A closer look at the MITRE ATT&CK STIX 2.1 custom objects and properties

If you’re new to STIX, I’d recommend first jumping back into my STIX tutorial to really understand the concept of STIX customisation before continuing.

Those who are familiar with STIX customisation, read on.

You might also have noticed that many Custom STIX Properties are used in addition to the default STIX 2.1 Properties on each ATT&CK STIX Object.

Custom Properties are easily identifiable in STIX 2.1, as their Property names should always start with x_. In the case of ATT&CK, MITRE always use the prefix x_mitre_, for example x_mitre_version.

Note, as described in this post, this way to define a custom property is now deprecated by STIX.

In addition to custom properties, ATT&CK is also represented using a mix of core STIX 2.1 Domain Objects and some Custom SDOs. These custom objects can be identified where their type starts with x-. For reference, here are the custom SDOs created by MITRE for ATT&CK,

  • Matrix (x-mitre-matrix)
  • Data Sources (x-mitre-data-source)
  • Data Component (x-mitre-data-component)
  • Tactic (x-mitre-tactic)

A list of all STIX Objects used by ATT&CK, and the custom properties they contain, can be viewed here too. Let me try and summarise…

Custom Properties shared between all Objects

The STIX 2.1 Specification sets predefined Properties for each SDO.

Where these Properties do not meet the needs of ATT&CK, MITRE have created their own.

These are the shared Custom Properties used by MITRE for all ATT&CK STIX 2.1 Objects.

  • x_mitre_domains: sets the ATT&CK Domain. Currently one of enterprise-attack, ics-attack, or mobile-attack. Can contain more than one value if the Object crosses Domains.
    • e.g. "x_mitre_domains": ["enterprise-attack", "mobile-attack"]
  • x_mitre_platforms defines the platform(s) the Technique or Sub-Technique affects as a list. Specific for each domain:
    • for enterprise-attack: PRE, Linux, MacOS, Windows, Network, Office 365, Azure AD, SaaS, IaaS, Google Workspace, Containers
    • for ics-attack: none
    • for mobile-attack: android, iOS
    • e.g. "x_mitre_platforms": ["Windows", "Android"]
  • x_mitre_version: the version assigned by MITRE. The MITRE version is updated when MITRE make changes to the Object. In many cases, Objects (and thus their versions) do not change as ATT&CK version increases.
    • e.g. "x_mitre_version": "1.1"
  • x_mitre_modified_by_ref: A reference to the MITRE identity STIX 2.1 Object.
    • e.g. "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
  • x_mitre_contributors: A list of contributors who helped create or update the Object.
    • e.g. "x_mitre_contributors": ["Chris Ross @xorrior"]
  • x_mitre_attack_spec_version: This is MITRE’s way of tracking the STIX version used.
    • e.g. "x_mitre_attack_spec_version": "2.1.0"
  • x_mitre_deprecated: Between releases of ATT&CK, some Objects are deprecated. If the value for this Property is true it means the Object is deprecated from the version of ATT&CK being viewed.
    • e.g. "x_mitre_deprecated": true

Unique Custom Properties specific to Tactic Objects (x-mitre-tactic--)

The following Custom Properties are unique to ATT&CK Tactic Objects;

  • x_mitre_shortname: the slug for the Tactic name.
    • e.g. "x_mitre_shortname": "lateral-movement"

Unique Custom Properties specific to Technique and Sub-Technique Objects (attack-pattern)

The following Custom Properties are unique to ATT&CK Technique and Sub-Technique (attack-pattern) Objects;

  • x_mitre_is_subtechnique (Enterprise only): because the attack-pattern Object is used by both Techniques and Sub-Techniques, this Property sets the distinction. Note, the other fields of Techniques and Sub-Techniques are the same.
    • e.g. "x_mitre_is_subtechnique": true
  • x_mitre_permissions_required (Enterprise only): a plain text list that defines the permissions the Technique needs.
    • e.g. "x_mitre_permissions_required": ["Administrator", "User"]
  • x_mitre_effective_permissions (Enterprise domain in the Privilege Escalation tactic): The lowest level of permissions the adversary is required to be operating within to perform the technique on a system.
  • x_mitre_defense_bypassed (Enterprise domain in the Defense Evasion tactic): List of defensive tools, methodologies, or processes the technique can bypass.
  • x_mitre_remote_support (Enterprise domain in the Execution tactic): If true, the technique can be used to execute something on a remote system.
  • x_mitre_impact_type (Enterprise domain in the Impact tactic): Denotes if the technique can be used for integrity or availability attacks.
  • x_mitre_detection: a plain text description of how the Technique can be detected.
    • e.g. "x_mitre_detection": "Monitor for new, unfamiliar DLL files written to a domain controller ..."
  • x_mitre_data_sources (Enterprise & ICS domains): a plain text list that defines the data sources the Technique needs. Note, this is not related to the defined ATT&CK Data Source Objects (x-mitre-data-source), which are linked to Techniques via Relationships.
    • e.g. "x_mitre_data_sources": ["Network Traffic: Network Connection Creation", "Command: Command Execution", "Process: Process Creation"]
  • x_mitre_system_requirements: a list that defines the system requirements the Technique needs.
    • e.g. "x_mitre_system_requirements": ["Ability to update component device firmware from the host operating system."]
  • x_mitre_tactic_type (Mobile only): “Post-Adversary Device Access”, “Pre-Adversary Device Access”, or “Without Adversary Device Access”.

Unique Custom Properties specific to Software Objects (malware and tool)

The following Custom Properties are unique to ATT&CK Software (malware and tool) Objects;

  • x_mitre_aliases: A list of aliases for the Software name. Shown in the MITRE UI as Associated Software.
    • e.g. "x_mitre_aliases": ["Orz", "AIRBREAK"]
    • Note, other core STIX 2.1 Objects, including intrusion-set, use the aliases Core Property. The aliases Property is not in either the malware or tool Object Specification, hence MITRE use a Custom Property here.

Unique Custom Properties specific to Data Source Objects (x-mitre-data-source)

The following Custom Properties are unique to ATT&CK Data Source (x-mitre-data-source) Objects;

  • x_mitre_collection_layers: A list of where the data source may be physically collected (ex: Host, Network, Cloud Control Plane, etc.)
    • e.g. "x_mitre_collection_layers": ["Container", "Host"]

Unique Custom Properties specific to Data Component Objects (x-mitre-data-component)

The following Custom Properties are unique to ATT&CK Data Component (x-mitre-data-component) Objects;

  • x_mitre_data_source_ref: The STIX 2.1 ID of the x-mitre-data-source
    • e.g. "x_mitre_data_source_ref": "x-mitre-data-source--b86d9b40-5fbe-4ef1-8dc3-263eff26f495"
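As an added example (my own code, not from the post or from MITRE), here is a small Python script that puts the shared Properties (x_mitre_domains, x_mitre_platforms, x_mitre_deprecated) and the x_mitre_data_source_ref link to work over a constructed miniature bundle. The bundle, its object names and its placeholder UUIDs are invented for the example; only the properties discussed above are included.

```python
import json

# Constructed miniature ATT&CK-style STIX 2.1 bundle (not real ATT&CK data);
# IDs are placeholder UUIDs and only the properties discussed above are shown.
SAMPLE_BUNDLE = json.loads("""{
  "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
     "name": "Example Technique A", "x_mitre_domains": ["enterprise-attack"],
     "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_is_subtechnique": false,
     "x_mitre_deprecated": false},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a2",
     "name": "Example Sub-Technique B", "x_mitre_domains": ["enterprise-attack", "mobile-attack"],
     "x_mitre_platforms": ["Windows", "Android"], "x_mitre_is_subtechnique": true,
     "x_mitre_deprecated": true},
    {"type": "x-mitre-data-source", "id": "x-mitre-data-source--00000000-0000-4000-8000-0000000000d1",
     "name": "Process", "x_mitre_collection_layers": ["Host"]},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--00000000-0000-4000-8000-0000000000c1",
     "name": "Process Creation",
     "x_mitre_data_source_ref": "x-mitre-data-source--00000000-0000-4000-8000-0000000000d1"}
  ]}""")


def custom_props(obj):
    """Return the custom properties of one STIX object, using the x_ prefix rule."""
    return {k: v for k, v in obj.items() if k.startswith("x_")}


def active_techniques(bundle, domain, platform=None):
    """Names of attack-pattern objects in `domain` (optionally `platform`) not flagged deprecated."""
    names = []
    for o in bundle["objects"]:
        if o.get("type") != "attack-pattern" or o.get("x_mitre_deprecated", False):
            continue  # not a Technique/Sub-Technique, or deprecated in this release
        if domain not in o.get("x_mitre_domains", []):
            continue  # x_mitre_domains is a list; an Object may span several Domains
        if platform and platform not in o.get("x_mitre_platforms", []):
            continue
        names.append(o["name"])
    return names


def data_component_sources(bundle):
    """Map each Data Component name to its Data Source name via x_mitre_data_source_ref."""
    sources = {o["id"]: o["name"] for o in bundle["objects"] if o["type"] == "x-mitre-data-source"}
    return {o["name"]: sources.get(o.get("x_mitre_data_source_ref"), "<unresolved>")
            for o in bundle["objects"] if o["type"] == "x-mitre-data-component"}
```

Swapping SAMPLE_BUNDLE for a real enterprise-attack.json bundle makes the same functions work unchanged, since they rely only on the Property names described above.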