Odd behavior with ATT&CK STIX Object ID's

0101001001001 · 29 February 2024 15:38

I’m trying to understand some anomalies I’m seeing with ATT&CK results.

My initial assumption was that all Matices have distinct object ID’s, even if the object is in more than one Matrix.

As an example, the Tactic Persistence is found in all three Matricies. For reference they are…

x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92 (TA0003 Enterprise)
x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac (TA0110 ICS)
x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54 (TA0028 Mobile)

Another example, take the Technique Process Injection…

attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c (T1659 Enterprise)
attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff (T1631 Mobile)

BUT…

Take the group OilRig (G0049)

It has a duplicate ID in both the ICS and Enterprise Matrix as follows

intrusion-set–4ca1929c-7d64-4aab-b849-badbfc0c760d (Enterprise)
intrusion-set–4ca1929c-7d64-4aab-b849-badbfc0c760d (ICS)

What is the logic here?

dgreenwood-dogesec · 29 February 2024 15:42

You’ve almost answered your own question!

See for the Tactic and Technique the ATT&CK ID changes. When this is the case, the STIX objects are also unique.

This I’d assume is MITRE saying; Tactics and Techniques are slightly different between Matrices. Which makes sense. Techniques will be slightly different in their execution between mobile and enterprise infrastructure.

The Group you list has the same ATT&CK ID in each Matrix. Hence, the STIX ID persists between the Matrices too.

This also makes sense. A Group is the same regardless of wether it’s targeting enterprise, mobile or ICS infrastructure.