stix_schema_spy 1.0 → 1.1

data/config/1.1.1/stix/cybox/objects/Win_Network_Share_Object.xsd

@@ -0,0 +1,205 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinNetworkShareObj="http://cybox.mitre.org/objects#WinNetworkShareObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" targetNamespace="http://cybox.mitre.org/objects#WinNetworkShareObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.</xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Network_Share_Object</schema>
+			<version>2.1</version>
+			<date>01/22/2014</date>			
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:element name="Windows_Network_Share" type="WinNetworkShareObj:WindowsNetworkShareObjectType">
+		<xs:annotation>
+			<xs:documentation>he Windows_Network_Share object is intended to characterize Windows network shares.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsNetworkShareObjectType" mixed="false">
+		<xs:annotation>
+			<xs:documentation>The WindowsNetworkShareObjectType type is intended to characterize Windows network shares.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="cyboxCommon:ObjectPropertiesType">
+				<xs:sequence>
+					<xs:element name="Current_Uses" type="cyboxCommon:NonNegativeIntegerObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Current_Uses field specifies the current number of uses of the network share.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Local_Path" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Local_Path field specifies the fully-qualified path on the local system to the network share.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Max_Uses" type="cyboxCommon:NonNegativeIntegerObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Max_Uses field specifies the maximum number of concurrent connections to the network share.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Netname" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Netname field specifies the network name of the network share.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Type" type="WinNetworkShareObj:SharedResourceType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Type field specifies the type of the network share.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+				<xs:attributeGroup ref="WinNetworkShareObj:AccessPermissionsGroup"/>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<xs:complexType name="SharedResourceType">
+		<xs:annotation>
+			<xs:documentation>SharedResourceType specifies Windows shared resource types via a union of the SharedResourceTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.</xs:documentation>
+		</xs:annotation>
+		<xs:simpleContent>
+			<xs:restriction base="cyboxCommon:BaseObjectPropertyType">
+				<xs:simpleType>
+					<xs:union memberTypes="WinNetworkShareObj:SharedResourceTypeEnum xs:string"/>
+				</xs:simpleType>
+				<xs:attribute name="datatype" type="cyboxCommon:DatatypeEnum" fixed="string">
+					<xs:annotation>
+						<xs:documentation>This attribute is optional and specifies the expected type for the value of the specified property.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+			</xs:restriction>
+		</xs:simpleContent>
+	</xs:complexType>
+	<xs:simpleType name="SharedResourceTypeEnum">
+		<xs:annotation>
+			<xs:documentation>The SharedResourceTypeEnum type is an enumeration of Windows that specifies shared resource types for shared devices. These can be checked via the NetShareCheck function. See http://msdn.microsoft.com/en-us/library/windows/desktop/bb525385(v=vs.85).aspx for more information.</xs:documentation>
+		</xs:annotation>
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="STYPE_DISKTREE">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a disk drive.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_DISKTREE_SPECIAL">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a disk drive with special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_DISKTREE_TEMPORARY">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a disk drive and serves as a temporary share.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_DISKTREE_SPECIAL_TEMPORARY">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a disk drive with special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$) and serves a temporary share. Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_PRINTQ">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a print queue.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_PRINTQ_SPECIAL">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a disk drive with special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_PRINTQ_TEMPORARY">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a print queue and serves as a temporary share.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_PRINTQ_SPECIAL_TEMPORARY">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a print queue with special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$) and serves a temporary share. Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_DEVICE">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a communications device.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_DEVICE_SPECIAL">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a communications device with special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_DEVICE_TEMPORARY">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a communications device and serves as a temporary share.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_DEVICE_SPECIAL_TEMPORARY">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is a communications device with special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$) and serves a temporary share. Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_IPC">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is an Interprocess Communication (IPC) device.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_IPC_SPECIAL">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is an Interprocess Communication (IPC) device with special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_IPC_TEMPORARY">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is an Interprocess Communication (IPC) device and serves as a temporary share.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="STYPE_IPC_SPECIAL_TEMPORARY">
+				<xs:annotation>
+					<xs:documentation>Specifies that the shared device is an Interprocess Communication (IPC) device with special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$) and serves a temporary share. Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:attributeGroup name="AccessPermissionsGroup">
+		<xs:annotation>
+			<xs:documentation>The accesspermissions group specifies the various permissions for Windows network shares.</xs:documentation>
+		</xs:annotation>
+		<xs:attribute name="ACCESS_READ" type="xs:boolean">
+			<xs:annotation>
+				<xs:documentation>The ACCESS_READ field specifies the permission to read data from a resource and, by default, to execute the resource.</xs:documentation>
+			</xs:annotation>
+		</xs:attribute>
+		<xs:attribute name="ACCESS_WRITE" type="xs:boolean">
+			<xs:annotation>
+				<xs:documentation>The ACCESS_WRITE field specifies the permission to write data to the resource.</xs:documentation>
+			</xs:annotation>
+		</xs:attribute>
+		<xs:attribute name="ACCESS_CREATE" type="xs:boolean">
+			<xs:annotation>
+				<xs:documentation>The ACCESS_CREATE field specifies the permission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created.</xs:documentation>
+			</xs:annotation>
+		</xs:attribute>
+		<xs:attribute name="ACCESS_EXEC" type="xs:boolean">
+			<xs:annotation>
+				<xs:documentation>The ACCESS_EXEC field specifies the permission to execute the resource.</xs:documentation>
+			</xs:annotation>
+		</xs:attribute>
+		<xs:attribute name="ACCESS_DELETE" type="xs:boolean">
+			<xs:annotation>
+				<xs:documentation>The ACCESS_DELETE field specifies the permission to delete the resource.</xs:documentation>
+			</xs:annotation>
+		</xs:attribute>
+		<xs:attribute name="ACCESS_ATRIB" type="xs:boolean">
+			<xs:annotation>
+				<xs:documentation>The ACCESS_ATRIB field specifies the permission to modify the resource's attributes (such as the date and time when a file was last modified).</xs:documentation>
+			</xs:annotation>
+		</xs:attribute>
+		<xs:attribute name="ACCESS_PERM" type="xs:boolean">
+			<xs:annotation>
+				<xs:documentation>The ACCESS_PERM field specifies the permission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application.</xs:documentation>
+			</xs:annotation>
+		</xs:attribute>
+		<xs:attribute name="ACCESS_ALL" type="xs:boolean">
+			<xs:annotation>
+				<xs:documentation>The ACCESS_ALL field specifies the permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.</xs:documentation>
+			</xs:annotation>
+		</xs:attribute>
+	</xs:attributeGroup>
+</xs:schema>

data/config/1.1.1/stix/cybox/objects/Win_Pipe_Object.xsd

@@ -0,0 +1,73 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinPipeObj="http://cybox.mitre.org/objects#WinPipeObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:WinHandleObj="http://cybox.mitre.org/objects#WinHandleObject-2" xmlns:PipeObj="http://cybox.mitre.org/objects#PipeObject-2" targetNamespace="http://cybox.mitre.org/objects#WinPipeObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.</xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Pipe_Object</schema>
+			<version>2.1</version>
+			<date>01/22/2014</date>			
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinHandleObject-2" schemaLocation="Win_Handle_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#PipeObject-2" schemaLocation="Pipe_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+
+	<xs:element name="Windows_Pipe" type="WinPipeObj:WindowsPipeObjectType">
+		<xs:annotation>
+			<xs:documentation>Windows_Pipe object characterizes windows pipes. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365590(v=vs.85).aspx.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsPipeObjectType" mixed="false">
+		<xs:annotation>
+			<xs:documentation>The WindowsPipeObjectType type is intended to characterize Windows pipes.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent mixed="false">
+			<xs:extension base="PipeObj:PipeObjectType">
+				<xs:sequence>
+					<xs:element minOccurs="0" name="Default_Time_Out" type="cyboxCommon:NonNegativeIntegerObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Default_Time_Out field specifies the default time-out value for the pipe, in milliseconds.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Handle" minOccurs="0" type="WinHandleObj:WindowsHandleObjectType">
+						<xs:annotation>
+							<xs:documentation>The Handle field specifies the open Windows handle to the pipe. It imports and uses the WindowsHandleObjectType from the CybOX Windows Handle Object.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="In_Buffer_Size" type="cyboxCommon:NonNegativeIntegerObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The In_Buffer_Size field specifies the number of bytes to reserve for the input buffer of the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Max_Instances" type="cyboxCommon:NonNegativeIntegerObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Max_Instances field specifies the maximum number of instances that can be created for this pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Open_Mode" type="cyboxCommon:HexBinaryObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Open_Mode field specifies the open mode used for the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Out_Buffer_Size" type="cyboxCommon:NonNegativeIntegerObjectPropertyType" form="qualified">
+						<xs:annotation>
+							<xs:documentation>The Out_Buffer_Size field specifies the number of bytes to reserve for the output buffer of the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Pipe_Mode" type="cyboxCommon:HexBinaryObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Pipe_Mode field specifies the mode used for the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Security_Attributes" type="cyboxCommon:StringObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Security_Attributes field specifies the Windows security attributes for the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+</xs:schema>

data/config/1.1.1/stix/cybox/objects/Win_Prefetch_Object.xsd

@@ -0,0 +1,113 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinPrefetchObj="http://cybox.mitre.org/objects#WinPrefetchObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:DeviceObj="http://cybox.mitre.org/objects#DeviceObject-2" xmlns:WinVolumeObj="http://cybox.mitre.org/objects#WinVolumeObject-2" targetNamespace="http://cybox.mitre.org/objects#WinPrefetchObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.</xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Prefetch_Object</schema>
+			<version>2.1</version>
+			<date>01/22/2014</date>			
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinVolumeObject-2" schemaLocation="Win_Volume_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#DeviceObject-2" schemaLocation="Device_Object.xsd"/>
+	<xs:element name="Windows_Prefetch_Entry" type="WinPrefetchObj:WindowsPrefetchObjectType">
+		<xs:annotation>
+			<xs:documentation>The Windows_Prefetch_Entry object is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsPrefetchObjectType">
+		<xs:annotation>
+			<xs:documentation>The WindowsPrefetchObjectType type is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="cyboxCommon:ObjectPropertiesType">
+				<xs:sequence>
+					<xs:element name="Application_File_Name" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Name of the executable of the prefetch file.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Prefetch_Hash" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>An eight character hash of the location from which the application was run.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Times_Executed" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The number of times the prefetch application has executed.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="First_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Timestamp of when the prefetch application was first run.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Last_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Timestamp of when the prefetch application was last run.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Volume" type="WinPrefetchObj:VolumeType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The volume from which the prefetch application was run. If the applicatin was run from multiple volumes, there will be a separate prefetch file for each.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Accessed_File_List" type="WinPrefetchObj:AccessedFileListType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Files (e.g., DLLs and other support files) used by the application during startup.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Accessed_Directory_List" type="WinPrefetchObj:AccessedDirectoryListType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Directories accessed by the prefetch application during startup.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<xs:complexType name="AccessedFileListType">
+		<xs:annotation>
+			<xs:documentation>The AccessedFileListType specifies a list of files accessed by a prefetch application.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Accessed_Filename" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>Specifies the filename of the accessed file.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="AccessedDirectoryListType">
+		<xs:annotation>
+			<xs:documentation>The AccessedDirectoryListType specifies a list of directories accessed by a prefetch application.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Accessed_Directory" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>Specifies the pathname of the accessed directory.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="VolumeType">
+		<xs:annotation>
+			<xs:documentation>VolumeType characterizes the volume information in the Windows prefetch file.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="VolumeItem" type="WinVolumeObj:WindowsVolumeObjectType" minOccurs="0" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>The volume that the prefetch application was run from. The only item in the prefecth file is the volume name.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="DeviceItem" type="DeviceObj:DeviceObjectType" minOccurs="0" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+</xs:schema>

data/config/1.1.1/stix/cybox/objects/Win_Process_Object.xsd

@@ -0,0 +1,174 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinProcessObj="http://cybox.mitre.org/objects#WinProcessObject-2" xmlns:WinThreadObj="http://cybox.mitre.org/objects#WinThreadObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:MemoryObj="http://cybox.mitre.org/objects#MemoryObject-2" xmlns:WinHandleObj="http://cybox.mitre.org/objects#WinHandleObject-2" xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2" targetNamespace="http://cybox.mitre.org/objects#WinProcessObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.</xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Process_Object</schema>
+			<version>2.1</version>
+			<date>01/22/2014</date>			
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinHandleObject-2" schemaLocation="Win_Handle_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#MemoryObject-2" schemaLocation="Memory_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#ProcessObject-2" schemaLocation="Process_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinThreadObject-2" schemaLocation="Win_Thread_Object.xsd"/>
+	<xs:element name="Windows_Process" type="WinProcessObj:WindowsProcessObjectType">
+
+		<xs:annotation>
+			<xs:documentation>Windows_Process object is intended to characterize Windows processes.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsProcessObjectType" mixed="false">
+		<xs:annotation>
+			<xs:documentation>The WindowsProcessObjectType type is intended to characterize Windows processes.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="ProcessObj:ProcessObjectType">
+				<xs:sequence>
+					<xs:element name="Handle_List" type="WinHandleObj:WindowsHandleListType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Handle_List field specifies a list of Windows Handles opened or used by the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Priority" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Priority field specifies the current priority of the process in Windows.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Section_List" type="WinProcessObj:MemorySectionListType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Section_List field specifies the memory sections used by the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Security_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Security_ID field specifies the Security ID (SID) value assigned to the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Startup_Info" type="WinProcessObj:StartupInfoType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Startup_Info field specifies the STARTUP_INFO struct used by the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Security_Type" type="cyboxCommon:SIDType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Security_Type field specifies the type of Security ID (SID) assigned to the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Window_Title" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Window_Title field specifies the title of the main window of the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Thread" maxOccurs="unbounded" minOccurs="0" type="WinThreadObj:WindowsThreadObjectType">
+						<xs:annotation>
+							<xs:documentation>The Thread field specifies a single thread created to execute within the virtual address space of the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+				<xs:attribute name="aslr_enabled" type="xs:boolean">
+					<xs:annotation>
+						<xs:documentation>The aslr_enabled field specifies whether Address Space Layout Randomization (ASLR) is enabled for the process.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+				<xs:attribute name="dep_enabled" type="xs:boolean">
+					<xs:annotation>
+						<xs:documentation>The dep_enabled field specifies whether Data Execution Prevention (DEP) is enabled for the process.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<xs:complexType name="MemorySectionListType">
+		<xs:annotation>
+			<xs:documentation>The MemorySectionListType type specifies a list of memory sections used by the process.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Memory_Section" type="MemoryObj:MemoryObjectType" minOccurs="1" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>The Memory_Section field specifies a memory section used by the process. It imports and uses the MemoryObjectType from the CybOX Memory Object.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="StartupInfoType">
+		<xs:annotation>
+			<xs:documentation>The StartupInfoType type encapsulates the information contained in the STARTUPINFO struct for the process.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="lpDesktop" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The lpDesktop field specifies the name of the desktop, or the name of both the desktop and window station for this process.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="lpTitle" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The lpTitle field specifies the title displayed in the title bar if a new console window is created.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwX" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwX field specifies the x offset of the upper left corner of a window if a new window is created, in pixels.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwY" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwY field specifies the y offset of the upper left corner of a window if a new window is created, in pixels.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwXSize" type="cyboxCommon:PositiveIntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwXSize field specifies the width of the window if a new window is created, in pixels.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwYSize" type="cyboxCommon:PositiveIntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwYSize field specifies the height of the window if a new window is created, in pixels.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwXCountChars" type="cyboxCommon:PositiveIntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwXCountChars field specifies the screen buffer width, in character columns.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwYCountChars" type="cyboxCommon:PositiveIntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwYCountChars field specifies the screen buffer height, in character rows.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwFillAttribute" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwFillAttribute field specifies the initial text and background colors if a new console window is created in a console application.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwFlags" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwFlags field specifies a bitfield that determines whether certain STARTUPINFO members are used when the process creates a window.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="wShowWindow" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The wShowWindow field specifies STARTF_USESHOWWINDOW, this member can be any of the values that can be specified in the nCmdShow parameter for the ShowWindow function, except for SW_SHOWDEFAULT.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="hStdInput" type="WinHandleObj:WindowsHandleObjectType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The hStdInput field specifies the standard input handle for the process.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="hStdOutput" type="WinHandleObj:WindowsHandleObjectType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The hStdOutput field specifies the standard output handle for the process.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="hStdError" type="WinHandleObj:WindowsHandleObjectType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The hStdError field specifies the standard error handle for the process.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+</xs:schema>