{ "namespace": "stealth_malware", "description": "Classification based on malware stealth techniques, as described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf", "version": 1, "refs": [ "https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf" ], "predicates": [ { "value": "type", "expanded": "Stealth technique type" } ], "values": [ { "predicate": "type", "entry": [ { "value": "0", "expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls." }, { "value": "I", "expanded": "The malware modifies constant sections of the kernel and/or processes, such as code sections." }, { "value": "II", "expanded": "The malware does not modify constant sections, only the dynamic sections of the kernel and/or processes, such as data sections." }, { "value": "III", "expanded": "The malware does not modify any sections of the kernel and/or processes, but influences the system without modifying the OS, for example by using hardware virtualization techniques." } ] } ] }