WindowsServiceObjectType (Win Service Object Schema)

The WindowsServiceObjectType type is intended to characterize Windows services.


Fields

Each field is listed as Field Name (cardinality): Type, followed by its description. Attributes are prefixed with @.

@object_reference (optional): QName

The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.

Custom_Properties (0..1): CustomPropertiesType

The Custom_Properties construct is optional and enables the specification of a set of custom Object Properties that may not be defined in existing Properties schemas.

@is_hidden (optional): boolean

The is_hidden field specifies whether the process is hidden or not.

PID (0..1): UnsignedIntegerObjectPropertyType

The PID field specifies the Process ID, or PID, of the process.

Name (0..1): StringObjectPropertyType

The Name field specifies the name of the process.

Creation_Time (0..1): DateTimeObjectPropertyType

The Creation_Time field specifies the local date/time at which the process was created.

Parent_PID (0..1): UnsignedIntegerObjectPropertyType

The Parent_PID field specifies the process ID (PID) of the parent process (i.e. the process that spawned this one), if applicable.

NOTE: this field will be deprecated in the next major version of this object, at which point the parent process of this process should be specified using a Related_Object with the "Child_Of" Relationship value.

Child_PID_List (0..1): ChildPIDListType

The Child_PID_List field specifies any children spawned by the process being characterized, by way of a list of PIDs.

NOTE: this field will be deprecated in the next major version of this object, at which point child processes of this process should be specified using a Related_Object with the "Parent_Of" Relationship value.

Image_Info (0..1): ImageInfoType

The Image_Info field specifies information about the image associated with the process, such as its file name and path.

Argument_List (0..1): ArgumentListType

The Argument_List field is optional and specifies a list of arguments utilized in initiating the process.

Environment_Variable_List (0..1): EnvironmentVariableListType

The Environment_Variable_List field specifies any environment variables associated with the process. This field imports and uses the EnvironmentVariableListType from the CybOX Common Types.

Kernel_Time (0..1): DurationObjectPropertyType

The Kernel_Time field specifies the duration of time that the process has executed in kernel mode.

Port_List (0..1): PortListType

The Port_List field is optional and specifies a list of ports owned by the process.

Network_Connection_List (0..1): NetworkConnectionListType

The Network_Connection_List field specifies information about any network connections opened or initiated by the process.

Start_Time (0..1): DateTimeObjectPropertyType

The Start_Time field specifies the local date/time at which the process was started.

Status (0..1): ProcessStatusType

The Status field specifies the current status of the process. Since this is an operating system specific Object property, this is defined here as an abstract type which is then used as a base type in any OS-specific extensions.

Username (0..1): StringObjectPropertyType

The Username field specifies the name of the user that created the process.

User_Time (0..1): DurationObjectPropertyType

The User_Time field specifies the duration of time that the process has executed in user mode.

Extracted_Features (0..1): ExtractedFeaturesType

A description of features extracted from the memory image of this process.

@aslr_enabled (optional): boolean

The aslr_enabled field specifies whether Address Space Layout Randomization (ASLR) is enabled for the process.

@dep_enabled (optional): boolean

The dep_enabled field specifies whether Data Execution Prevention (DEP) is enabled for the process.

Handle_List (0..1): WindowsHandleListType

The Handle_List field specifies a list of Windows Handles opened or used by the process.

Priority (0..1): StringObjectPropertyType

The Priority field specifies the current priority of the process in Windows.

Section_List (0..1): MemorySectionListType

The Section_List field specifies the memory sections used by the process.

Security_ID (0..1): StringObjectPropertyType

The Security_ID field specifies the Security ID (SID) value assigned to the process.

Startup_Info (0..1): StartupInfoType

The Startup_Info field specifies the STARTUP_INFO struct used by the process.

Security_Type (0..1): SIDType

The Security_Type field specifies the type of Security ID (SID) assigned to the process.

Window_Title (0..1): StringObjectPropertyType

The Window_Title field specifies the title of the main window of the process.

Thread (0..n): WindowsThreadObjectType

The Thread field specifies a single thread created to execute within the virtual address space of the process.

@service_dll_signature_exists (optional): boolean

Indicates whether or not the service DLL is signed.

@service_dll_signature_verified (optional): boolean

Indicates whether or not the service DLL's signature was verified.

Description_List (0..1): ServiceDescriptionListType

A list of description items for this service.

Display_Name (0..1): StringObjectPropertyType

The Display_Name field specifies the displayed name of the service in Windows GUI controls. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683228(v=vs.85).aspx.

Group_Name (0..1): StringObjectPropertyType

The Group_Name field specifies the name of the load ordering group of which this service is a member.

Service_Name (0..1): StringObjectPropertyType

The Service_Name field specifies the name of the service. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683229(v=vs.85).aspx.

Service_DLL (0..1): StringObjectPropertyType

The Service_DLL field specifies the name of the DLL instantiated in the service.

Service_DLL_Certificate_Issuer (0..1): StringObjectPropertyType

The Certificate Authority (CA) that issued the certificate used to sign the service DLL.

Service_DLL_Certificate_Subject (0..1): StringObjectPropertyType

The subject of the certificate (the entity being authenticated).

Service_DLL_Hashes (0..1): HashListType

Hashes for the Service DLL file.

Service_DLL_Signature_Description (0..1): StringObjectPropertyType

The Service_DLL_Signature_Description field provides a description of the digital signature for the service DLL.

Startup_Command_Line (0..1): StringObjectPropertyType

The Startup_Command_Line field specifies the full command line used to start the service.

Startup_Type (0..1): ServiceModeType

Service start options. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450(v=vs.85).aspx.

Service_Status (0..1): ServiceStatusType

Status information for a service. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685996(v=vs.85).aspx.

Service_Type (0..1): ServiceType

The Service_Type field specifies the type of the service.

Started_As (0..1): StringObjectPropertyType

The Started_As field specifies the name of the account under which the service was started.
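The following is an added example, not part of the CybOX documentation or schema: a small Python parser that reads a WinServiceObject instance carrying the service fields listed above (Service_Name, Service_DLL, Service_DLL_Hashes, the service_dll_signature_* attributes, Started_As) and applies a defender-side triage check to the service DLL. The namespace URIs (WinServiceObject-2, cybox-2, common-2) follow CybOX 2.x conventions and are assumptions here, and the sample document is constructed so that the script runs offline.

```python
"""Parse a CybOX 2.x WinServiceObject instance and triage its service DLL.

Added example, not CybOX project code. Namespace URIs and the sample
document are assumptions modelled on CybOX 2.x conventions.
"""
import xml.etree.ElementTree as ET

# Assumed CybOX 2.x namespaces (core, common types, WinServiceObject-2).
NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "WinServiceObj": "http://cybox.mitre.org/objects#WinServiceObject-2",
}

# Constructed sample: one service whose DLL is signed but did not verify.
# The hash value is a placeholder, not a real file hash.
SAMPLE_XML = """<cybox:Properties
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:WinServiceObj="http://cybox.mitre.org/objects#WinServiceObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="WinServiceObj:WindowsServiceObjectType"
    service_dll_signature_exists="true"
    service_dll_signature_verified="false">
  <WinServiceObj:Display_Name>Example Update Service</WinServiceObj:Display_Name>
  <WinServiceObj:Service_Name>ExampleUpdSvc</WinServiceObj:Service_Name>
  <WinServiceObj:Service_DLL>C:\\Windows\\System32\\exampleupd.dll</WinServiceObj:Service_DLL>
  <WinServiceObj:Service_DLL_Certificate_Issuer>Example CA</WinServiceObj:Service_DLL_Certificate_Issuer>
  <WinServiceObj:Service_DLL_Hashes>
    <cyboxCommon:Hash>
      <cyboxCommon:Type>SHA256</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>0000000000000000000000000000000000000000000000000000000000000000</cyboxCommon:Simple_Hash_Value>
    </cyboxCommon:Hash>
  </WinServiceObj:Service_DLL_Hashes>
  <WinServiceObj:Startup_Command_Line>C:\\Windows\\System32\\svchost.exe -k netsvcs</WinServiceObj:Startup_Command_Line>
  <WinServiceObj:Startup_Type>SERVICE_AUTO_START</WinServiceObj:Startup_Type>
  <WinServiceObj:Service_Status>SERVICE_RUNNING</WinServiceObj:Service_Status>
  <WinServiceObj:Service_Type>SERVICE_WIN32_SHARE_PROCESS</WinServiceObj:Service_Type>
  <WinServiceObj:Started_As>LocalSystem</WinServiceObj:Started_As>
</cybox:Properties>
"""

TEXT_FIELDS = (
    "Display_Name", "Service_Name", "Service_DLL",
    "Service_DLL_Certificate_Issuer", "Service_DLL_Certificate_Subject",
    "Startup_Command_Line", "Startup_Type", "Service_Status",
    "Service_Type", "Started_As",
)


def _text(props, local_name):
    """Text of a WinServiceObj child element, or None when the element is absent."""
    el = props.find("WinServiceObj:%s" % local_name, NS)
    return el.text.strip() if el is not None and el.text else None


def _bool_attr(props, name):
    """Map an optional xsd:boolean attribute to True, False or None (absent)."""
    val = props.get(name)
    if val is None:
        return None
    return val.strip().lower() in ("true", "1")


def parse_win_service(xml_text):
    """Extract the documented service fields from a Properties element into a dict."""
    root = ET.fromstring(xml_text)
    # Accept either a bare cybox:Properties root or one nested in a larger document.
    props = root if root.tag == "{%s}Properties" % NS["cybox"] else root.find(".//cybox:Properties", NS)
    if props is None:
        raise ValueError("no cybox:Properties element found")
    svc = {
        "service_dll_signature_exists": _bool_attr(props, "service_dll_signature_exists"),
        "service_dll_signature_verified": _bool_attr(props, "service_dll_signature_verified"),
    }
    for name in TEXT_FIELDS:
        svc[name] = _text(props, name)
    # Service_DLL_Hashes is a HashListType: one cyboxCommon:Hash per algorithm.
    hashes = {}
    for h in props.findall("WinServiceObj:Service_DLL_Hashes/cyboxCommon:Hash", NS):
        htype = h.findtext("cyboxCommon:Type", default="", namespaces=NS).strip()
        hval = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS).strip()
        if htype and hval:
            hashes[htype.upper()] = hval.lower()
    svc["Service_DLL_Hashes"] = hashes
    return svc


def review_service_dll(svc):
    """Defender-side triage: reasons the service DLL cannot be tied to a trusted publisher.

    Uses only the documented fields: an unsigned DLL, a signature that failed
    verification, or a DLL with no recorded hashes should be checked against
    an allow-list before the service is trusted; running as LocalSystem raises
    the impact of any such gap.
    """
    findings = []
    if svc["Service_DLL"] is None:
        return findings
    if svc["service_dll_signature_exists"] is False:
        findings.append("service DLL is unsigned")
    elif svc["service_dll_signature_verified"] is False:
        findings.append("service DLL signature failed verification")
    if not svc["Service_DLL_Hashes"]:
        findings.append("no hashes recorded for the service DLL")
    if findings and svc["Started_As"] == "LocalSystem":
        findings.append("service runs as LocalSystem")
    return findings


if __name__ == "__main__":
    parsed = parse_win_service(SAMPLE_XML)
    for finding in review_service_dll(parsed):
        print(parsed["Service_Name"], "-", finding)
```

The parser deliberately tolerates missing optional fields (every element in the schema is 0..1 and the attributes are optional), so `review_service_dll` distinguishes "attribute absent" (None) from "attribute false" and only raises a finding when the document actually asserts a negative.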