path>C:\Windows\Temp\malware.exe</FileObj:File_Path>
</cybox:Properties>
</maecPackage:Malware_Instance_Object_Attributes>
</maecPackage:MalwareSubjectType>
MAEC uses its MalwareAction to capture the low-level dynamic entities, such as API calls or their abstractions, performed by malware. A MalwareAction is stored in a Bundle (either standalone or embedded in a Malware Subject, as discussed above). As with the other MAEC entities, the easiest way to use the MalwareAction is to instantiate it and then set various properties on it as needed.
set_id_method(IDGenerator.METHOD_INT)
b = Bundle()
a = MalwareAction()
ao = AssociatedObject()
ao.properties = File()
ao.properties.file_name = "badware.exe"
ao.properties.size_in_bytes = "123456"
ao.association_type = AssociationType()
ao.association_type.value = 'output'
ao.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
a.name = 'create file'
a.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
a.associated_objects = AssociatedObjects()
a.associated_objects.append(ao)
b.add_action(a)
print b.to_xml(include_namespaces = False)
<maecBundle:MAEC_Bundle defined_subject="false" id="example:bundle-1" schema_version="4.1">
<maecBundle:Actions>
<maecBundle:Action id="example:action-2">
<cybox:Name xsi:type="maecVocabs:FileActionNameVocab-1.0">create file</cybox:Name>
<cybox:Associated_Objects>
<cybox:Associated_Object id="example:Object-1">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>badware.exe</FileObj:File_Name>
<FileObj:Size_In_Bytes>123456</FileObj:Size_In_Bytes>
</cybox:Properties>
<cybox:Association_Type xsi:type="maecVocabs:ActionObjectAssociationTypeVocab-1.0">output</cybox:Association_Type>
</cybox:Associated_Object>
</cybox:Associated_Objects>
</maecBundle:Action>
</maecBundle:Actions>
</maecBundle:MAEC_Bundle>