Software Schema
Software
Software represents tools and malicious code used by adversaries to accomplish their objectives. ATT&CK models software using two STIX object types: malware and tool.
Union of the following possible types:
Malware
Object containing the following properties:
| Property | Description | Type |
|---|---|---|
| id (*) | The unique identifier for this Malware object. | string |
| type (*) | The STIX object type for this object, which is always "malware". | 'malware' |
| spec_version (*) | The version of the STIX specification used to represent this object. | '2.1' |
| created (*) | The created property represents the time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
| modified (*) | The modified property represents the time that this particular version of the object was modified. The timestamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
| created_by_ref (*) | The ID of the Source object that describes who created this object. | string |
| labels | The labels property specifies a set of terms used to describe this object. | Array<string (_min length: 1_)> (min: 1) |
| revoked | The revoked property indicates whether the object has been revoked. | boolean |
| confidence | Identifies the confidence that the creator has in the correctness of their data. | number (int, ≥1, ≤99) |
| lang | Identifies the language of the text content in this object. | string (min length: 1) |
| external_references (*) | A list of external references which refers to non-STIX information. | Array of at least 1 objects |
| object_marking_refs | The list of marking-definition objects to be applied to this object. | Array<string (_startsWith: marking-definition--_)> |
| granular_markings | The set of granular markings that apply to this object. | Array of objects |
| extensions | Specifies any extensions of the object, as a dictionary where keys are extension definition UUIDs. | Object with dynamic keys of type string (min length: 1) and values of type Object with dynamic keys of type string (min length: 1) and values of type unknown |
| name (*) | The name of the object. | string (min length: 1) |
| x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string (min length: 1, regex: /^(0\|[1-9]\d*)\.(0\|[1-9]\d*)\.(0\|[1-9]\d*)$/) |
| x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | string (min length: 1, regex: /^(\d{1,2})\.(\d{1,2})$/) |
| x_mitre_old_attack_id | Old ATT&CK IDs that have been replaced by the current ATT&CK ID. | string (min length: 1) |
| x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
| description (*) | A description that provides more details and context about the Malware. | string (min length: 1) |
| x_mitre_platforms | The platforms that the malware targets. | Array<'Field Controller/RTU/PLC/IED' \| 'Network Devices' \| 'Data Historian' \| 'Google Workspace' \| 'Office Suite' \| 'ESXi' \| 'Identity Provider' \| 'Containers' \| 'Azure AD' \| 'Engineering Workstation' \| 'Control Server' \| 'Human-Machine Interface' \| 'Windows' \| 'Linux' \| 'IaaS' \| 'None' \| 'iOS' \| 'PRE' \| 'SaaS' \| 'Input/Output Server' \| ...> (min: 1) |
| x_mitre_contributors | People and organizations who have contributed to this object. | Array<string (_min length: 1_)> (min: 1) |
| x_mitre_aliases | Alternative names used to identify this software. The first alias must match the object's name. | Array<string (_min length: 1_)> (min: 1) |
| x_mitre_modified_by_ref (*) | The STIX ID of the identity that last modified this object. | 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5' |
| x_mitre_domains (*) | The ATT&CK domains this object belongs to. | Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'> (min: 1) |
| aliases | Alternative names used to identify this software. | Array<string (_min length: 1_)> (min: 1) |
| is_family (*) | Whether the object represents a malware family (if true) or a malware instance (if false). | boolean |
| malware_types | A set of categorizations for the malware being described. | Array<'adware' \| 'backdoor' \| 'bot' \| 'bootkit' \| 'ddos' \| 'downloader' \| 'dropper' \| 'exploit-kit' \| 'keylogger' \| 'ransomware' \| 'remote-access-trojan' \| 'resource-exploitation' \| 'rogue-security-software' \| 'rootkit' \| 'screen-capture' \| 'spyware' \| 'trojan' \| 'virus' \| 'webshell' \| 'wiper' \| ...> (min: 1) |
| kill_chain_phases | The list of Kill Chain Phases for which this malware can be used. | Array of at least 1 objects |
| first_seen | The time that this malware instance or malware family was first seen. | string (ISO 8601) |
| last_seen | The time that this malware family or malware instance was last seen. | string (ISO 8601) |
| architecture_execution_envs | The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. | Array<'alpha' \| 'arm' \| 'ia-64' \| 'mips' \| 'powerpc' \| 'sparc' \| 'x86' \| 'x86-64'> (min: 1) |
| implementation_languages | The programming language(s) used to implement the malware instance or family. | Array<'applescript' \| 'bash' \| 'c' \| 'c++' \| 'c#' \| 'go' \| 'java' \| 'javascript' \| 'lua' \| 'objective-c' \| 'perl' \| 'php' \| 'powershell' \| 'python' \| 'ruby' \| 'scala' \| 'swift' \| 'typescript' \| 'visual-basic' \| 'x86-32' \| ...> (min: 1) |
| capabilities | Any of the capabilities identified for the malware instance or family. | Array<'accesses-remote-machines' \| 'anti-debugging' \| 'anti-disassembly' \| 'anti-emulation' \| 'anti-memory-forensics' \| 'anti-sandbox' \| 'anti-vm' \| 'captures-input-peripherals' \| 'captures-output-peripherals' \| 'captures-system-state-data' \| 'cleans-traces-of-infection' \| 'commits-fraud' \| 'communicates-with-c2' \| 'compromises-data-integrity' \| 'compromises-data-availability' \| 'compromises-system-availability' \| 'controls-local-machine' \| 'degrades-security-software' \| 'degrades-system-updates' \| 'determines-c2-server' \| ...> (min: 1) |
| sample_refs | The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. | Array<[StixArtifactType](#stixartifacttype) _or_ [StixFileType](#stixfiletype)> (min: 1) |
| operating_system_refs | The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. | Array<'malware' \| 'tool'> (min: 1) |
(*) Required.
StixArtifactType
Used to specify the artifact stixType of the sample_refs property.
String.
StixFileType
Used to specify the file stixType of the sample_refs property.
String.
Tool
Object containing the following properties:
| Property | Description | Type |
|---|---|---|
| id (*) | The unique identifier for this Tool object. | string |
| type (*) | The STIX object type for this object, which is always "tool". | 'tool' |
| spec_version (*) | The version of the STIX specification used to represent this object. | '2.1' |
| created (*) | The created property represents the time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
| modified (*) | The modified property represents the time that this particular version of the object was modified. The timestamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
| created_by_ref (*) | The ID of the Source object that describes who created this object. | string |
| labels | The labels property specifies a set of terms used to describe this object. | Array<string (_min length: 1_)> (min: 1) |
| revoked | The revoked property indicates whether the object has been revoked. | boolean |
| confidence | Identifies the confidence that the creator has in the correctness of their data. | number (int, ≥1, ≤99) |
| lang | Identifies the language of the text content in this object. | string (min length: 1) |
| external_references (*) | A list of external references, the first of which contains a valid ATT&CK ID. | Array of at least 1 objects |
| object_marking_refs | The list of marking-definition objects to be applied to this object. | Array<string (_startsWith: marking-definition--_)> |
| granular_markings | The set of granular markings that apply to this object. | Array of objects |
| extensions | Specifies any extensions of the object, as a dictionary where keys are extension definition UUIDs. | Object with dynamic keys of type string (min length: 1) and values of type Object with dynamic keys of type string (min length: 1) and values of type unknown |
| name (*) | The name of the object. | string (min length: 1) |
| x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string (min length: 1, regex: /^(0\|[1-9]\d*)\.(0\|[1-9]\d*)\.(0\|[1-9]\d*)$/) |
| x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | string (min length: 1, regex: /^(\d{1,2})\.(\d{1,2})$/) |
| x_mitre_old_attack_id | Old ATT&CK IDs that have been replaced by the current ATT&CK ID. | string (min length: 1) |
| x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
| description (*) | A description of the object. | string (min length: 1) |
| x_mitre_platforms | List of platforms that apply to the object. | Array<'Field Controller/RTU/PLC/IED' \| 'Network Devices' \| 'Data Historian' \| 'Google Workspace' \| 'Office Suite' \| 'ESXi' \| 'Identity Provider' \| 'Containers' \| 'Azure AD' \| 'Engineering Workstation' \| 'Control Server' \| 'Human-Machine Interface' \| 'Windows' \| 'Linux' \| 'IaaS' \| 'None' \| 'iOS' \| 'PRE' \| 'SaaS' \| 'Input/Output Server' \| ...> (min: 1) |
| x_mitre_contributors | People and organizations who have contributed to the object. Not found on objects of type relationship. | Array<string (_min length: 1_)> (min: 1) |
| x_mitre_aliases | Alternative names used to identify this software. The first alias must match the object's name. | Array<string (_min length: 1_)> (min: 1) |
| x_mitre_modified_by_ref (*) | The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. | 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5' |
| x_mitre_domains (*) | The technology domains to which the ATT&CK object belongs. | Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'> (min: 1) |
| aliases | Alternative names used to identify this software. | Array<string (_min length: 1_)> (min: 1) |
| tool_types | The kind(s) of tool(s) being described. | Array<'denial-of-service' \| 'exploitation' \| 'information-gathering' \| 'network-capture' \| 'credential-exploitation' \| 'remote-access' \| 'vulnerability-scanning' \| 'unknown'> (min: 1) |
| kill_chain_phases | The list of kill chain phases for which this Tool can be used. | Array of at least 1 objects |
| tool_version | The version identifier associated with the Tool. | string (min length: 1) |
(*) Required.
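As an added example (not code from the ATT&CK data model project), a Python checker that applies the constraints the Malware and Tool tables above share: the required properties, the two version regexes, ISO 8601 timestamps at millisecond precision, the x_mitre_domains enum, the first-alias rule, the malware-only is_family flag, and the Tool rule that the first external reference carries an ATT&CK ID. The exact timestamp form, the S-plus-four-digits software ID pattern and the sample object are assumptions, not taken from the page.

```python
import re

# Constraints copied from the property tables; the S#### ID pattern and timestamp form are assumed.
ATTACK_SPEC_RE = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")
X_MITRE_VERSION_RE = re.compile(r"^(\d{1,2})\.(\d{1,2})$")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3,}Z$")  # >= millisecond precision
DOMAINS = {"enterprise-attack", "mobile-attack", "ics-attack"}
MITRE_IDENTITY = "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
COMMON_REQUIRED = ("id", "type", "spec_version", "created", "modified", "created_by_ref", "external_references",
                   "name", "x_mitre_attack_spec_version", "x_mitre_version", "description",
                   "x_mitre_modified_by_ref", "x_mitre_domains")

def validate_software(obj: dict) -> list[str]:
    """Return the list of schema violations for a malware or tool object (empty list = valid)."""
    errors = []
    kind = obj.get("type")
    if kind not in ("malware", "tool"):
        return [f"type must be 'malware' or 'tool', got {kind!r}"]
    required = COMMON_REQUIRED + (("is_family",) if kind == "malware" else ())  # is_family is malware-only
    errors += [f"missing required property {p}" for p in required if p not in obj]
    if errors:
        return errors  # later checks index required keys directly
    for ts in ("created", "modified"):
        if not TIMESTAMP_RE.match(obj[ts]):
            errors.append(f"{ts} must be ISO 8601 precise to the millisecond")
    if not ATTACK_SPEC_RE.match(obj["x_mitre_attack_spec_version"]):
        errors.append("x_mitre_attack_spec_version must be major.minor.patch")
    if not X_MITRE_VERSION_RE.match(obj["x_mitre_version"]):
        errors.append("x_mitre_version must be major.minor with one- or two-digit parts")
    if not obj["x_mitre_domains"] or not set(obj["x_mitre_domains"]) <= DOMAINS:
        errors.append("x_mitre_domains must be a non-empty subset of the ATT&CK domains")
    if not obj["external_references"]:
        errors.append("external_references must contain at least one entry")
    elif kind == "tool" and not re.fullmatch(r"S\d{4}", obj["external_references"][0].get("external_id", "")):
        errors.append("first external reference of a tool must carry an ATT&CK ID")
    aliases = obj.get("x_mitre_aliases")
    if aliases is not None and (not aliases or aliases[0] != obj["name"]):
        errors.append("x_mitre_aliases must be non-empty and start with the object's name")
    return errors

# Constructed sample (not a real ATT&CK entry) that satisfies the Malware table.
SAMPLE_MALWARE = {
    "id": "malware--00000000-0000-4000-8000-000000000001", "type": "malware", "spec_version": "2.1",
    "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
    "created_by_ref": MITRE_IDENTITY, "x_mitre_modified_by_ref": MITRE_IDENTITY,
    "external_references": [{"source_name": "mitre-attack", "external_id": "S0000"}],
    "name": "ExampleRAT", "x_mitre_aliases": ["ExampleRAT"], "description": "Constructed sample.",
    "x_mitre_attack_spec_version": "3.2.0", "x_mitre_version": "1.0",
    "x_mitre_domains": ["enterprise-attack"], "is_family": True,
}
```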