Extending STIX
There are three general ways that ATT&CK extends the STIX 2.1 specification:
- Custom Object Types: Prefixed with x-mitre-, e.g. x-mitre-matrix.
- Custom Fields: Prefixed with x_mitre_, e.g. x_mitre_platforms in attack-patterns.
- New Relationship Types: Not prefixed with x_mitre_.
For more information on how STIX is customizable, here is the STIX documentation on customizing STIX (STIX 2.0, STIX 2.1). While it is deprecated, ATT&CK currently uses the STIX 2.0 method of extending STIX, which is valid even in STIX 2.1 bundles. We have aspirations to create STIX 2.1 Extension Definitions one day and hope to include them in future ATT&CK versions.
Custom Object Types
Object types prefixed with x-mitre-, e.g. x-mitre-matrix, are custom STIX types extending the STIX 2.1 specification. They follow the general STIX Domain Object pattern (STIX 2.0, STIX 2.1) but describe concepts not covered by types defined in STIX 2.1.
Custom Fields
Custom MITRE ATT&CK properties may exist on ATT&CK objects (custom or otherwise).
Such fields are prefixed with x_mitre_, e.g. x_mitre_platforms in attack-patterns.
The following extended fields are common across ATT&CK types except where otherwise noted:
| Field | Type | Description |
|---|---|---|
| x_mitre_version¹ | string | The version of the object in format major.minor where major and minor are integers. ATT&CK increments this version number when the object content is updated. This is not included on relationship objects. |
| x_mitre_contributors | string[] | People and organizations who have contributed to the object. Not found on objects of type relationship. |
| x_mitre_modified_by_ref | string | The STIX ID of an identity object. Used to track the identity of the individual or organization which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. |
| x_mitre_domains | string[] | Identifies the domains the object is found in. See domains for more information. Not found on objects of type relationship, identity, or marking-definition. |
| x_mitre_attack_spec_version¹ | string | The version of the ATT&CK specification used by the object. Consuming software can use this field to determine if the data format is supported. Current version is 3.3.0. |

¹ For more information about specific version fields, head over to ATT&CK Versioning.
New Relationship Types
Unlike custom object types and extended fields, custom relationship types are not prefixed with x_mitre_. You can find a full list of relationship types in the Relationships section, which also mentions whether the type is a default STIX type.
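The sketch below is an added example, not code from the ATT&CK project. It shows how consuming software might inventory the x-mitre- types and x_mitre_ fields in a bundle and use x_mitre_attack_spec_version and x_mitre_version to decide whether the data is safe to ingest. The function name, the sample bundle and the policy of rejecting spec versions newer than 3.3.0 are assumptions made for illustration.

```python
import re

SUPPORTED_SPEC = (3, 3, 0)              # the table gives 3.3.0 as the current spec version
VERSION_RE = re.compile(r"\d+\.\d+")    # x_mitre_version: major.minor, both integers

def inspect_bundle(bundle, supported=SUPPORTED_SPEC):
    """Return (custom_types, custom_fields, problems) for a STIX bundle dict."""
    custom_types, custom_fields, problems = set(), set(), []
    for obj in bundle.get("objects", []):
        oid, otype = obj.get("id", "<no id>"), obj.get("type", "")
        if otype.startswith("x-mitre-"):
            custom_types.add(otype)
        custom_fields.update(k for k in obj if k.startswith("x_mitre_"))
        spec = obj.get("x_mitre_attack_spec_version")
        if spec is not None:
            try:
                parsed = tuple(int(p) for p in spec.split("."))
            except (AttributeError, ValueError):
                problems.append((oid, f"malformed spec version {spec!r}"))
            else:
                # Assumed policy: refuse anything newer than this parser was written for.
                if parsed > supported:
                    problems.append((oid, f"spec version {spec} newer than supported"))
        version = obj.get("x_mitre_version")
        if version is not None:
            if otype == "relationship":
                problems.append((oid, "x_mitre_version present on a relationship"))
            elif not (isinstance(version, str) and VERSION_RE.fullmatch(version)):
                problems.append((oid, f"x_mitre_version {version!r} is not major.minor"))
    return custom_types, custom_fields, problems

# Constructed sample bundle; the IDs and values are made up for this example.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    {"type": "x-mitre-matrix", "id": "x-mitre-matrix--00000000-0000-4000-8000-000000000001",
     "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0",
     "x_mitre_domains": ["enterprise-attack"]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
     "x_mitre_platforms": ["Linux"], "x_mitre_version": "2",
     "x_mitre_attack_spec_version": "4.0.0"},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000003",
     "relationship_type": "subtechnique-of"},
]}

if __name__ == "__main__":
    types, fields, problems = inspect_bundle(SAMPLE_BUNDLE)
    print(sorted(types), sorted(fields))
    for oid, msg in problems:
        print(oid, msg)
```

Because custom relationship types carry no x_mitre_ prefix, the prefix scan alone cannot identify them. They have to be compared against the list in the Relationships section.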