I’m trying to understand some anomalies I’m seeing with ATT&CK results.
My initial assumption was that all Matrices have distinct object IDs, even if the object is in more than one Matrix.
As an example, the Tactic Persistence is found in all three Matrices. For reference they are…
- x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92 (TA0003 Enterprise)
- x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac (TA0110 ICS)
- x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54 (TA0028 Mobile)
Another example, take the Technique Process Injection…
- attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c (T1659 Enterprise)
- attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff (T1631 Mobile)
BUT…
Take the group OilRig (G0049)
It has a duplicate ID in both the ICS and Enterprise Matrix as follows:
- intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d (Enterprise)
- intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d (ICS)
What is the logic here?
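A way to audit this systematically across the per-domain ATT&CK STIX bundles, as an added example that is not part of the original post and not MITRE's own tooling. It indexes every object by its STIX id and by its (type, name) pair, then reports two different situations: one STIX id present in more than one domain bundle (the OilRig case), and one named object represented by different STIX ids per domain (the Persistence case). The sample bundles are constructed inline from the ids quoted in the question; `load_bundles` assumes you have downloaded one JSON bundle per domain and is the only part that touches the filesystem.

```python
import json
from collections import defaultdict


def _obj(stix_type, stix_id, name, attack_id):
    """Build a minimal ATT&CK-style STIX object with its mitre-attack reference."""
    return {
        "type": stix_type,
        "id": stix_id,
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}],
    }


# Constructed sample data, not the real ATT&CK bundles: one minimal bundle per
# domain, using only the STIX ids quoted in the question (Persistence in all
# three matrices, OilRig in Enterprise and ICS).
SAMPLE_BUNDLES = {
    "enterprise-attack": {"type": "bundle", "objects": [
        _obj("x-mitre-tactic", "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92", "Persistence", "TA0003"),
        _obj("intrusion-set", "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "OilRig", "G0049"),
    ]},
    "ics-attack": {"type": "bundle", "objects": [
        _obj("x-mitre-tactic", "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", "Persistence", "TA0110"),
        _obj("intrusion-set", "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "OilRig", "G0049"),
    ]},
    "mobile-attack": {"type": "bundle", "objects": [
        _obj("x-mitre-tactic", "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "Persistence", "TA0028"),
    ]},
}


def load_bundles(paths):
    """Load real bundles from disk. `paths` maps domain name -> JSON file path
    (assumed layout: one downloaded STIX bundle per ATT&CK domain)."""
    bundles = {}
    for domain, path in paths.items():
        with open(path, encoding="utf-8") as fh:
            bundles[domain] = json.load(fh)
    return bundles


def attack_id(obj):
    """Return the ATT&CK external id (TA..., T..., G...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_by_stix_id(bundles):
    """Map each STIX id to the sorted list of domains whose bundle contains it."""
    index = defaultdict(set)
    for domain, bundle in bundles.items():
        for obj in bundle.get("objects", []):
            index[obj["id"]].add(domain)
    return {sid: sorted(domains) for sid, domains in index.items()}


def shared_stix_ids(bundles):
    """STIX ids that appear in more than one domain bundle (the OilRig situation)."""
    return {sid: d for sid, d in index_by_stix_id(bundles).items() if len(d) > 1}


def names_with_distinct_ids(bundles):
    """(type, name) pairs that are backed by several different STIX ids across
    domains (the Persistence situation). Value: sorted (domain, stix id, attack id)."""
    by_name = defaultdict(list)
    for domain, bundle in bundles.items():
        for obj in bundle.get("objects", []):
            by_name[(obj["type"], obj.get("name"))].append((domain, obj["id"], attack_id(obj)))
    return {key: sorted(rows) for key, rows in by_name.items()
            if len({sid for _, sid, _ in rows}) > 1}


def report(bundles):
    """Human-readable summary lines for both kinds of cross-domain overlap."""
    lines = []
    for sid, domains in sorted(shared_stix_ids(bundles).items()):
        lines.append(f"shared STIX id {sid}: {', '.join(domains)}")
    for (stix_type, name), rows in sorted(names_with_distinct_ids(bundles).items()):
        detail = "; ".join(f"{domain}={aid} {sid}" for domain, sid, aid in rows)
        lines.append(f"distinct ids for {stix_type} '{name}': {detail}")
    return lines


if __name__ == "__main__":
    # Swap SAMPLE_BUNDLES for load_bundles({...}) to run against real downloads.
    print("\n".join(report(SAMPLE_BUNDLES)))
```

On the real bundles the first report section lists every object that is literally the same STIX object in two domains, while the second lists objects that merely share a name but are distinct STIX objects with their own ATT&CK ids; keeping the two apart is what makes the anomaly in the question visible.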