Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.
Property | Type | Description | Required? |
---|---|---|---|
description | Markdown String | A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
name | ShortString String | A name used to identify the Attack Pattern. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | AttackPatternTypeIdentifier String | | ✓ |
abstraction_level | AttackPatternAbstractions String | The CAPEC abstraction level for patterns describing techniques to attack a system. | |
external_ids | String List | ||
external_references | ExternalReference Object List | A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id]. | |
kill_chain_phases | KillChainPhase Object List | The list of Kill Chain Phases for which this Attack Pattern is used. | |
language | ShortString String | The human language this object is specified in. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. | |
x_mitre_contributors | ShortString String List | ATT&CK Technique.Contributors | |
x_mitre_data_sources | ShortString String List | ATT&CK Technique.Data Sources | |
x_mitre_platforms | ShortString String List | ATT&CK Technique.Platforms |
- Reference: Attack Pattern
abstraction_level: The CAPEC abstraction level for patterns describing techniques to attack a system.
- This entry is optional
- Abstraction levels corresponding to CAPEC data describing attack-pattern objects.
- Allowed Values:
  - aggregate
  - category
  - detailed
  - meta
  - standard
- Reference: Common Attack Pattern Enumeration and Classification
description: A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics.
- This entry is required
- Markdown string with at most 5000 characters
external_ids
- This entry is optional
- This entry's type is sequential (allows zero or more values)
external_references: A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- ExternalReference Object Value
- Details: ExternalReference Object
id: Globally unique URI identifying this object.
- This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
kill_chain_phases: The list of Kill Chain Phases for which this Attack Pattern is used.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- KillChainPhase Object Value
- Details: KillChainPhase Object
language: The human language this object is specified in.
- This entry is optional
- String with at most 1024 characters
name: A name used to identify the Attack Pattern.
- This entry is required
- String with at most 1024 characters
revision: A monotonically increasing revision, incremented each time the object is changed.
- This entry is optional
- Zero, or a positive integer
schema_version: CTIM schema version for this entity
- This entry is required
- A semantic version matching the CTIM version against which this object should be valid.
source
- This entry is optional
- String with at most 2048 characters
source_uri
- This entry is optional
- A URI
timestamp: The time this object was created at, or last modified.
- This entry is optional
- Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
tlp: Specification for how, and to whom, this object can be shared.
- This entry is optional
- TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white
type
- This entry is required
- Must equal: "attack-pattern"
x_mitre_contributors: ATT&CK Technique.Contributors
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- String with at most 1024 characters
x_mitre_data_sources: ATT&CK Technique.Data Sources
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- String with at most 1024 characters
x_mitre_platforms: ATT&CK Technique.Platforms
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- String with at most 1024 characters
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
- Reference: External Reference
description
- This entry is optional
- Markdown string with at most 5000 characters
external_id: An identifier for the external reference content.
- This entry is optional
hashes: Specifies a dictionary of hashes for the contents of the url.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
source_name: The source within which the external-reference is defined (system, registry, organization, etc.)
- This entry is required
- String with at most 2048 characters
url: A URL reference to an external resource
- This entry is optional
- A URI
The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
- Reference: Kill Chain Phase
kill_chain_name: The name of the kill chain.
- This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Must equal: "lockheed-martin-cyber-kill-chain"
- Reference: Open Vocabulary
phase_name: The name of the phase in the kill chain.
- This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Allowed Values:
  - actions-on-objective
  - command-and-control
  - delivery
  - exploitation
  - installation
  - reconnaissance
  - weaponization
- Reference: Open Vocabulary
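As an added example (not part of the CTIM documentation or the CTIM project's own code), the following Python validator checks an Attack Pattern object against the constraints stated in the Attack Pattern, External Reference and Kill Chain Phase tables above: the required fields, the literal type value, the description length limit, the CAPEC external-reference rule, the TLP vocabulary with its green default, and the kill chain name and phase vocabularies. The two sample objects and the example.invalid id are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constraints as listed on the CTIM Attack Pattern schema page.
REQUIRED = ("description", "id", "name", "schema_version", "type")
ABSTRACTION_LEVELS = {"aggregate", "category", "detailed", "meta", "standard"}
TLP_VALUES = {"amber", "green", "red", "white"}
KILL_CHAIN_NAME = "lockheed-martin-cyber-kill-chain"
PHASE_NAMES = {"actions-on-objective", "command-and-control", "delivery",
               "exploitation", "installation", "reconnaissance", "weaponization"}
CAPEC_ID = re.compile(r"^CAPEC-\d+$")  # external_id MUST be formatted as CAPEC-[id]


def validate_attack_pattern(obj):
    """Return a list of violations; an empty list means the object conforms."""
    errors = [f"missing required field: {k}" for k in REQUIRED if k not in obj]
    if obj.get("type") != "attack-pattern":
        errors.append("type must equal 'attack-pattern'")
    if len(obj.get("description", "")) > 5000:
        errors.append("description exceeds 5000 characters")
    # IDs are URIs: require at least a scheme and a host (first two parse fields).
    if "id" in obj and not all(urlparse(obj["id"])[:2]):
        errors.append("id must be a URI")
    if "abstraction_level" in obj and obj["abstraction_level"] not in ABSTRACTION_LEVELS:
        errors.append(f"unknown abstraction_level: {obj['abstraction_level']!r}")
    if obj.get("tlp", "green") not in TLP_VALUES:  # page default is green
        errors.append(f"unknown tlp: {obj['tlp']!r}")
    for ref in obj.get("external_references", []):
        if "source_name" not in ref:
            errors.append("external reference is missing source_name")
        # CAPEC rule: source_name 'capec' MUST pair with an external_id of the form CAPEC-[id]
        if ref.get("source_name") == "capec" and not CAPEC_ID.match(ref.get("external_id", "")):
            errors.append(f"malformed CAPEC external_id: {ref.get('external_id')!r}")
    for phase in obj.get("kill_chain_phases", []):
        if phase.get("kill_chain_name") != KILL_CHAIN_NAME:
            errors.append(f"unexpected kill_chain_name: {phase.get('kill_chain_name')!r}")
        if phase.get("phase_name") not in PHASE_NAMES:
            errors.append(f"unknown phase_name: {phase.get('phase_name')!r}")
    return errors


# Constructed sample objects (not from the page): one conforming, one deliberately broken.
SAMPLE_OK = {
    "type": "attack-pattern", "schema_version": "1.0",
    "id": "https://example.invalid/ctia/attack-pattern/attack-pattern-0000",
    "name": "Phishing", "description": "Social-engineering delivery of a lure.",
    "abstraction_level": "standard", "tlp": "green",
    "external_references": [{"source_name": "capec", "external_id": "CAPEC-98"}],
    "kill_chain_phases": [{"kill_chain_name": KILL_CHAIN_NAME, "phase_name": "delivery"}],
}
SAMPLE_BAD = dict(SAMPLE_OK, tlp="purple",
                  external_references=[{"source_name": "capec", "external_id": "98"}])
```

Run `validate_attack_pattern(SAMPLE_BAD)` to see the two violations (an unknown TLP and a CAPEC reference whose external_id lacks the CAPEC- prefix) reported together rather than on the first failure.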