Where can I find more info on the Malware Behavior STIX 2.1 SDO?

I recently saw a few malware-behaviour objects in a STIX bundle.

    "type": "bundle",
    "id": "bundle--6b32c658-f907-4a02-bd68-d971d0c83822",
    "objects": [
            "type": "malware-behavior",
            "spec_version": "2.1",
            "id": "malware-behavior--0a11a488-9138-4341-a879-32a2c251e01f",
            "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
            "created": "2020-08-14T00:00:00.000Z",
            "modified": "2023-12-05T00:00:00.000Z",
            "name": "Heap Spray",
            "obj_defn": {
                "description": "Malware may use heap spraying to write a sequence of bytes on the heap section of a process.",
                "external_id": "C0006",
                "source_name": "mitre-mbc",
                "url": "https://github.com/MBCProject/mbc-markdown/blob/main/micro-behaviors/memory/heap-spray.md"
            "objective_refs": [
            "obj_version": "2.1",
            "object_marking_refs": [
            "extensions": {
                "extension-definition--d57b7c9c-7fa6-436b-b82c-8e6f69cdc3d0": {
                    "extension_type": "new-sdo"

Using the url listed in the object, I found this repo

The MBC project looks very interesting. Is anyone using it with STIX? If so, do you have any guides to get started?

I’ll caveat this post by saying I’m no expert here, but have come across the Malware Behavior Catalog (MBC) STIX objects before.

This video was super useful as an introduction:

At 7:12 there is a good example of the structure.

That diagram will also explain the 4 main types of STIX objects in the repo

  1. malware: the actual malware classified by MBC which implements…
  2. malware-method: which refines…
  3. malware-behavior: which accomplishes…
  4. malware-objective

In that repo you’ll see the relationship STIX objects link them together using the relationships defined above.

You’ll also note that the relationships also link out to ATT&CK technique objects to describe the Malware.

Where I am still a little unsure is how the two live together. ATT&CK has its own knowledge-base of Malware (software in ATT&CK terms: Software | MITRE ATT&CK®).

I suspect the MBC includes new strings or strings with more information than the ATT&CK representation (because ATT&CK does not use the MBC framework).

Oh, I’d also recommend checking out the spec in the OASIS Open Repo.

Specifically the extension standard doc…

That doc contains all the schemas and some good examples.

One part I found particularly helpful in it was this diagram explaining the structure/content of the objects;


Which helps to explain the fact the malware-behaviour object can also contain a snippet of the malware relevant to the behaviour, and a detection for it, e.g.

    "type": "malware-behavior",
    "spec_version": "2.1",
    "id": "malware-behavior--7fd7253f-274e-4156-be58-7ac900fc221a",
    "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
    "created": "2019-08-01T00:00:00.000Z",
    "modified": "2022-11-21T00:00:00.000Z",
    "name": "Sandbox Detection",
    "obj_defn": {
        "source_name": "mbc",
        "description": "Detects whether the malware instance is being executed <snip>",
        "url": "https://github.com/MBCProject/mbc-markdown <snip> /sandbox-detection.md",
        "external_id": "B0007"
    "obj_version": "2.0",
    "related_object_refs": [
    "tags": {"Anti-Analysis-Type": "Detection"},
    "objective_refs": ["malware-objective--a6de0a96-50b6-441f-8e62-06eb6db84183"],
    "detection_rules": [{
        "rule_type": "capa",
        "rule_name": "check for sandbox and av modules",
        "url": "https://github.com/capa-rules...check-for-sandbox-and-av-modules.yml",
        "api_fncs": ["GetModuleHandle"],
        "detect_ref": "malware-method--5650472c-6f90-44c3-8944-f763507e9220"
    "snippets": [{
        "snippet": "push ebx, \n add esp, \n 0FFFFFEF4h, \n xor ebx, \n ebx <snip>",
        "language": "asm",
        "exemplify_ref": "malware-method--5650472c-6f90-44c3-8944-f763507e9220"
    "external_references": [
"source_name": "cisco",
"url": "https://blogs.cisco.com/security/talos/rombertik",
"description": "B. Baker and A. Chiu, \"Threat Spotlight: Rombertik - Gazing Past the Smoke, Mirrors, and Trapdoors,\" Cisco Threat Research, blog, May 4, 2013 [Online]."
"source_name": "lordnoteworthy"
"url": "https://github.com/LordNoteworthy/al-khaser"
"description": "A. Faouzi (LordNoteworthy), \"README.md,\" Al-Khaser v0.81. Accessed Apr. 29, 2023 [Online].
    "extensions": {
        "extension-definition--d57b7c9c-7fa6-436b-b82c-8e6f69cdc3d0" : {
            "extension_type" : "new-sdo"