How are ATT&CK STIX object `id`s determined?

I’m trying to understand some anomalies I’m seeing with ATT&CK results.

My initial assumption was that all Matrices have distinct object IDs, even if the object is in more than one Matrix.

As an example, the Tactic Persistence is found in all three Matrices. For reference they are…

  • x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92 (TA0003 Enterprise)
  • x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac (TA0110 ICS)
  • x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54 (TA0028 Mobile)

Another example, take the Technique Process Injection

  • attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c (T1659 Enterprise)
  • attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff (T1631 Mobile)

Take the group OilRig (G0049)

It has a duplicate ID in both the ICS and Enterprise Matrix as follows

  • intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d (Enterprise)
  • intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d (ICS)

So in some cases IDs seem to persist, but in others they change.

What is the logic here?

It comes down to the type of object (as I understand it).

Take the Tactic and Technique IDs that change between each framework (Enterprise, Mobile, ICS).

Tactics and Techniques will be slightly different in their execution between mobile and enterprise infrastructure, for example (thus warrant slightly different objects to represent them).

Now take Groups, your other example. Groups are the same regardless of whether it’s targeting enterprise, mobile or ICS infrastructure.
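The practical consequence of the above, for anyone loading more than one ATT&CK domain bundle into a tool, is that some STIX ids (groups) recur across bundles while others (tactics, techniques) do not, so naive concatenation double counts groups. The following is an added example, not code from the question, the answer or MITRE's own libraries: it builds three constructed, minimal STIX 2.1 bundle fragments using only the ids and names quoted in the question, reports which ids are shared across domains grouped by STIX type, and merges the bundles into one id-keyed table tagged with the domains each object came from. The bundle ids and the `x_domains` field name are assumptions chosen for the example.

```python
from collections import defaultdict
import json

# Constructed STIX 2.1 bundle fragments standing in for the three ATT&CK domain
# bundles. Only the fields needed here are kept; the object ids and names are the
# ones quoted in the question above, the bundle ids are made up for the example.
DOMAIN_BUNDLES = {
    "enterprise-attack": {
        "type": "bundle",
        "id": "bundle--00000000-0000-4000-8000-000000000001",
        "objects": [
            {"type": "x-mitre-tactic", "id": "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92", "name": "Persistence"},
            {"type": "attack-pattern", "id": "attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c", "name": "Process Injection"},
            {"type": "intrusion-set", "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "name": "OilRig"},
        ],
    },
    "ics-attack": {
        "type": "bundle",
        "id": "bundle--00000000-0000-4000-8000-000000000002",
        "objects": [
            {"type": "x-mitre-tactic", "id": "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", "name": "Persistence"},
            # Same id as in the enterprise bundle: the group is one object shared by both domains.
            {"type": "intrusion-set", "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "name": "OilRig"},
        ],
    },
    "mobile-attack": {
        "type": "bundle",
        "id": "bundle--00000000-0000-4000-8000-000000000003",
        "objects": [
            {"type": "x-mitre-tactic", "id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "name": "Persistence"},
            {"type": "attack-pattern", "id": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "name": "Process Injection"},
        ],
    },
}


def domains_by_id(bundles):
    """Map each STIX id to the sorted list of domains whose bundle contains it."""
    seen = defaultdict(set)
    for domain, bundle in bundles.items():
        for obj in bundle["objects"]:
            seen[obj["id"]].add(domain)
    return {sid: sorted(domains) for sid, domains in seen.items()}


def shared_ids_by_type(bundles):
    """Group the ids that occur in more than one domain by their STIX object type.

    The type is the prefix before the '--' separator of a STIX id, so this works
    without looking the object up again.
    """
    shared = defaultdict(list)
    for sid, domains in domains_by_id(bundles).items():
        if len(domains) > 1:
            shared[sid.split("--", 1)[0]].append(sid)
    return dict(shared)


def merge_domains(bundles):
    """Merge per-domain bundles into one id-keyed table.

    An object whose id appears in several bundles is kept once and tagged with
    every domain it came from (assumed field name 'x_domains'), so downstream
    code such as a coverage matrix does not count the same group twice. Two
    objects with the same id but a different name are treated as an error,
    because a STIX id is meant to denote exactly one object.
    """
    merged = {}
    for domain, bundle in bundles.items():
        for obj in bundle["objects"]:
            entry = merged.setdefault(obj["id"], {**obj, "x_domains": []})
            if entry.get("name") != obj.get("name"):
                raise ValueError(f"id collision with differing content: {obj['id']}")
            entry["x_domains"].append(domain)
    return merged


if __name__ == "__main__":
    print(json.dumps(shared_ids_by_type(DOMAIN_BUNDLES), indent=2))
    merged = merge_domains(DOMAIN_BUNDLES)
    raw = sum(len(b["objects"]) for b in DOMAIN_BUNDLES.values())
    print(f"{raw} objects across bundles, {len(merged)} distinct STIX ids")
    for sid, obj in merged.items():
        print(f"{obj['type']:16} {obj['name']:18} {obj['x_domains']}")
```

With these inputs only the `intrusion-set` id is reported as shared, while each domain keeps its own `x-mitre-tactic` and `attack-pattern` ids, which is the pattern the answer describes. On the real bundles the same functions apply unchanged, since they rely only on the `id` and `name` fields every ATT&CK object carries.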