Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.
Property | Type | Description | Required? |
---|---|---|---|
description | Markdown String | A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
name | ShortString String | A name used to identify the Attack Pattern. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | AttackPatternTypeIdentifier String | ✓ | |
abstraction_level | AttackPatternAbstractions String | The CAPEC abstraction level for patterns describing techniques to attack a system. | |
external_ids | String List | ||
external_references | ExternalReference Object List | A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id]. | |
kill_chain_phases | KillChainPhase Object List | The list of Kill Chain Phases for which this Attack Pattern is used. | |
language | ShortString String | The human language this object is specified in. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. | |
x_mitre_contributors | ShortString String List | ATT&CK Technique.Contributors | |
x_mitre_data_sources | ShortString String List | ATT&CK Technique.Data Sources | |
x_mitre_platforms | ShortString String List | ATT&CK Technique.Platforms |
The CAPEC abstraction level for patterns describing techniques to attack a system.
This entry is optional
A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics.
This entry is required
A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The list of Kill Chain Phases for which this Attack Pattern is used.
The human language this object is specified in.
This entry is optional
A name used to identify the Attack Pattern.
This entry is required
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
ATT&CK Technique.Contributors
This entry is optional
This entry's type is sequential (allows zero or more values)
ATT&CK Technique.Data Sources
This entry is optional
This entry's type is sequential (allows zero or more values)
ATT&CK Technique.Platforms
This entry is optional
This entry's type is sequential (allows zero or more values)
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
The name of the kill chain.
This entry is required
The name of the phase in the kill chain.
This entry is required
Can you improve this documentation? These fine people already did:
Guillaume Buisson, Craig Brozefsky & Matthieu SprunckEdit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close