Class ActionType

Class hierarchy:
    object
      GeneratedsSuper
        ActionType
ActionType is intended to serve as a method for the characterization of actions found or observed in malware. Actions can be thought of as system state changes and similar operations that represent the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some arbitrary packets on a socket.

The type attribute is intended to characterize the type of action that occurred, based on its activity. Possible values: Login/Logon, Logout/Logoff, Start, Stop, Suspend/Pause, Resume, Create, Remove/Delete, Access/Open, Close, Move, Copy/Duplicate, Read, Write, Execute, Quarantine, Find, Clean, Block, Update, Upgrade, Scan, Filter, Install, Allocate, Initialize, Save, Connect, Disconnect, Audit, Replicate, Detect, Alert, Backup, Search, Restore, Get, Set, Assign, Send, Receive, Transmit, Map, Load, Query, Enumerate, Bind, Free, Kill, Encrypt, Decrypt, Encode, Decode, Pack, Unpack, Archive, Compress, Decompress, Download, Upload, Load, Fork, Join, Merge, Interleave, Schedule, Call, Compare, Wipe/Destroy/Purge, Throw/Raise, Lock, Unlock, Synchronize, Hook, Unhook, Draw, Click, Press, Depress, Close(network), Open(network), Callback, Drop, Accept, Deny, Modify, Listen, Send, Start_Winsock, Other.

The action_name attribute is intended to contain the name of the action performed. Typically, this is composed of the Action_Type concatenated with the type of object the action is performed upon. For instance, the action name for creating a file would be 'create_file', where the action_type is 'create'. If the object does not exist in MAEC's object_type enumeration, it can still be included as the second half of the action name. If a specific object attribute is being used in the action, this attribute can be concatenated after the object type. For instance, an action that sets a timestamp on a file would be 'set_file_timestamp'. Object modifiers can be used by including the modifier in front of the object type. For instance, an action that creates a remote thread would be 'create_remote_thread'.

The ordinal_position attribute is intended to reference the ordinal position of the action with respect to the execution of the malware. The successful attribute is used to describe whether the action was successful or not. The timestamp attribute represents the local or relative time at which the action occurred or was observed.
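The action_name composition rule above (action type, optional object modifier, object type, optional attribute) as an added, stand-alone example; this is not code from the MAEC bindings or the generated ActionType class. The type enumeration is copied from the docstring; object types are assumed free-form because the page does not reproduce MAEC's object_type enumeration.

```python
# Enumeration of type values copied from the ActionType docstring above.
_TYPE_TEXT = """Login/Logon, Logout/Logoff, Start, Stop, Suspend/Pause, Resume, Create,
Remove/Delete, Access/Open, Close, Move, Copy/Duplicate, Read, Write, Execute,
Quarantine, Find, Clean, Block, Update, Upgrade, Scan, Filter, Install, Allocate,
Initialize, Save, Connect, Disconnect, Audit, Replicate, Detect, Alert, Backup,
Search, Restore, Get, Set, Assign, Send, Receive, Transmit, Map, Load, Query,
Enumerate, Bind, Free, Kill, Encrypt, Decrypt, Encode, Decode, Pack, Unpack,
Archive, Compress, Decompress, Download, Upload, Fork, Join, Merge, Interleave,
Schedule, Call, Compare, Wipe/Destroy/Purge, Throw/Raise, Lock, Unlock,
Synchronize, Hook, Unhook, Draw, Click, Press, Depress, Close(network),
Open(network), Callback, Drop, Accept, Deny, Modify, Listen, Start_Winsock, Other"""

# Each slash-separated alternative (e.g. Remove/Delete) is accepted on its own, lower-cased.
ACTION_TYPES = frozenset(
    alt.strip().lower()
    for item in _TYPE_TEXT.replace("\n", " ").split(",")
    for alt in item.split("/")
)


def build_action_name(action_type, object_type, modifier=None, attribute=None):
    """Compose action_name as the docstring describes: the action type, then an
    optional object modifier, the object type, then an optional object attribute.
    Rejects type values outside the enumeration instead of emitting a bad name."""
    action_type = action_type.lower()
    if action_type not in ACTION_TYPES:
        raise ValueError("unknown action type: %r" % action_type)
    parts = [action_type]
    if modifier:
        parts.append(modifier.lower())
    parts.append(object_type.lower())
    if attribute:
        parts.append(attribute.lower())
    return "_".join(parts)


def split_action_type(action_name):
    """Return (action_type, remainder) for an action_name, or None when the leading
    component is not an enumerated type. The longest matching prefix wins, so
    'start_winsock' is not misread as type 'start' acting on object 'winsock'."""
    matches = [t for t in ACTION_TYPES
               if action_name == t or action_name.startswith(t + "_")]
    if not matches:
        return None
    t = max(matches, key=len)
    return t, action_name[len(t) + 1:]
```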
Instance methods:

    __init__(self, successful=None, timestamp=None, action_name=None,
             ordinal_position=None, type_=None, id=None, Description=None,
             Discovery_Method=None, Action_Initiator=None,
             Action_Implementation=None, Objects=None, Effects=None,
             Related_Actions=None)
        x.__init__(...) initializes x; see help(type(x)) for signature

    set_Discovery_Method(self, Discovery_Method)

    set_Action_Initiator(self, Action_Initiator)

    set_Action_Implementation(self, Action_Implementation)

    set_ordinal_position(self, ordinal_position)

    export(self, outfile, level, namespace_='maec:', name_='ActionType',
           namespacedef_='')

    exportAttributes(self, outfile, level, already_processed,
                     namespace_='maec:', name_='ActionType')

    exportChildren(self, outfile, level, namespace_='maec:',
                   name_='ActionType', fromsubclass_=False)

    exportLiteral(self, outfile, level, name_='ActionType')

    exportLiteralAttributes(self, outfile, level, already_processed, name_)

    exportLiteralChildren(self, outfile, level, name_)

    buildAttributes(self, node, attrs, already_processed)

    buildChildren(self, child_, node, nodeName_, fromsubclass_=False)
Inherited from GeneratedsSuper:
    gds_build_any, gds_format_boolean, gds_format_boolean_list,
    gds_format_double, gds_format_double_list, gds_format_float,
    gds_format_float_list, gds_format_integer, gds_format_integer_list,
    gds_format_string, gds_str_lower, gds_validate_boolean,
    gds_validate_boolean_list, gds_validate_double, gds_validate_double_list,
    gds_validate_float, gds_validate_float_list, gds_validate_integer,
    gds_validate_integer_list, gds_validate_string, get_class_obj_,
    get_path_, get_path_list_

Inherited from object:
    __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__,
    __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__
Properties inherited from object:
    __class__

Method details:

    __init__(self, successful=None, timestamp=None, action_name=None,
             ordinal_position=None, type_=None, id=None, Description=None,
             Discovery_Method=None, Action_Initiator=None,
             Action_Implementation=None, Objects=None, Effects=None,
             Related_Actions=None)
        (Constructor)
        x.__init__(...) initializes x; see help(type(x)) for signature
        Overrides: object.__init__ (inherited documentation)