USAGE.md (26 additions & 2 deletions)
@@ -36,6 +36,7 @@ We also recommend reading the [ATT&CK Design and Philosophy Paper](https://attac
36
36
-[Software](#software)
37
37
-[Data Sources and Data Components](#data-sources-and-data-components)
38
38
-[Campaigns](#campaigns)
39
+
-[Assets](#assets)
39
40
-[Relationships](#relationships)
40
41
-[Collections](#collections)
41
42
-[Accessing ATT&CK data in python](#accessing-attck-data-in-python)
@@ -96,8 +97,9 @@ ATT&CK uses a mix of predefined and custom STIX objects to implement ATT&CK conc
96
97
|[Group](#groups)|[intrusion-set](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230941)| no |
97
98
|[Software](#software)|[malware](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230945) or [tool](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230961)| no |
|[Campaign](#campaigns)|[campaign](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230925)| no |
102
+
|[Asset](#assets)|`x-mitre-asset`| yes |
101
103
102
104
<sup>1</sup> This type was added in the upgrade to STIX 2.1 and is not available in [the STIX 2.0 dataset](https://github.com/mitre/cti).
103
105
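Review bot: The new `x-mitre-asset` row is marked as a custom type but carries no footnote marker, while the footnote directly beneath the table flags a type that was added in the upgrade to STIX 2.1 and is not available in the STIX 2.0 dataset. If assets are only published in the STIX 2.1 data, add the `<sup>1</sup>` marker to this row; if they ship in both datasets no change is needed, but that should be confirmed before merge.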
@@ -157,8 +159,9 @@ The most commonly used ID format is what is referred to as the ATT&CK ID or simp
157
159
|[Mitigation](#mitigations)|`Mxxxx`|
158
160
|[Group](#groups)|`Gxxxx`|
159
161
|[Software](#software)|`Sxxxx`|
160
-
|[Data Source](#data-source)|`DSxxxx`|
162
+
|[Data Source](#data-sources)|`DSxxxx`|
161
163
|[Campaign](#campaigns)|`Cxxxx`|
164
+
|[Asset](#assets)|`Axxxx`|
162
165
163
166
ATT&CK IDs are typically, but not always, unique. See [Collisions with Technique ATT&CK IDs](#collisions-with-technique-attck-ids) for an edge case involving ID collisions between mitigations and techniques. Matrices that exist within the same domain will have the same ATT&CK ID.
164
167
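Review bot: The corrected link target `#data-sources` on the Data Source row should be checked against the real headings, because the table of contents in this same file links that section as `#data-sources-and-data-components`. If there is no separate `Data Sources` heading, the new anchor is still dead and should point to `#data-sources-and-data-components` instead. The added `Axxxx` row is consistent with the other ID formats in the table.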
@@ -321,6 +324,26 @@ Campaigns extend the generic SDO format with the following fields:
321
324
|`x_mitre_first_seen_citation`| string | One to many citations for when the Campaign was first reported in the form “(Citation: \<citation name>)” where \<citation name> can be found as one of the source_name of one of the external_references. |
322
325
| `x_mitre_last_seen_citation` | string | One to many citations for when the Campaign was last reported in the form “(Citation: \<citation name>)” where \<citation name> can be found as one of the source_name of one of the external_references.
323
326
327
+
### Assets
328
+
329
+
An Asset in ATT&CK is defined by an `x-mitre-asset` object. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920).
330
+
331
+
Assets extend the generic SDO format with the following fields:
332
+
333
+
| Field | Type | Description |
334
+
|:------|:-----|-------------|
335
+
|`x_mitre_sectors`| string[]| List of industry sector(s) an asset may be commonly observed in. |
336
+
|`x_mitre_related_assets`| related_asset[]| Related assets describe sector specific device names or alias that may be commonly associated with the primary asset page name or functional description. Related asset objects include a description of how the related asset is associated with the page definition. |
337
+
338
+
#### Extended Subtypes
339
+
The `related_asset` subtype is an object with the properties:
340
+
341
+
| Field | Type |
342
+
|-------------|---------|
343
+
|`name`| string |
344
+
|`related_asset_sectors`| string[]|
345
+
|`description`| string |
346
+
324
347
### Relationships
325
348
326
349
Objects in ATT&CK are related to each other via STIX [relationship](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230970) objects. These relationships convey concepts like groups using techniques (also called "procedure examples" on the technique pages), the hierarchy of techniques and sub-techniques, and so on.
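Review bot: The `related_asset` subtype table at the end of the new Assets section has only Field and Type columns, so `related_asset_sectors` is left undocumented and a reader cannot tell whether it takes the same sector values as `x_mitre_sectors`. Add a Description column, as the `x_mitre_*` field table just above it has. Minor wording in the same section: "An Asset ... they follow" mixes singular and plural, "device names or alias" should read "aliases", and `#### Extended Subtypes` is missing the blank line before its paragraph that `### Assets` has.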
@@ -338,6 +361,7 @@ Relationships oftentimes have descriptions which contextualize the relationship
338
361
|`course-of-action`|`mitigates`|`attack-pattern`| No | Mitigation mitigating technique. |
339
362
|`attack-pattern`|`subtechnique-of`|`attack-pattern`| Yes | Sub-technique of a technique, where the `source_ref` is the sub-technique and the `target_ref` is the parent technique. |
340
363
|`x-mitre-data-component`|`detects`|`attack-pattern`| Yes | Data component detecting a technique. |
364
+
|`attack-pattern`|`targets`|`x-mitre-asset`| Yes | Technique targets an asset. |
341
365
| any type |`revoked-by`| any type | Yes | The target object is a replacement for the source object. Only occurs where the objects are of the same type, and the source object will have the property `revoked = true`. See [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects) for more information on revoked objects. |
342
366
343
367
Note that because groups use software and software uses techniques, groups can be considered indirect users of techniques used by their software. See [Getting techniques used by a group's software](#Getting-techniques-used-by-a-groups-software).
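Review bot: The description on the new `targets` row, "Technique targets an asset.", does not state direction, unlike the `subtechnique-of` row two lines above it, which spells out which object is the `source_ref` and which is the `target_ref`. Suggest wording such as "Technique targeting an asset, where the `source_ref` is the technique and the `target_ref` is the asset", so that consumers filtering relationship objects by type do not have to infer the direction from column order.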