github.com/panther-labs/stix2
module package, version 0.1.1
Repository: https://github.com/panther-labs/stix2.git
Documentation: pkg.go.dev

# README

stix2

A pure Go library for working with Structured Threat Information Expression (STIX™) version 2.x data.

Note: This package was ported from https://github.com/TcM1911/stix2 with some modifications.

Parsing STIX JSON data

The library provides helper functions to parse STIX JSON. They accept both a bundle object and a bare JSON array of STIX objects, and return a Collection object that holds all the extracted STIX objects.

// Parse from an in-memory []byte...
collection, err := stix2.FromJSON(jsonData)
// ...or stream from any io.Reader.
collection, err := stix2.FromReader(yourReader)

Creating a STIX Bundle

Creating a STIX Bundle is as easy as creating a set of STIX objects and adding them to the Collection. The Bundle is created by calling the ToBundle method on the Collection object, and can be serialized to JSON using the JSON encoder in the standard library.

// Error handling is omitted for brevity; check each err in real code.
c := stix2.New()
ip, err := stix2.NewIPv4Address("10.0.0.1")
c.Add(ip)
ip, err = stix2.NewIPv4Address("10.0.0.2")
c.Add(ip)
// ToBundle wraps the collected objects in a STIX Bundle...
b, err := c.ToBundle()
// ...which is a plain struct the standard encoder can serialize.
data, err := json.Marshal(b)

Example of malware using an infrastructure

Taken from: https://docs.oasis-open.org/cti/stix/v2.1/csprd02/stix-v2.1-csprd02.html#_Toc26789941

// Error handling is omitted for brevity; check each err in real code.
collection := stix2.New()
domain, err := stix2.NewDomainName("example.com")
collection.Add(domain)

// The first argument is is_family: false describes a single malware instance.
mal, err := stix2.NewMalware(
	false,
	stix2.OptionName("IMDDOS"),
	stix2.OptionTypes([]string{stix2.MalwareTypeBot}),
)
collection.Add(mal)

infra, err := stix2.NewInfrastructure(
	"Example Target List Host",
	[]string{stix2.InfrastructureTypeHostingTargetLists},
)
collection.Add(infra)

// AddUses and AddConsistsOf return Relationship objects (SROs) that must be
// added to the collection themselves so they end up in the bundle.
ref, err := mal.AddUses(infra.ID)
collection.Add(ref)

ref, err = infra.AddConsistsOf(domain.ID)
collection.Add(ref)

b, err := collection.ToBundle()
data, err := json.MarshalIndent(b, "", "\t")

Extensions and Customization

With the release of version 2.1 of the specification, custom properties have been deprecated. Instead, the property-extension functionality should be used. This library still parses objects with the old custom properties for backwards compatibility; the fields can be accessed via the GetExtendedTopLevelProperties method.

See the examples in the documentation on how to work with extensions.
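A stand-alone illustration of the two points above, added here as an example (it is not the library's code and uses only the standard library): a parser that, like FromJSON, accepts either a bundle object or a bare JSON array, rejects objects whose identifier is malformed or whose id prefix does not match their type, and surfaces the deprecated top-level x_ custom properties that 2.1 replaced with property extensions. The sample bundle and all identifiers in it are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// sampleBundle is a constructed STIX 2.1 bundle (not from the original page): a
// domain-name SCO, a malware SDO still carrying a deprecated x_ custom property,
// and the "uses" relationship between them.
const sampleBundle = `{
  "type": "bundle", "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
  "objects": [
    {"type": "domain-name", "id": "domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5",
     "spec_version": "2.1", "value": "example.com"},
    {"type": "malware", "id": "malware--b0ef1c9e-7fd0-4d8c-b2e4-1c0f4d6c9a11",
     "spec_version": "2.1", "name": "IMDDOS", "malware_types": ["bot"],
     "is_family": false, "x_example_score": 85},
    {"type": "relationship", "id": "relationship--0e8a1f70-72c1-4b0e-8a1c-6a2f3d9f2c44",
     "spec_version": "2.1", "relationship_type": "uses",
     "source_ref": "malware--b0ef1c9e-7fd0-4d8c-b2e4-1c0f4d6c9a11",
     "target_ref": "domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5"}
  ]
}`

// identifierRE is the STIX 2.1 identifier shape: an object type of 3-250 lowercase
// ASCII letters, digits or hyphens, then "--", then an RFC 4122 UUID.
var identifierRE = regexp.MustCompile(
	`^[a-z0-9-]{3,250}--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// IsValidIdentifier reports whether id is syntactically a STIX identifier.
func IsValidIdentifier(id string) bool { return identifierRE.MatchString(id) }

// STIXObject keeps a decoded object as a generic property map so that standard
// properties and legacy custom properties both survive parsing.
type STIXObject map[string]any

// Type and ID return the corresponding property, or "" when absent or not a string.
func (o STIXObject) Type() string { t, _ := o["type"].(string); return t }
func (o STIXObject) ID() string   { id, _ := o["id"].(string); return id }

// CustomProperties returns the deprecated top-level "x_" custom properties that
// STIX 2.0 producers used before 2.1 replaced them with property extensions.
func (o STIXObject) CustomProperties() map[string]any {
	out := map[string]any{}
	for k, v := range o {
		if strings.HasPrefix(k, "x_") {
			out[k] = v
		}
	}
	return out
}

// ParseSTIX accepts either a bundle object or a bare JSON array of objects. Each
// object must carry a well-formed id whose type prefix matches its "type"
// property; otherwise the whole input is rejected rather than partially ingested.
func ParseSTIX(data []byte) ([]STIXObject, error) {
	var objs []STIXObject
	trimmed := bytes.TrimSpace(data)
	if len(trimmed) > 0 && trimmed[0] == '[' {
		if err := json.Unmarshal(trimmed, &objs); err != nil {
			return nil, err
		}
	} else {
		var bundle struct {
			Type    string       `json:"type"`
			Objects []STIXObject `json:"objects"`
		}
		if err := json.Unmarshal(trimmed, &bundle); err != nil {
			return nil, err
		}
		if bundle.Type != "bundle" {
			return nil, fmt.Errorf("expected a bundle or an array, got type %q", bundle.Type)
		}
		objs = bundle.Objects
	}
	for _, o := range objs {
		if !IsValidIdentifier(o.ID()) {
			return nil, fmt.Errorf("object of type %q has malformed id %q", o.Type(), o.ID())
		}
		if strings.SplitN(o.ID(), "--", 2)[0] != o.Type() {
			return nil, fmt.Errorf("id %q does not match type %q", o.ID(), o.Type())
		}
	}
	return objs, nil
}

func main() {
	objs, err := ParseSTIX([]byte(sampleBundle))
	if err != nil {
		panic(err)
	}
	for _, o := range objs {
		fmt.Printf("%-13s %s custom=%v\n", o.Type(), o.ID(), o.CustomProperties())
	}
}
```

Rejecting the whole input on one bad identifier is deliberate: a feed that silently drops or partially ingests objects leaves relationships dangling, which is harder to notice than a parse error.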

# Functions

FromJSON parses JSON data and returns a Collection with the extracted objects.
FromReader creates a collection from a reader.
HasValidIdentifier checks that the STIXObject has a valid identifier.
IsValidIdentifier checks if the Identifier is of valid format.
New creates a new Collection.
NewArtifact creates a new Artifact object.
NewAttackPattern creates a new AttackPattern object.
NewAutonomousSystem creates a new AutonomousSystem object.
NewBundle creates a new STIX Bundle.
NewCampaign creates a new Campaign object.
NewCourseOfAction creates a new CourseOfAction object.
NewDirectory creates a new Directory object.
NewDomainName creates a new DomainName object.
NewEmailAddress creates a new EmailAddress object.
NewEmailMessage creates a new EmailMessage object.
NewExtensionDefinition creates a new ExtensionDefinition object.
NewExternalReference creates a new external reference.
NewFile creates a new File object.
NewGrouping creates a new Grouping object.
NewIdentifier creates a new Identifier.
NewIdentity creates a new Identity object.
NewIndicator creates a new Indicator object.
NewInfrastructure creates a new Infrastructure object.
NewIntrusionSet creates a new IntrusionSet object.
NewIPv4Address creates a new IPv4Address object.
NewIPv6Address creates a new IPv6Address object.
NewKillChainPhase creates a new KillChainPhase, both arguments are required.
NewLanguageContent creates a new LanguageContent object.
NewLocation creates a new Location object.
NewMACAddress creates a new MACAddress object.
NewMalware creates a new Malware object.
NewMalwareAnalysis creates a new MalwareAnalysis object.
NewMarkingDefinition creates a new MarkingDefinition object.
NewMutex creates a new Mutex object.
NewNetworkTraffic creates a new NetworkTraffic object.
NewNote creates a new Note object.
NewObservableIdentifier creates a new STIX Cyber-observable Object identifier.
NewObservedData creates a new ObservedData object.
NewOpinion creates a new Opinion object.
NewProcess creates a new Process object.
NewRegistryKey creates a new RegistryKey object.
NewRelationship creates a new Relationship object.
NewReport creates a new Report object.
NewSighting creates a new Sighting of the seen Identifier (s).
NewSoftware creates a new Software object.
NewThreatActor creates a new ThreatActor object.
NewTool creates a new Tool object.
NewURL creates a new URL object.
NewUserAccount creates a new UserAccount object.
NewVulnerability creates a new Vulnerability object.
NewX509Certificate creates a new X509Certificate object.
NoSortOption instructs the collection to not track the order items have been added.
OptionAbstract sets the abstract attribute.
OptionAccountCreated sets the account created attribute.
OptionAccountExpires sets the account expires attribute.
OptionAccountFirstLogin sets the account first login attribute.
OptionAccountLastLogin sets the account last login attribute.
OptionAccountLogin sets the account login attribute.
OptionAccountType sets the account type attribute.
OptionAdditionalHeaderFields sets the additional header fields attribute.
OptionAdministrativeArea sets the administrative area attribute.
OptionAliases sets the aliases attribute.
OptionAnalysisDefinitionVersion sets the analysis definition version attribute.
OptionAnalysisEnded sets the analysis ended attribute.
OptionAnalysisEngineVersion sets the analysis engine version attribute.
OptionAnalysisStarted sets the analysis started attribute.
OptionArchitecture sets the architecture attribute.
OptionAtime sets the atime attribute.
OptionAuthors sets the authors attribute.
OptionBCC sets the BCC attribute.
OptionBelongsTo sets the belongs to attribute.
OptionBody sets the body attribute.
OptionBodyMultipart sets the body multipart attribute.
OptionCanEscalatePrivs sets the can escalate privs attribute.
OptionCapabilities sets the capabilities attribute.
OptionCC sets the CC attribute.
OptionChild sets the child attribute.
OptionCity sets the city attribute.
OptionClass sets the identity class attribute.
OptionCommandLine sets the command line attribute.
OptionConfidence sets the confidence attribute.
OptionConfigurationVersion sets the configuration version attribute. This option is valid for the MalwareAnalysis type.
OptionContactInformation sets the contact information attribute.
OptionContains sets the contains attribute.
OptionContent sets the content attribute.
OptionContentType sets the content type attribute.
OptionCount sets the count attribute.
OptionCPE sets the CPE attribute.
OptionCreated sets the created attribute.
OptionCreatedBy sets the created by attribute.
OptionCreatedTime sets the created time attribute.
OptionCreatorUser sets the creator user attribute.
OptionCredential sets the credential attribute.
OptionCredentialLastChanged sets the credential last changed attribute.
OptionCtime sets the ctime attribute.
OptionCwd sets the cwd attribute.
OptionDate sets the date attribute.
OptionDefanged sets the defanged attribute.
OptionDescription sets the description attribute.
OptionDisplayName sets the display name attribute.
OptionDst sets the dst attribute.
OptionDstByteCount sets the dst byte count attribute.
OptionDstPackets sets the dst packets attribute.
OptionDstPayload sets the dst payload attribute.
OptionDstPort sets the dst port attribute.
OptionEncapsulated sets the encapsulated attribute.
OptionEncapsulates sets the encapsulates attribute.
OptionEncryption sets the encryption algorithm attribute.
OptionEnd sets the end attribute.
OptionEnvVars sets the environment variables attribute.
OptionExplanation sets the explanation attribute.
OptionExtension adds an extension.
OptionExtensionProperties adds an extension.
OptionExternalReferences sets the external references attribute.
OptionFirstSeen sets the first seen attribute.
OptionFrom sets the from attribute.
OptionGoals sets the goals attribute.
OptionGranularMarking sets the granular marking attribute.
OptionHashes sets the hashes attribute.
OptionHostVM sets the host VM attribute.
OptionImage sets the image attribute.
OptionInstalledSoftware sets the installed software attribute.
OptionIPFIX sets the IPFIX attribute.
OptionIsActive sets the is active attribute.
OptionIsDisabled sets the is disabled attribute.
OptionIsHidden sets the is hidden attribute.
OptionIsPrivileged sets the is privileged attribute.
OptionIsServiceAccount sets the is service account attribute.
OptionIssuer sets the issuer attribute.
OptionKey sets the decryption key attribute.
OptionKillChainPhase sets the kill chain phase attribute.
OptionLabels sets the labels attribute.
OptionLang sets the lang attribute.
OptionLanguages sets the languages attribute.
OptionLastSeen sets the last seen attribute.
OptionMagicNumber sets the magic number attribute.
OptionMessageID sets the message ID attribute.
OptionMimeType sets the mime type attribute.
OptionModified sets the modified attribute.
OptionModifiedTime sets the modified time attribute.
OptionModules sets the modules attribute.
OptionMtime sets the mtime attribute.
OptionName sets the name attribute.
OptionNameEnc sets the name encoding attribute.
OptionNumberOfSubkeys sets the number of subkeys attribute.
OptionObjective sets the objective attribute.
OptionObjectMarking sets the object marking attribute.
OptionObjectModified sets the object modified attribute.
OptionObservedData sets the ObservedData attribute.
OptionOpenedConnections sets the opened connections attribute.
OptionOperatingSystem sets the OS attribute.
OptionOperatingSystems sets the OS attribute.
OptionParent sets the parent attribute.
OptionParentDirectory sets the parent directory attribute.
OptionPathEncoding sets the path encoding attribute.
OptionPatternVersion sets the pattern version attribute.
OptionPayload sets the payload attribute.
OptionPersonalMotivations sets the personal motivations attribute.
OptionPID sets the PID attribute.
OptionPostalCode sets the postal code attribute.
OptionPrecision sets the precision attribute.
OptionPrimaryMotivation sets the primary motivation attribute.
OptionRawEmail sets the raw email attribute.
OptionReceivedLines sets the received lines attribute.
OptionResolvesTo sets the resolves to attribute.
OptionResourceLevel sets the resource level attribute.
OptionResultName sets the analysis result name attribute.
OptionRevoked sets the revoked attribute.
OptionRIR sets the RIR attribute.
OptionRoles sets the roles attribute.
OptionSample sets the analysis sample attribute.
OptionSamples sets the samples attribute.
OptionSecondaryMotivations sets the secondary motivation attribute.
OptionSectors sets the sectors attribute.
OptionSelfSigned sets the self-signed attribute.
OptionSender sets the sender attribute.
OptionSerialNumber sets the serial number attribute.
OptionSignatureAlgorithm sets the signature algorithm attribute.
OptionSize sets the size attribute.
OptionSophistication sets the sophistication attribute.
OptionSpecVersion sets the STIX spec version.
OptionSrc sets the src attribute.
OptionSrcByteCount sets the src byte count attribute.
OptionSrcPackets sets the src packets attribute.
OptionSrcPayload sets the src payload attribute.
OptionSrcPort sets the src port attribute.
OptionStart sets the start attribute.
OptionStartTime sets the start time attribute.
OptionStopTime sets the stop time attribute.
OptionStreetAddress sets the street address attribute.
OptionSubject sets the subject attribute.
OptionSubjectPublicKeyAlgorithm sets the subject public key algorithm attribute.
OptionSubjectPublicKeyExponent sets the subject public key exponent attribute.
OptionSubjectPublicKeyModulus sets the subject public key modulus attribute.
OptionSubmitted sets the submitted attribute.
OptionSummary sets the summary attribute.
OptionSWID sets the SWID attribute.
OptionTo sets the to attribute.
OptionTypes sets the indicator types attribute.
OptionURL sets the URL attribute.
OptionUserID sets the user id attribute.
OptionV3Extensions sets the x.509v3 extensions attribute.
OptionValidityNotAfter sets the validity not after attribute.
OptionValidityNotBefore sets the validity not before attribute.
OptionValidUntil sets the valid until attribute.
OptionValues sets the values attribute.
OptionVendor sets the vendor attribute.
OptionVersion sets the version attribute.
OptionWhereSighted sets the WhereSighted attribute.
ParseExternalReference parses external reference JSON data to *ExternalReference struct.
ParseKillChainPhase parses a KillChainPhase object from the JSON data.

# Constants

AccountFacebook specifies a Facebook account.
AccountLdap specifies an LDAP account.
AccountNis specifies a NIS account.
AccountOpenid specifies an OpenID account.
AccountRadius specifies a RADIUS account.
AccountSkype specifies a Skype account.
AccountTacacs specifies a TACACS account.
AccountTwitter specifies a Twitter account.
AccountUnix specifies a POSIX account.
AccountWindowsDomain specifies a Windows domain account.
AccountWindowsLocal specifies a Windows local account.
ArchitectureAlpha specifies the Alpha architecture.
ArchitectureArm specifies the ARM architecture.
ArchitectureIA64 specifies the 64-bit IA (Itanium) architecture.
ArchitectureMIPS specifies the MIPS architecture.
ArchitecturePowerPC specifies the PowerPC architecture.
ArchitectureSPARC specifies the SPARC architecture.
ArchitectureX86 specifies the 32-bit x86 architecture.
ArchitectureX8664 specifies the 64-bit x86 architecture.
AttackMotivationAccidental indicates a non-hostile actor whose benevolent or harmless intent inadvertently causes harm.
AttackMotivationCoercion indicates being forced to act on someone else's behalf.
AttackMotivationDominance indicates a desire to assert superiority over someone or something else.
AttackMotivationIdeology indicates a passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts.
AttackMotivationNotoriety indicates seeking prestige or to become well known through some activity.
AttackMotivationOrganizationalGain indicates seeking advantage over a competing organization, including a military organization.
AttackMotivationPersonalGain indicates the desire to improve one’s own financial status.
AttackMotivationPersonalSatisfaction indicates a desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc.
AttackMotivationRevenge indicates a desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization.
AttackMotivationUnpredictable indicates acting without identifiable reason or purpose and creating unpredictable events.
AttackResourceLevelClub indicates a group whose members interact on a social and volunteer basis, often with little personal interest in the specific target.
AttackResourceLevelContest indicates a short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal.
AttackResourceLevelGovernment indicates an actor that controls public assets and functions within a jurisdiction; very well resourced and persists long term.
AttackResourceLevelIndividual indicates resources limited to the average individual; the Threat Actor acts independently.
AttackResourceLevelOrganization indicates a group larger and better resourced than a team; typically a company or crime syndicate.
AttackResourceLevelTeam indicates a formally organized group with a leader, typically motivated by a specific goal and organized around that goal.
EncryptionAlgorithmAES256GCM specifies the AES-256-GCM cipher.
EncryptionAlgorithmChaCha20Poly1305 specifies the ChaCha20-Poly1305 stream cipher.
EncryptionAlgorithmMimeTypeIndicated means the encryption algorithm is self-defined by the artifact's data.
EncryptionAlgorithmNone means no encryption is used.
ExtArchive is used as key for archive extension.
ExtensionTypeInvalid indicates that the extension type used is invalid.
ExtensionTypeNewSCO specifies that the Extension includes a new SCO.
ExtensionTypeNewSDO specifies that the Extension includes a new SDO.
ExtensionTypeNewSRO specifies that the Extension includes a new SRO.
ExtensionTypePropertyExtension specifies that the extension includes additional properties for a given STIX object.
ExtensionTypeToplevelPropertyExtension specifies that the Extension includes additional properties for a given STIX Object at the top-level.
ExtHTTPRequest is used for HTTP request extension.
ExtICMP is used for ICMP extension.
ExtNTFS is used as key for ntfs extension.
ExtPDF is used as key for pdf extension.
ExtRasterImage is used as key for raster image extension.
ExtSocket is used for socket extension.
ExtTCP is used for TCP extension.
ExtUnixAccount is used for UNIX user account extension.
ExtWindowsPEBinary is used as key for Windows PE binary extension.
ExtWindowsProcess is used for Windows process extension.
ExtWindowsService is used for Windows service extension.
GroupingContextMalwareAnalysis is a set of STIX content related to a particular malware instance or family.
GroupingContextSuspiciousActivity is a set of STIX content related to a particular suspicious activity event.
GroupingContextUnspecified is a set of STIX content contextually related but without any precise characterization of the contextual relationship between the objects.
IdentityClassClass represents a class of entities, such as all hospitals, all Europeans, or the Domain Administrators in a system.
IdentityClassGroup represents an informal collection of people, without formal governance, such as a distributed hacker group.
IdentityClassIndividual represents a single person.
IdentityClassOrganization represents a formal organization of people, with governance, such as a company or country.
IdentityClassSystem represents a computer system, such as a SIEM.
IdentityClassUnknown indicates it is unknown whether the classification is an individual, group, system, organization, or class.
IdentitySectorAerospace represents the aerospace sector.
IdentitySectorAgriculture represents the agriculture sector.
IdentitySectorAutomotive represents the automotive sector.
IdentitySectorChemical represents the chemical sector.
IdentitySectorCommercial represents the commercial sector.
IdentitySectorCommunications represents the communications sector.
IdentitySectorConstruction represents the construction sector.
IdentitySectorDefence represents the defence sector.
IdentitySectorEducation represents the education sector.
IdentitySectorEmergencyServices represents the emergency services.
IdentitySectorEnergy represents the energy sector.
IdentitySectorEntertainment represents the entertainment sector.
IdentitySectorFinancialServices represents the financial service sector.
IdentitySectorGovernment represents the government.
IdentitySectorGovernmentLocal represents the local government.
IdentitySectorGovernmentNational represents the national government.
IdentitySectorGovernmentPublicServices represents the public services.
IdentitySectorGovernmentRegional represents the regional government.
IdentitySectorHealthcare represents the healthcare sector.
IdentitySectorHospitalityLeisure represents the hospitality sector.
IdentitySectorInfrastructure represents the infrastructure sector.
IdentitySectorInfrastructureDams represents the dams infrastructure sector.
IdentitySectorInfrastructureNuclear represents the nuclear infrastructure sector.
IdentitySectorInfrastructureWater represents the water infrastructure sector.
IdentitySectorInsurance represents the insurance sector.
IdentitySectorManufacturing represents the manufacturing sector.
IdentitySectorMining represents the mining sector.
IdentitySectorNonProfit represents the non-profit sector.
IdentitySectorPharmaceuticals represents the pharmaceuticals sector.
IdentitySectorRetail represents the retail sector.
IdentitySectorTechnology represents the technology sector.
IdentitySectorTelecommunications represents the telecommunications sector.
IdentitySectorTransportation represents the transportation sector.
IdentitySectorUtilities represents the utilities sector.
ImplementationLanguageApplescript specifies the AppleScript programming language.
ImplementationLanguageBash specifies the Bash programming language.
ImplementationLanguageC specifies the C programming language.
ImplementationLanguageCpp specifies the C++ programming language.
ImplementationLanguageCsharp specifies the C# programming language.
ImplementationLanguageGo specifies the Go (sometimes referred to as golang) programming language.
ImplementationLanguageJava specifies the Java programming language.
ImplementationLanguageJavascript specifies the JavaScript programming language.
ImplementationLanguageLua specifies the Lua programming language.
ImplementationLanguageObjectiveC specifies the Objective-C programming language.
ImplementationLanguagePerl specifies the Perl programming language.
ImplementationLanguagePHP specifies the PHP programming language.
ImplementationLanguagePowershell specifies the Windows PowerShell programming language.
ImplementationLanguagePython specifies the Python programming language.
ImplementationLanguageRuby specifies the Ruby programming language.
ImplementationLanguageScala specifies the Scala programming language.
ImplementationLanguageSwift specifies the Swift programming language.
ImplementationLanguageTypeScript specifies the TypeScript programming language.
ImplementationLanguageVisualBasic specifies the Visual Basic programming language.
ImplementationLanguageX8632 specifies the x86 32-bit Assembly programming language.
ImplementationLanguageX8664 specifies the x86 64-bit Assembly programming language.
IndicatorTypeAnomalousActivity is unexpected or unusual activity that may not necessarily be malicious or indicate compromise.
IndicatorTypeAnonymization is suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.).
IndicatorTypeAttribution is patterns of behavior that indicate attribution to a particular Threat Actor or Campaign.
IndicatorTypeBenign is an activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior.
IndicatorTypeCompromised is assets that are suspected to be compromised.
IndicatorTypeMaliciousActivity is patterns of suspected malicious objects and/or activity.
IndicatorTypeUnknown indicates there is not enough information available to determine the type of indicator.
InfrastructureTypeAmplification specifies infrastructure used for conducting amplification attacks.
InfrastructureTypeAnonymization specifies infrastructure used for anonymization, such as a proxy.
InfrastructureTypeBotnet specifies the membership/makeup of a botnet, in terms of the network addresses of the hosts that comprise the botnet.
InfrastructureTypeCommandAndControl specifies infrastructure used for command and control (C2).
InfrastructureTypeExfiltration specifies infrastructure used as an endpoint for data exfiltration.
InfrastructureTypeHostingMalware specifies infrastructure used for hosting malware.
InfrastructureTypeHostingTargetLists specifies infrastructure used for hosting a list of targets for DDOS attacks, phishing, and other malicious activities.
InfrastructureTypePhishing specifies infrastructure used for conducting phishing attacks.
InfrastructureTypeReconnaissance specifies infrastructure used for conducting reconnaissance activities.
InfrastructureTypeStaging specifies infrastructure used for staging.
InfrastructureTypeUndefined specifies an infrastructure of some undefined type.
InfrastructureTypeWorkstation specifies an endpoint machine used for work by an organization that needs protection.
IntegrityLevelHigh represents a high level of integrity.
IntegrityLevelLow represents a low level of integrity.
IntegrityLevelMedium represents a medium level of integrity.
IntegrityLevelSystem represents a system level of integrity.
IntegrityLevelUnknown is an unknown integrity value.
LockheedMartinCyberKillChain is the kill chain name for Lockheed Martin Cyber Kill Chain™.
MalwareCapabilitiesAccessesRemoteMachines indicates that the malware instance or family is able to access one or more remote machines.
MalwareCapabilitiesAntiDebugging indicates that the malware instance or family is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult.
MalwareCapabilitiesAntiDisassembly indicates that the malware instance or family is able to prevent itself from being disassembled or make disassembly more difficult.
MalwareCapabilitiesAntiEmulation indicates that the malware instance or family is able to prevent its execution inside of an emulator or is able to make emulation more difficult.
MalwareCapabilitiesAntiMemoryForensics indicates that the malware instance or family is able to prevent or make memory forensics more difficult.
MalwareCapabilitiesAntiSandbox indicates that the malware instance or family is able to prevent sandbox-based behavioral analysis or make it more difficult.
MalwareCapabilitiesAntiVM indicates that the malware instance or family is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult.
MalwareCapabilitiesCapturesInputPeripherals indicates that the malware instance or family is able to capture data from a system's input peripheral devices, such as a keyboard or mouse.
MalwareCapabilitiesCapturesOutputPeripherals indicates that the malware instance or family captures data sent to a system's output peripherals, such as a display.
MalwareCapabilitiesCapturesSystemStateData indicates that the malware instance or family is able to capture information about a system's state (e.g., data currently in its RAM).
MalwareCapabilitiesCleansTracesOfInfection indicates that the malware instance or family is able to clean traces of its infection (e.g., file system artifacts) from a system.
MalwareCapabilitiesCommitsFraud indicates that the malware instance or family commits fraud, such as click fraud (for example).
MalwareCapabilitiesCommunicatesWithC2 indicates that the malware instance or family is able to communicate (i.e., send or receive data) with a command and control (C2) server.
MalwareCapabilitiesCompromisesDataAvailability indicates that the malware instance or family is able to compromise the availability of data on the local system on which it is executing and/or one or more remote systems.
MalwareCapabilitiesCompromisesDataIntegrity indicates that the malware instance or family is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted (e.g., in the case of network traffic) by the system on which it is executing.
MalwareCapabilitiesCompromisesSystemAvailability indicates that the malware instance or family is able to consume system resources for its malicious purposes, such as password cracking or participating in a DDoS botnet, thereby compromising the availability of the local system and/or one or more remote systems.
MalwareCapabilitiesControlsLocalMachine indicates that the malware instance or family is able to control the machine on which it is executing (e.g., RATs).
MalwareCapabilitiesDegradesSecuritySoftware indicates that the malware instance or family is able to bypass or disable security programs or operating system security features on a system (including mobile devices), either by stopping them from executing or by making changes to their code or configuration parameters.
MalwareCapabilitiesDegradesSystemUpdates indicates that the malware instance or family is able to disable the downloading and installation of system updates and patches.
MalwareCapabilitiesDeterminesC2Server indicates that the malware instance or family is able to identify one or more command and control (C2) servers with which to communicate (e.g., DGA).
MalwareCapabilitiesEmailsSpam indicates that the malware instance or family is able to send spam email messages.
MalwareCapabilitiesEscalatesPrivileges indicates that the malware instance or family is able to escalate the privileges under which it is executing.
MalwareCapabilitiesEvadesAV indicates that the malware instance or family is able to evade detection by antivirus tools.
MalwareCapabilitiesExfiltratesData indicates that the malware instance or family is able to gather, prepare, (possibly obfuscate) data and transmit it to exfiltration points.
MalwareCapabilitiesFingerprintsHost indicates that the malware instance or family is able to fingerprint or probe the configuration of the host system on which it is executing for the purpose of altering its behavior based on this environment.
MalwareCapabilitiesHidesArtifacts indicates that the malware instance or family is able to hide its artifacts, such as files and open ports.
MalwareCapabilitiesHidesExecutingCode indicates that the malware instance or family is able to hide its code by compromising the bootloader, kernel modules, hypervisor, etc.
MalwareCapabilitiesInfectsFiles indicates that the malware instance or family is able to infect one or more files on the system on which it executes.
MalwareCapabilitiesInfectsRemoteMachines indicates that the malware instance or family is able to self-propagate to a remote machine or infect a remote machine with malware that is different than itself.
MalwareCapabilitiesInstallsOtherComponents indicates that the malware instance or family is able to install additional components.
MalwareCapabilitiesPersistsAfterSystemReboot indicates that the malware instance or family is able to continue executing after the reboot of the system on which it is resident.
MalwareCapabilitiesPreventsArtifactAccess indicates that the malware instance or family is able to prevent its artifacts (e.g., files, registry keys, etc.) from being accessed.
MalwareCapabilitiesPreventsArtifactDeletion indicates that the malware instance or family is able to prevent its artifacts (e.g., files, registry keys, etc.) from being deleted.
MalwareCapabilitiesProbesNetworkEnvironment indicates that the malware instance or family is able to probe the properties of its network environment, e.g.
MalwareCapabilitiesSelfModifies indicates that the malware instance or family is able to modify itself.
MalwareCapabilitiesStealsAuthenticationCredentials indicates that the malware instance is able to steal authentication credentials.
MalwareCapabilitiesViolatesSystemOperationalIntegrity indicates that the malware instance or family is able to compromise the operational integrity of the system on which it is executing and/or one or more remote systems, e.g., by causing them to operate beyond their set of specified operational parameters.
MalwareResultBenign AV tool reported the malware binary as benign.
MalwareResultMalicious AV tool reported the malware binary as malicious.
MalwareResultSuspicious AV tool reported the malware binary as suspicious but not definitively malicious.
MalwareResultUnknown AV tool was unable to determine whether the malware binary is malicious.
MalwareTypeAdware is any software that is funded by advertising.
MalwareTypeBackdoor is a malicious program that allows an attacker to perform actions on a remote system, such as transferring files, acquiring passwords, or executing arbitrary commands.
MalwareTypeBootkit is a malicious program which targets the Master Boot Record of the target computer.
MalwareTypeBot is a program that resides on an infected system, communicating with and forming part of a botnet.
MalwareTypeDDoS is a program that is used to perform a distributed denial of service attack.
MalwareTypeDownloader is a small trojan file programmed to download and execute other files, usually more complex malware.
MalwareTypeDropper is a type of trojan that deposits an enclosed payload (generally, other malware) onto the target computer.
MalwareTypeExploitKit is a software toolkit to target common vulnerabilities.
MalwareTypeKeylogger is a type of malware that surreptitiously monitors keystrokes and either records them for later retrieval or sends them back to a central collection point.
MalwareTypeRansomware is a type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files.
MalwareTypeRemoteAccessTrojan is a remote access trojan (RAT), a trojan horse capable of controlling a machine through commands issued by a remote attacker.
MalwareTypeResourceExploitation is a type of malware that steals a system's resources (e.g., CPU cycles), such as a malicious bitcoin miner.
MalwareTypeRogueSecuritySoftware is a fake security product that demands money to clean phony infections.
MalwareTypeRootkit is a type of malware that hides its files or processes from normal methods of monitoring in order to conceal its presence and activities.
MalwareTypeScreenCapture is a type of malware used to capture images from the target system's screen, used for exfiltration and command and control.
MalwareTypeSpyware is a software that gathers information on a user's system without their knowledge and sends it to another party.
MalwareTypeTrojan is any malicious computer program which is used to hack into a computer by misleading users of its true intent.
MalwareTypeUnknown is used if not enough information is available to determine the type of malware.
MalwareTypeVirus is a malicious computer program that replicates by reproducing itself or infecting other programs by modifying them.
MalwareTypeWebshell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application.
MalwareTypeWiper is a piece of malware whose primary aim is to delete files or entire disks on a machine.
MalwareTypeWorm is a self-replicating, self-contained program that usually executes itself without user intervention.
MD5 is the MD5 message digest algorithm.
OpinionAgree means the creator agrees with the information and believes that it is accurate and correct.
OpinionDisagree means the creator disagrees with the information and believes it is inaccurate or incorrect.
OpinionNeutral means the creator is neutral about the accuracy or correctness of the information.
OpinionStronglyAgree means the creator strongly agrees with the information and believes that it is accurate and correct.
OpinionStronglyDisagree means the creator strongly disagrees with the information and believes it is inaccurate or incorrect.
PatternTypePCRE specifies the Perl Compatible Regular Expressions language.
PatternTypeSigma specifies the SIGMA language.
PatternTypeSnort specifies the SNORT language.
PatternTypeSTIX specifies the STIX pattern language.
PatternTypeSuricata specifies the SURICATA language.
PatternTypeYara specifies the YARA language.
RegBinary is binary data in any form.
RegDword is a 32-bit number.
RegDwordBigEndian is a 32-bit number in big-endian format.
RegDwordLittleEndian is a 32-bit number in little-endian format.
RegExpandSz is a null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%").
RegFullResourceDescription is a series of nested lists designed to store a resource list used by a physical hardware device.
RegInvalidType specifies an invalid key.
RegionAfrica is a region identifier for Africa.
RegionAmericas is a region identifier for Americas.
RegionAntarctica is a region identifier for Antarctica.
RegionAsia is a region identifier for Asia.
RegionAustraliaNewZealand is a region identifier for Australia and New Zealand.
RegionCaribbean is a region identifier for Caribbean.
RegionCentralAmerica is a region identifier for Central America.
RegionCentralAsia is a region identifier for Central Asia.
RegionEasternAfrica is a region identifier for Eastern Africa.
RegionEasternAsia is a region identifier for Eastern Asia.
RegionEasternEurope is a region identifier for Eastern Europe.
RegionEurope is a region identifier for Europe.
RegionLatinAmericaCaribbean is a region identifier for Latin America and Caribbean.
RegionMelanesia is a region identifier for Melanesia.
RegionMicronesia is a region identifier for Micronesia.
RegionMiddleAfrica is a region identifier for Middle Africa.
RegionNorthernAfrica is a region identifier for Northern Africa.
RegionNorthernAmerica is a region identifier for Northern America.
RegionNorthernEurope is a region identifier for Northern Europe.
RegionOceania is a region identifier for Oceania.
RegionPolynesia is a region identifier for Polynesia.
RegionSouthAmerica is a region identifier for South America.
RegionSouthernAfrica is a region identifier for Southern Africa.
RegionSouthernAsia is a region identifier for Southern Asia.
RegionSouthernEurope is a region identifier for Southern Europe.
RegionWesternAfrica is a region identifier for Western Africa.
RegionWesternAsia is a region identifier for Western Asia.
RegionWesternEurope is a region identifier for Western Europe.
RegLink is a null-terminated Unicode string that contains the target path of a symbolic link.
RegMultiSz is a sequence of null-terminated strings, terminated by an empty string (\0).
RegNone is the "no defined value" type (REG_NONE).
RegQword is a 64-bit number.
RegResourceList is a series of nested lists designed to store a resource list used by a hardware device driver or one of the physical devices it controls.
RegResourceRequirementsList is a device driver list of hardware resource requirements in the Resource Map tree.
RegSz is a null-terminated string.
RegUnknownValue is used for unknown type values.
RelationshipTypeAnalysisOf is an analysis of relationship.
RelationshipTypeAttributedTo is an attributed to relationship.
RelationshipTypeAuthoredBy is an authored by relationship.
RelationshipTypeBasedOn is a based on relationship.
RelationshipTypeBeaconsTo is a beacons to relationship.
RelationshipTypeBelongsTo is a belongs to relationship.
RelationshipTypeCharacterizes is a characterizes relationship.
RelationshipTypeCommunicatesWith is a communicates with relationship.
RelationshipTypeCompromises is a compromises relationship.
RelationshipTypeConsistsOf is a consists of relationship.
RelationshipTypeControls is a controls relationship.
RelationshipTypeDelivers is a delivers relationship.
RelationshipTypeDerivedFrom is a derived from relationship.
RelationshipTypeDownloads is a downloads relationship.
RelationshipTypeDrops is a drops relationship.
RelationshipTypeDuplicateOf is a duplicate of relationship.
RelationshipTypeDynamicAnalysisOf is a dynamic analysis of relationship.
RelationshipTypeExfiltratesTo is an exfiltrates to relationship.
RelationshipTypeExploits is an exploits relationship.
RelationshipTypeHas is a has relationship.
RelationshipTypeHosts is a hosts relationship.
RelationshipTypeImpersonates is an impersonates relationship.
RelationshipTypeIndicates is an indicates relationship.
RelationshipTypeLocatedAt is a located at relationship.
RelationshipTypeMitigates is a mitigates relationship.
RelationshipTypeOriginatesFrom is an originates from relationship.
RelationshipTypeOwns is an owns relationship.
RelationshipTypeRelatedTo is a related to relationship.
RelationshipTypeResolvesTo is a resolves to relationship.
RelationshipTypeStaticAnalysisOf is a static analysis of relationship.
RelationshipTypeTargets is a targets relationship.
RelationshipTypeUses is a uses relationship.
RelationshipTypeVariantOf is a variant of relationship.
ReportTypeAttackPattern subject is a characterization of one or more attack patterns and related information.
ReportTypeCampaign subject is a characterization of one or more campaigns and related information.
ReportTypeIdentity subject is a characterization of one or more identities and related information.
ReportTypeIndicator subject is a characterization of one or more indicators and related information.
ReportTypeIntrusionSet subject is a characterization of one or more intrusion sets and related information.
ReportTypeMalware subject is a characterization of one or more malware instances and related information.
ReportTypeObservedData subject is a characterization of observed data and related information.
ReportTypeThreatActor subject is a characterization of one or more threat actors and related information.
ReportTypeThreatReport subject is a broad characterization of a threat across multiple facets.
ReportTypeTool subject is a characterization of one or more tools and related information.
ReportTypeVulnerability subject is a characterization of one or more vulnerabilities and related information.
ServiceFileSystemDriver is a file system driver.
ServiceKernelDriver is a device driver.
ServiceStartAuto is a service started automatically by the service control manager during system startup.
ServiceStartBoot is a device driver started by the system loader.
ServiceStartDemand is a service started by the service control manager when a process calls the StartService function.
ServiceStartDisabled is a service that cannot be started.
ServiceStartSystem is a device driver started by the IoInitSystem function.
ServiceStartUnknown is an unknown service start value.
ServiceStatusContinuePending represents service continue is pending.
ServiceStatusPaused represents service is paused.
ServiceStatusPausePending represents service pause is pending.
ServiceStatusRunning represents service is running.
ServiceStatusStartPending represents service is starting.
ServiceStatusStopped represents service is not running.
ServiceStatusStopPending represents service is stopping.
ServiceStatusUnknown is an unknown service status value.
ServiceUnknown is an unknown service value.
ServiceWin32OwnProcess runs in its own process.
ServiceWin32ShareProcess shares a process with other services.
SHA1 is the SHA-1 (secure hash algorithm 1) cryptographic hash function.
SHA256 is the SHA-256 cryptographic hash function (part of the SHA-2 family).
SHA3256 is the SHA3-256 cryptographic hash function.
SHA3512 is the SHA3-512 cryptographic hash function.
SHA512 is the SHA-512 cryptographic hash function (part of the SHA-2 family).
SocketFamilyAPPLETALK specifies the APPLETALK DDP address family.
SocketFamilyBTH specifies BTH sockets.
SocketFamilyINET specifies the IPv4 address family.
SocketFamilyINET6 specifies the IPv6 address family.
SocketFamilyIPX specifies the IPX (Novell Internet Protocol) address family.
SocketFamilyIRDA specifies IRDA sockets.
SocketFamilyNETBIOS specifies the NETBIOS address family.
SocketFamilyUnknownValue is an unknown socket family value.
SocketFamilyUNSPEC specifies an unspecified address family.
SocketTypeDgram specifies a socket in which individually-addressed packets are sent (datagram).
SocketTypeRaw specifies raw sockets which allow new IP protocols to be implemented in user space.
SocketTypeRdm specifies a socket indicating a reliably-delivered message.
SocketTypeSeqpacket specifies a sequenced-packet socket (SOCK_SEQPACKET); note that the STIX 2.1 vocabulary text describes this value as a datagram congestion control protocol socket.
SocketTypeStream specifies a pipe-like socket which operates over a connection with a particular remote socket and transmits data reliably as a stream of bytes.
SocketTypeUnknown is an unknown socket type value.
SpecVersion20 is the spec_version string for STIX™ 2.0.
SpecVersion21 is the spec_version string for STIX™ 2.1.
SSDEEP is the ssdeep fuzzy hashing algorithm.
ThreatActorRoleAgent executes attacks either on behalf of themselves or at the direction of someone else.
ThreatActorRoleDirector directs the activities, goals, and objectives of the malicious activities.
ThreatActorRoleIndependent is a threat actor acting by themselves.
ThreatActorRoleInfrastructureArchitect is someone who designs the battle space.
ThreatActorRoleInfrastructureOperator provides and supports the attack infrastructure that is used to deliver the attack (botnet providers, cloud services, etc.).
ThreatActorRoleMalwareAuthor authors malware or other malicious tools.
ThreatActorRoleSponsor funds the malicious activities.
ThreatActorSophisticationAdvanced can develop their own tools or scripts from publicly known vulnerabilities to target systems and users.
ThreatActorSophisticationExpert can focus on the discovery and use of unknown malicious code, are adept at installing user and kernel mode rootkits, frequently use data mining tools, and target corporate executives and key users (government and industry) for the purpose of stealing personal and corporate data.
ThreatActorSophisticationInnovator typically, criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
ThreatActorSophisticationIntermediate can proficiently use existing attack frameworks and toolkits to search for and exploit vulnerabilities in computers or systems.
ThreatActorSophisticationMinimal can minimally use existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers.
ThreatActorSophisticationNone can carry out random acts of disruption or destruction by running tools they do not understand.
ThreatActorSophisticationStrategic describes state actors who create vulnerabilities through an active program to "influence" commercial products and services during design, development or manufacturing, or who have the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest.
ThreatActorTypeActivist is a highly motivated, potentially destructive supporter of a social or political cause (e.g., trade, labor, environment, etc.) that attempts to disrupt an organization's business model or damage its image.
ThreatActorTypeCompetitor is an organization that competes in the same economic marketplace.
ThreatActorTypeCrimeSyndicate is an enterprise organized to conduct significant, large-scale criminal activity for profit.
ThreatActorTypeCriminal is an individual who commits computer crimes, often for personal financial gain and often involves the theft of something valuable.
ThreatActorTypeHacker is an individual that tends to break into networks for the thrill or the challenge of doing so.
ThreatActorTypeInsiderAccidental is a non-hostile insider who unintentionally exposes the organization to harm.
ThreatActorTypeInsiderDisgruntled is a current or former insider who seeks revengeful and harmful retaliation for perceived wrongs.
ThreatActorTypeNationState are entities who work for the government or military of a nation state or who work at their direction.
ThreatActorTypeSensationalist seeks to cause embarrassment and brand damage by exposing sensitive information in a manner designed to cause a public relations crisis.
ThreatActorTypeSpy secretly collects sensitive information for use, dissemination, or sale.
ThreatActorTypeTerrorist uses extreme violence to advance a social or political agenda as well as monetary crimes to support its activities.
ThreatActorTypeUnknown is used if there is not enough information available to determine the type of threat actor.
TLSH is the TLSH fuzzy hashing algorithm.
ToolTypeCredentialExploitation is used to crack password databases or otherwise exploit/discover credentials, either locally or remotely, such as John the Ripper and NCrack.
ToolTypeDenialOfService is used to perform denial of service attacks or DDoS attacks, such as Low Orbit Ion Cannon (LOIC) and DHCPig.
ToolTypeExploitation is used to exploit software and systems, such as sqlmap and Metasploit.
ToolTypeInformationGathering is used to enumerate system and network information, e.g., NMAP.
ToolTypeNetworkCapture is used to capture network traffic, such as Wireshark and Kismet.
ToolTypeRemoteAccess is used to access machines remotely, such as VNC and Remote Desktop.
ToolTypeUnknown is used if there is not enough information available to determine the type of tool.
ToolTypeVulnerabilityScanning is used to scan systems and networks for vulnerabilities, e.g., Nessus.
TypeArtifact is used for artifact type.
TypeAttackPattern is used for attack-pattern type.
TypeAutonomousSystem is used for AS type.
TypeBundle is used for the bundle type.
TypeCampaign is used for campaign type.
TypeCourseOfAction is used for course of action type.
TypeDirectory is used for directory type.
TypeDomainName is used for domain name types.
TypeEmailAddress is used for email address type.
TypeEmailMessage is used for email message type.
TypeEmailMIME is used for the email MIME part type.
TypeExtensionDefinition is used for extension definition type.
TypeFile is used for file types.
TypeGrouping is used for grouping type.
TypeIdentity is used for identity types.
TypeIndicator is used for indicator types.
TypeInfrastructure is used for infrastructure type.
TypeIntrusionSet is used for intrusion set type.
TypeIPv4Addr is used for IPv4 address types.
TypeIPv6Addr is used for IPv6 address types.
TypeLanguageContent is used for language content type.
TypeLocation is used for location type.
TypeMACAddress is used for MAC address type.
TypeMalware is used for malware type.
TypeMalwareAnalysis is used for the malware analysis type.
TypeMarkingDefinition is used for marking definition type.
TypeMitreCollection is used for mitre collection types.
TypeMitreMatrix is used for mitre matrix types.
TypeMitreTactic is used for mitre tactic types.
TypeMutex is used for mutex type.
TypeNetworkTraffic is used for network traffic type.
TypeNote is used for the note type.
TypeObservedData is used for observed data type.
TypeOpinion is used for the opinion type.
TypeProcess is used for process type.
TypeRegistryKey is used for registry key type.
TypeRelationship is used for relationship types.
TypeReport is used for the report type.
TypeSighting is used for sighting types.
TypeSoftware is used for software type.
TypeThreatActor is used for threat actor type.
TypeTool is used for tool type.
TypeURL is used for URL types.
TypeUserAccount is used for user account type.
TypeVulnerability is used for vulnerability type.
TypeX509Certificate is used for X.509 certificate type.
WindowsPEDLL specifies that the PE binary is a dynamically linked library (DLL).
WindowsPEExe specifies that the PE binary is an executable image (i.e., not an OBJ or DLL).
WindowsPESys specifies that the PE binary is a device driver (SYS).

# Variables

AllTypes is a list of all STIX types.
CyberObservableNamespace is the UUIDv5 namespace for STIX Cyber-observable Objects.
ErrInvalidParameter is returned if function is called with an invalid function parameter.
ErrInvalidProperty is returned if the value for a property is invalid.
ErrPropertyMissing is returned if at least one of the required properties is missing.
TLPAmber is the TLP:AMBER marking as defined by STIX 2.1.
TLPGreen is the TLP:GREEN marking as defined by STIX 2.1.
TLPRed is the TLP:RED marking as defined by STIX 2.1.
TLPWhite is the TLP:WHITE marking as defined by STIX 2.1.
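The CyberObservableNamespace variable above, and the Identifier type alias listed later under "Type aliases", refer to the STIX 2.1 rule that SCO identifiers MAY be derived deterministically: a UUIDv5 computed under the SCO namespace over the canonical JSON of the object's "ID-contributing" properties. The following is an added, self-contained Go example of that derivation; it is not the panther-labs/stix2 library's own code and does not call its API. The namespace value is the constant from the STIX 2.1 specification; the per-type table of contributing properties is a deliberately small excerpt, and the canonical-JSON step relies on encoding/json's sorted-key, compact output, which matches RFC 8785 for the string-valued properties used here but is not a full JCS implementation.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// STIXSCONamespace is the UUIDv5 namespace STIX 2.1 assigns to Cyber-observable
// Objects (the value behind the library's CyberObservableNamespace variable).
const STIXSCONamespace = "00abedb4-aa42-466c-9c01-fed23315a9b7"

// idContributing maps an SCO type to the properties that feed its deterministic
// ID. Excerpt only; the full table is in the STIX 2.1 specification (assumption:
// the entries below are copied from that table).
var idContributing = map[string][]string{
	"ipv4-addr":   {"value"},
	"ipv6-addr":   {"value"},
	"domain-name": {"value"},
	"url":         {"value"},
	"mac-addr":    {"value"},
	"file":        {"hashes", "name", "extensions", "parent_directory_ref"},
}

// ParseUUID turns the textual 8-4-4-4-12 form into 16 raw bytes.
func ParseUUID(s string) ([16]byte, error) {
	var out [16]byte
	raw, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(raw) != 16 {
		return out, fmt.Errorf("malformed uuid %q", s)
	}
	copy(out[:], raw)
	return out, nil
}

// UUIDv5 implements RFC 4122 name-based UUIDs: SHA-1(namespace || name),
// truncated to 128 bits with the version and variant bits forced.
func UUIDv5(ns [16]byte, name []byte) string {
	h := sha1.New()
	h.Write(ns[:])
	h.Write(name)
	sum := h.Sum(nil)[:16]
	sum[6] = (sum[6] & 0x0f) | 0x50 // version 5
	sum[8] = (sum[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", sum[0:4], sum[4:6], sum[6:8], sum[8:10], sum[10:16])
}

// DeterministicID returns "<type>--<uuidv5>" for an SCO, computed over the
// canonical JSON of whichever ID-contributing properties are present. The spec
// falls back to a random UUIDv4 when none are present; this example reports an
// error instead so the caller notices the object is not deterministically keyed.
func DeterministicID(scoType string, props map[string]any) (string, error) {
	keys, ok := idContributing[scoType]
	if !ok {
		return "", fmt.Errorf("no ID-contributing properties known for %q", scoType)
	}
	contrib := map[string]any{}
	for _, k := range keys {
		if v, present := props[k]; present {
			contrib[k] = v
		}
	}
	if len(contrib) == 0 {
		return "", fmt.Errorf("%s: none of %v present; a random v4 id would be required", scoType, keys)
	}
	var buf strings.Builder
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep '<', '>' and '&' literal, as canonical JSON requires
	if err := enc.Encode(contrib); err != nil {
		return "", err
	}
	canonical := strings.TrimSuffix(buf.String(), "\n") // Encoder appends a newline
	ns, err := ParseUUID(STIXSCONamespace)
	if err != nil {
		return "", err
	}
	return scoType + "--" + UUIDv5(ns, []byte(canonical)), nil
}

var deterministicIDRe = regexp.MustCompile(
	`^[a-z0-9][a-z0-9-]{0,248}[a-z0-9]--[0-9a-f]{8}-[0-9a-f]{4}-5[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)

// IsDeterministicID checks the "<type>--<uuid>" shape and that the UUID carries
// the version-5 / RFC 4122 variant bits a name-based ID must have.
func IsDeterministicID(id string) bool {
	return deterministicIDRe.MatchString(id)
}

func main() {
	for _, v := range []string{"10.0.0.1", "10.0.0.2"} {
		id, err := DeterministicID("ipv4-addr", map[string]any{"value": v, "spec_version": "2.1"})
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(v, "->", id)
	}
}
```

Two properties of this scheme matter operationally: producers that follow it emit the same identifier for the same observable, so SCOs deduplicate across feeds without a lookup table, and a consumer can tell a deterministic ID from a random one by the version nibble alone. Non-contributing properties such as spec_version or defanged do not change the ID, which the test below relies on.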

# Structs

AltDataStream represents an NTFS alternate data stream.
ArchiveFileExtension specifies a default extension for capturing properties specific to archive files.
Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.
AttackPattern is a type of TTP that describe ways that adversaries attempt to compromise targets.
AutonomousSystem object represents the properties of an Autonomous System (AS).
Bundle is a collection of arbitrary STIX Objects grouped together in a single container.
Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets.
Collection is a collection of STIX objects.
CourseOfAction (CoA) is a recommendation from a producer of intelligence to a consumer on the actions that they might take in response to that intelligence.
Directory object represents the properties common to a file system directory.
DomainName object represents the properties of a network domain name.
EmailAddress object represents a single email address.
EmailMessage represents an instance of an email message, corresponding to the internet message format described in RFC5322 and related RFCs.
EmailMIME specifies one component of a multi-part email body.
ExternalReference is used to describe pointers to information represented outside of STIX.
File object represents the properties of a file.
GranularMarking defines how the marking-definition object referenced by the Marking property or a language specified by the Lang property applies to a set of content identified by the list of selectors in the Selectors property.
Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context).
HTTPRequestExtension specifies a default extension for capturing network traffic properties specific to HTTP requests.
ICMPExtension specifies a default extension for capturing network traffic properties specific to ICMP.
Identity can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector).
Indicator contains a pattern that can be used to detect suspicious or malicious cyber activity.
Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, devices or servers that are part of a defence, database servers targeted by an attack, etc.).
IntrusionSet is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization.
IPv4Address represents one or more IPv4 addresses expressed using CIDR notation.
IPv6Address represents one or more IPv6 addresses expressed using CIDR notation.
KillChainPhase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
LanguageContent represents text content for STIX Objects represented in languages other than that of the original object.
Location represents a geographic location.
MACAddress represents a single Media Access Control (MAC) address.
Malware is a type of TTP that represents malicious code.
MalwareAnalysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.
MarkingDefinition represents a specific marking.
MitreCollection represents a MITRE collection.
MitreMatrix represents a MITRE matrix.
MitreTactic represents a MITRE tactic.
Mutex represents the properties of a mutual exclusion (mutex) object.
NetworkTraffic represents arbitrary network traffic that originates from a source and is addressed to a destination.
Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to.
NTFSFileExtension specifies a default extension for capturing properties specific to the storage of the file on the NTFS file system.
ObservedData conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs).
Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity.
PDFExtension specifies a default extension for capturing properties specific to PDF files.
Process represents common properties of an instance of a computer program as executed on an operating system.
RasterImageExtension specifies a default extension for capturing properties specific to raster image files.
RegistryKey object represents the properties of a Windows registry key.
RegistryValue captures the properties of a Windows Registry Key Value.
Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other.
Report is a collection of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen.
SocketExtension specifies a default extension for capturing network traffic properties associated with network sockets.
Software object represents high-level properties associated with software, including software products.
StatementMarking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition.
STIXCyberObservableObject represent observed facts about a network or host that may be used and related to higher level intelligence to form a more complete understanding of the threat landscape.
STIXDomainObject represents the higher-level intelligence objects that capture behaviors and constructs threat analysts would typically create or work with while understanding the threat landscape.
STIXRelationshipObject represents the objects that connect STIX Domain Objects together, STIX Cyber-observable Objects together, and STIX Domain Objects with STIX Cyber-observable Objects, to form a more complete understanding of the threat landscape.
TCPExtension specifies a default extension for capturing network traffic properties specific to TCP.
ThreatActor represents actual individuals, groups, or organizations believed to be operating with malicious intent.
Timestamp is a RFC 3339-formatted timestamp.
TLPMarking defines how a Traffic Light Protocol (TLP) marking is represented in a definition property.
Tool is legitimate software that can be used by threat actors to perform attacks.
UNIXAccountExtension specifies a default extension for capturing the additional information for an account on a UNIX system.
URL object represents the properties of a uniform resource locator (URL).
UserAccount object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts.
Vulnerability is "a mistake in software that can be directly used by a hacker to gain access to a system or network".
WindowsPEBinaryExtension specifies a default extension for capturing properties specific to Windows portable executable (PE) files.
WindowsPEOptionalHeader represents the properties of the PE optional header.
WindowsPESection specifies metadata about a PE file section.
WindowsProcessExtension specifies a default extension for capturing properties specific to Windows processes.
WindowsServiceExtension specifies a default extension for capturing properties specific to Windows services.
X509Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509 [X.509].
X509v3Extension captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names.

# Interfaces

STIXObject is a generic representation of a STIX object.

# Type aliases

Binary data type represents a sequence of bytes.
CollectionOption is an optional parameter when constructing a Collection.
CustomObject is a custom STIX object that allows for extending the specification by creating a new type.
EncryptionAlgorithm is the encryption algorithms used for sharing defanged and/or confidential artifacts.
ExtensionType describes what type of extension it is.
HashAlgorithm is a vocabulary of hashing algorithms.
Hashes represents one or more cryptographic hashes, as a special set of key/value pairs.
Hex type encodes an array of octets (8-bit bytes) as hexadecimal.
Identifier uniquely identifies a STIX Object and MAY do so in a deterministic way.
OpinionValue captures a degree of agreement with the information in a STIX Object.
RegistryDataType is a type of registry data type.
RelationshipType describes how the source and the target are related.
SocketAddressFamily is a network socket address family type.
SocketType is a network socket type.
STIXOption is an optional parameter when constructing an STIX object.
STIXType is the type string used in STIX objects.
WindowsIntegrityLevel is a Windows security feature that represents the trustworthiness of an object.
WindowsPEBinaryType is a PE binary type.
WindowsServiceStartType is a Windows service start type.
WindowsServiceStatusType is a Windows service status type.
WindowsServiceType is a Windows service type.