<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:et="http://docs.oasis-open.org/cti/ns/stix/exploit-target-1" xmlns:stixCommon="http://docs.oasis-open.org/cti/ns/stix/common-1" xmlns:marking="http://docs.oasis-open.org/cti/ns/stix/data-marking-1" xmlns:cybox="http://docs.oasis-open.org/cti/ns/cybox/core-2" targetNamespace="http://docs.oasis-open.org/cti/ns/stix/exploit-target-1" elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.2.1" xml:lang="en">
<xs:annotation>
<xs:documentation> STIX[TM] Version 1.2.1. Committee Specification Draft 01 / Public Review Draft 01</xs:documentation>
<xs:appinfo>
<schema>STIX Exploit Target</schema>
<version>1.2.1</version>
<date>12/15/2015 9:00:00 AM</date>
<short_description>Structured Threat Information eXpression (STIX) - ExploitTarget - Schematic implementation for the ExploitTarget construct within the STIX structured cyber threat expression language architecture</short_description>
<terms_of_use>Copyright (c) OASIS Open 2016. All Rights Reserved.
Distributed under the terms of the OASIS IPR Policy, [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.</terms_of_use>
<terms_of_use> Portions copyright (c) United States Government 2012-2016. All Rights Reserved.
Source: http://docs.oasis-open.org/cti/stix/v1.2.1/csprd01/schemas/
Latest version of the specification: REPLACE_WITH_SPECIFICATION_URL
TC IPR Statement: https://www.oasis-open.org/committees/cti/ipr.php
</terms_of_use>
</xs:appinfo>
</xs:annotation>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/stix/common-1" schemaLocation="common.xsd"/>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/stix/data-marking-1" schemaLocation="data-marking.xsd"/>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/cybox/core-2" schemaLocation="cybox/core.xsd"/>
<xs:element name="Exploit_Target" type="et:ExploitTargetType">
<xs:annotation>
<xs:documentation>The ExploitTargetType characterizes potential targets for exploitation by capturing characteristics of targeted victims that may make them vulnerable to attack. ExploitTargetType extends ExploitTargetBaseType from the Common data model, which provides the essential identifier (id) and identifier reference (idref) properties.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:complexType name="ExploitTargetType">
<xs:annotation>
<xs:documentation>Represents a single STIX Exploit Target.</xs:documentation>
<xs:documentation>ExploitTargets are vulnerabilities or weaknesses in software, systems, networks or configurations that are targeted for exploitation by the TTP of a ThreatActor. In a structured sense, ExploitTargets consist of vulnerability identifications or characterizations, weakness identifications or characterizations, configuration identifications or characterizations, potential Courses of Action, source of the ExploitTarget information, handling guidance, etc.</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:ExploitTargetBaseType">
<xs:sequence>
<xs:element name="Title" type="xs:string" minOccurs="0">
<xs:annotation>
<xs:documentation>The Title property captures a title for the Exploit Target and reflects what the content producer thinks the Exploit Target as a whole should be called. The Title property is typically used by humans to reference a particular Exploit Target; however, it is not suggested for correlation.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Description property captures a textual description of the Exploit Target. Any length is permitted. Optional formatting is supported via the structuring_format property.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Short_Description property captures a short textual description of the Exploit Target. This property is secondary and should only be used if the Description property is already populated and another, shorter description is available.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Vulnerability" type="et:VulnerabilityType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Vulnerability property characterizes a vulnerability that is a potential target for exploitation. Examples of information captured include a description of the vulnerability (in a structured or unstructured fashion), a CVE identifier, an OSVDB identifier, and CVSS information.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Weakness" type="et:WeaknessType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Weakness property characterizes a weakness that is a potential target for exploitation. Examples of information captured include a description of the weakness and a CWE identifier.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Configuration" type="et:ConfigurationType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Configuration property characterizes a configuration that is a potential target for exploitation. Examples of information captured include a description of the configuration issue and a CCE identifier.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Potential_COAs" type="et:PotentialCOAsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Potential_COAs property specifies a set of one or more Courses of Action that may be relevant for the remediation or mitigation of this Exploit Target.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Information_Source property characterizes the source of the Exploit Target information. Examples of details captured include identifying characteristics, time-related attributes, and a list of tools used to collect the information.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Handling property specifies the appropriate data handling markings for the properties of this Exploit Target. The marking scope is limited to the Exploit Target and the content it contains. Note that data handling markings can also be specified at a higher level.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Related_Exploit_Targets" type="et:RelatedExploitTargetsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Related_Exploit_Targets property specifies a set of one or more other Exploit Targets related to this Exploit Target.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Related_Packages property specifies a set of one or more STIX Packages that are related to the Exploit Target.</xs:documentation>
<xs:documentation>DEPRECATED: This property is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="version" type="et:ExploitTargetVersionType">
<xs:annotation>
<xs:documentation>The version property specifies the version identifier of the STIX Exploit Target data model used to capture the information associated with the Exploit Target.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!---->
<xs:simpleType name="ExploitTargetVersionType">
<xs:annotation>
<xs:documentation>The ExploitTargetVersionType enumeration is an inventory of all versions of the Exploit Target data model for the current release of STIX.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="stix-1.2.1" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="VulnerabilityType">
<xs:annotation>
<xs:documentation>Characterizes an individual vulnerability.</xs:documentation>
<xs:documentation>In addition to capturing basic information and references to vulnerability registries, this type is intended to be extended to enable the structured description of a vulnerability by using the XML Schema extension feature. The STIX default extension uses the Common Vulnerability Reporting Format (CVRF) schema to do so. The extension that defines this is captured in the CVRF1.1InstanceType in the http://docs.oasis-open.org/cti/ns/stix/extensions/test-mechanism/cvrf-1 namespace. This type is defined in the extensions/vulnerability/cvrf-1.1-vulnerability.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/extensions/vulnerability/cvrf-1.1-vulnerability.xsd.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Title" type="xs:string" minOccurs="0">
<xs:annotation>
<xs:documentation>The Title property captures a title for the vulnerability and reflects what the content producer thinks the vulnerability as a whole should be called. The Title property is typically used by humans to reference a particular vulnerability; however, it is not suggested for correlation. </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Description property captures a textual description of the vulnerability. Any length is permitted. Optional formatting is supported via the structuring_format property of the StructuredTextType type.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Short_Description property captures a short textual description of the vulnerability. This property is secondary and should only be used if the Description property is already populated and another, shorter description is available.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="CVE_ID" minOccurs="0">
<xs:annotation>
<xs:documentation>The CVE_ID property specifies a Common Vulnerability and Exposures (CVE) identifier for the vulnerability.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:pattern value="CVE-\d\d\d\d-\d+"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="OSVDB_ID" type="xs:positiveInteger" minOccurs="0">
<xs:annotation>
<xs:documentation>The OSVDB_ID property specifies an Open Source Vulnerability Database (OSVDB) identifier for the vulnerability.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Source" type="xs:string" minOccurs="0">
<xs:annotation>
<xs:documentation>The Source property captures a textual description or a URL of the original source of the vulnerability information.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="CVSS_Score" type="et:CVSSVectorType" minOccurs="0">
<xs:annotation>
<xs:documentation>The CVSS_Score property captures the full Common Vulnerability Scoring System (CVSS) v2.0 base, temporal, and environmental vectors.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Discovered_DateTime" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Discovered_DateTime property specifies the date and time at which the vulnerability was discovered. To avoid ambiguity, all timestamps SHOULD include a specification of the time zone. In addition to specifying a date and time, the Date_Time property may also capture a precision property to specify the granularity with which the time should be considered, as specified by the DateTimePrecisionEnum enumeration (e.g., 'hour,' 'minute'). If omitted, the default precision is 'second.' Digits in a timestamp that are beyond the specified precision SHOULD be zeroed out.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Published_DateTime" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Published_DateTime property specifies the date and time at which information about the vulnerability was published. To avoid ambiguity, all timestamps SHOULD include a specification of the time zone. In addition to specifying a date and time, the Date_Time property may also capture a precision property to specify the granularity with which the time should be considered, as specified by the DateTimePrecisionEnum enumeration (e.g., 'hour,' 'minute'). If omitted, the default precision is 'second.' Digits in a timestamp that are beyond the specified precision SHOULD be zeroed out.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Affected_Software" type="et:AffectedSoftwareType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Affected_Software property specifies a set of one or more software products that are affected by this vulnerability. It leverages CybOX ObservableType.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="References" type="stixCommon:ReferencesType" minOccurs="0">
<xs:annotation>
<xs:documentation>The References property specifies a set of one or more related references associated with the vulnerability.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="is_known" type="xs:boolean">
<xs:annotation>
<xs:documentation>The is_known property specifies whether or not the vulnerability is known (i.e., not a 0-day) or unknown (i.e., a 0-day) at the time it is characterized.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="is_publicly_acknowledged" type="xs:boolean">
<xs:annotation>
<xs:documentation>The is_publicly_acknowledged property specifies whether or not the vulnerability is publicly acknowledged by the vendor at the time it is characterized.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="PotentialCOAsType">
<xs:annotation>
<xs:documentation>The PotentialCOAsType specifies a set of one or more potential Courses of Action (COAs) for the Exploit Target. It extends GenericRelationshipListType defined in the STIX Common data model, which specifies the scope (whether the elements of the set are related individually or as a group).</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Potential_COA" type="stixCommon:RelatedCourseOfActionType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Potential_COA property specifies a Course of Action potentially relevant for the remediation or mitigation of this Exploit Target and characterizes this relevance relationship by capturing information such as the level of confidence that the Course of Action and the Exploit Target are related, the source of the relationship information, and the type of relationship.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="ConfigurationType">
<xs:annotation>
<xs:documentation>The ConfigurationType characterizes a software or hardware configuration as a potential Exploit Target.
</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Description property captures a textual description of the configuration. Any length is permitted. Optional formatting is supported via the structuring_format property.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Short_Description property captures a short textual description of the configuration. This property is secondary and should only be used if the Description property is already populated and another, shorter description is available.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="CCE_ID" minOccurs="0">
<xs:annotation>
<xs:documentation>The CCE_ID property specifies a Common Configuration Enumeration (CCE) identifier for a particular configuration item.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:pattern value="CCE-\d+-\d"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="WeaknessType">
<xs:annotation>
<xs:documentation>The WeaknessType characterizes a weakness as a potential Exploit Target.
</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Description property captures a textual description of the weakness. Any length is permitted. Optional formatting is supported via the structuring_format property.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="CWE_ID" minOccurs="0">
<xs:annotation>
<xs:documentation>The CWE_ID property specifies a Common Weakness Enumeration (CWE) identifier for a particular weakness.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:pattern value="CWE-\d+"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="AffectedSoftwareType">
<xs:annotation>
<xs:documentation>The AffectedSoftwareType specifies a set of platforms and software that are affected by a vulnerability. It extends GenericRelationshipListType defined in the STIX Common data model, which specifies the scope (whether the elements of the set are related individually or as a group).</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Affected_Software" type="stixCommon:RelatedObservableType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Affected_Software property characterizes a single software product or platform affected by this vulnerability.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="CVSSVectorType">
<xs:sequence>
<xs:element name="Overall_Score" type="et:CVSSScoreType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Overall_Score property specifies the CVSS 2.0 overall score. Note that this is not the same as the unadjusted CVSS base score, which should be specified in the Base_Score property.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Base_Score" type="et:CVSSScoreType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Base_Score property specifies the unadjusted CVSS 2.0 base score.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Base_Vector" type="et:CVSSBaseVectorType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Base_Vector property specifies the CVSS 2.0 base vector.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Temporal_Score" type="et:CVSSScoreType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Temporal_Score property specifies the CVSS 2.0 temporal score.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Temporal_Vector" type="et:CVSSTemporalVectorType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Temporal_Vector property specifies the CVSS 2.0 temporal vector.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Environmental_Score" type="et:CVSSScoreType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Environmental_Score property specifies the CVSS 2.0 environmental score.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Environmental_Vector" type="et:CVSSEnvironmentalVectorType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Environmental_Vector property specifies the CVSS 2.0 environmental vector.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:simpleType name="CVSSScoreType">
<xs:restriction base="xs:string">
<xs:pattern value="((10)|[0-9])\.[0-9]"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="CVSSBaseVectorType">
<xs:restriction base="xs:string">
<xs:pattern value="AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC]"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="CVSSTemporalVectorType">
<xs:restriction base="xs:string">
<xs:pattern value="E:([UFH]|(POC)|(ND))/RL:([WU]|(OF)|(TF)|(ND))/RC:([C]|(UC)|(UR)|(ND))"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="CVSSEnvironmentalVectorType">
<xs:restriction base="xs:string">
<xs:pattern value="CDP:([NLH]|(LM)|(MH)|(ND))/TD:([NLMH]|(ND))/CR:([LMH]|(ND))/IR:([LMH]|(ND))/AR:([LMH]|(ND))"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="RelatedExploitTargetsType">
<xs:annotation>
<xs:documentation>The RelatedExploitTargetsType specifies a set of one or more other Exploit Targets asserted as related to this Exploit Target and therefore is a self-referential relationship. It extends GenericRelationshipListType defined in the STIX Common data model, which specifies the scope (whether the elements of the set are related individually or as a group).</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Related_Exploit_Target" type="stixCommon:RelatedExploitTargetType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Related_Exploit_Target property specifies another Exploit Target associated with this Exploit Target and characterizes the relationship between the Exploit Targets by capturing information such as the level of confidence that the Exploit Targets are related, the source of the relationship information, and type of the relationship. A relationship between Exploit Targets may represent assertions of general associativity or different versions of the same Exploit Target.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:schema>
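<!--
Added example, not part of the OASIS schema: a Python lint that applies the pattern facets defined above (CVE_ID, CWE_ID, CCE_ID, CVSSScoreType, CVSSBaseVectorType) to an Exploit_Target instance and then flags values the facets accept but that are semantically out of range, such as a score of 10.9. The function names, the finding strings and the sample document with its placeholder CVE identifiers are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ET_NS = "{http://docs.oasis-open.org/cti/ns/stix/exploit-target-1}"

# Pattern facets copied from the schema. XSD patterns are implicitly anchored,
# so they are applied with re.fullmatch. Python's \d, like XSD's, matches any
# Unicode decimal digit.
SCORE = r"((10)|[0-9])\.[0-9]"
FACETS = {
    "CVE_ID": r"CVE-\d\d\d\d-\d+",
    "CWE_ID": r"CWE-\d+",
    "CCE_ID": r"CCE-\d+-\d",
    "Overall_Score": SCORE, "Base_Score": SCORE,
    "Temporal_Score": SCORE, "Environmental_Score": SCORE,
    "Base_Vector": r"AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC]",
}

def semantic_problem(name, value):
    """Checks the facets cannot express; value already matched its facet."""
    if name.endswith("_Score") and float(value) > 10.0:
        return "above the CVSS v2 maximum of 10.0"
    if name == "CVE_ID" and len(value.rsplit("-", 1)[1]) < 4:
        return "CVE sequence number shorter than four digits"
    return None

def lint(xml_text):
    """Return (element, value, problem) tuples in document order."""
    findings = []
    # Constructed, trusted input here; for untrusted feeds use a hardened
    # parser such as defusedxml before touching the document.
    for el in ET.fromstring(xml_text).iter():
        if not el.tag.startswith(ET_NS):
            continue
        name = el.tag[len(ET_NS):]
        if name not in FACETS:
            continue
        value = el.text or ""  # xs:string keeps whitespace, so no strip()
        if re.fullmatch(FACETS[name], value) is None:
            findings.append((name, value, "rejected by schema pattern"))
        else:
            problem = semantic_problem(name, value)
            if problem:
                findings.append((name, value, problem))
    return findings

# Constructed sample; the CVE identifiers are placeholders, not real entries.
SAMPLE = """<et:Exploit_Target
    xmlns:et="http://docs.oasis-open.org/cti/ns/stix/exploit-target-1">
  <et:Vulnerability>
    <et:CVE_ID>CVE-0000-12345</et:CVE_ID>
    <et:CVSS_Score>
      <et:Base_Score>7.5</et:Base_Score>
      <et:Base_Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</et:Base_Vector>
    </et:CVSS_Score>
  </et:Vulnerability>
  <et:Vulnerability>
    <et:CVE_ID>CVE-0000-1</et:CVE_ID>
    <et:CVSS_Score><et:Base_Score>10.9</et:Base_Score></et:CVSS_Score>
  </et:Vulnerability>
  <et:Vulnerability>
    <et:CVE_ID>cve-0000-12345</et:CVE_ID>
    <et:CVSS_Score><et:Base_Score>7.50</et:Base_Score></et:CVSS_Score>
  </et:Vulnerability>
</et:Exploit_Target>"""

if __name__ == "__main__":
    for name, value, problem in lint(SAMPLE):
        print(f"{name}={value!r}: {problem}")
```

The second Vulnerability in the sample passes every facet, which is why consumers of this data model need their own range checks after schema validation.
-->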