Technique Schema

Technique

Object containing the following properties:

| Property | Description | Type |
|---|---|---|
| id (*) | | any |
| type (*) | | 'attack-pattern' |
| spec_version (*) | The version of the STIX specification used to represent this object. | '2.0' \| '2.1' |
| created (*) | The created property represents the time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond. | any |
| modified (*) | The modified property represents the time that this particular version of the object was modified. The timestamp value MUST be precise to the nearest millisecond. | any |
| created_by_ref | The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. | any |
| labels | The labels property specifies a set of terms used to describe this object. | Array<string> |
| revoked | The revoked property indicates whether the object has been revoked. | boolean |
| confidence | | number (int, ≥1, ≤99) |
| lang | Identifies the language of the text content in this object. | string |
| external_references (*) | A list of external references which refers to non-STIX information. | Array of at least 1 objects |
| object_marking_refs | The list of marking-definition objects to be applied to this object. | Array<any> |
| granular_markings | The set of granular markings that apply to this object. | Array of objects |
| extensions | Specifies any extensions of the object, as a dictionary. | Object with dynamic keys of type string and values of type Object with properties: string and values of type unknown (optional & nullable) |
| name (*) | The name of the object. | string (min length: 1) |
| x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string |
| x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | any |
| x_mitre_old_attack_id | Old ATT&CK IDs that may have been associated with this object. | string |
| x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
| kill_chain_phases | | Array of objects |
| description | A description of the object. | string |
| x_mitre_platforms | List of platforms that apply to the object. | Array<'Field Controller/RTU/PLC/IED' \| 'Network' \| 'Data Historian' \| 'Google Workspace' \| 'Office 365' \| 'Containers' \| 'Azure AD' \| 'Engineering Workstation' \| 'Control Server' \| 'Human-Machine Interface' \| 'Windows' \| 'Linux' \| 'IaaS' \| 'None' \| 'iOS' \| 'PRE' \| 'SaaS' \| 'Input/Output Server' \| 'macOS' \| 'Android' \| ...> (min: 1) |
| x_mitre_detection | Strategies for identifying if a technique has been used by an adversary. | XMitreDetection |
| x_mitre_is_subtechnique (*) | If true, this attack-pattern is a sub-technique. | XMitreIsSubtechnique |
| x_mitre_data_sources | Sources of information that may be used to identify the action or result of the action being performed. | XMitreDataSources |
| x_mitre_defense_bypassed | List of defensive tools, methodologies, or processes the technique can bypass. | XMitreDefenseBypasses |
| x_mitre_contributors | People and organizations who have contributed to the object. Not found on relationship objects. | Array<string> |
| x_mitre_permissions_required | The lowest level of permissions the adversary is required to be operating within to perform the technique on a system. | XMitrePermissionsRequired |
| x_mitre_remote_support | If true, the technique can be used to execute something on a remote system. | XMitreRemoteSupport |
| x_mitre_system_requirements | Additional information on requirements the adversary needs to meet or about the state of the system (software, patch level, etc.) that may be required for the technique to work. | XMitreSystemRequirements |
| x_mitre_impact_type | Denotes if the technique can be used for integrity or availability attacks. | Array<'Availability' \| 'Integrity'> |
| x_mitre_effective_permissions | The level of permissions the adversary will attain by performing the technique. | XMitreEffectivePermissions |
| x_mitre_network_requirements | | boolean |
| x_mitre_tactic_type | "Post-Adversary Device Access", "Pre-Adversary Device Access", or "Without Adversary Device Access". | XMitreTacticType |
| x_mitre_domains (*) | The technology domains to which the ATT&CK object belongs. | Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'> (min: 1) |
| x_mitre_modified_by_ref | The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. | any |

(*) Required.
XMitreDataSource
A single data source in the format 'Data Source Name: Data Component Name'.
Any type.
XMitreDataSources
Sources of information that may be used to identify the action or result of the action being performed.
Array of XMitreDataSource items.
XMitreDefenseBypasses
List of defensive tools, methodologies, or processes the technique can bypass.
Array of at least 1 'Signature-based detection' | 'Multi-Factor Authentication' | 'Network Intrusion Detection System' | 'Application Control' | 'Host forensic analysis' | 'Exploit Prevention' | 'Signature-based Detection' | 'Data Execution Prevention' | 'Heuristic Detection' | 'File system access controls' | 'File Monitoring' | 'Digital Certificate Validation' | 'Logon Credentials' | 'Firewall' | 'Host Forensic Analysis' | 'Static File Analysis' | 'Heuristic detection' | 'Notarization' | 'System access controls' | 'Binary Analysis' | ... items.
XMitreDetection
Strategies for identifying if a technique has been used by an adversary.
String.
XMitreEffectivePermissions
The level of permissions the adversary will attain by performing the technique.
Array of at least 1 'Administrator' | 'SYSTEM' | 'User' | 'root' items.
XMitreIsSubtechnique
If true, this attack-pattern is a sub-technique.
Boolean.
XMitrePermissionsRequired
The lowest level of permissions the adversary is required to be operating within to perform the technique on a system.
Array of at least 1 'Remote Desktop Users' | 'SYSTEM' | 'Administrator' | 'root' | 'User' items.
XMitreRemoteSupport
If true, the technique can be used to execute something on a remote system.
Boolean.
XMitreSystemRequirements
Additional information on requirements the adversary needs to meet or about the state of the system (software, patch level, etc.) that may be required for the technique to work.
Array of string items.
XMitreTacticType
"Post-Adversary Device Access", "Pre-Adversary Device Access", or "Without Adversary Device Access".
Array of 'Post-Adversary Device Access' | 'Pre-Adversary Device Access' | 'Without Adversary Device Access' items.
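The constraints in the Technique table and the XMitreDataSource format above can be checked before a technique object is ingested. The validator below is an added example, not the schema's own code: it applies the required-property list, the 'attack-pattern' type, the spec_version values, the millisecond timestamp rule, the confidence range, the 'major.minor' version format, the domain enumeration and the 'Data Source Name: Data Component Name' format. The timestamp regex assumes the RFC 3339 'Z' form STIX uses, and the sample object uses a placeholder id and ATT&CK id.

```python
import re

# Rules transcribed from the Technique table above; the timestamp regex is my
# assumption of the RFC 3339 'Z' form STIX uses, with the mandated millisecond precision.
REQUIRED = ("id", "type", "spec_version", "created", "modified", "external_references",
            "name", "x_mitre_attack_spec_version", "x_mitre_version",
            "x_mitre_is_subtechnique", "x_mitre_domains")
DOMAINS = {"enterprise-attack", "mobile-attack", "ics-attack"}
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")
VERSION = re.compile(r"^\d{1,2}\.\d{1,2}$")  # 'major.minor', each 0-99, no patch number


def validate_technique(obj: dict) -> list[str]:
    # Returns every violation found; an empty list means the object passes.
    errors = [f"missing required property: {k}" for k in REQUIRED if k not in obj]
    if obj.get("type") != "attack-pattern":
        errors.append("type must be 'attack-pattern'")
    if obj.get("spec_version") not in ("2.0", "2.1"):
        errors.append("spec_version must be '2.0' or '2.1'")
    for key in ("created", "modified"):
        if key in obj and not TIMESTAMP.match(str(obj[key])):
            errors.append(f"{key} must be a timestamp precise to the millisecond")
    conf = obj.get("confidence", 1)  # optional; absent counts as acceptable
    if not isinstance(conf, int) or isinstance(conf, bool) or not 1 <= conf <= 99:
        errors.append("confidence must be an integer between 1 and 99")
    if not isinstance(obj.get("name"), str) or not obj["name"]:
        errors.append("name must be a non-empty string")
    if not obj.get("external_references"):
        errors.append("external_references must contain at least one reference")
    if "x_mitre_version" in obj and not VERSION.match(str(obj["x_mitre_version"])):
        errors.append("x_mitre_version must be 'major.minor' with each part 0-99")
    if not isinstance(obj.get("x_mitre_is_subtechnique"), bool):
        errors.append("x_mitre_is_subtechnique must be a boolean")
    domains = obj.get("x_mitre_domains") or []
    if not domains or not set(domains) <= DOMAINS:
        errors.append("x_mitre_domains must be a non-empty subset of " + ", ".join(sorted(DOMAINS)))
    for ds in obj.get("x_mitre_data_sources", []):  # 'Data Source Name: Data Component Name'
        parts = ds.split(": ", 1) if isinstance(ds, str) else []
        if len(parts) != 2 or not all(parts):
            errors.append(f"malformed data source: {ds!r}")
    return errors


# Constructed sample (placeholder STIX id and ATT&CK id, not a real technique).
SAMPLE = {
    "id": "attack-pattern--00000000-0000-4000-8000-000000000000", "type": "attack-pattern",
    "spec_version": "2.1", "created": "2024-01-31T12:00:00.000Z",
    "modified": "2024-01-31T12:00:00.000Z", "name": "Example Technique",
    "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
    "x_mitre_attack_spec_version": "3.2.0", "x_mitre_version": "1.0",
    "x_mitre_is_subtechnique": False, "x_mitre_domains": ["enterprise-attack"],
    "x_mitre_data_sources": ["Process: Process Creation"],
}
```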