EMA Semantic MediaWiki Guide to Form Fields
| FIELD NAME | APPLIES TO | FIELD TYPE | DESCRIPTION |
|---|---|---|---|
| Name | Capabilities, Subcapabilities, Behaviors, Obfuscation Methods, Attributes | Free-form text | The Name field captures the name assigned to the entity and should comprise one or more individual words, all in lowercase, with the exception of acronyms, which may be in uppercase. E.g., “prevent API unhooking”. |
| Description | All | Free-form text | The Description field captures a brief technical description of the entity. Ideally, descriptions should be limited to no more than a few sentences for the sake of brevity, and follow the format of “The ‘x’ Entity Name …” (where ‘x’ refers to the name of the entity being described, and Entity Name is the type of the entity, such as Behavior). E.g., “The 'prevent execution in VM' Behavior prevents the execution of the malware instance in a virtual machine (VM).” |
| Associated Attributes | Capabilities, Subcapabilities, Behaviors, Obfuscation Methods | Selectable hierarchy (w/ check boxes) | The Associated Attributes field captures Attributes that apply to the entity. |
| Associated Capabilities | Subcapabilities | Text w/ autocomplete drop-down list | The Associated Capabilities field captures Capabilities that are associated with the Subcapability, selectable from a drop-down list of existing Capabilities. Multiple Capabilities can be associated with a Subcapability in this manner. |
| Associated Capabilities/Subcapabilities | Behaviors | Selectable hierarchy (w/ check boxes) | The Associated Capabilities/Subcapabilities field captures Capabilities and Subcapabilities that are associated with the Behavior. Multiple selections can be made from a hierarchy view. A Behavior can be associated directly with a Capability or with that Capability’s Subcapabilities, but it should not be associated with both, as associating it with a Subcapability implicitly associates it with the parent Capability of the Subcapability. |
| Aliases | Capabilities, Subcapabilities, Behaviors, Obfuscation Methods | Free-form text | The Alias field captures any known aliases for the entity. Multiple aliases should be separated by commas. E.g., “c2, c^2”. |
| Notes | Capabilities, Subcapabilities, Behaviors, Obfuscation Methods | Free-form text | The Notes field captures any notes about the entity. |
| References | Capabilities, Subcapabilities, Behaviors, Obfuscation Methods | | The Reference field captures a reference associated with the entity and contains three optional subfields: Date, Malware Family, and URL (see below). Multiple references can be captured in separate Reference fields (by clicking “Add New Reference”). |
| Date (subfield of References) | | Free-form text w/ selectable calendar | The Date field corresponds to the date of the reference (not the date the Reference field was added to the wiki). |
| Malware Family (subfield of References) | | Free-form text w/ selectable drop-down list | The Malware Family field captures the name of the malware family associated with the entity. Previously used values are available via a drop-down list for selection or a new value can be created. E.g., “Stuxnet”. |
| URL (subfield of References) | | Free-form text | The URL field captures a URL to an article, webpage, or report that provides some description of the Capability, Subcapability, Behavior, or Obfuscation Method. |
| Type | Attributes | Radio button | The Type field captures the type of the Attribute: ‘Free-Form String’ or ‘Enumerable List.’ |
| Enumerable Values | Attributes | Selectable hierarchy (w/ check boxes) | The Enumerable Values field is available for Attributes of Type ‘Enumerable List’ and captures attribute values that are valid for the Attribute. |
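
The Name, Description, Aliases and Associated Capabilities/Subcapabilities conventions in this guide can be checked mechanically before an entry is saved. The sketch below is an added example, not part of the wiki or its tooling; the record layout, the function names and the sample hierarchy ("VM evasion" under "analysis evasion") are assumptions constructed for illustration.

```python
import re

def split_aliases(field):
    """Aliases are one free-form string, comma-separated (e.g. "c2, c^2")."""
    return [a.strip() for a in field.split(",") if a.strip()]

def check_name(name):
    """Each word must be all lowercase, or all uppercase (treated as an acronym)."""
    words = name.split()
    return bool(words) and all(w in (w.lower(), w.upper()) for w in words)

def check_description(name, entity_type, description):
    """Description should open with: The 'x' Entity Name ... (straight or curly quotes)."""
    pattern = (r"^The ['\u2018]" + re.escape(name) + r"['\u2019] "
               + re.escape(entity_type) + r"\b")
    return re.match(pattern, description) is not None

def redundant_parents(selected, parent_of):
    """Capabilities selected together with one of their own Subcapabilities."""
    chosen = set(selected)
    return sorted({parent_of[s] for s in chosen if parent_of.get(s) in chosen})

def lint_entity(entity, parent_of):
    """Return a list of convention problems for one entity record (hypothetical layout)."""
    problems = []
    if not check_name(entity["name"]):
        problems.append("name: use lowercase words; only acronyms may be uppercase")
    if not check_description(entity["name"], entity["type"], entity["description"]):
        problems.append("description: should start with \"The '<name>' <type> ...\"")
    for cap in redundant_parents(entity.get("associated", []), parent_of):
        problems.append(f"associated: drop '{cap}', already implied by its Subcapability")
    return problems

# Constructed sample data (hypothetical hierarchy, not taken from the wiki).
PARENT_OF = {"VM evasion": "analysis evasion"}
SAMPLE = {
    "type": "Behavior",
    "name": "Prevent execution in VM",  # capitalised first word breaks the Name rule
    "description": "The 'prevent execution in VM' Behavior prevents the execution "
                   "of the malware instance in a virtual machine (VM).",
    "associated": ["analysis evasion", "VM evasion"],  # parent and child both ticked
    "aliases": "c2, c^2",
}

if __name__ == "__main__":
    for problem in lint_entity(SAMPLE, PARENT_OF):
        print(problem)
    print(split_aliases(SAMPLE["aliases"]))
```

An all-uppercase word is accepted as an acronym because the guide gives no list of permitted acronyms, so a fully capitalised ordinary word would pass this check.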