Posted by: David Greenwood, Chief of Signal

If you are reading this blog post via a third-party source it is very likely that many parts of it will not render correctly. Please view the post on signalscorps.com for the full interactive viewing experience.

In this post I review all the Custom STIX 2.1 Objects and Properties used by ATT&CK.

Note: this tutorial is written for MITRE ATT&CK version 11.0 (published on 2022-04-24). Some of the concepts discussed are not correct for other versions of ATT&CK.

ATT&CK is represented using a mix of core STIX 2.1 Domain Objects and some Custom Objects created by MITRE.

As you know from the last post, MITRE ATT&CK 101: Data Structure, the Custom STIX 2.1 Objects used by MITRE ATT&CK are:

  • Matrix (x-mitre-matrix)
  • Data Source (x-mitre-data-source)
  • Data Component (x-mitre-data-component)
  • Tactic (x-mitre-tactic)

A list of all the STIX Objects used by ATT&CK, and the custom properties they contain, can be viewed here too.

Custom Properties shared between all Objects

The STIX 2.1 Specification sets predefined Properties for each SDO.

Where these Properties do not meet the needs of ATT&CK, MITRE have created their own.

These are the shared Custom Properties used by MITRE for all ATT&CK STIX 2.1 Objects.

  • x_mitre_domains: sets the ATT&CK Domain. Currently one of enterprise-attack, ics-attack, or mobile-attack. Can list more than one if the Object crosses Domains.
    • e.g. "x_mitre_domains": ["enterprise-attack", "mobile-attack"]
  • x_mitre_platforms: a list of the platform(s) the Object (most commonly a Technique or Sub-Technique) applies to. The allowed values are specific to each domain:
    • for enterprise-attack: PRE, Linux, macOS, Windows, Network, Office 365, Azure AD, SaaS, IaaS, Google Workspace, Containers
    • for ics-attack: none
    • for mobile-attack: Android, iOS
    • e.g. "x_mitre_platforms": ["Windows", "Android"]
  • x_mitre_version: the version of the Object assigned by MITRE, incremented when MITRE change the Object. In many cases Objects (and thus their versions) do not change when the ATT&CK release version increases. Note that the value is a string ("1.10" follows "1.9"), so compare it numerically rather than lexically.
    • e.g. "x_mitre_version": "1.1"
  • x_mitre_modified_by_ref: a reference to the STIX 2.1 identity Object of the organisation that last modified the Object; for the Objects MITRE maintain this is the MITRE identity.
    • e.g. "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
  • x_mitre_contributors: a list of contributors who helped create or update the Object.
    • e.g. "x_mitre_contributors": ["Chris Ross @xorrior"]
  • x_mitre_attack_spec_version: the version of the ATT&CK data specification (the schema for the custom Objects and Properties described in this post) that the Object conforms to. This is separate from the core spec_version Property, which records the STIX version ("2.1").
    • e.g. "x_mitre_attack_spec_version": "2.1.0"
  • x_mitre_deprecated: between releases of ATT&CK, some Objects are deprecated. If the value is true, the Object is deprecated as of the version of ATT&CK being viewed. Deprecated Objects are kept in the bundle so that existing references to them still resolve, so consumers normally filter them out. Note the difference from the core STIX revoked Property, which ATT&CK sets when an Object has been replaced by another Object.
    • e.g. "x_mitre_deprecated": true
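The shared properties above are what you filter on when consuming an ATT&CK bundle. The following is an added example (not code from the original post or from MITRE) that reads a bundle with only the standard library and selects Objects by domain, platform and STIX type, skipping deprecated and revoked Objects by default and comparing x_mitre_version numerically. The bundle is constructed for illustration: the property names are ATT&CK's, but the IDs, names and version numbers are made up.

```python
"""Filter ATT&CK STIX 2.1 objects on the shared x_mitre_* properties.

Standard library only: the bundle is parsed with json and each object is
treated as a plain dict, so this runs without the stix2 package.
"""
import json

# Constructed sample bundle for illustration. The property names are the
# ATT&CK ones; the IDs, names and versions are made up and do not
# correspond to real ATT&CK objects.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {   # live Enterprise technique
            "type": "attack-pattern", "spec_version": "2.1",
            "id": "attack-pattern--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
            "name": "Sample Technique A",
            "x_mitre_domains": ["enterprise-attack"],
            "x_mitre_platforms": ["Windows", "Linux"],
            "x_mitre_version": "1.2",
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_deprecated": False,
        },
        {   # cross-domain technique that has been deprecated
            "type": "attack-pattern", "spec_version": "2.1",
            "id": "attack-pattern--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
            "name": "Sample Technique B",
            "x_mitre_domains": ["enterprise-attack", "mobile-attack"],
            "x_mitre_platforms": ["Windows", "Android"],
            "x_mitre_version": "1.10",
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_deprecated": True,
        },
        {   # Mobile technique replaced by another: core STIX revoked flag
            "type": "attack-pattern", "spec_version": "2.1",
            "id": "attack-pattern--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
            "name": "Sample Technique C",
            "x_mitre_domains": ["mobile-attack"],
            "x_mitre_platforms": ["Android"],
            "x_mitre_version": "2.0",
            "x_mitre_attack_spec_version": "2.1.0",
            "revoked": True,
        },
        {   # Enterprise Software (malware) object
            "type": "malware", "spec_version": "2.1",
            "id": "malware--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
            "name": "Sample Malware D",
            "x_mitre_domains": ["enterprise-attack"],
            "x_mitre_platforms": ["Windows"],
            "x_mitre_version": "1.0",
            "x_mitre_attack_spec_version": "2.1.0",
        },
    ],
})


def load_objects(bundle_json):
    """Return the objects list of a STIX 2.1 bundle."""
    return json.loads(bundle_json)["objects"]


def is_retired(obj):
    """Deprecated (x_mitre_deprecated) and revoked (core STIX 'revoked')
    objects stay in the bundle so old references still resolve; most
    consumers want to skip both."""
    return bool(obj.get("x_mitre_deprecated")) or bool(obj.get("revoked"))


def version_key(version):
    """x_mitre_version is a string such as '1.10'; compare it numerically,
    because as strings '1.10' sorts before '1.9'."""
    return tuple(int(part) for part in version.split("."))


def select(objects, domain=None, platform=None, obj_type=None,
           include_retired=False):
    """Filter objects by ATT&CK domain, platform and STIX type."""
    chosen = []
    for obj in objects:
        if obj_type and obj.get("type") != obj_type:
            continue
        if not include_retired and is_retired(obj):
            continue
        if domain and domain not in obj.get("x_mitre_domains", []):
            continue
        if platform and platform not in obj.get("x_mitre_platforms", []):
            continue
        chosen.append(obj)
    return chosen


def newest(objects):
    """Name of the object with the highest x_mitre_version."""
    return max(objects, key=lambda o: version_key(o["x_mitre_version"]))["name"]


if __name__ == "__main__":
    objs = load_objects(SAMPLE_BUNDLE)
    print([o["name"] for o in select(objs, domain="enterprise-attack")])
    print("retired:", [o["name"] for o in objs if is_retired(o)])
    print("newest by x_mitre_version:", newest(objs))
```

Swap SAMPLE_BUNDLE for the contents of an enterprise-attack.json bundle and the same functions apply unchanged; the retired check is the one most people forget, and version_key is there because "1.10" compared as a string sorts before "1.9".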

Unique Custom Properties for Matrix Objects (x-mitre-matrix)

  • tactic_refs: an ordered list of the STIX IDs of the x-mitre-tactic Objects that make up the Matrix, in the order the Tactics appear as columns on the ATT&CK website.

Example Matrix Object;

Unique Custom Properties for Tactic Objects (x-mitre-tactic)

The following Custom Properties are unique to ATT&CK Tactic Objects;

  • x_mitre_shortname: the slug for the Tactic name. This is how Techniques are tied to a Tactic: the core kill_chain_phases Property on an attack-pattern carries a phase_name equal to this shortname (with kill_chain_name set to mitre-attack, mitre-mobile-attack or mitre-ics-attack depending on the domain).
    • e.g. "x_mitre_shortname": "lateral-movement"

Example Object;

Unique Custom Properties for Technique and Sub-Technique Objects (attack-pattern)

The following Custom Properties are unique to ATT&CK Technique and Sub-Technique (attack-pattern) Objects;

  • x_mitre_is_subtechnique (Enterprise only): because the attack-pattern Object is used for both Techniques and Sub-Techniques, this flag makes the distinction. Otherwise Techniques and Sub-Techniques carry the same fields.
    • e.g. "x_mitre_is_subtechnique": true
  • x_mitre_permissions_required (Enterprise only): a list of the lowest level(s) of permissions the adversary must already have on a system to perform the Technique.
    • e.g. "x_mitre_permissions_required": ["Administrator", "User"]
  • x_mitre_effective_permissions (Enterprise domain, Privilege Escalation tactic only): a list of the level(s) of permissions the adversary will have after performing the Technique.
  • x_mitre_defense_bypassed (Enterprise domain, Defense Evasion tactic only): a list of the defensive tools, methodologies, or processes the Technique can bypass.
  • x_mitre_remote_support (Enterprise domain, Execution tactic only): if true, the Technique can be used to execute something on a remote system.
  • x_mitre_impact_type (Enterprise domain, Impact tactic only): denotes whether the Technique can be used for integrity or availability attacks.
  • x_mitre_detection: plain text (Markdown) guidance on how the Technique can be detected.
    • e.g. "x_mitre_detection": "Monitor for new, unfamiliar DLL files written to a domain controller ..."
  • x_mitre_data_sources (Enterprise & ICS domains): a list of strings in the form "Data Source: Data Component" naming the data that can be used to detect the Technique. Note that this is a flat list of names; the machine-readable link between a Technique and the ATT&CK Data Source (x-mitre-data-source) and Data Component (x-mitre-data-component) Objects is carried by detects Relationships (from the Data Component to the Technique), not by this Property.
    • e.g. "x_mitre_data_sources": ["Network Traffic: Network Connection Creation", "Command: Command Execution", "Process: Process Creation"]
  • x_mitre_system_requirements: a list of the system requirements the Technique needs.
    • e.g. "x_mitre_system_requirements": ["Ability to update component device firmware from the host operating system."]
  • x_mitre_tactic_type (Mobile only): one of "Post-Adversary Device Access", "Pre-Adversary Device Access", or "Without Adversary Device Access".

Example Technique Object;

Example Sub-Technique Object;

Unique Custom Properties for Software Objects (malware and tool)

The following Custom Properties are unique to ATT&CK Software (malware and tool) Objects;

  • x_mitre_aliases: a list of aliases for the Software. Shown in the MITRE UI as Associated Software.
    • e.g. "x_mitre_aliases": ["Orz", "AIRBREAK"]
    • Note that other core STIX 2.1 Objects, including intrusion-set, use the core aliases Property. ATT&CK was originally published in STIX 2.0, where the malware and tool Objects had no aliases Property, hence MITRE created a Custom Property for Software. STIX 2.1 added aliases to both malware and tool, but ATT&CK continues to use x_mitre_aliases.

Example Malware Object;

Example Tool Object;

Unique Custom Properties for Group Objects (intrusion-set)

None.

Example Group Object;

Unique Custom Properties for Mitigation Objects (course-of-action)

None.

Example Mitigation Object;

Unique Custom Properties for Data Source Objects (x-mitre-data-source)

The following Custom Properties are unique to ATT&CK Data Source (x-mitre-data-source) Objects;

  • x_mitre_collection_layers: a list of where the data source may be physically collected (e.g. Host, Network, Cloud Control Plane, etc.)
    • e.g. "x_mitre_collection_layers": ["Container", "Host"]

Example Data Source Object;

Unique Custom Properties for Data Component Objects (x-mitre-data-component)

The following Custom Properties are unique to ATT&CK Data Component (x-mitre-data-component) Objects;

  • x_mitre_data_source_ref: the STIX 2.1 ID of the x-mitre-data-source Object this Data Component belongs to. A Data Component is only meaningful together with its parent Data Source; the "Data Source: Data Component" strings in a Technique's x_mitre_data_sources are built from the two names.
    • e.g. "x_mitre_data_source_ref": "x-mitre-data-source--b86d9b40-5fbe-4ef1-8dc3-263eff26f495"

Example Data Component Object;
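The x_mitre_data_sources strings on a Technique and the Data Source / Data Component Objects (linked through x_mitre_data_source_ref and detects Relationships) are two views of the same information, and they can drift apart. The following is an added example (not code from the original post or from MITRE) that indexes the Data Component Objects by "Data Source: Data Component" name, parses a Technique's x_mitre_data_sources strings, and reports strings that resolve to no Object as well as strings that resolve but have no detects Relationship to the Technique. The objects are constructed for illustration: the names follow ATT&CK's conventions, the STIX IDs are made up.

```python
"""Reconcile a Technique's x_mitre_data_sources strings with the
x-mitre-data-source / x-mitre-data-component objects and the 'detects'
Relationships in a bundle. Standard library only.
"""

# Constructed sample objects: ATT&CK-style names and property names, with
# made-up STIX IDs. Not real ATT&CK data.
DS_NETWORK = "x-mitre-data-source--11111111-1111-4111-8111-111111111111"
DS_PROCESS = "x-mitre-data-source--22222222-2222-4222-8222-222222222222"
DC_NET_CONN = "x-mitre-data-component--33333333-3333-4333-8333-333333333333"
DC_PROC_CREATE = "x-mitre-data-component--44444444-4444-4444-8444-444444444444"
TECHNIQUE = "attack-pattern--55555555-5555-4555-8555-555555555555"

SAMPLE_OBJECTS = [
    {"type": "x-mitre-data-source", "id": DS_NETWORK, "name": "Network Traffic",
     "x_mitre_collection_layers": ["Cloud Control Plane", "Host", "Network"]},
    {"type": "x-mitre-data-source", "id": DS_PROCESS, "name": "Process",
     "x_mitre_collection_layers": ["Host"]},
    {"type": "x-mitre-data-component", "id": DC_NET_CONN,
     "name": "Network Connection Creation", "x_mitre_data_source_ref": DS_NETWORK},
    {"type": "x-mitre-data-component", "id": DC_PROC_CREATE,
     "name": "Process Creation", "x_mitre_data_source_ref": DS_PROCESS},
    {"type": "attack-pattern", "id": TECHNIQUE, "name": "Sample Technique",
     "x_mitre_is_subtechnique": False,
     "x_mitre_data_sources": ["Network Traffic: Network Connection Creation",
                              "Process: Process Creation",
                              "Command: Command Execution"]},
    # Only one of the listed components has a detects Relationship here.
    {"type": "relationship",
     "id": "relationship--66666666-6666-4666-8666-666666666666",
     "relationship_type": "detects", "source_ref": DC_NET_CONN,
     "target_ref": TECHNIQUE},
]


def parse_data_source(entry):
    """Split 'Network Traffic: Network Connection Creation' into
    (data source name, data component name)."""
    source, sep, component = entry.partition(":")
    if not sep or not component.strip():
        raise ValueError(f"not in 'Data Source: Data Component' form: {entry!r}")
    return source.strip(), component.strip()


def index_components(objects):
    """Map 'Data Source: Data Component' -> x-mitre-data-component id by
    following each component's x_mitre_data_source_ref to its source name."""
    source_names = {o["id"]: o["name"]
                    for o in objects if o["type"] == "x-mitre-data-source"}
    index = {}
    for o in objects:
        if o["type"] != "x-mitre-data-component":
            continue
        source = source_names.get(o["x_mitre_data_source_ref"])
        if source is None:
            raise ValueError(f"{o['id']} points at unknown data source "
                             f"{o['x_mitre_data_source_ref']}")
        index[f"{source}: {o['name']}"] = o["id"]
    return index


def detects_map(objects):
    """technique id -> set of data-component ids with a 'detects' Relationship."""
    detected = {}
    for o in objects:
        if o["type"] == "relationship" and o["relationship_type"] == "detects":
            detected.setdefault(o["target_ref"], set()).add(o["source_ref"])
    return detected


def unresolved_data_sources(technique, index):
    """Strings in x_mitre_data_sources with no matching component object."""
    return [s for s in technique.get("x_mitre_data_sources", []) if s not in index]


def listed_but_unlinked(technique, index, detected):
    """Strings that resolve to a component object but have no 'detects'
    Relationship to this technique: the two views disagree."""
    linked = detected.get(technique["id"], set())
    return [s for s in technique.get("x_mitre_data_sources", [])
            if s in index and index[s] not in linked]


if __name__ == "__main__":
    idx = index_components(SAMPLE_OBJECTS)
    rels = detects_map(SAMPLE_OBJECTS)
    tech = next(o for o in SAMPLE_OBJECTS if o["type"] == "attack-pattern")
    print("unresolved:", unresolved_data_sources(tech, idx))
    print("no detects relationship:", listed_but_unlinked(tech, idx, rels))
```

Run over a real bundle, the two report lists tell you whether to trust the string Property or the Relationships when mapping your telemetry to Techniques; the Relationships are the machine-readable link, so build coverage from them and treat the strings as a cross-check.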

Unique Custom Properties for Relationship Objects (relationship)

None.

Example of a Relationship Object:

https://github.com/mitre/cti/blob/46ea00730d8d61184720a325ea1232b0d78d43dc/enterprise-attack/relationship/relationship--00d3d6a8-c711-4bb5-bf0a-e17c0ecac8c8.json

Other ways to natively extend ATT&CK objects

Most ATT&CK Objects use the core external_references Property.

For all Tactic, Technique and Sub-Technique Objects you will always see an entry with "source_name": "mitre-attack", where external_id holds the ATT&CK ID of the Technique or Tactic and url links to its page on the MITRE ATT&CK website. (Group, Software, Mitigation and Data Source Objects carry the same mitre-attack entry with their own ATT&CK IDs.) For example,

"external_references": [
  {
    "source_name": "mitre-attack",
    "external_id": "T1113",
    "url": "https://attack.mitre.org/techniques/T1113"
  },

Whilst you can use any external reference source, one other source_name value is recognised by MITRE when rendering ATT&CK Objects on their website.

CAPEC (Common Attack Pattern Enumeration and Classification) entries can be linked here too. You'll see CAPEC IDs listed on the MITRE ATT&CK website for Techniques and Sub-Techniques;

MITRE ATT&CK CAPEC Reference

The example above is T1113: Screen Capture.

You will see CAPEC ID 648 referenced. This is stored in the external_references of the T1113 attack-pattern Object using "source_name": "capec" and the external_id value containing the CAPEC ID in the format CAPEC-XXX. For example,

  {
    "external_id": "CAPEC-648",
    "source_name": "capec",
    "url": "https://capec.mitre.org/data/definitions/648.html"
  }

MITRE ATT&CK References

The external_references section is also used to render References to more information about the Object (how it was discovered, research into it, etc.).

Note that on the MITRE ATT&CK website the references shown on a page also include those of Objects that have a Relationship to the Object you are viewing (e.g. Data Sources, Software, etc.).

This time, instead of the external_references.external_id field, the external_references.description field is used to denote a Reference;

  {
    "source_name": "CopyFromScreen .NET",
    "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8",
    "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020."
  },
  {
    "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
    "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
    "source_name": "Antiquated Mac Malware"
  }
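Because ATT&CK IDs, CAPEC links and references all share the one external_references list, a consumer has to tell them apart by source_name and by which fields are present. The following is an added example (not code from the original post or from MITRE) that extracts each kind from an attack-pattern, resolves the "(Citation: <source_name>)" markers ATT&CK uses in its Markdown descriptions against the reference entries (something the post above does not cover) and reports dangling markers, and checks that the ID format agrees with x_mitre_is_subtechnique. The sample Object is constructed: its external_references mirror the T1113 entries quoted above, while the description text and the "Missing Source" marker are made up to exercise the failure case.

```python
"""Pull the ATT&CK ID, CAPEC links and citations out of an attack-pattern's
external_references. Standard library only.
"""
import re

# Constructed sample. The external_references entries mirror the T1113 ones
# shown in the post; the description text and the "Missing Source" marker are
# made up so that the dangling-citation path is exercised.
SAMPLE_TECHNIQUE = {
    "type": "attack-pattern",
    "id": "attack-pattern--77777777-7777-4777-8777-777777777777",
    "name": "Screen Capture",
    "x_mitre_is_subtechnique": False,
    "description": ("Adversaries may capture the screen. (Citation: CopyFromScreen .NET) "
                    "Seen in macOS malware. (Citation: Antiquated Mac Malware) "
                    "Unbacked claim. (Citation: Missing Source)"),
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "T1113",
         "url": "https://attack.mitre.org/techniques/T1113"},
        {"source_name": "capec", "external_id": "CAPEC-648",
         "url": "https://capec.mitre.org/data/definitions/648.html"},
        {"source_name": "CopyFromScreen .NET",
         "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8",
         "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020."},
        {"source_name": "Antiquated Mac Malware",
         "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
         "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017."},
    ],
}

# ATT&CK descriptions cite a reference entry as "(Citation: <source_name>)".
CITATION_MARKER = re.compile(r"\(Citation: ([^)]+)\)")


def attack_id(obj):
    """(external_id, url) of the mitre-attack reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"], ref.get("url")
    return None


def capec_ids(obj):
    """CAPEC IDs, e.g. ['CAPEC-648'], from entries with source_name 'capec'."""
    return [ref["external_id"] for ref in obj.get("external_references", [])
            if ref.get("source_name") == "capec" and "external_id" in ref]


def citations(obj):
    """References proper: entries carrying a description, keyed by source_name."""
    return {ref["source_name"]: ref for ref in obj.get("external_references", [])
            if "description" in ref}


def resolve_citations(obj):
    """Match the (Citation: ...) markers in the description to reference
    entries; return (resolved source_names, dangling markers) in text order."""
    known = citations(obj)
    resolved, dangling = [], []
    for name in CITATION_MARKER.findall(obj.get("description", "")):
        (resolved if name in known else dangling).append(name)
    return resolved, dangling


def subtechnique_flag_consistent(obj):
    """A Sub-Technique ID has the form Txxxx.yyy and must carry
    x_mitre_is_subtechnique: true; a parent Technique must not."""
    found = attack_id(obj)
    if found is None:
        return False
    return ("." in found[0]) == bool(obj.get("x_mitre_is_subtechnique"))


if __name__ == "__main__":
    print("ATT&CK ID:", attack_id(SAMPLE_TECHNIQUE))
    print("CAPEC:", capec_ids(SAMPLE_TECHNIQUE))
    print("citations:", resolve_citations(SAMPLE_TECHNIQUE))
    print("sub-technique flag consistent:", subtechnique_flag_consistent(SAMPLE_TECHNIQUE))
```

A dangling marker is worth surfacing when you render ATT&CK descriptions yourself, since the website silently depends on every "(Citation: X)" having a matching source_name entry.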

Putting ATT&CK to work

Now that you know the depth of ATT&CK, you can combine it with the intelligence you are creating and sharing for both defensive and offensive purposes.

In the next post of this tutorial I will show you a tool designed to help with this, the MITRE ATT&CK Navigator.


ATT&CK Certification (Virtual and In Person)

The content used in this post is a small subset of our full training material used in our ATT&CK training.

If you want to join a select group of certified ATT&CK professionals, subscribe to our newsletter below to be notified of new course dates.



