TTP Object

A TTP is an instance of a Tool, Technique, or Procedure used by a cyber actor

Property | Type | Description | Required?
id | String | | yes
schema_version | String | CTIM schema version for this entity | yes
ttp_type | String | type of this TTP | yes
type | TTPTypeIdentifier String | | yes
valid_time | ValidTime Object | a timestamp for the definition of a specific version of a TTP item | yes
behavior | Behavior Object | describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP | no
description | String | | no
external_ids | String List | | no
intended_effect | IntendedEffect String List | the suspected intended effect for this TTP | no
kill_chains | KillChain String List | | no
language | String | | no
resources | Resource Object | infrastructure or tools that the adversary uses to execute this TTP | no
revision | Integer | | no
short_description | String | | no
source | String | | no
source_uri | String | | no
timestamp | Inst (Date) | | no
title | String | | no
tlp | TLP String | | no
victim_targeting | VictimTargeting Object | characterizes the people, organizations, information or access being targeted | no

Property behavior ∷ Behavior Object

describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP

  • This entry is optional

Property description ∷ String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

  • This entry is required

    • IDs are strings of the form: type-<128bitUUID>, for example judgment-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property intended_effect ∷ IntendedEffect String List

the suspected intended effect for this TTP

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Account Takeover
      • Advantage
      • Advantage - Economic
      • Advantage - Military
      • Advantage - Political
      • Brand Damage
      • Competitive Advantage
      • Degradation of Service
      • Denial and Deception
      • Destruction
      • Disruption
      • Embarrassment
      • Exposure
      • Extortion
      • Fraud
      • Harassment
      • ICS Control
      • Theft
      • Theft - Credential Theft
      • Theft - Identity Theft
      • Theft - Intellectual Property
      • Theft - Theft of Proprietary Information
      • Traffic Diversion
      • Unauthorized Access

Property kill_chains ∷ KillChain String List

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Actions on Objectives
      • Command & Control
      • Delivery
      • Exploitation
      • Installation
      • Reconnaissance
      • Weaponization

Property language ∷ String

  • This entry is optional

    • String with at most 1024 characters

Property resources ∷ Resource Object

infrastructure or tools that the adversary uses to execute this TTP

  • This entry is optional

Property revision ∷ Integer

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ String

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ String

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property ttp_type ∷ String

type of this TTP

  • This entry is required

    • String with at most 1024 characters

Property type ∷ TTPTypeIdentifier String

  • This entry is required

    • Must equal: "ttp"

Property valid_time ∷ ValidTime Object

a timestamp for the definition of a specific version of a TTP item

  • This entry is required

Property victim_targeting ∷ VictimTargeting Object

characterizes the people, organizations, information or access being targeted

  • This entry is optional
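The constraints listed above for the TTP Object, checked by a small validator. This is an added example, not CTIM's own code or API; it assumes a JSON-like dict as input, treats the 128-bit UUID in the id as hex groups, and checks the nested valid_time only for shape.

```python
import re

# Added example, not CTIM's own code: a minimal validator for the TTP Object constraints
# listed above (required keys, fixed "type", id shape, length caps, controlled vocabularies).
ID_RE = re.compile(r"^ttp-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)  # assumes hex UUID
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")
INTENDED_EFFECT = {
    "Account Takeover", "Advantage", "Advantage - Economic", "Advantage - Military",
    "Advantage - Political", "Brand Damage", "Competitive Advantage",
    "Degradation of Service", "Denial and Deception", "Destruction", "Disruption",
    "Embarrassment", "Exposure", "Extortion", "Fraud", "Harassment", "ICS Control",
    "Theft", "Theft - Credential Theft", "Theft - Identity Theft",
    "Theft - Intellectual Property", "Theft - Theft of Proprietary Information",
    "Traffic Diversion", "Unauthorized Access"}
KILL_CHAIN = {"Actions on Objectives", "Command & Control", "Delivery", "Exploitation",
              "Installation", "Reconnaissance", "Weaponization"}
TLP = {"amber", "green", "red", "white"}
MAX_LEN = {"description": 5000, "short_description": 2048, "source": 2048,
           "title": 1024, "language": 1024, "ttp_type": 1024}
REQUIRED = ("id", "schema_version", "ttp_type", "type", "valid_time")

def validate_ttp(doc):
    """Return the list of violated constraints; an empty list means the TTP is valid."""
    errors = [f"missing required property {k}" for k in REQUIRED if k not in doc]
    if doc.get("type") != "ttp":
        errors.append('type must equal "ttp"')
    if "id" in doc and not ID_RE.match(doc["id"]):
        errors.append("id must be of the form ttp-<128bitUUID>")
    if "schema_version" in doc and not SEMVER_RE.match(doc["schema_version"]):
        errors.append("schema_version must be a semantic version")
    if "valid_time" in doc and not isinstance(doc["valid_time"], dict):
        errors.append("valid_time must be a ValidTime object")
    for key, cap in MAX_LEN.items():
        if key in doc and len(doc[key]) > cap:
            errors.append(f"{key} exceeds {cap} characters")
    for key, vocab in (("intended_effect", INTENDED_EFFECT), ("kill_chains", KILL_CHAIN)):
        for value in doc.get(key, []):
            if value not in vocab:
                errors.append(f"{key} value {value!r} not in allowed values")
    if doc.get("tlp", "green") not in TLP:  # tlp defaults to green when absent
        errors.append("tlp not in allowed values")
    return errors

# Constructed sample TTP; the id and values are made up for illustration.
SAMPLE_TTP = {
    "id": "ttp-de305d54-75b4-431b-adb2-eb6b9e546014",
    "type": "ttp",
    "schema_version": "1.0.0",
    "ttp_type": "attack pattern",
    "intended_effect": ["Theft - Credential Theft"],
    "kill_chains": ["Delivery", "Exploitation"],
    "valid_time": {"start_time": "2017-01-01T00:00:00.000Z"},
    "behavior": {"attack_patterns": [{"title": "Phishing", "capec_id": "CAPEC-98"}]},
}
```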

ValidTime Object

Period of time when a cyber observation is valid.

Property | Type | Description | Required?
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | no
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound | no

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Behavior Object

Property | Type | Description | Required?
attack_patterns | AttackPattern Object List | one or more Attack Patterns for this TTP | no
malware_type | MalwareInstance Object List | one or more instances of Malware for this TTP | no

Property attack_patterns ∷ AttackPattern Object List

one or more Attack Patterns for this TTP

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property malware_type ∷ MalwareInstance Object List

one or more instances of Malware for this TTP

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

MalwareInstance Object

Property | Type | Description | Required?
description | String | | no
short_description | String | | no
title | String | | no
type | MalwareType String List | a characterization of what type of malware this is | no

Property description ∷ String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property short_description ∷ String

  • This entry is optional

    • String with at most 2048 characters

Property title ∷ String

  • This entry is optional

    • String with at most 1024 characters

Property type ∷ MalwareType String List

a characterization of what type of malware this is

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Adware
      • Automated Transfer Scripts
      • Bot
      • Bot - Credential Theft
      • Bot - DDoS
      • Bot - Loader
      • Bot - Spam
      • Dialer
      • DoS / DDoS - Participatory
      • DoS / DDoS - Script
      • DoS / DDoS - Stress Test Tools
      • DoS/ DDoS
      • Exploit Kit
      • POS / ATM Malware
      • Ransomware
      • Remote Access Trojan
      • Rogue Antivirus
      • Rootkit

AttackPattern Object

Property | Type | Description | Required?
capec_id | String | a reference to a particular entry within the Common Attack Pattern Enumeration and Classification | no
description | String | | no
short_description | String | | no
title | String | | no

Property capec_id ∷ String

a reference to a particular entry within the Common Attack Pattern Enumeration and Classification

  • This entry is optional

Property description ∷ String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property short_description ∷ String

  • This entry is optional

    • String with at most 2048 characters

Property title ∷ String

  • This entry is optional

    • String with at most 1024 characters

Resource Object

Property | Type | Description | Required?
infrastructure | Infrastructure Object | infrastructure observed to have been utilized for cyber attack | no
personas | Identity Object | | no
tools | Tool Object | The tool leveraged by this TTP | no

Property infrastructure ∷ Infrastructure Object

infrastructure observed to have been utilized for cyber attack

  • This entry is optional

Property personas ∷ Identity Object

  • This entry is optional

Property tools ∷ Tool Object

The tool leveraged by this TTP

  • This entry is optional

Identity Object

Describes a person or an organization

Property | Type | Description | Required?
description | String | | yes
related_identities | RelatedIdentity Object List | Identifies other entity Identities related to this Identity | yes

Property description ∷ String

  • This entry is required

    • Markdown string with at most 5000 characters

Property related_identities ∷ RelatedIdentity Object List

Identifies other entity Identities related to this Identity

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

RelatedIdentity Object

Describes a related Identity

Property | Type | Description | Required?
identity | String | The reference (URI) of the related Identity object | yes
confidence | HighMedLow String | Specifies the level of confidence in the assertion of the relationship between the two objects | no
information_source | String | Specifies the source of the information about the relationship between the two components | no
relationship | String | | no

Property confidence ∷ HighMedLow String

Specifies the level of confidence in the assertion of the relationship between the two objects

  • This entry is optional

Property identity ∷ String

The reference (URI) of the related Identity object

  • This entry is required

    • A URI

Property information_source ∷ String

Specifies the source of the information about the relationship between the two components

  • This entry is optional

Property relationship ∷ String

  • This entry is optional

Infrastructure Object

Property | Type | Description | Required?
description | String | text (Markdown) description of specific classes or instances of infrastructure utilized for cyber attack | no
short_description | String | | no
title | String | | no
type | AttackerInfrastructure String | represents the type of infrastructure being described | no

Property description ∷ String

text (Markdown) description of specific classes or instances of infrastructure utilized for cyber attack

  • This entry is optional

    • Markdown string with at most 5000 characters

Property short_description ∷ String

  • This entry is optional

    • String with at most 2048 characters

Property title ∷ String

  • This entry is optional

    • String with at most 1024 characters

Property type ∷ AttackerInfrastructure String

represents the type of infrastructure being described

  • This entry is optional

    • Allowed Values:
      • Anonymization
      • Anonymization - Proxy
      • Anonymization - TOR Network
      • Anonymization - VPN
      • Communications
      • Communications - Blogs
      • Communications - Forums
      • Communications - Internet Relay Chat
      • Communications - Micro-Blogs
      • Communications - Mobile Communications
      • Communications - Social Networks
      • Communications - User-Generated Content Websites
      • Domain Registration
      • Domain Registration - Dynamic DNS Services
      • Domain Registration - Legitimate Domain Registration Services
      • Domain Registration - Malicious Domain Registrars
      • Domain Registration - Top-Level Domain Registrars
      • Electronic Payment Methods
      • Hosting
      • Hosting - Bulletproof / Rogue Hosting
      • Hosting - Cloud Hosting
      • Hosting - Compromised Server
      • Hosting - Fast Flux Botnet Hosting
      • Hosting - Legitimate Hosting
    • Reference: AttackInfrastructureTypeVocab

Tool Object

Describes a hardware or software tool used

Property | Type | Description | Required?
description | String | | yes
references | String List | references to instances or additional information for this tool | no
service_pack | String | service pack descriptor for this tool | no
type | AttackToolType String List | type of the tool leveraged | no
vendor | String | information identifying the vendor organization for this tool | no

Property description ∷ String

  • This entry is required

    • Markdown string with at most 5000 characters

Property references ∷ String List

references to instances or additional information for this tool

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property service_pack ∷ String

service pack descriptor for this tool

  • This entry is optional

Property type ∷ AttackToolType String List

type of the tool leveraged

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Application Scanner
      • Malware
      • Password Cracking
      • Penetration Testing
      • Port Scanner
      • Traffic Scanner
      • Vulnerability Scanner
    • Reference: AttackerToolTypeVocab

Property vendor ∷ String

information identifying the vendor organization for this tool

  • This entry is optional

VictimTargeting Object

Property | Type | Description | Required?
identity | Identity Object | infrastructure observed to have been utilized for cyber attack | no
targeted_information | InformationType String List | a type of information that is targeted | no
targeted_observables | Observable Object List | targeted observables | no
targeted_systems | SystemType String List | type of system that is targeted | no

Property identity ∷ Identity Object

infrastructure observed to have been utilized for cyber attack

  • This entry is optional

Property targeted_information ∷ InformationType String List

a type of information that is targeted

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Authentication Cookies
      • Information Assets
      • Information Assets - Corporate Employee Information
      • Information Assets - Customer PII
      • Information Assets - Email Lists / Archives
      • Information Assets - Financial Data
      • Information Assets - Intellectual Property
      • Information Assets - Mobile Phone Contacts
      • Information Assets - User Credentials
    • Reference: InformationTypeVocab

Property targeted_observables ∷ Observable Object List

targeted observables

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)
  • Dev Notes: Was targeted_technical_details

Property targeted_systems ∷ SystemType String List

type of system that is targeted

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Enterprise Systems
      • Enterprise Systems - Application Layer
      • Enterprise Systems - Database Layer
      • Enterprise Systems - Enterprise Technologies and Support Infrastructure
      • Enterprise Systems - Network Systems
      • Enterprise Systems - Networking Devices
      • Enterprise Systems - VoIP
      • Enterprise Systems - Web Layer
      • Industrial Control Systems
      • Industrial Control Systems - Equipment Under Control
      • Industrial Control Systems - Operations Management
      • Industrial Control Systems - Safety, Protection and Local Control
      • Industrial Control Systems - Supervisory Control
      • Mobile Systems
      • Mobile Systems - Mobile Devices
      • Mobile Systems - Mobile Operating Systems
      • Mobile Systems - Near Field Communications
      • Third-Party Services
      • Third-Party Services - Application Stores
      • Third-Party Services - Cloud Services
      • Third-Party Services - Security Vendors
      • Third-Party Services - Social Media
      • Third-Party Services - Software Update
      • Users
      • Users - Application And Software
      • Users - Removable Media
      • Users - Workstation
    • Reference: SystemTypeVocab

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property | Type | Description | Required?
type | ObservableTypeIdentifier String | | yes
value | String | | yes

Property type ∷ ObservableTypeIdentifier String

  • This entry is required

    • Observable type names
    • Allowed Values:
      • amp-device
      • amp_computer_guid
      • device
      • domain
      • email
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • pki-serial
      • sha1
      • sha256
      • url
      • user

Property value ∷ String

  • This entry is required
