Relationship Types
Relationships
ATT&CK objects are interconnected through STIX relationship (STIX 2.0, STIX 2.1) objects that capture associations between groups, techniques, software, and other entities.
These relationships enable analysis of adversary behaviors, defensive capabilities, and organizational structures within the ATT&CK framework.
Relationship objects frequently include description fields that provide contextual details about the specific association between objects.
Transitive relationships:
- Groups can be considered indirect users of techniques employed by their software, creating a transitive relationship chain: intrusion-set→uses→malware/tool→uses→attack-pattern.
- Campaigns can also be considered indirect users of techniques employed by their software, creating a transitive relationship chain: campaign→uses→malware/tool→uses→attack-pattern.
Uses
Procedures
Procedures describe specific instances of technique implementation by adversaries.
Unlike other ATT&CK concepts, procedures are not represented by dedicated STIX Domain objects.
Instead, they are modeled as STIX uses relationships where the target_ref points to a technique (attack-pattern).
Procedure details are captured in the relationship's description field.
| Source Type | Relationship Type | Target Type | Custom Type? | About |
|---|---|---|---|---|
| intrusion-set | uses | attack-pattern | No | Group using a technique |
| malware or tool | uses | attack-pattern | No | Software using a technique |
| campaign | uses | attack-pattern | No | Campaign using a technique |
Software usage
Not all STIX uses relationships describe procedures. Some uses relationships describe software usage.
| Source Type | Relationship Type | Target Type | Custom Type? | About |
|---|---|---|---|---|
| intrusion-set | uses | malware or tool | No | Group using a software. |
| campaign | uses | malware or tool | No | Campaign using a software. |
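The following is an added example, not code from the ATT&CK project: it separates procedure relationships from software-usage relationships by the type prefix of target_ref and follows the transitive chain described above. The sample relationships and their IDs are constructed placeholders, and skipping relationships flagged revoked or x_mitre_deprecated is an assumption about how a consumer would filter the data.

```python
from collections import defaultdict

SOFTWARE = {"malware", "tool"}

def stix_type(ref):
    """STIX IDs have the form '<type>--<uuid>'; return the type part."""
    return ref.split("--", 1)[0]

def uses_index(objects):
    """Map source_ref -> list of active 'uses' relationship objects."""
    index = defaultdict(list)
    for obj in objects:
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "uses":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # assumption: stale relationships are excluded from analysis
        index[obj["source_ref"]].append(obj)
    return index

def techniques_used_by(objects, actor_ref):
    """Return {technique_ref: paths}; a path is 'direct' or the software ref it came through."""
    index = uses_index(objects)
    found = defaultdict(set)
    for rel in index.get(actor_ref, []):
        kind = stix_type(rel["target_ref"])
        if kind == "attack-pattern":      # procedure: actor uses technique
            found[rel["target_ref"]].add("direct")
        elif kind in SOFTWARE:            # software usage: follow the second hop
            for hop in index.get(rel["target_ref"], []):
                if stix_type(hop["target_ref"]) == "attack-pattern":
                    found[hop["target_ref"]].add(rel["target_ref"])
    return {tech: sorted(paths) for tech, paths in found.items()}

def rel(n, src, kind, dst, **extra):
    """Build a constructed relationship object (placeholder IDs, not real ATT&CK data)."""
    return {"type": "relationship", "id": f"relationship--{n}",
            "relationship_type": kind, "source_ref": src, "target_ref": dst, **extra}

SAMPLE = [
    rel(1, "intrusion-set--g1", "uses", "attack-pattern--t1", description="Constructed procedure text."),
    rel(2, "intrusion-set--g1", "uses", "malware--s1"),
    rel(3, "malware--s1", "uses", "attack-pattern--t1"),
    rel(4, "malware--s1", "uses", "attack-pattern--t2"),
    rel(5, "campaign--c1", "uses", "tool--s2"),
    rel(6, "tool--s2", "uses", "attack-pattern--t3"),
    rel(7, "tool--s2", "uses", "attack-pattern--t4", revoked=True),
    rel(8, "course-of-action--m1", "mitigates", "attack-pattern--t2"),
]

if __name__ == "__main__":
    print(techniques_used_by(SAMPLE, "intrusion-set--g1"))
```

Keeping the path alongside each technique lets an analyst tell a documented procedure apart from a technique inferred only through the software a group or campaign uses.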
Mitigates
Mitigation mitigating a technique.
| Source Type | Relationship Type | Target Type | Custom Type? |
|---|---|---|---|
| course-of-action | mitigates | attack-pattern | No |
Subtechnique-of
Sub-technique of a technique, where the source_ref is the sub-technique and the target_ref is the parent technique.
| Source Type | Relationship Type | Target Type | Custom Type? |
|---|---|---|---|
| attack-pattern | subtechnique-of | attack-pattern | Yes |
Domain availability: Sub-techniques are available only in the Enterprise and Mobile domains.
Detects
Detection strategy for detecting a technique.
| Source Type | Relationship Type | Target Type | Custom Type? | About |
|---|---|---|---|---|
x-mitre-data-component | detects | attack-pattern | Yes | Deprecated as of ATT&CK Specification 3.3.0. Data component detecting a technique. This relationship type will be removed in ATT&CK Specification 4.0.0. |
| x-mitre-detection-strategy | detects | attack-pattern | Yes | |
Attributed-to
Campaign attributed to a group.
| Source Type | Relationship Type | Target Type | Custom Type? |
|---|---|---|---|
| campaign | attributed-to | intrusion-set | No |
Targets
Techniques target assets.
| Source Type | Relationship Type | Target Type | Custom Type? |
|---|---|---|---|
| attack-pattern | targets | x-mitre-asset | Yes |
Revoked-by
The target object is a replacement for the source object.
Only occurs where the objects are of the same type, and the source object will have the property revoked = true.
| Source Type | Relationship Type | Target Type | Custom Type? |
|---|---|---|---|
| any type | revoked-by | any type | Yes |