stix_schema_spy 1.0

data/config/1.1/stix/cybox/objects/Win_Pipe_Object.xsd

@@ -0,0 +1,73 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinPipeObj="http://cybox.mitre.org/objects#WinPipeObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:WinHandleObj="http://cybox.mitre.org/objects#WinHandleObject-2" xmlns:PipeObj="http://cybox.mitre.org/objects#PipeObject-2" targetNamespace="http://cybox.mitre.org/objects#WinPipeObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.</xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Pipe_Object</schema>
+			<version>2.1</version>
+			<date>01/22/2014</date>			
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinHandleObject-2" schemaLocation="Win_Handle_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#PipeObject-2" schemaLocation="Pipe_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+
+	<xs:element name="Windows_Pipe" type="WinPipeObj:WindowsPipeObjectType">
+		<xs:annotation>
+			<xs:documentation>Windows_Pipe object characterizes windows pipes. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365590(v=vs.85).aspx.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsPipeObjectType" mixed="false">
+		<xs:annotation>
+			<xs:documentation>The WindowsPipeObjectType type is intended to characterize Windows pipes.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent mixed="false">
+			<xs:extension base="PipeObj:PipeObjectType">
+				<xs:sequence>
+					<xs:element minOccurs="0" name="Default_Time_Out" type="cyboxCommon:NonNegativeIntegerObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Default_Time_Out field specifies the default time-out value for the pipe, in milliseconds.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Handle" minOccurs="0" type="WinHandleObj:WindowsHandleObjectType">
+						<xs:annotation>
+							<xs:documentation>The Handle field specifies the open Windows handle to the pipe. It imports and uses the WindowsHandleObjectType from the CybOX Windows Handle Object.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="In_Buffer_Size" type="cyboxCommon:NonNegativeIntegerObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The In_Buffer_Size field specifies the number of bytes to reserve for the input buffer of the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Max_Instances" type="cyboxCommon:NonNegativeIntegerObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Max_Instances field specifies the maximum number of instances that can be created for this pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Open_Mode" type="cyboxCommon:HexBinaryObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Open_Mode field specifies the open mode used for the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Out_Buffer_Size" type="cyboxCommon:NonNegativeIntegerObjectPropertyType" form="qualified">
+						<xs:annotation>
+							<xs:documentation>The Out_Buffer_Size field specifies the number of bytes to reserve for the output buffer of the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Pipe_Mode" type="cyboxCommon:HexBinaryObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Pipe_Mode field specifies the mode used for the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element minOccurs="0" name="Security_Attributes" type="cyboxCommon:StringObjectPropertyType">
+						<xs:annotation>
+							<xs:documentation>The Security_Attributes field specifies the Windows security attributes for the pipe.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+</xs:schema>

data/config/1.1/stix/cybox/objects/Win_Prefetch_Object.xsd

@@ -0,0 +1,113 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinPrefetchObj="http://cybox.mitre.org/objects#WinPrefetchObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:DeviceObj="http://cybox.mitre.org/objects#DeviceObject-2" xmlns:WinVolumeObj="http://cybox.mitre.org/objects#WinVolumeObject-2" targetNamespace="http://cybox.mitre.org/objects#WinPrefetchObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.</xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Prefetch_Object</schema>
+			<version>2.1</version>
+			<date>01/22/2014</date>			
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinVolumeObject-2" schemaLocation="Win_Volume_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#DeviceObject-2" schemaLocation="Device_Object.xsd"/>
+	<xs:element name="Windows_Prefetch_Entry" type="WinPrefetchObj:WindowsPrefetchObjectType">
+		<xs:annotation>
+			<xs:documentation>The Windows_Prefetch_Entry object is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsPrefetchObjectType">
+		<xs:annotation>
+			<xs:documentation>The WindowsPrefetchObjectType type is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="cyboxCommon:ObjectPropertiesType">
+				<xs:sequence>
+					<xs:element name="Application_File_Name" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Name of the executable of the prefetch file.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Prefetch_Hash" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>An eight character hash of the location from which the application was run.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Times_Executed" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The number of times the prefetch application has executed.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="First_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Timestamp of when the prefetch application was first run.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Last_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Timestamp of when the prefetch application was last run.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Volume" type="WinPrefetchObj:VolumeType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The volume from which the prefetch application was run. If the applicatin was run from multiple volumes, there will be a separate prefetch file for each.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Accessed_File_List" type="WinPrefetchObj:AccessedFileListType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Files (e.g., DLLs and other support files) used by the application during startup.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Accessed_Directory_List" type="WinPrefetchObj:AccessedDirectoryListType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>Directories accessed by the prefetch application during startup.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<xs:complexType name="AccessedFileListType">
+		<xs:annotation>
+			<xs:documentation>The AccessedFileListType specifies a list of files accessed by a prefetch application.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Accessed_Filename" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>Specifies the filename of the accessed file.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="AccessedDirectoryListType">
+		<xs:annotation>
+			<xs:documentation>The AccessedDirectoryListType specifies a list of directories accessed by a prefetch application.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Accessed_Directory" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>Specifies the pathname of the accessed directory.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="VolumeType">
+		<xs:annotation>
+			<xs:documentation>VolumeType characterizes the volume information in the Windows prefetch file.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="VolumeItem" type="WinVolumeObj:WindowsVolumeObjectType" minOccurs="0" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>The volume that the prefetch application was run from. The only item in the prefecth file is the volume name.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="DeviceItem" type="DeviceObj:DeviceObjectType" minOccurs="0" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+</xs:schema>

data/config/1.1/stix/cybox/objects/Win_Process_Object.xsd

@@ -0,0 +1,174 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinProcessObj="http://cybox.mitre.org/objects#WinProcessObject-2" xmlns:WinThreadObj="http://cybox.mitre.org/objects#WinThreadObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:MemoryObj="http://cybox.mitre.org/objects#MemoryObject-2" xmlns:WinHandleObj="http://cybox.mitre.org/objects#WinHandleObject-2" xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2" targetNamespace="http://cybox.mitre.org/objects#WinProcessObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.</xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Process_Object</schema>
+			<version>2.1</version>
+			<date>01/22/2014</date>			
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinHandleObject-2" schemaLocation="Win_Handle_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#MemoryObject-2" schemaLocation="Memory_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#ProcessObject-2" schemaLocation="Process_Object.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinThreadObject-2" schemaLocation="Win_Thread_Object.xsd"/>
+	<xs:element name="Windows_Process" type="WinProcessObj:WindowsProcessObjectType">
+
+		<xs:annotation>
+			<xs:documentation>Windows_Process object is intended to characterize Windows processes.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsProcessObjectType" mixed="false">
+		<xs:annotation>
+			<xs:documentation>The WindowsProcessObjectType type is intended to characterize Windows processes.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="ProcessObj:ProcessObjectType">
+				<xs:sequence>
+					<xs:element name="Handle_List" type="WinHandleObj:WindowsHandleListType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Handle_List field specifies a list of Windows Handles opened or used by the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Priority" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Priority field specifies the current priority of the process in Windows.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Section_List" type="WinProcessObj:MemorySectionListType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Section_List field specifies the memory sections used by the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Security_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Security_ID field specifies the Security ID (SID) value assigned to the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Startup_Info" type="WinProcessObj:StartupInfoType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Startup_Info field specifies the STARTUP_INFO struct used by the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Security_Type" type="cyboxCommon:SIDType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Security_Type field specifies the type of Security ID (SID) assigned to the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Window_Title" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Window_Title field specifies the title of the main window of the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Thread" maxOccurs="unbounded" minOccurs="0" type="WinThreadObj:WindowsThreadObjectType">
+						<xs:annotation>
+							<xs:documentation>The Thread field specifies a single thread created to execute within the virtual address space of the process.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+				<xs:attribute name="aslr_enabled" type="xs:boolean">
+					<xs:annotation>
+						<xs:documentation>The aslr_enabled field specifies whether Address Space Layout Randomization (ASLR) is enabled for the process.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+				<xs:attribute name="dep_enabled" type="xs:boolean">
+					<xs:annotation>
+						<xs:documentation>The dep_enabled field specifies whether Data Execution Prevention (DEP) is enabled for the process.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<xs:complexType name="MemorySectionListType">
+		<xs:annotation>
+			<xs:documentation>The MemorySectionListType type specifies a list of memory sections used by the process.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Memory_Section" type="MemoryObj:MemoryObjectType" minOccurs="1" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>The Memory_Section field specifies a memory section used by the process. It imports and uses the MemoryObjectType from the CybOX Memory Object.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="StartupInfoType">
+		<xs:annotation>
+			<xs:documentation>The StartupInfoType type encapsulates the information contained in the STARTUPINFO struct for the process.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="lpDesktop" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The lpDesktop field specifies the name of the desktop, or the name of both the desktop and window station for this process.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="lpTitle" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The lpTitle field specifies the title displayed in the title bar if a new console window is created.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwX" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwX field specifies the x offset of the upper left corner of a window if a new window is created, in pixels.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwY" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwY field specifies the y offset of the upper left corner of a window if a new window is created, in pixels.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwXSize" type="cyboxCommon:PositiveIntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwXSize field specifies the width of the window if a new window is created, in pixels.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwYSize" type="cyboxCommon:PositiveIntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwYSize field specifies the height of the window if a new window is created, in pixels.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwXCountChars" type="cyboxCommon:PositiveIntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwXCountChars field specifies the screen buffer width, in character columns.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwYCountChars" type="cyboxCommon:PositiveIntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwYCountChars field specifies the screen buffer height, in character rows.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwFillAttribute" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwFillAttribute field specifies the initial text and background colors if a new console window is created in a console application.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="dwFlags" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The dwFlags field specifies a bitfield that determines whether certain STARTUPINFO members are used when the process creates a window.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="wShowWindow" type="cyboxCommon:IntegerObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The wShowWindow field specifies STARTF_USESHOWWINDOW, this member can be any of the values that can be specified in the nCmdShow parameter for the ShowWindow function, except for SW_SHOWDEFAULT.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="hStdInput" type="WinHandleObj:WindowsHandleObjectType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The hStdInput field specifies the standard input handle for the process.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="hStdOutput" type="WinHandleObj:WindowsHandleObjectType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The hStdOutput field specifies the standard output handle for the process.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="hStdError" type="WinHandleObj:WindowsHandleObjectType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The hStdError field specifies the standard error handle for the process.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+</xs:schema>

data/config/1.1/stix/cybox/objects/Win_Registry_Key_Object.xsd

@@ -0,0 +1,290 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinRegistryKeyObj="http://cybox.mitre.org/objects#WinRegistryKeyObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:WinHandleObj="http://cybox.mitre.org/objects#WinHandleObject-2" targetNamespace="http://cybox.mitre.org/objects#WinRegistryKeyObject-2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.1">
+	<xs:annotation>
+		<xs:documentation>This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.</xs:documentation>
+		<xs:appinfo>
+			<schema>Win_Registry_Key_Object</schema>
+			<version>2.1</version>
+			<date>01/22/2014</date>			
+			<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
+			<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
+		</xs:appinfo>
+	</xs:annotation>
+	<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="../cybox_common.xsd"/>
+	<xs:import namespace="http://cybox.mitre.org/objects#WinHandleObject-2" schemaLocation="Win_Handle_Object.xsd"/>
+	<xs:element name="Windows_Registry_Key" type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
+		<xs:annotation>
+			<xs:documentation>Windows_Registry_Key object characterizes windows registry objects, including Keys and Key/Value pairs. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx.</xs:documentation>
+		</xs:annotation>
+	</xs:element>
+	<xs:complexType name="WindowsRegistryKeyObjectType" mixed="false">
+		<xs:annotation>
+			<xs:documentation>The WindowsRegistryObjectType type is intended to characterize Windows registry objects, including Keys and Key/Value pairs.</xs:documentation>
+		</xs:annotation>
+		<xs:complexContent>
+			<xs:extension base="cyboxCommon:ObjectPropertiesType">
+				<xs:sequence>
+					<xs:element name="Key" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Key field specifies the full key to the Windows registry object, not including the hive.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Hive" type="WinRegistryKeyObj:RegistryHiveType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Hive field specifies the Windows registry hive to which the registry object belongs to.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Number_Values" type="cyboxCommon:UnsignedIntegerObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Number_Values field specifies the number of values found in the registry key.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Values" type="WinRegistryKeyObj:RegistryValuesType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Values field specifies the values (with their name/data pairs) held within the registry key.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Modified_Time" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Modified_Time field specifies the last date/time that the registry object was modified.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Creator_Username" type="cyboxCommon:StringObjectPropertyType" minOccurs="0" maxOccurs="1">
+						<xs:annotation>
+							<xs:documentation>The Creator_Username field specifies the name of the user who created the registry object.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Handle_List" type="WinHandleObj:WindowsHandleListType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Handle_List field specifies a list of open Handles for this registry object.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Number_Subkeys" type="cyboxCommon:UnsignedIntegerObjectPropertyType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Number_Subkeys field specifies the number of subkeys contained under the registry key.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Subkeys" type="WinRegistryKeyObj:RegistrySubkeysType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Subkeys field specifies the set of subkeys contained under the registry key.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+					<xs:element name="Byte_Runs" type="cyboxCommon:ByteRunsType" minOccurs="0">
+						<xs:annotation>
+							<xs:documentation>The Byte_Runs field contains a list of byte runs from the raw registry.</xs:documentation>
+						</xs:annotation>
+					</xs:element>
+				</xs:sequence>
+			</xs:extension>
+		</xs:complexContent>
+	</xs:complexType>
+	<xs:complexType name="RegistryValueType">
+		<xs:annotation>
+			<xs:documentation>The RegistryValueType type is intended to characterize Windows registry Value name/data pairs.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Name" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The Name field specifies the name of the registry value. For specifying the default value in a registry key, an empty string should be used. </xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Data" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The Data field specifies the data contained in the registry value.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Datatype" type="WinRegistryKeyObj:RegistryDatatypeType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The Datatype field specifies the registry (REG_*) datatype used in the registry value.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+			<xs:element name="Byte_Runs" type="cyboxCommon:ByteRunsType" minOccurs="0">
+				<xs:annotation>
+					<xs:documentation>The Byte_Runs field contains a list of byte runs from the raw registry key entry.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="RegistryDatatypeType">
+		<xs:annotation>
+			<xs:documentation>Registry_Datatype specifies Windows registry datatypes via a union of the RegistryDataTypesEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.</xs:documentation>
+		</xs:annotation>
+		<xs:simpleContent>
+			<xs:restriction base="cyboxCommon:BaseObjectPropertyType">
+				<xs:simpleType>
+					<xs:union memberTypes="WinRegistryKeyObj:RegistryDataTypesEnum xs:string"/>
+				</xs:simpleType>
+				<xs:attribute name="datatype" type="cyboxCommon:DatatypeEnum" fixed="string">
+					<xs:annotation>
+						<xs:documentation>This attribute is optional and specifies the expected type for the value of the specified property.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+			</xs:restriction>
+		</xs:simpleContent>
+	</xs:complexType>
+	<xs:complexType name="RegistryHiveType">
+		<xs:annotation>
+			<xs:documentation>RegistryHiveType specifies Windows registry hive types via a union of the RegistryHiveEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.</xs:documentation>
+		</xs:annotation>
+		<xs:simpleContent>
+			<xs:restriction base="cyboxCommon:BaseObjectPropertyType">
+				<xs:simpleType>
+					<xs:union memberTypes="WinRegistryKeyObj:RegistryHiveEnum xs:string"/>
+				</xs:simpleType>
+				<xs:attribute name="datatype" type="cyboxCommon:DatatypeEnum" fixed="string">
+					<xs:annotation>
+						<xs:documentation>This attribute is optional and specifies the expected type for the value of the specified property.</xs:documentation>
+					</xs:annotation>
+				</xs:attribute>
+			</xs:restriction>
+		</xs:simpleContent>
+	</xs:complexType>
+	<xs:simpleType name="RegistryDataTypesEnum">
+		<xs:annotation>
+			<xs:documentation>The RegistryDataTypesEnum type is an enumeration of Windows registry datatypes (REG_*). See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx See also: http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=361.</xs:documentation>
+		</xs:annotation>
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="REG_NONE">
+				<xs:annotation>
+					<xs:documentation>No defined value type.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_SZ">
+				<xs:annotation>
+					<xs:documentation>A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_EXPAND_SZ">
+				<xs:annotation>
+					<xs:documentation>A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_BINARY">
+				<xs:annotation>
+					<xs:documentation>Binary data in any form.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_DWORD">
+				<xs:annotation>
+					<xs:documentation>A 32-bit number.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_DWORD_BIG_ENDIAN">
+				<xs:annotation>
+					<xs:documentation>A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_LINK">
+				<xs:annotation>
+					<xs:documentation>A null-terminated Unicode string that contains the target path of a symbolic link.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_MULTI_SZ">
+				<xs:annotation>
+					<xs:documentation>A sequence of null-terminated strings, terminated by an empty string (\0).</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_RESOURCE_LIST">
+				<xs:annotation>
+					<xs:documentation>A series of nested arrays designed to store a resource list used by a hardware device driver or one of the physical devices it controls. This data is detected and written into the ResourceMap tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_FULL_RESOURCE_DESCRIPTOR">
+				<xs:annotation>
+					<xs:documentation>A series of nested arrays designed to store a resource list used by a physical hardware device. This data is detected and written into the HardwareDescription tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_RESOURCE_REQUIREMENTS_LIST">
+				<xs:annotation>
+					<xs:documentation>Device driver list of hardware resource requirements in Resource Map tree. See http://www.mdgx.com/reg.htm.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_QWORD">
+				<xs:annotation>
+					<xs:documentation>A 64-bit number.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="REG_INVALID_TYPE">
+				<xs:annotation>
+					<xs:documentation>Specifies an invalid key.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:simpleType name="RegistryHiveEnum">
+		<xs:annotation>
+			<xs:documentation>The RegistryHiveEnum type is an enumeration of Windows registry hives (HKEY_*). See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724836(v=vs.85).aspx.</xs:documentation>
+		</xs:annotation>
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="HKEY_CLASSES_ROOT">
+				<xs:annotation>
+					<xs:documentation>Registry entries subordinate to this key define types (or classes) of documents and the properties associated with those types. Shell and COM applications use the information stored under this key.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="HKEY_CURRENT_CONFIG">
+				<xs:annotation>
+					<xs:documentation>Contains information about the current hardware profile of the local computer system. The information under HKEY_CURRENT_CONFIG describes only the differences between the current hardware configuration and the standard configuration.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="HKEY_CURRENT_USER">
+				<xs:annotation>
+					<xs:documentation>Registry entries subordinate to this key define the preferences of the current user. These preferences include the settings of environment variables, data about program groups, colors, printers, network connections, and application preferences. This key makes it easier to establish the current user's settings; the key maps to the current user's branch in HKEY_USERS.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="HKEY_LOCAL_MACHINE">
+				<xs:annotation>
+					<xs:documentation>Registry entries subordinate to this key define the physical state of the computer, including data about the bus type, system memory, and installed hardware and software.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="HKEY_USERS">
+				<xs:annotation>
+					<xs:documentation>Registry entries subordinate to this key define the default user configuration for new users on the local computer and the user configuration for the current user.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="HKEY_CURRENT_USER_LOCAL_SETTINGS">
+				<xs:annotation>
+					<xs:documentation>Registry entries subordinate to this key define preferences of the current user that are local to the machine. These entries are not included in the per-user registry portion of a roaming user profile.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="HKEY_PERFORMANCE_DATA">
+				<xs:annotation>
+					<xs:documentation>Registry entries subordinate to this key allow you to access performance data. The data is not actually stored in the registry; the registry functions cause the system to collect the data from its source.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="HKEY_PERFORMANCE_NLSTEXT">
+				<xs:annotation>
+					<xs:documentation>Registry entries subordinate to this key reference the text strings that describe counters in the local language of the area in which the computer system is running. These entries are not available to Regedit.exe and Regedt32.exe.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			<xs:enumeration value="HKEY_PERFORMANCE_TEXT">
+				<xs:annotation>
+					<xs:documentation>Registry entries subordinate to this key reference the text strings that describe counters in US English. These entries are not available to Regedit.exe and Regedt32.exe.</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:complexType name="RegistryValuesType">
+		<xs:annotation>
+			<xs:documentation>The RegistryValuesType type specifies the values (with their name/data pairs) held within the registry key.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Value" type="WinRegistryKeyObj:RegistryValueType" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>The Value field specifies the value (with name/data pair) held within the registry key.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+	<xs:complexType name="RegistrySubkeysType">
+		<xs:annotation>
+			<xs:documentation>The RegistrySubkeysType specifies the set of subkeys contained under the registry key.</xs:documentation>
+		</xs:annotation>
+		<xs:sequence>
+			<xs:element name="Subkey" type="WinRegistryKeyObj:WindowsRegistryKeyObjectType" maxOccurs="unbounded">
+				<xs:annotation>
+					<xs:documentation>The Subkey field specifies a single subkey contained under the registry key.</xs:documentation>
+				</xs:annotation>
+			</xs:element>
+		</xs:sequence>
+	</xs:complexType>
+</xs:schema>