Class: AttackMalware
Malware represents malicious software programs that adversaries use to accomplish their operational objectives, such as data exfiltration, persistent access, lateral movement, or destructive impact. ATT&CK tracks both malware families (is_family: true) and specific malware instances or samples (is_family: false).
Together with Tool objects, Malware forms the ATT&CK 'Software' category. Both share the ATT&CK ID format S#### and are often linked to Groups and Techniques via 'uses' relationships.
The x_mitre_aliases field holds ATT&CK-recognized alternative names; the first alias MUST match the object's name. The STIX 'aliases' property is defined in the STIX specification but is not actively maintained in ATT&CK Malware objects.
Note: Several STIX Malware properties (malware_types, kill_chain_phases, first_seen, last_seen, architecture_execution_envs, implementation_languages, capabilities) are available from the STIX specification but not actively used in ATT&CK.
URI: attack:AttackMalware
classDiagram
class AttackMalware
click AttackMalware href "../AttackMalware/"
AttackSoftware <|-- AttackMalware
click AttackSoftware href "../AttackSoftware/"
AttackMalware : confidence
AttackMalware : created
AttackMalware : created_by_ref
AttackMalware : description
AttackMalware : extensions
AttackMalware : external_references
AttackMalware --> "1..*" ExternalReference : external_references
click ExternalReference href "../ExternalReference/"
AttackMalware : granular_markings
AttackMalware --> "*" GranularMarking : granular_markings
click GranularMarking href "../GranularMarking/"
AttackMalware : id
AttackMalware : labels
AttackMalware : lang
AttackMalware : modified
AttackMalware : name
AttackMalware : object_marking_refs
AttackMalware : revoked
AttackMalware : spec_version
AttackMalware --> "1" SpecVersionEnum : spec_version
click SpecVersionEnum href "../SpecVersionEnum/"
AttackMalware : type
AttackMalware : x_mitre_aliases
AttackMalware : x_mitre_attack_spec_version
AttackMalware : x_mitre_contributors
AttackMalware : x_mitre_deprecated
AttackMalware : x_mitre_domains
AttackMalware --> "1..*" AttackDomainEnum : x_mitre_domains
click AttackDomainEnum href "../AttackDomainEnum/"
AttackMalware : x_mitre_modified_by_ref
AttackMalware : x_mitre_old_attack_id
AttackMalware : x_mitre_platforms
AttackMalware --> "*" AttackPlatformEnum : x_mitre_platforms
click AttackPlatformEnum href "../AttackPlatformEnum/"
AttackMalware : x_mitre_version
Inheritance
- StixEntity
- CommonSchemaComponent
- Core
- AttackObject
- AttackSoftware
- AttackMalware
- AttackSoftware
- AttackObject
- Core
- CommonSchemaComponent
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| x_mitre_domains | 1..* AttackDomainEnum |
The ATT&CK technology domains to which this object belongs | direct |
| x_mitre_platforms | * AttackPlatformEnum |
The set of technology platforms or operating environments to which this ATT&C... | direct |
| x_mitre_contributors | * String |
Names of people and organizations who have contributed to the creation or enr... | direct |
| x_mitre_modified_by_ref | 1 StixIdentifier |
The STIX ID of the identity object that created the current version of this o... | direct |
| x_mitre_aliases | * String |
ATT&CK-recognized alternative names or aliases for this software object (Malw... | direct |
| x_mitre_attack_spec_version | 1 SemverString |
The version of the ATT&CK Data Model specification used to construct this obj... | AttackObject |
| x_mitre_version | 1 AttackVersionString |
The version of this ATT&CK object content in 'major | AttackObject |
| x_mitre_deprecated | 0..1 Boolean |
Boolean flag indicating that this ATT&CK object has been deprecated and shoul... | AttackObject |
| x_mitre_old_attack_id | 0..1 String |
A legacy ATT&CK ID previously assigned to this object before a knowledge base... | AttackObject |
| type | 1 StixTypeName |
STIX object type | Core, StixEntity |
| spec_version | 1 SpecVersionEnum |
STIX specification version | Core |
| id | 1 StixIdentifier |
STIX object identifier | Core, StixEntity |
| created | 1 Datetime |
Creation timestamp | Core |
| modified | 1 Datetime |
Modification timestamp | Core |
| created_by_ref | 1 StixIdentifier |
The STIX ID of the identity object that first created this ATT&CK object | Core |
| labels | * String |
Terms used to describe this object | Core |
| revoked | 0..1 Boolean |
Indicates whether this object has been revoked | Core |
| confidence | 0..1 Integer |
Confidence that the producer has in this data | Core |
| lang | 0..1 String |
Language of textual properties | Core |
| external_references | 1..* ExternalReference |
External references | Core |
| object_marking_refs | * StixIdentifier |
Marking definition references applied to this object | Core |
| granular_markings | * GranularMarking |
Granular markings that apply to selected content | Core |
| extensions | * String |
Open-ended extension payloads | Core |
| name | 1 String |
The primary name of the malware family or instance (e | StixEntity |
| description | 1 String |
A description of the malware, its capabilities, how adversaries use it in att... | StixEntity |
In Subsets
Comments
- validator_hint: first-x-mitre-alias-or-alias-must-match-name
Notes
- The class name 'attack:Software' collides with (is_a) 'stix:Software', so renamed.
- The class name 'attack:Malware' collides with 'stix:Malware', so renamed.
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| stix_type | malware |
| attack_id_format | S#### |
Schema Source
- from schema: https://w3id.org/lmodel/attack
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | attack:AttackMalware |
| native | attack:AttackMalware |
LinkML Source
Direct
name: AttackMalware
annotations:
stix_type:
tag: stix_type
value: malware
attack_id_format:
tag: attack_id_format
value: S####
description: 'Malware represents malicious software programs that adversaries use
to accomplish their operational objectives, such as data exfiltration, persistent
access, lateral movement, or destructive impact. ATT&CK tracks both malware families
(is_family: true) and specific malware instances or samples (is_family: false).
Together with Tool objects, Malware forms the ATT&CK ''Software'' category. Both
share the ATT&CK ID format S#### and are often linked to Groups and Techniques via
''uses'' relationships.
The x_mitre_aliases field holds ATT&CK-recognized alternative names; the first alias
MUST match the object''s name. The STIX ''aliases'' property is defined in the STIX
specification but is not actively maintained in ATT&CK Malware objects.
Note: Several STIX Malware properties (malware_types, kill_chain_phases, first_seen,
last_seen, architecture_execution_envs, implementation_languages, capabilities)
are available from the STIX specification but not actively used in ATT&CK.'
notes:
- The class name 'attack:Software' collides with (is_a) 'stix:Software', so renamed.
- The class name 'attack:Malware' collides with 'stix:Malware', so renamed.
comments:
- 'validator_hint: first-x-mitre-alias-or-alias-must-match-name'
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
is_a: AttackSoftware
slots:
- x_mitre_domains
- x_mitre_platforms
- x_mitre_contributors
- x_mitre_modified_by_ref
- x_mitre_aliases
slot_usage:
type:
name: type
required: true
pattern: ^malware$
id:
name: id
required: true
pattern: ^malware--
name:
name: name
description: The primary name of the malware family or instance (e.g., 'Mimikatz',
'WannaCry').
required: true
description:
name: description
description: A description of the malware, its capabilities, how adversaries use
it in attacks, and any notable technical characteristics.
required: true
external_references:
name: external_references
description: External references. The first entry MUST have source_name 'mitre-attack'
and contain the software's ATT&CK ID as external_id (e.g., 'S0001').
comments:
- 'validator_hint: first-ref-must-be-mitre-attack-software-id jsonschema_minItems:
"1"'
required: true
created_by_ref:
name: created_by_ref
required: true
is_family:
name: is_family
description: Indicates whether this object represents a malware family (true)
or a specific malware instance or sample (false). Required by STIX for malware
objects.
required: true
x_mitre_domains:
name: x_mitre_domains
required: true
x_mitre_modified_by_ref:
name: x_mitre_modified_by_ref
required: true
aliases:
name: aliases
description: STIX aliases property. Not actively maintained in ATT&CK Malware
objects; use x_mitre_aliases for ATT&CK-recognized software names.
malware_types:
name: malware_types
description: STIX malware type classifications from malware-type-ov. Available
from STIX but not actively used in ATT&CK Malware objects.
kill_chain_phases:
name: kill_chain_phases
description: STIX kill chain phases. Available from STIX but not actively used
in ATT&CK Malware objects; technique relationships encode tactic associations.
range: AttackKillChainPhase
first_seen:
name: first_seen
description: The time this malware family or instance was first observed. Available
from STIX but not actively used in ATT&CK Malware objects.
last_seen:
name: last_seen
description: The time this malware family or instance was last observed. Available
from STIX but not actively used in ATT&CK Malware objects.
architecture_execution_envs:
name: architecture_execution_envs
description: Processor architectures (from processor-architecture-ov) that this
malware executes on. Available from STIX but not actively used in ATT&CK Malware
objects.
implementation_languages:
name: implementation_languages
description: Programming languages used to implement this malware (from implementation-language-ov).
Available from STIX but not actively used in ATT&CK Malware objects.
capabilities:
name: capabilities
description: Malware capability classifications from malware-capabilities-ov.
Available from STIX but not actively used in ATT&CK Malware objects.
Induced
name: AttackMalware
annotations:
stix_type:
tag: stix_type
value: malware
attack_id_format:
tag: attack_id_format
value: S####
description: 'Malware represents malicious software programs that adversaries use
to accomplish their operational objectives, such as data exfiltration, persistent
access, lateral movement, or destructive impact. ATT&CK tracks both malware families
(is_family: true) and specific malware instances or samples (is_family: false).
Together with Tool objects, Malware forms the ATT&CK ''Software'' category. Both
share the ATT&CK ID format S#### and are often linked to Groups and Techniques via
''uses'' relationships.
The x_mitre_aliases field holds ATT&CK-recognized alternative names; the first alias
MUST match the object''s name. The STIX ''aliases'' property is defined in the STIX
specification but is not actively maintained in ATT&CK Malware objects.
Note: Several STIX Malware properties (malware_types, kill_chain_phases, first_seen,
last_seen, architecture_execution_envs, implementation_languages, capabilities)
are available from the STIX specification but not actively used in ATT&CK.'
notes:
- The class name 'attack:Software' collides with (is_a) 'stix:Software', so renamed.
- The class name 'attack:Malware' collides with 'stix:Malware', so renamed.
comments:
- 'validator_hint: first-x-mitre-alias-or-alias-must-match-name'
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
is_a: AttackSoftware
slot_usage:
type:
name: type
required: true
pattern: ^malware$
id:
name: id
required: true
pattern: ^malware--
name:
name: name
description: The primary name of the malware family or instance (e.g., 'Mimikatz',
'WannaCry').
required: true
description:
name: description
description: A description of the malware, its capabilities, how adversaries use
it in attacks, and any notable technical characteristics.
required: true
external_references:
name: external_references
description: External references. The first entry MUST have source_name 'mitre-attack'
and contain the software's ATT&CK ID as external_id (e.g., 'S0001').
comments:
- 'validator_hint: first-ref-must-be-mitre-attack-software-id jsonschema_minItems:
"1"'
required: true
created_by_ref:
name: created_by_ref
required: true
is_family:
name: is_family
description: Indicates whether this object represents a malware family (true)
or a specific malware instance or sample (false). Required by STIX for malware
objects.
required: true
x_mitre_domains:
name: x_mitre_domains
required: true
x_mitre_modified_by_ref:
name: x_mitre_modified_by_ref
required: true
aliases:
name: aliases
description: STIX aliases property. Not actively maintained in ATT&CK Malware
objects; use x_mitre_aliases for ATT&CK-recognized software names.
malware_types:
name: malware_types
description: STIX malware type classifications from malware-type-ov. Available
from STIX but not actively used in ATT&CK Malware objects.
kill_chain_phases:
name: kill_chain_phases
description: STIX kill chain phases. Available from STIX but not actively used
in ATT&CK Malware objects; technique relationships encode tactic associations.
range: AttackKillChainPhase
first_seen:
name: first_seen
description: The time this malware family or instance was first observed. Available
from STIX but not actively used in ATT&CK Malware objects.
last_seen:
name: last_seen
description: The time this malware family or instance was last observed. Available
from STIX but not actively used in ATT&CK Malware objects.
architecture_execution_envs:
name: architecture_execution_envs
description: Processor architectures (from processor-architecture-ov) that this
malware executes on. Available from STIX but not actively used in ATT&CK Malware
objects.
implementation_languages:
name: implementation_languages
description: Programming languages used to implement this malware (from implementation-language-ov).
Available from STIX but not actively used in ATT&CK Malware objects.
capabilities:
name: capabilities
description: Malware capability classifications from malware-capabilities-ov.
Available from STIX but not actively used in ATT&CK Malware objects.
attributes:
x_mitre_domains:
name: x_mitre_domains
description: The ATT&CK technology domains to which this object belongs. At least
one domain must be specified. An object may belong to multiple domains when
the same technique, group, or software is relevant across domain boundaries.
comments:
- 'jsonschema_minItems: "1"'
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: x_mitre_domains
owner: AttackMalware
domain_of:
- Technique
- Tactic
- Group
- AttackCampaign
- Mitigation
- AttackMalware
- AttackTool
- Asset
- DataSource
- DataComponent
- Matrix
- DetectionStrategy
- Analytic
range: AttackDomainEnum
required: true
multivalued: true
x_mitre_platforms:
name: x_mitre_platforms
description: The set of technology platforms or operating environments to which
this ATT&CK object applies. Each value must be a supported ATT&CK platform identifier.
Values within the array must be unique; duplicate platforms are not permitted.
comments:
- 'jsonschema_minItems: "1" validator_hint: no-duplicate-platforms'
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: x_mitre_platforms
owner: AttackMalware
domain_of:
- Technique
- AttackMalware
- AttackTool
- Asset
- DataSource
- Analytic
range: AttackPlatformEnum
multivalued: true
x_mitre_contributors:
name: x_mitre_contributors
description: Names of people and organizations who have contributed to the creation
or enrichment of this ATT&CK object. Contributors are credited for providing
information, examples, or analysis that informed the object's content. Not present
on relationship objects.
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: x_mitre_contributors
owner: AttackMalware
domain_of:
- Technique
- Tactic
- Group
- AttackCampaign
- Mitigation
- AttackMalware
- AttackTool
- Asset
- DataSource
- DetectionStrategy
range: string
multivalued: true
x_mitre_modified_by_ref:
name: x_mitre_modified_by_ref
description: 'The STIX ID of the identity object that created the current version
of this object. In practice, always references MITRE''s canonical identity object:
identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5. May differ from created_by_ref
if the object was originally created by a third party and subsequently adopted
or updated by MITRE.'
comments:
- 'validator_hint: must-match-mitre-identity-id'
in_subset:
- attack_sdos
- attack_sros
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: x_mitre_modified_by_ref
owner: AttackMalware
domain_of:
- Technique
- Tactic
- Group
- AttackCampaign
- Mitigation
- AttackMalware
- AttackTool
- Asset
- DataSource
- DataComponent
- Matrix
- Collection
- DetectionStrategy
- Analytic
- AttackRelationship
range: stix_identifier
required: true
pattern: ^identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5$
x_mitre_aliases:
name: x_mitre_aliases
description: ATT&CK-recognized alternative names or aliases for this software
object (Malware or Tool). The first alias in the array MUST match the object's
name property. This is the preferred alias field for ATT&CK software objects,
distinct from the STIX-standard 'aliases' property which is present but not
actively maintained in ATT&CK software objects.
comments:
- 'jsonschema_minItems: "1" validator_hint: first-alias-must-match-name'
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: x_mitre_aliases
owner: AttackMalware
domain_of:
- AttackMalware
- AttackTool
range: string
multivalued: true
x_mitre_attack_spec_version:
name: x_mitre_attack_spec_version
description: The version of the ATT&CK Data Model specification used to construct
this object, in MAJOR.MINOR.PATCH (semantic versioning) format. Helps consuming
software determine whether the data format is supported. Objects lacking this
property are assumed to conform to ATT&CK spec version 2.0.0. Refer to the ATT&CK
CHANGELOG for all supported versions.
comments:
- 'absent_on: marking-definition, identity (x_mitre_version absent), relationship
(x_mitre_version absent)'
in_subset:
- attack_sdos
- attack_sros
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: x_mitre_attack_spec_version
owner: AttackMalware
domain_of:
- AttackObject
range: semver_string
required: true
x_mitre_version:
name: x_mitre_version
description: 'The version of this ATT&CK object content in ''major.minor'' format,
where both components are integers between 0 and 99. Incremented by ATT&CK whenever
the substantive content of the object changes. Does not apply to relationship
objects. Example: "1.0", "12.5".'
comments:
- 'absent_on: relationship, marking-definition'
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: x_mitre_version
owner: AttackMalware
domain_of:
- AttackObject
range: attack_version_string
required: true
x_mitre_deprecated:
name: x_mitre_deprecated
description: Boolean flag indicating that this ATT&CK object has been deprecated
and should no longer be used in new analyses or tooling implementations. Deprecated
objects are retained in the knowledge base for historical reference and legacy
compatibility, but are not actively maintained with new information.
comments:
- 'absent_on: marking-definition'
in_subset:
- attack_sdos
- attack_sros
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: x_mitre_deprecated
owner: AttackMalware
domain_of:
- AttackObject
range: boolean
x_mitre_old_attack_id:
name: x_mitre_old_attack_id
description: A legacy ATT&CK ID previously assigned to this object before a knowledge
base restructuring or domain migration event. Format mirrors the current ATT&CK
ID format but from the prior numbering scheme (e.g., "MOB-T1001" for a mobile
technique previously in the pre-unification Mobile ATT&CK dataset).
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: x_mitre_old_attack_id
owner: AttackMalware
domain_of:
- AttackObject
range: string
type:
name: type
description: STIX object type.
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:state
rank: 1000
alias: type
owner: AttackMalware
domain_of:
- StixEntity
- Bundle
- Core
- CyberObservableCore
- ExtensionDefinition
- LanguageContent
- MarkingDefinition
- File
range: stix_type_name
required: true
pattern: ^malware$
spec_version:
name: spec_version
description: STIX specification version.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:specVersion
rank: 1000
alias: spec_version
owner: AttackMalware
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
range: SpecVersionEnum
required: true
id:
name: id
description: STIX object identifier.
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:externalReference
rank: 1000
alias: id
owner: AttackMalware
domain_of:
- StixEntity
- Bundle
- Core
- CyberObservableCore
- ExtensionDefinition
- LanguageContent
- MarkingDefinition
- File
range: stix_identifier
required: true
pattern: ^malware--
created:
name: created
description: Creation timestamp.
notes:
- STIX core timestamps require millisecond precision.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:objectCreatedTime
rank: 1000
alias: created
owner: AttackMalware
domain_of:
- Core
- MarkingDefinition
range: datetime
required: true
pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
modified:
name: modified
description: Modification timestamp.
notes:
- STIX core timestamps require millisecond precision.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:modifiedTime
rank: 1000
alias: modified
owner: AttackMalware
domain_of:
- Core
range: datetime
required: true
pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
created_by_ref:
name: created_by_ref
description: The STIX ID of the identity object that first created this ATT&CK
object. Typically references MITRE's identity (identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5).
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:createdBy
rank: 1000
alias: created_by_ref
owner: AttackMalware
domain_of:
- Core
- MarkingDefinition
range: stix_identifier
required: true
labels:
name: labels
description: Terms used to describe this object.
comments:
- 'jsonschema_minItems: "1"'
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:tag
rank: 1000
alias: labels
owner: AttackMalware
domain_of:
- Core
range: string
multivalued: true
revoked:
name: revoked
description: Indicates whether this object has been revoked.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: revoked
owner: AttackMalware
domain_of:
- Core
range: boolean
confidence:
name: confidence
description: Confidence that the producer has in this data.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: confidence
owner: AttackMalware
domain_of:
- Core
range: integer
minimum_value: 0
maximum_value: 100
lang:
name: lang
description: Language of textual properties.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: lang
owner: AttackMalware
domain_of:
- Core
- GranularMarking
range: string
external_references:
name: external_references
description: External references. The first entry MUST have source_name 'mitre-attack'
and contain the software's ATT&CK ID as external_id (e.g., 'S0001').
comments:
- 'validator_hint: first-ref-must-be-mitre-attack-software-id jsonschema_minItems:
"1"'
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:externalReference
rank: 1000
alias: external_references
owner: AttackMalware
domain_of:
- Core
- MarkingDefinition
range: ExternalReference
required: true
multivalued: true
object_marking_refs:
name: object_marking_refs
description: Marking definition references applied to this object.
comments:
- 'jsonschema_minItems: "1"'
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:objectMarking
rank: 1000
alias: object_marking_refs
owner: AttackMalware
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
range: stix_identifier
multivalued: true
granular_markings:
name: granular_markings
description: Granular markings that apply to selected content.
comments:
- 'jsonschema_minItems: "1"'
from_schema: https://w3id.org/lmodel/attack
narrow_mappings:
- unified_cyber_ontology:objectMarking
rank: 1000
alias: granular_markings
owner: AttackMalware
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
range: GranularMarking
multivalued: true
extensions:
name: extensions
description: Open-ended extension payloads.
notes:
- JSON Schema uses patternProperties for extension keys; exact key validation
is delegated to validator tooling.
comments:
- 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:hasFacet
rank: 1000
alias: extensions
owner: AttackMalware
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
- File
range: string
multivalued: true
name:
name: name
description: The primary name of the malware family or instance (e.g., 'Mimikatz',
'WannaCry').
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:name
rank: 1000
alias: name
owner: AttackMalware
domain_of:
- RelatedAsset
- StixEntity
- ExtensionDefinition
- MarkingDefinition
- AutonomousSystem
- File
range: string
required: true
description:
name: description
description: A description of the malware, its capabilities, how adversaries use
it in attacks, and any notable technical characteristics.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:description
rank: 1000
alias: description
owner: AttackMalware
domain_of:
- RelatedAsset
- MutableElement
- StixEntity
- ExtensionDefinition
- ExternalReference
range: string
required: true