We’re fairly new to MITRE ATT&CK beyond the tactic and technique level. One of the things I’m most stuck on is why some Software in MITRE ATT&CK is both a Tool and Malware object in STIX.
Is there a document that explains more about what MITRE ATT&CK object type is mapped to what STIX object type to help me better understand it?
Ha! You’re not alone.
To answer your question about why ATT&CK Software (Software | MITRE ATT&CK®) has both STIX Tool and Malware objects is quite simple…
Malware (malware) represents some ATT&CK Software objects, for Software entries that are deemed malicious (e.g. 4H RAT, Software S0065 | MITRE ATT&CK®)
Tools (tool) also represent some ATT&CK software entries, but unlike Malware, they represent objects that are that is benign (e.g. can be used by defenders, like netstat netstat, Software S0104 | MITRE ATT&CK®)
More generally, here’s something I wrote up a while ago you’ll find useful…
Tactic = STIX object x-mitre-tacticTactics (x-mitre-tactic--) represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.
https://attack.mitre.org/tactics/
Tactics have IDs in format: TANNNN
For example, Tactic TA0043 Reconnaissance: Reconnaissance, Tactic TA0043 - Enterprise | MITRE ATT&CK®
{
"x_mitre_domains": [
"enterprise-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
"type": "x-mitre-tactic",
"created": "2020-10-02T14:48:41.809Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"external_id": "TA0043",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0043"
}
],
"modified": "2020-10-18T02:04:50.842Z",
"name": "Reconnaissance",
"description": "The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_shortname": "reconnaissance"
}
Technique = STIX object attack-patternTechniques (attack-pattern with Custom Property "x_mitre_is_subtechnique": false) represent ‘how’ an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
https://attack.mitre.org/techniques/
Techniques have IDs in format: TNNNN
For example, Technique T1595 Active Scanning: Active Scanning, Technique T1595 - Enterprise | MITRE ATT&CK®
{
"x_mitre_platforms": [
"PRE"
],
"x_mitre_domains": [
"enterprise-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b",
"type": "attack-pattern",
"created": "2020-10-02T16:53:16.526Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1595",
"url": "https://attack.mitre.org/techniques/T1595"
},
{
"source_name": "Botnet Scan",
"url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf",
"description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020."
},
{
"source_name": "OWASP Fingerprinting",
"url": "https://wiki.owasp.org/index.php/OAT-004_Fingerprinting",
"description": "OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved October 20, 2020."
}
],
"modified": "2022-03-08T20:58:13.661Z",
"name": "Active Scanning",
"description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
"x_mitre_version": "1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content"
],
"x_mitre_is_subtechnique": false
}
Note, how x_mitre_is_subtechnique = false indicating this is not a sub-technique.
Sub-Technique = STIX object attack-patternSub-Techniques (attack-pattern with Custom Property "x_mitre_is_subtechnique": true) are a more specific implementation of a Technique (they children to a parent).
For example, T1595.001 Scanning IP Blocks is a Sub-Technique of Technique T1595 Active Scanning.
Techniques have IDs in format: TNNNN.NNN
For example, Sub-Technique T1595.001 Scanning IP Blocks: Active Scanning: Scanning IP Blocks, Sub-technique T1595.001 - Enterprise | MITRE ATT&CK®
{
"x_mitre_platforms": [
"PRE"
],
"x_mitre_domains": [
"enterprise-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120",
"type": "attack-pattern",
"created": "2020-10-02T16:54:23.193Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1595.001",
"url": "https://attack.mitre.org/techniques/T1595/001"
},
{
"source_name": "Botnet Scan",
"url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf",
"description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020."
}
],
"modified": "2021-04-15T03:19:38.469Z",
"name": "Scanning IP Blocks",
"description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
"x_mitre_is_subtechnique": true,
"x_mitre_version": "1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow"
]
}
This time note how x_mitre_is_subtechnique = true. This is how Techniques and Sub-Techniques can be most easily differentiated.
Mitigation = STIX object course-of-actionA Course of Action (course-of-action) represents ATT&CK Mitigations.
https://attack.mitre.org/mitigations/
Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
Mitigations have IDs in format: MNNNN
For example, Mitigation M1049 - Antivirus/Antimalware: Antivirus/Antimalware, Mitigation M1049 - Enterprise | MITRE ATT&CK®
{
"x_mitre_domains": [
"enterprise-attack"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
"type": "course-of-action",
"created": "2019-06-11T17:08:33.055Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "M1049",
"url": "https://attack.mitre.org/mitigations/M1049"
}
],
"modified": "2020-03-31T13:07:15.684Z",
"name": "Antivirus/Antimalware",
"description": "Use signatures or heuristics to detect malicious software.",
"x_mitre_version": "1.1",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Groups = STIX object intrusion-setIntrusion Sets (intrusion-set) represent ATT&CK Groups.
https://attack.mitre.org/groups/
Groups are sets of related intrusion activity that are tracked by a common name in the security community.
Groups have IDs in format: GNNNN
For example, Group G0016 - APT29: APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard, Group G0016 | MITRE ATT&CK®
{
"modified": "2023-10-02T21:33:07.807Z",
"name": "APT29",
"description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)",
"aliases": [
"APT29",
"IRON RITUAL",
"IRON HEMLOCK",
"NobleBaron",
"Dark Halo",
"StellarParticle",
"NOBELIUM",
"UNC2452",
"YTTRIUM",
"The Dukes",
"Cozy Bear",
"CozyDuke",
"SolarStorm",
"Blue Kitsune",
"UNC3524"
],
"x_mitre_deprecated": false,
"x_mitre_version": "5.0",
"x_mitre_contributors": [
"Daniyal Naeem, BT Security",
"Matt Brenton, Zurich Insurance Group",
"Katie Nickels, Red Canary",
"Joe Gumke, U.S. Bank"
],
"type": "intrusion-set",
"id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542",
"created": "2017-05-31T21:31:52.748Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0016",
"external_id": "G0016"
},
{
"source_name": "CozyDuke",
"description": "(Citation: Crowdstrike DNC June 2016)"
},
{
"source_name": "Cozy Bear",
"description": "(Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: CrowdStrike StellarParticle January 2022)"
},
{
"source_name": "StellarParticle",
"description": "(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: CrowdStrike StellarParticle January 2022)"
},
{
"source_name": "The Dukes",
"description": "(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)"
},
{
"source_name": "APT29",
"description": "(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)"
},
{
"source_name": "UNC2452",
"description": "(Citation: FireEye SUNBURST Backdoor December 2020)"
},
{
"source_name": "UNC3524",
"description": "(Citation: Mandiant APT29 Eye Spy Email Nov 22)"
},
{
"source_name": "YTTRIUM",
"description": "(Citation: Microsoft Unidentified Dec 2018)"
},
{
"source_name": "NOBELIUM",
"description": "(Citation: MSTIC NOBELIUM Mar 2021)(Citation: MSTIC NOBELIUM May 2021)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: MSRC Nobelium June 2021)"
},
{
"source_name": "Blue Kitsune",
"description": "(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)"
},
{
"source_name": "IRON HEMLOCK",
"description": "(Citation: Secureworks IRON HEMLOCK Profile)"
},
{
"source_name": "IRON RITUAL",
"description": "(Citation: Secureworks IRON RITUAL Profile)"
},
{
"source_name": "NobleBaron",
"description": "(Citation: SentinelOne NobleBaron June 2021)"
},
{
"source_name": "SolarStorm",
"description": "(Citation: Unit 42 SolarStorm December 2020)"
},
{
"source_name": "Dark Halo",
"description": "(Citation: Volexity SolarWinds)"
},
{
"source_name": "Crowdstrike DNC June 2016",
"description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.",
"url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
},
{
"source_name": "Volexity SolarWinds",
"description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.",
"url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
},
{
"source_name": "CrowdStrike SUNSPOT Implant January 2021",
"description": "CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.",
"url": "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
},
{
"source_name": "CrowdStrike StellarParticle January 2022",
"description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.",
"url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
},
{
"source_name": "GRIZZLY STEPPE JAR",
"description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.",
"url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"
},
{
"source_name": "FireEye APT29 Nov 2018",
"description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.",
"url": "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html"
},
{
"source_name": "F-Secure The Dukes",
"description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.",
"url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
},
{
"source_name": "ESET Dukes October 2019",
"description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
},
{
"source_name": "FireEye SUNBURST Backdoor December 2020",
"description": "FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
},
{
"source_name": "SentinelOne NobleBaron June 2021",
"description": "Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.",
"url": "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/"
},
{
"source_name": "Mandiant APT29 Eye Spy Email Nov 22",
"description": "Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.",
"url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email"
},
{
"source_name": "Microsoft Unidentified Dec 2018",
"description": "Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.",
"url": "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/"
},
{
"source_name": "MSTIC NOBELIUM May 2021",
"description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
},
{
"source_name": "MSRC Nobelium June 2021",
"description": "MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.",
"url": "https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/"
},
{
"source_name": "MSTIC Nobelium Toolset May 2021",
"description": "MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
},
{
"source_name": "MSTIC NOBELIUM Mar 2021",
"description": "Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
},
{
"source_name": "NCSC APT29 July 2020",
"description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.",
"url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf"
},
{
"source_name": "Cybersecurity Advisory SVR TTP May 2021",
"description": "NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.",
"url": "https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf"
},
{
"source_name": "NSA Joint Advisory SVR SolarWinds April 2021",
"description": "NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.",
"url": "https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF"
},
{
"source_name": "PWC WellMess C2 August 2020",
"description": "PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.",
"url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html"
},
{
"source_name": "PWC WellMess July 2020",
"description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.",
"url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html"
},
{
"source_name": "Secureworks IRON HEMLOCK Profile",
"description": "Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.",
"url": "http://www.secureworks.com/research/threat-profiles/iron-hemlock"
},
{
"source_name": "Secureworks IRON RITUAL Profile",
"description": "Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.",
"url": "https://www.secureworks.com/research/threat-profiles/iron-ritual"
},
{
"source_name": "UK Gov Malign RIS Activity April 2021",
"description": "UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021.",
"url": "https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services"
},
{
"source_name": "UK Gov UK Exposes Russia SolarWinds April 2021",
"description": "UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021.",
"url": "https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise"
},
{
"source_name": "UK NSCS Russia SolarWinds April 2021",
"description": "UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.",
"url": "https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise"
},
{
"source_name": "Unit 42 SolarStorm December 2020",
"description": "Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.",
"url": "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/"
},
{
"source_name": "White House Imposing Costs RU Gov April 2021",
"description": "White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.",
"url": "https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Software = STIX object malwareMalware (malware) represents ATT&CK Software.
https://attack.mitre.org/software/
Software have IDs in format: SNNNN
For example, Software S0331 - Agent Tesla: Agent Tesla, Software S0331 | MITRE ATT&CK®
{
"modified": "2023-09-11T20:13:18.738Z",
"name": "Agent Tesla",
"description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_version": "1.3",
"x_mitre_aliases": [
"Agent Tesla"
],
"type": "malware",
"id": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"created": "2019-01-29T18:44:04.748Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0331",
"external_id": "S0331"
},
{
"source_name": "Agent Tesla",
"description": "(Citation: Fortinet Agent Tesla April 2018)(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)"
},
{
"source_name": "Bitdefender Agent Tesla April 2020",
"description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.",
"url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/"
},
{
"source_name": "Talos Agent Tesla Oct 2018",
"description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.",
"url": "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html"
},
{
"source_name": "Malwarebytes Agent Tesla April 2020",
"description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.",
"url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/"
},
{
"source_name": "DigiTrust Agent Tesla Jan 2017",
"description": "The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.",
"url": "https://www.digitrustgroup.com/agent-tesla-keylogger/"
},
{
"source_name": "Fortinet Agent Tesla April 2018",
"description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
"url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"labels": [
"malware"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Software = STIX object toolTools (tool) also represents a type of software, but unlike Malware, they represent objects that are that is benign.
Tools also have IDs in format: SNNNN
ATT&CK “S” IDs, can be determined whether they are Malware and Tools by the STIX objects used, Malware and Software objects respectively. Both object types also use the labels property of the object using the labels = malware or tool values respectively which can also be used for this reason.
For example, Software S0104 - netstat: netstat, Software S0104 | MITRE ATT&CK®
{
"modified": "2023-07-25T19:25:05.678Z",
"name": "netstat",
"description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_version": "1.2",
"x_mitre_aliases": [
"netstat"
],
"type": "tool",
"id": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
"created": "2017-05-31T21:33:04.545Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0104",
"external_id": "S0104"
},
{
"source_name": "TechNet Netstat",
"description": "Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.",
"url": "https://technet.microsoft.com/en-us/library/bb490947.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"labels": [
"tool"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Note, the labels=[tool], indicating this an ATT&CK Tool Object (and not Malware.)
Data Source = STIX object x-mitre-data-sourceData Sources (x-mitre-data-source) represent the various subjects/topics of information that can be collected by sensors/logs.
https://attack.mitre.org/datasources/
Data Sources have IDs in format: DSNNNN
For example, Data Source DS0029 - Network Traffic: Network Traffic, Data Source DS0029 | MITRE ATT&CK®
{
"modified": "2023-04-20T18:38:13.356Z",
"name": "Network Traffic",
"description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
"x_mitre_platforms": [
"IaaS",
"Linux",
"Windows",
"macOS",
"Android",
"iOS"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack",
"mobile-attack"
],
"x_mitre_version": "1.1",
"x_mitre_contributors": [
"Center for Threat-Informed Defense (CTID)",
"ExtraHop"
],
"x_mitre_collection_layers": [
"Cloud Control Plane",
"Host",
"Network"
],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
"created": "2021-10-20T15:05:19.274Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/datasources/DS0029",
"external_id": "DS0029"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Data Component = STIX object x-mitre-data-componentData components are children of Data Sources.
Data Components identify specific properties/values of a data source relevant to detecting a given ATT&CK technique or sub-technique. For example, Network Traffic is the Data Source and Network Traffic Flow is one of the Data Components linked to it.
Data Components don’t ave any ID’s.
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"type": "x-mitre-data-component",
"created": "2021-10-20T15:05:19.274Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2021-10-20T15:05:19.274Z",
"name": "Network Traffic Flow",
"description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)",
"x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
You can see the relationship to the Data Source in the x_mitre_data_source_ref property (in this case x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3, DS0029 - Network Traffic)
Matrix = STIX object x-mitre-matrixThe Matrix (x-mitre-matrix) object captures specific information about the Matrix for the Domain being covered (there is one Matrix object per Domain);
{
"tactic_refs": [
"x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
"x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400",
"x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
"x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
"x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
"x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd",
"x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
"x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
"x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
"x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
"x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
"x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
"x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
"x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc",
"type": "x-mitre-matrix",
"created": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"external_id": "enterprise-attack",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/matrices/enterprise"
}
],
"modified": "2022-04-01T20:43:55.937Z",
"name": "Enterprise ATT&CK",
"description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Enterprise. The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
The main purpose of this object is to group the Tactic objects (x-mitre-tactic) associated with the domain.
STIX Relationship Objects are also used to link Object types that have a connection, e.g. a Malware to a Technique (to describe the technique a malware utilises).
Note, as shown earlier, STIX embedded relationships are also used in some cases (e.g. as shown to link a data component to a data source).
Here’s an example SRO linking a Data Component to a Technique (Data Component detects the Technique)…
{
"type": "relationship",
"id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41",
"created": "2022-05-11T16:22:58.806Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2022-09-26T15:15:33.180Z",
"description": "Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"x_mitre_deprecated": false,
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Software = STIX object malwareMalware (malware) represents ATT&CK Software.
https://attack.mitre.org/software/
Software have IDs in format: SNNNN
For example, Software S0331 - Agent Tesla: Agent Tesla, Software S0331 | MITRE ATT&CK®
{
"modified": "2023-09-11T20:13:18.738Z",
"name": "Agent Tesla",
"description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_version": "1.3",
"x_mitre_aliases": [
"Agent Tesla"
],
"type": "malware",
"id": "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"created": "2019-01-29T18:44:04.748Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0331",
"external_id": "S0331"
},
{
"source_name": "Agent Tesla",
"description": "(Citation: Fortinet Agent Tesla April 2018)(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)"
},
{
"source_name": "Bitdefender Agent Tesla April 2020",
"description": "Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.",
"url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/"
},
{
"source_name": "Talos Agent Tesla Oct 2018",
"description": "Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.",
"url": "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html"
},
{
"source_name": "Malwarebytes Agent Tesla April 2020",
"description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.",
"url": "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/"
},
{
"source_name": "DigiTrust Agent Tesla Jan 2017",
"description": "The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.",
"url": "https://www.digitrustgroup.com/agent-tesla-keylogger/"
},
{
"source_name": "Fortinet Agent Tesla April 2018",
"description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
"url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"labels": [
"malware"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Software = STIX object toolTools (tool) also represents a type of software, but unlike Malware, they represent objects that are that is benign.
Tools also have IDs in format: SNNNN
ATT&CK “S” IDs, can be determined whether they are Malware and Tools by the STIX objects used, Malware and Software objects respectively. Both object types also use the labels property of the object using the labels = malware or tool values respectively which can also be used for this reason.
For example, Software S0104 - netstat: netstat, Software S0104 | MITRE ATT&CK®
{
"modified": "2023-07-25T19:25:05.678Z",
"name": "netstat",
"description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_version": "1.2",
"x_mitre_aliases": [
"netstat"
],
"type": "tool",
"id": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
"created": "2017-05-31T21:33:04.545Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0104",
"external_id": "S0104"
},
{
"source_name": "TechNet Netstat",
"description": "Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.",
"url": "https://technet.microsoft.com/en-us/library/bb490947.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"labels": [
"tool"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Note, the labels=[tool], indicating this an ATT&CK Tool Object (and not Malware.)
Data Source = STIX object x-mitre-data-sourceData Sources (x-mitre-data-source) represent the various subjects/topics of information that can be collected by sensors/logs.
https://attack.mitre.org/datasources/
Data Sources have IDs in format: DSNNNN
For example, Data Source DS0029 - Network Traffic: Network Traffic, Data Source DS0029 | MITRE ATT&CK®
{
"modified": "2023-04-20T18:38:13.356Z",
"name": "Network Traffic",
"description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
"x_mitre_platforms": [
"IaaS",
"Linux",
"Windows",
"macOS",
"Android",
"iOS"
],
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack",
"mobile-attack"
],
"x_mitre_version": "1.1",
"x_mitre_contributors": [
"Center for Threat-Informed Defense (CTID)",
"ExtraHop"
],
"x_mitre_collection_layers": [
"Cloud Control Plane",
"Host",
"Network"
],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
"created": "2021-10-20T15:05:19.274Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/datasources/DS0029",
"external_id": "DS0029"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Data Component = STIX object x-mitre-data-componentData components are children of Data Sources.
Data Components identify specific properties/values of a data source relevant to detecting a given ATT&CK technique or sub-technique. For example, Network Traffic is the Data Source and Network Traffic Flow is one of the Data Components linked to it.
Data Components don’t ave any ID’s.
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"type": "x-mitre-data-component",
"created": "2021-10-20T15:05:19.274Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2021-10-20T15:05:19.274Z",
"name": "Network Traffic Flow",
"description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)",
"x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
You can see the relationship to the Data Source in the x_mitre_data_source_ref property (in this case x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3, DS0029 - Network Traffic)
Matrix = STIX object x-mitre-matrixThe Matrix (x-mitre-matrix) object captures specific information about the Matrix for the Domain being covered (there is one Matrix object per Domain);
{
"tactic_refs": [
"x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592",
"x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400",
"x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
"x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
"x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
"x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd",
"x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
"x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
"x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
"x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
"x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
"x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
"x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
"x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc",
"type": "x-mitre-matrix",
"created": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"external_id": "enterprise-attack",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/matrices/enterprise"
}
],
"modified": "2022-04-01T20:43:55.937Z",
"name": "Enterprise ATT&CK",
"description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Enterprise. The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
The main purpose of this object is to group the Tactic objects (x-mitre-tactic) associated with the domain.
STIX Relationship Objects are also used to link Object types that have a connection, e.g. a Malware to a Technique (to describe the technique a malware utilises).
Note, as shown earlier, STIX embedded relationships are also used in some cases (e.g. as shown to link a data component to a data source).
Here’s an example SRO linking a Data Component to a Technique (Data Component detects the Technique)…
{
"type": "relationship",
"id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41",
"created": "2022-05-11T16:22:58.806Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2022-09-26T15:15:33.180Z",
"description": "Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"x_mitre_deprecated": false,
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
Wow. That’s more than I could have hoped for. Thanks.
One question, on the MITRE ATT&CK website under data sources (e.g. AD: Active Directory, Data Source DS0026 | MITRE ATT&CK®) the data components show as ATT&CK Techniques which is different to your diagram.
Is your diagram correct?
Hey @packet_rat,
My diagram is correct, though I know where the confusion stems from.
Lets look at the STIX object for Active Directory (DS0026)…
{
"type": "bundle",
"id": "bundle--b330d362-4f30-404a-8283-b3aab2b5eae4",
"spec_version": "2.0",
"objects": [
{
"x_mitre_platforms": [
"Azure AD",
"Windows"
],
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_contributors": [
"Center for Threat-Informed Defense (CTID)"
],
"x_mitre_collection_layers": [
"Cloud Control Plane",
"Host"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8",
"type": "x-mitre-data-source",
"created": "2021-10-20T15:05:19.274Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/datasources/DS0026",
"external_id": "DS0026"
},
{
"source_name": "Microsoft AD DS Getting Started",
"description": "Foulds, I. et al. (2018, August 7). AD DS Getting Started. Retrieved September 23, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started"
}
],
"modified": "2022-03-30T14:26:51.803Z",
"name": "Active Directory",
"description": "A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started)",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}
Now keep that in mind, but it’s not super important ATM.
Now look in your screenshot, it reads “Active Directory: Active Directory Credential Request”.
“Active Directory Credential Request” is the ATT&CK Data Component.
{
"type": "bundle",
"id": "bundle--52e9316b-67f0-4841-b90e-346c16deaeb6",
"spec_version": "2.0",
"objects": [
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-data-component--02d090b6-8157-48da-98a2-517f7edd49fc",
"type": "x-mitre-data-component",
"created": "2021-10-20T15:05:19.274Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2021-10-20T15:05:19.274Z",
"name": "Active Directory Credential Request",
"description": "A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)",
"x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}
See it is linked to the Active Directory Data Source under the x_mitre_data_source_ref property.
Thus you see them linked in my diagram without a relationship (as they are linked using the STIX embedded relationship, not a STIX Relationship object).
Not wanting to confuse you, it’s also important to make you aware of how Techniques point to Data Components. Take T1649 in your screenshot…
{
"type": "bundle",
"id": "bundle--587de7da-3292-416a-9902-b3c25766fa6e",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-03-02T19:06:41.828Z",
"name": "Steal or Forge Authentication Certificates",
"description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate\u2019s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate\u2019s subject alternative name (SAN) values define the certificate owner\u2019s alternate names.(Citation: Medium Certified Pre Owned)\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as \u201cgolden\u201d certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_detection": "",
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS",
"Azure AD"
],
"x_mitre_is_subtechnique": false,
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_version": "1.1",
"x_mitre_contributors": [
"Tristan Bennett, Seamless Intelligence",
"Lee Christensen, SpecterOps",
"Thirumalai Natarajan, Mandiant"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Application Log: Application Log Content",
"Active Directory: Active Directory Credential Request",
"Active Directory: Active Directory Object Modification",
"Windows Registry: Windows Registry Key Access",
"File: File Access",
"Logon Session: Logon Session Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--7de1f7ac-5d0c-4c9c-8873-627202205331",
"created": "2022-08-03T03:20:58.955Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1649",
"external_id": "T1649"
},
{
"source_name": "GitHub GhostPack Certificates",
"description": "HarmJ0y. (2018, August 22). SharpDPAPI - Certificates. Retrieved August 2, 2022.",
"url": "https://github.com/GhostPack/SharpDPAPI#certificates"
},
{
"source_name": "Microsoft AD CS Overview",
"description": "Microsoft. (2016, August 31). Active Directory Certificate Services Overview. Retrieved August 2, 2022.",
"url": "https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740(v=ws.11)"
},
{
"source_name": "Medium Certified Pre Owned",
"description": "Schroeder, W. (2021, June 17). Certified Pre-Owned. Retrieved August 2, 2022.",
"url": "https://posts.specterops.io/certified-pre-owned-d95910965cd2"
},
{
"source_name": "SpecterOps Certified Pre Owned",
"description": "Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.",
"url": "https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf"
},
{
"source_name": "O365 Blog Azure AD Device IDs",
"description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.",
"url": "https://o365blog.com/post/deviceidentity/"
},
{
"source_name": "GitHub CertStealer",
"description": "TheWover. (2021, April 21). CertStealer. Retrieved August 2, 2022.",
"url": "https://github.com/TheWover/CertStealer"
},
{
"source_name": "APT29 Deep Look at Credential Roaming",
"description": "Thibault Van Geluwe De Berlaere. (2022, November 8). They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming. Retrieved November 9, 2022.",
"url": "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}
See the x_mitre_data_sources points to the Data Source: Data Component, Active Directory: Active Directory Credential Request. This is why it’s shown in the UI. It’s essentially saying, this Technique can be detected by monitoring this Data Source and more specifically this Data Component of this Data Source.