The ATT&CK Specification

The ATT&CK specification is built atop the STIX 2.1 specification. It is a codified expression of the concepts outlined in the MITRE ATT&CK Philosophy Paper, expressed in the ATT&CK Data Model (ADM).

ATT&CK uses a mix of predefined and custom STIX objects to implement ATT&CK concepts. The following table is a mapping of ATT&CK concepts to STIX 2.1 objects:

STIX Bundle Object

A STIX Bundle Object is not a STIX Object, rather it is a collection of arbitrary STIX Objects grouped together in a single container. ATT&CK distributes a STIX bundle for each ATT&CK domain.

ATT&CK Concept	STIX Object
STIX Bundle	bundle (STIX 2.0, STIX 2.1)

Schema Reference

Current ATT&CK Spec Version: 3.3.0

STIX Domain Objects

ATT&CK Concept	STIX Object	Notes
Analytic	x-mitre-analytic
Asset	x-mitre-asset
Campaign	campaign (STIX 2.0, STIX 2.1)
Collection	x-mitre-collection	This type was added in the upgrade to STIX 2.1 and is not available in the STIX 2.0 dataset.
Data Component	x-mitre-data-component
Data Source	x-mitre-data-source
Detection Strategy	x-mitre-detection-strategy
Group	intrusion-set (STIX 2.0, STIX 2.1)
Identity	identity (STIX 2.0, STIX 2.1)	Referenced by created_by_ref and x_mitre_modified_by_ref to convey the creator and most recent modifier of each object
Matrix	x-mitre-matrix
Mitigation	course-of-action (STIX 2.0, STIX 2.1)
Software	malware (STIX 2.0, STIX 2.1) or tool (STIX 2.0, STIX 2.1)
Tactic	x-mitre-tactic
Technique	attack-pattern (STIX 2.0, STIX 2.1)

STIX Relationship Objects

ATT&CK Concept	STIX Object	Notes
Relationship	relationship (STIX 2.0, STIX 2.1)	ATT&CK uses many relationship types. Refer to them here.

STIX Meta Objects

ATT&CK Concept	STIX Object	Notes
Marking Definition	marking-definition (STIX 2.0, STIX 2.1)	Referenced in the object_marking_refs of all objects to express the MITRE Corporation copyright

---