{
"$id": "../observables/process.json",
"$schema": "http://json-schema.org/draft-06/schema#",
"title": "process",
"description": "The Process Object represents common properties of an instance of a computer program as executed on an operating system.",
"type": "object",
"allOf": [
{
"$ref": "../common/cyber-observable-core.json"
},
{
"properties": {
"type": {
"type": "string",
"description": "The value of this property MUST be `process`.",
"const": "process"
},
"extensions": {
"$ref": "#/definitions/process-extensions-dictionary",
"description": "The Process Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: windows-process-ext, windows-service-ext."
},
"is_hidden": {
"type": "boolean",
"description": "Specifies whether the process is hidden."
},
"pid": {
"type": "integer",
"description": "Specifies the Process ID, or PID, of the process."
},
"name": {
"type": "string",
"description": "Specifies the name of the process."
},
"created": {
"$ref": "../common/timestamp.json",
"description": "Specifies the date/time at which the process was created."
},
"cwd": {
"type": "string",
"description": "Specifies the current working directory of the process."
},
"arguments": {
"type": "array",
"description": "Specifies the list of arguments used in executing the process.",
"items": {
"type": "string",
"pattern": "^((-{1,2}|\\/)[^\\s=]+ (?![-\\/]))?([^\\s\"'=|]+(=([^\\s\"'=|]+|\"([^\"]*)\"|'([^']*)'))?|\"([^\"]*)\"|'([^']*)')$"
},
"minItems": 1
},
"command_line": {
"type": "string",
"description": "Specifies the full command line used in executing the process, including the process name (depending on the operating system)."
},
"environment_variables": {
"$ref": "../common/dictionary.json",
"description": "Specifies the list of environment variables associated with the process as a dictionary."
},
"opened_connection_refs": {
"type": "array",
"description": "Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic Objects.",
"items": {
"type": "string"
},
"minItems": 1
},
"creator_user_ref": {
"type": "string",
"description": "Specifies the user that created the process, as a reference to a User Account Object."
},
"binary_ref": {
"type": "string",
"description": "Specifies the executable binary that was executed as the process, as a reference to a File Object."
},
"parent_ref": {
"type": "string",
"description": "Specifies the other process that spawned (i.e. is the parent of) this one, as represented by a Process Object."
},
"child_refs": {
"type": "array",
"description": "Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process Objects.",
"items": {
"type": "string"
},
"minItems": 1
}
}
},
{
"anyOf": [
{
"required": [
"extensions"
]
},
{
"required": [
"is_hidden"
]
},
{
"required": [
"pid"
]
},
{
"required": [
"name"
]
},
{
"required": [
"created"
]
},
{
"required": [
"cwd"
]
},
{
"required": [
"arguments"
]
},
{
"required": [
"command_line"
]
},
{
"required": [
"environment_variables"
]
},
{
"required": [
"opened_connection_refs"
]
},
{
"required": [
"creator_user_ref"
]
},
{
"required": [
"binary_ref"
]
},
{
"required": [
"parent_ref"
]
},
{
"required": [
"child_refs"
]
}
]
}
],
"definitions": {
"process-extensions-dictionary": {
"type": "object",
"patternProperties": {
"^windows-process-ext$": {
"type": "object",
"description": "The Windows Process extension specifies a default extension for capturing properties specific to Windows processes.",
"allOf": [
{
"properties": {
"aslr_enabled": {
"type": "boolean",
"description": "Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process."
},
"dep_enabled": {
"type": "boolean",
"description": "Specifies whether Data Execution Prevention (DEP) is enabled for the process."
},
"priority": {
"type": "string",
"description": "Specifies the current priority class of the process in Windows."
},
"owner_sid": {
"type": "string",
"description": "Specifies the Security ID (SID) value of the owner of the process."
},
"window_title": {
"type": "string",
"description": "Specifies the title of the main window of the process."
},
"startup_info": {
"$ref": "#/definitions/startup-info-dictionary",
"description": "Specifies the STARTUP_INFO struct used by the process, as a dictionary."
}
}
},
{
"anyOf": [
{
"required": [
"aslr_enabled"
]
},
{
"required": [
"dep_enabled"
]
},
{
"required": [
"priority"
]
},
{
"required": [
"owner_sid"
]
},
{
"required": [
"window_title"
]
},
{
"required": [
"startup_info"
]
}
]
}
]
},
"^windows-service-ext$": {
"type": "object",
"description": "The Windows Service extension specifies a default extension for capturing properties specific to Windows services.",
"properties": {
"service_name": {
"type": "string",
"description": "Specifies the name of the service."
},
"descriptions": {
"type": "array",
"description": "Specifies the descriptions defined for the service.",
"items": {
"type": "string"
},
"minItems": 1
},
"display_name": {
"type": "string",
"description": "Specifies the displayed name of the service in Windows GUI controls."
},
"group_name": {
"type": "string",
"description": "Specifies the name of the load ordering group of which the service is a member."
},
"start_type": {
"type": "string",
"description": "Specifies the start options defined for the service (windows-service-start-enum).",
"enum": [
"SERVICE_AUTO_START",
"SERVICE_BOOT_START",
"SERVICE_DEMAND_START",
"SERVICE_DISABLED",
"SERVICE_SYSTEM_ALERT"
]
},
"service_dll_refs": {
"type": "array",
"description": "Specifies the DLLs loaded by the service, as a reference to one or more File Objects.",
"items": {
"type": "string"
},
"minItems": 1
},
"service_type": {
"type": "string",
"description": "Specifies the type of the service (windows-service-enum).",
"enum": [
"SERVICE_KERNEL_DRIVER",
"SERVICE_FILE_SYSTEM_DRIVER",
"SERVICE_WIN32_OWN_PROCESS",
"SERVICE_WIN32_SHARE_PROCESS"
]
},
"service_status": {
"type": "string",
"description": "Specifies the current status of the service (windows-service-status-enum).",
"enum": [
"SERVICE_CONTINUE_PENDING",
"SERVICE_PAUSE_PENDING",
"SERVICE_PAUSED",
"SERVICE_RUNNING",
"SERVICE_START_PENDING",
"SERVICE_STOP_PENDING",
"SERVICE_STOPPED"
]
}
},
"required": [
"service_name"
]
}
},
"additionalProperties": {
"$ref": "../common/dictionary.json",
"description": "Custom process extension"
}
},
"startup-info-dictionary": {
"type": "object",
"patternProperties": {
"^lpDesktop|lpTitle|dwFillAttribute|dwFlags|wShowWindow|hStdInput|hStdOutput|hStdError$": {
"type": "string"
},
"^lpReserved|lpReserved2$": {
"type": "null"
},
"^cb|dwX|dwY|dwXSize|dwYSize|dwXCountChars|dwYCountChars$": {
"type": "integer"
},
"^cbReserved2$": {
"type": "integer",
"minimum": 0,
"maximum": 0
}
},
"additionalProperties": false
}
}
}