Technique Schema
Technique
Techniques describe specific methods adversaries use to achieve tactical objectives and are represented as attack-pattern objects following the STIX 2.1 specification.
Sub-Techniques
Sub-techniques are specialized implementations of parent techniques, providing more granular detail about adversary methods.
They are represented as attack-pattern objects with the same structure as techniques but include additional constraints and relationships.
Sub-technique characteristics:
- Identification: Marked by
x_mitre_is_subtechnique = true - Parent relationship: Connected via
subtechnique-ofrelationship wheresource_refis the sub-technique andtarget_refis the parent technique - Cardinality: Each sub-technique has exactly one parent technique; parent techniques may have multiple sub-techniques
Inheritance rules:
- ATT&CK ID format: Sub-technique IDs follow the pattern
Txxxx.yyy, whereTxxxxis the parent technique ID andyyyis the unique sub-technique identifier - STIX ID uniqueness: Sub-techniques maintain globally unique STIX IDs despite sharing parent ID prefixes
- Tactic inheritance: Sub-techniques inherit all tactics from their parent technique
- Platform constraints: Sub-techniques must use a subset of their parent technique's platforms
Object containing the following properties:
| Property | Description | Type |
|---|---|---|
id (*) | string | |
type (*) | 'attack-pattern' | |
spec_version (*) | The version of the STIX specification used to represent this object. | '2.1' |
created (*) | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
modified (*) | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
created_by_ref | The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. | string |
labels | The labels property specifies a set of terms used to meta this object. | XMitreSystemRequirements |
revoked | The revoked property indicates whether the object has been revoked. | boolean |
confidence | Identifies the confidence that the creator has in the correctness of their data. | number (int, ≥1, ≤99) |
lang | Identifies the language of the text content in this object. | XMitreDetection |
external_references (*) | A list of external references with the first containing a valid ATT&CK ID | Array of at least 1 objects:
|
object_marking_refs | The list of marking-definition objects to be applied to this object. | Array<string (_startsWith: marking-definition--_)> |
granular_markings | The set of granular markings that apply to this object. | Array of objects:
|
extensions | Specifies any extensions of the object, as a dictionary where keys are extension definition UUIDs | Object with dynamic keys of type XMitreDetection and values of type Object with properties:
unknown |
name (*) | The name of the object. | XMitreDetection |
x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string (min length: 1, regex: /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$/) |
x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | string (min length: 1, regex: /^(\d{1,2})\.(\d{1,2})$/) |
x_mitre_old_attack_id | Old ATT&CK IDs that may have been associated with this object | string (min length: 1) |
x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
kill_chain_phases | Techniques are associated with Tactics through their kill_chain_phases property. When the kill_chain_name matches the domain (mitre-attack, mitre-mobile-attack, or mitre-ics-attack), the phase_name corresponds to the x_mitre_shortname of the associated x-mitre-tactic object. | Array of at least 1 objects:
|
description | A description of the object. | XMitreDetection |
x_mitre_platforms | List of platforms that apply to the object. | Array<'Field Controller/RTU/PLC/IED' | 'Network Devices' | 'Data Historian' | 'Google Workspace' | 'Office Suite' | 'ESXi' | 'Identity Provider' | 'Containers' | 'Azure AD' | 'Engineering Workstation' | 'Control Server' | 'Human-Machine Interface' | 'Windows' | 'Linux' | 'IaaS' | 'None' | 'iOS' | 'PRE' | 'SaaS' | 'Input/Output Server' | ...> (min: 1) |
x_mitre_detection | DEPRECATED in v3.3.0. Will be removed in v4.0.0. Strategies for identifying if a technique has been used by an adversary. | XMitreDetection |
x_mitre_is_subtechnique (*) | If true, this attack-pattern is a sub-technique | XMitreIsSubtechnique |
x_mitre_data_sources | DEPRECATED in v3.3.0. Will be removed in v4.0.0. Sources of information that may be used to identify the action or result of the action being performed | XMitreDataSources |
x_mitre_defense_bypassed | DEPRECATED in v3.3.0. Will be removed in v4.0.0. List of defensive tools, methodologies, or processes the technique can bypass. | XMitreDefenseBypasses |
x_mitre_contributors | People and organizations who have contributed to the object. Not found on objects of type relationship. | XMitreSystemRequirements |
x_mitre_permissions_required | DEPRECATED in v3.3.0. Will be removed in v4.0.0. The lowest level of permissions the adversary is required to be operating within to perform the technique on a system. | XMitrePermissionsRequired |
x_mitre_remote_support | DEPRECATED in v3.3.0. Will be removed in v4.0.0. If true, the technique can be used to execute something on a remote system. | XMitreRemoteSupport |
x_mitre_system_requirements | DEPRECATED in v3.3.0. Will be removed in v4.0.0. Additional information on requirements the adversary needs to meet or about the state of the system (software, patch level, etc.) that may be required for the technique to work | XMitreSystemRequirements |
x_mitre_impact_type | Denotes if the technique can be used for integrity or availability attacks. Only used in Enterprise domain in the Impact tactic. | XMitreImpactType |
x_mitre_effective_permissions | DEPRECATED in v3.3.0. Will be removed in v4.0.0. The level of permissions the adversary will attain by performing the technique | XMitreEffectivePermissions |
x_mitre_network_requirements | Requires network to execute the technique | XMitreNetworkRequirements |
x_mitre_tactic_type | "Post-Adversary Device Access", "Pre-Adversary Device Access", or "Without Adversary Device Access". Only used in Mobile domain. | XMitreTacticType |
x_mitre_domains (*) | The technology domains to which the ATT&CK object belongs. | Array<'enterprise-attack' | 'mobile-attack' | 'ics-attack'> (min: 1) |
x_mitre_modified_by_ref | The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. | 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5' |
(*) Required.
XMitreDataSource
DEPRECATED in v3.3.0. Will be removed in v4.0.0. A single data source in the format 'Data Source Name: Data Component Name'
Never type.
XMitreDataSources
DEPRECATED in v3.3.0. Will be removed in v4.0.0. Sources of information that may be used to identify the action or result of the action being performed
Array of at least 1 XMitreDataSource items.
XMitreDefenseBypasses
DEPRECATED in v3.3.0. Will be removed in v4.0.0. List of defensive tools, methodologies, or processes the technique can bypass.
Array of at least 1 'Signature-based detection' | 'Multi-Factor Authentication' | 'Network Intrusion Detection System' | 'Application Control' | 'Host forensic analysis' | 'Exploit Prevention' | 'Signature-based Detection' | 'Data Execution Prevention' | 'Heuristic Detection' | 'File system access controls' | 'File Monitoring' | 'Digital Certificate Validation' | 'Logon Credentials' | 'Firewall' | 'Host Forensic Analysis' | 'Static File Analysis' | 'Heuristic detection' | 'Notarization' | 'System access controls' | 'Binary Analysis' | ... items.
XMitreDetection
DEPRECATED in v3.3.0. Will be removed in v4.0.0. Strategies for identifying if a technique has been used by an adversary.
String which has a minimum length of 1.
XMitreEffectivePermissions
DEPRECATED in v3.3.0. Will be removed in v4.0.0. The level of permissions the adversary will attain by performing the technique
Array of at least 1 'Administrator' | 'SYSTEM' | 'User' | 'root' items.
XMitreImpactType
Denotes if the technique can be used for integrity or availability attacks. Only used in Enterprise domain in the Impact tactic.
Array of at least 1 'Availability' | 'Integrity' items.
XMitreIsSubtechnique
If true, this attack-pattern is a sub-technique
Boolean.
XMitreNetworkRequirements
Requires network to execute the technique
Boolean.
XMitrePermissionsRequired
DEPRECATED in v3.3.0. Will be removed in v4.0.0. The lowest level of permissions the adversary is required to be operating within to perform the technique on a system.
Array of at least 1 'Remote Desktop Users' | 'SYSTEM' | 'Administrator' | 'root' | 'User' items.
XMitreRemoteSupport
DEPRECATED in v3.3.0. Will be removed in v4.0.0. If true, the technique can be used to execute something on a remote system.
Boolean.
XMitreSystemRequirements
DEPRECATED in v3.3.0. Will be removed in v4.0.0. Additional information on requirements the adversary needs to meet or about the state of the system (software, patch level, etc.) that may be required for the technique to work
Array of at least 1 XMitreDetection items.
XMitreTacticType
"Post-Adversary Device Access", "Pre-Adversary Device Access", or "Without Adversary Device Access". Only used in Mobile domain.
Array of at least 1 'Post-Adversary Device Access' | 'Pre-Adversary Device Access' | 'Without Adversary Device Access' items.