Class: Technique
Techniques describe the specific methods adversaries use to achieve tactical objectives. They are implemented as STIX attack-pattern objects and represent the "how" of adversary behavior — the concrete actions taken to accomplish a tactic.
A Technique may be a top-level technique (x_mitre_is_subtechnique: false) or a sub-technique (x_mitre_is_subtechnique: true). Sub-techniques provide more granular detail about specific implementations of their parent technique.
Sub-technique constraints:
- ATT&CK ID format: T####.### where T#### is the parent's ID
- Connected to parent via 'subtechnique-of' relationship (source = sub, target = parent)
- Each sub-technique has exactly one parent; parents may have many sub-techniques
- Sub-techniques inherit all parent tactics; platforms must be a subset of parent's
Tactics mapping: kill_chain_phases entries use the tactic's x_mitre_shortname as phase_name, with kill_chain_name set to the appropriate ATT&CK domain value.
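The sub-technique constraints and the first-external-reference rule can be checked mechanically over a set of STIX objects. The Python validator below is an added example, not part of the ATT&CK data model's own tooling. Its sample objects, their placeholder STIX ids, the ID `T9999.001`, and the use of `mitre-attack` as the Enterprise `kill_chain_name` are constructed for illustration.

```python
import re

# ATT&CK ID formats from this page: T#### (technique), T####.### (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}$")
SUBTECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")


def attack_id(obj):
    """ATT&CK ID from the first external reference, or None if that entry is not 'mitre-attack'."""
    refs = obj.get("external_references") or []
    if refs and refs[0].get("source_name") == "mitre-attack":
        return refs[0].get("external_id")
    return None


def tactics(obj):
    """Set of (kill_chain_name, phase_name) pairs the object is mapped to."""
    return {(p.get("kill_chain_name"), p.get("phase_name"))
            for p in obj.get("kill_chain_phases", [])}


def validate(objects):
    """Return a list of (stix_id, finding) tuples for the attack-pattern objects."""
    findings = []
    techniques = {o["id"]: o for o in objects if o.get("type") == "attack-pattern"}
    parents = {}  # sub-technique STIX id -> parent STIX ids (source = sub, target = parent)
    for o in objects:
        if o.get("type") == "relationship" and o.get("relationship_type") == "subtechnique-of":
            parents.setdefault(o["source_ref"], []).append(o["target_ref"])

    for sid, tech in techniques.items():
        is_sub = tech.get("x_mitre_is_subtechnique")
        if not isinstance(is_sub, bool):
            findings.append((sid, "x_mitre_is_subtechnique missing or not boolean"))
            continue
        aid = attack_id(tech)
        if aid is None:
            findings.append((sid, "first external reference is not mitre-attack"))
        elif not (SUBTECHNIQUE_ID if is_sub else TECHNIQUE_ID).match(aid):
            findings.append((sid, "ATT&CK ID format does not match x_mitre_is_subtechnique"))
        platforms = tech.get("x_mitre_platforms", [])
        if len(platforms) != len(set(platforms)):
            findings.append((sid, "duplicate platform"))

        linked = parents.get(sid, [])
        if not is_sub:
            if linked:
                findings.append((sid, "top-level technique has a parent"))
            continue
        if len(linked) != 1:
            findings.append((sid, f"expected exactly one parent, found {len(linked)}"))
            continue
        parent = techniques.get(linked[0])
        if parent is None:
            findings.append((sid, "parent not in bundle"))
            continue
        pid = attack_id(parent)
        if aid and pid and aid.split(".")[0] != pid:
            findings.append((sid, "ID prefix differs from parent ID"))
        if not tactics(parent) <= tactics(tech):
            findings.append((sid, "parent tactic not inherited"))
        if not set(platforms) <= set(parent.get("x_mitre_platforms", [])):
            findings.append((sid, "platform not in parent's platforms"))
    return findings


def _tech(n, ext_id, is_sub, platforms, phases):
    """Build a constructed attack-pattern object (placeholder STIX ids, not real ATT&CK data)."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--00000000-0000-4000-8000-{n:012d}",
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "x_mitre_is_subtechnique": is_sub,
        "x_mitre_platforms": platforms,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
    }


def _rel(sub, parent):
    """Constructed 'subtechnique-of' relationship: source = sub, target = parent."""
    return {"type": "relationship", "relationship_type": "subtechnique-of",
            "source_ref": sub["id"], "target_ref": parent["id"]}


# Constructed sample bundle: one parent, one valid sub-technique, two invalid ones.
PARENT = _tech(1, "T1059", False, ["Windows", "Linux"], ["execution"])
GOOD = _tech(2, "T1059.001", True, ["Windows"], ["execution"])
BAD = _tech(3, "T9999.001", True, ["macOS"], [])          # wrong prefix, tactic, platform
ORPHAN = _tech(4, "T1059.003", True, ["Linux"], ["execution"])  # no relationship object
SAMPLE = [PARENT, GOOD, BAD, ORPHAN, _rel(GOOD, PARENT), _rel(BAD, PARENT)]

if __name__ == "__main__":
    for stix_id, finding in validate(SAMPLE):
        print(stix_id, finding)
```
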
URI: attack:Technique
```mermaid
classDiagram
  class Technique
  click Technique href "../Technique/"
  AttackObject <|-- Technique
  click AttackObject href "../AttackObject/"
  Technique : confidence
  Technique : created
  Technique : created_by_ref
  Technique : description
  Technique : extensions
  Technique : external_references
  Technique --> "1..*" ExternalReference : external_references
  click ExternalReference href "../ExternalReference/"
  Technique : granular_markings
  Technique --> "*" GranularMarking : granular_markings
  click GranularMarking href "../GranularMarking/"
  Technique : id
  Technique : labels
  Technique : lang
  Technique : modified
  Technique : name
  Technique : object_marking_refs
  Technique : revoked
  Technique : spec_version
  Technique --> "1" SpecVersionEnum : spec_version
  click SpecVersionEnum href "../SpecVersionEnum/"
  Technique : type
  Technique : x_mitre_attack_spec_version
  Technique : x_mitre_contributors
  Technique : x_mitre_data_sources
  Technique : x_mitre_defense_bypassed
  Technique --> "*" AttackDefenseBypassEnum : x_mitre_defense_bypassed
  click AttackDefenseBypassEnum href "../AttackDefenseBypassEnum/"
  Technique : x_mitre_deprecated
  Technique : x_mitre_detection
  Technique : x_mitre_domains
  Technique --> "1..*" AttackDomainEnum : x_mitre_domains
  click AttackDomainEnum href "../AttackDomainEnum/"
  Technique : x_mitre_effective_permissions
  Technique --> "*" AttackEffectivePermissionsEnum : x_mitre_effective_permissions
  click AttackEffectivePermissionsEnum href "../AttackEffectivePermissionsEnum/"
  Technique : x_mitre_impact_type
  Technique --> "*" AttackImpactTypeEnum : x_mitre_impact_type
  click AttackImpactTypeEnum href "../AttackImpactTypeEnum/"
  Technique : x_mitre_is_subtechnique
  Technique : x_mitre_modified_by_ref
  Technique : x_mitre_network_requirements
  Technique : x_mitre_old_attack_id
  Technique : x_mitre_permissions_required
  Technique --> "*" AttackPermissionsRequiredEnum : x_mitre_permissions_required
  click AttackPermissionsRequiredEnum href "../AttackPermissionsRequiredEnum/"
  Technique : x_mitre_platforms
  Technique --> "*" AttackPlatformEnum : x_mitre_platforms
  click AttackPlatformEnum href "../AttackPlatformEnum/"
  Technique : x_mitre_remote_support
  Technique : x_mitre_system_requirements
  Technique : x_mitre_tactic_type
  Technique --> "*" AttackTacticTypeEnum : x_mitre_tactic_type
  click AttackTacticTypeEnum href "../AttackTacticTypeEnum/"
  Technique : x_mitre_version
```
Inheritance
- StixEntity
- CommonSchemaComponent
- Core
- AttackObject
- Technique
- AttackObject
- Core
- CommonSchemaComponent
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| x_mitre_domains | 1..* AttackDomainEnum | The ATT&CK technology domains to which this object belongs | direct |
| x_mitre_is_subtechnique | 1 Boolean | Boolean flag indicating whether this attack-pattern is a sub-technique (true)... | direct |
| x_mitre_platforms | * AttackPlatformEnum | The set of technology platforms or operating environments to which this ATT&C... | direct |
| x_mitre_detection | 0..1 String | DEPRECATED in ATT&CK Specification v3 | direct |
| x_mitre_data_sources | * String | DEPRECATED in ATT&CK Specification v3 | direct |
| x_mitre_defense_bypassed | * AttackDefenseBypassEnum | DEPRECATED in ATT&CK Specification v3 | direct |
| x_mitre_permissions_required | * AttackPermissionsRequiredEnum | DEPRECATED in ATT&CK Specification v3 | direct |
| x_mitre_effective_permissions | * AttackEffectivePermissionsEnum | DEPRECATED in ATT&CK Specification v3 | direct |
| x_mitre_remote_support | 0..1 Boolean | DEPRECATED in ATT&CK Specification v3 | direct |
| x_mitre_system_requirements | * String | DEPRECATED in ATT&CK Specification v3 | direct |
| x_mitre_impact_type | * AttackImpactTypeEnum | Indicates whether this technique can be used for availability attacks, integr... | direct |
| x_mitre_network_requirements | 0..1 Boolean | Boolean indicating whether this technique requires network connectivity as a ... | direct |
| x_mitre_tactic_type | * AttackTacticTypeEnum | Indicates the adversary's device access model for Mobile ATT&CK techniques | direct |
| x_mitre_modified_by_ref | 0..1 StixIdentifier | The STIX ID of the identity object that created the current version of this o... | direct |
| x_mitre_contributors | * String | Names of people and organizations who have contributed to the creation or enr... | direct |
| x_mitre_attack_spec_version | 1 SemverString | The version of the ATT&CK Data Model specification used to construct this obj... | AttackObject |
| x_mitre_version | 1 AttackVersionString | The version of this ATT&CK object content in 'major | AttackObject |
| x_mitre_deprecated | 0..1 Boolean | Boolean flag indicating that this ATT&CK object has been deprecated and shoul... | AttackObject |
| x_mitre_old_attack_id | 0..1 String | A legacy ATT&CK ID previously assigned to this object before a knowledge base... | AttackObject |
| type | 1 StixTypeName | STIX object type | Core, StixEntity |
| spec_version | 1 SpecVersionEnum | STIX specification version | Core |
| id | 1 StixIdentifier | STIX object identifier | Core, StixEntity |
| created | 1 Datetime | Creation timestamp | Core |
| modified | 1 Datetime | Modification timestamp | Core |
| created_by_ref | 0..1 StixIdentifier | The STIX ID of the identity object that first created this ATT&CK object | Core |
| labels | * String | Terms used to describe this object | Core |
| revoked | 0..1 Boolean | Indicates whether this object has been revoked | Core |
| confidence | 0..1 Integer | Confidence that the producer has in this data | Core |
| lang | 0..1 String | Language of textual properties | Core |
| external_references | 1..* ExternalReference | External references for this technique | Core |
| object_marking_refs | * StixIdentifier | Marking definition references applied to this object | Core |
| granular_markings | * GranularMarking | Granular markings that apply to selected content | Core |
| extensions | * String | Open-ended extension payloads | Core |
| name | 1 String | The name of the technique or sub-technique (e | StixEntity |
| description | 0..1 String | A description of the technique, how adversaries use it, what it accomplishes,... | StixEntity |
In Subsets
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| stix_type | attack-pattern |
| attack_id_format | T#### (technique) or T####.### (sub-technique) |
Schema Source
- from schema: https://w3id.org/lmodel/attack
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | attack:Technique |
| native | attack:Technique |
LinkML Source
Direct
```yaml
name: Technique
annotations:
  stix_type:
    tag: stix_type
    value: attack-pattern
  attack_id_format:
    tag: attack_id_format
    value: T#### (technique) or T####.### (sub-technique)
description: "Techniques describe the specific methods adversaries use to achieve\
  \ tactical objectives. They are implemented as STIX attack-pattern objects and represent\
  \ the \"how\" of adversary behavior — the concrete actions taken to accomplish a\
  \ tactic.\nA Technique may be a top-level technique (x_mitre_is_subtechnique: false)\
  \ or a sub-technique (x_mitre_is_subtechnique: true). Sub-techniques provide more\
  \ granular detail about specific implementations of their parent technique.\nSub-technique\
  \ constraints:\n - ATT&CK ID format: T####.### where T#### is the parent's ID\n\
  \ - Connected to parent via 'subtechnique-of' relationship (source = sub, target\
  \ = parent)\n - Each sub-technique has exactly one parent; parents may have many\
  \ sub-techniques\n - Sub-techniques inherit all parent tactics; platforms must\
  \ be a subset of parent's\n\nTactics mapping: kill_chain_phases entries use the\
  \ tactic's x_mitre_shortname as phase_name, with kill_chain_name set to the appropriate\
  \ ATT&CK domain value."
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
is_a: AttackObject
slots:
- x_mitre_domains
- x_mitre_is_subtechnique
- x_mitre_platforms
- x_mitre_detection
- x_mitre_data_sources
- x_mitre_defense_bypassed
- x_mitre_permissions_required
- x_mitre_effective_permissions
- x_mitre_remote_support
- x_mitre_system_requirements
- x_mitre_impact_type
- x_mitre_network_requirements
- x_mitre_tactic_type
- x_mitre_modified_by_ref
- x_mitre_contributors
slot_usage:
  type:
    name: type
    required: true
    pattern: ^attack-pattern$
  id:
    name: id
    required: true
    pattern: ^attack-pattern--
  name:
    name: name
    description: The name of the technique or sub-technique (e.g., 'Command and Scripting
      Interpreter', 'PowerShell').
    required: true
  description:
    name: description
    description: A description of the technique, how adversaries use it, what it accomplishes,
      and typically includes examples of observed adversary behavior and platform
      considerations.
  external_references:
    name: external_references
    description: External references for this technique. The first entry MUST have
      source_name 'mitre-attack' with the ATT&CK ID as external_id (e.g., 'T1059'
      or 'T1059.001'). Additional entries may reference reports, malware analyses,
      or other sources.
    comments:
    - 'validator_hint: first-ref-must-be-mitre-attack-technique-id jsonschema_minItems:
      "1"'
    required: true
  kill_chain_phases:
    name: kill_chain_phases
    description: The ATT&CK tactic(s) this technique is associated with, as ATT&CK
      kill chain phases. Each entry's kill_chain_name identifies the ATT&CK domain
      and phase_name matches the corresponding tactic's x_mitre_shortname.
    range: AttackKillChainPhase
  x_mitre_domains:
    name: x_mitre_domains
    required: true
  x_mitre_is_subtechnique:
    name: x_mitre_is_subtechnique
    required: true
```
Induced
```yaml
name: Technique
annotations:
  stix_type:
    tag: stix_type
    value: attack-pattern
  attack_id_format:
    tag: attack_id_format
    value: T#### (technique) or T####.### (sub-technique)
description: "Techniques describe the specific methods adversaries use to achieve\
  \ tactical objectives. They are implemented as STIX attack-pattern objects and represent\
  \ the \"how\" of adversary behavior — the concrete actions taken to accomplish a\
  \ tactic.\nA Technique may be a top-level technique (x_mitre_is_subtechnique: false)\
  \ or a sub-technique (x_mitre_is_subtechnique: true). Sub-techniques provide more\
  \ granular detail about specific implementations of their parent technique.\nSub-technique\
  \ constraints:\n - ATT&CK ID format: T####.### where T#### is the parent's ID\n\
  \ - Connected to parent via 'subtechnique-of' relationship (source = sub, target\
  \ = parent)\n - Each sub-technique has exactly one parent; parents may have many\
  \ sub-techniques\n - Sub-techniques inherit all parent tactics; platforms must\
  \ be a subset of parent's\n\nTactics mapping: kill_chain_phases entries use the\
  \ tactic's x_mitre_shortname as phase_name, with kill_chain_name set to the appropriate\
  \ ATT&CK domain value."
in_subset:
- attack_sdos
from_schema: https://w3id.org/lmodel/attack
is_a: AttackObject
slot_usage:
  type:
    name: type
    required: true
    pattern: ^attack-pattern$
  id:
    name: id
    required: true
    pattern: ^attack-pattern--
  name:
    name: name
    description: The name of the technique or sub-technique (e.g., 'Command and Scripting
      Interpreter', 'PowerShell').
    required: true
  description:
    name: description
    description: A description of the technique, how adversaries use it, what it accomplishes,
      and typically includes examples of observed adversary behavior and platform
      considerations.
  external_references:
    name: external_references
    description: External references for this technique. The first entry MUST have
      source_name 'mitre-attack' with the ATT&CK ID as external_id (e.g., 'T1059'
      or 'T1059.001'). Additional entries may reference reports, malware analyses,
      or other sources.
    comments:
    - 'validator_hint: first-ref-must-be-mitre-attack-technique-id jsonschema_minItems:
      "1"'
    required: true
  kill_chain_phases:
    name: kill_chain_phases
    description: The ATT&CK tactic(s) this technique is associated with, as ATT&CK
      kill chain phases. Each entry's kill_chain_name identifies the ATT&CK domain
      and phase_name matches the corresponding tactic's x_mitre_shortname.
    range: AttackKillChainPhase
  x_mitre_domains:
    name: x_mitre_domains
    required: true
  x_mitre_is_subtechnique:
    name: x_mitre_is_subtechnique
    required: true
attributes:
  x_mitre_domains:
    name: x_mitre_domains
    description: The ATT&CK technology domains to which this object belongs. At least
      one domain must be specified. An object may belong to multiple domains when
      the same technique, group, or software is relevant across domain boundaries.
    comments:
    - 'jsonschema_minItems: "1"'
    in_subset:
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_domains
    owner: Technique
    domain_of:
    - Technique
    - Tactic
    - Group
    - AttackCampaign
    - Mitigation
    - AttackMalware
    - AttackTool
    - Asset
    - DataSource
    - DataComponent
    - Matrix
    - DetectionStrategy
    - Analytic
    range: AttackDomainEnum
    required: true
    multivalued: true
  x_mitre_is_subtechnique:
    name: x_mitre_is_subtechnique
    description: Boolean flag indicating whether this attack-pattern is a sub-technique
      (true) or a top-level technique (false). Sub-techniques represent more specific
      implementations of parent techniques with ATT&CK IDs in the format T####.###.
      Each sub-technique is connected to its parent via a 'subtechnique-of' relationship
      where this object is the source_ref and the parent technique is the target_ref.
      Sub-techniques inherit all of their parent's tactics and must use a subset of
      the parent's platforms.
    in_subset:
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_is_subtechnique
    owner: Technique
    domain_of:
    - Technique
    range: boolean
    required: true
  x_mitre_platforms:
    name: x_mitre_platforms
    description: The set of technology platforms or operating environments to which
      this ATT&CK object applies. Each value must be a supported ATT&CK platform identifier.
      Values within the array must be unique; duplicate platforms are not permitted.
    comments:
    - 'jsonschema_minItems: "1" validator_hint: no-duplicate-platforms'
    in_subset:
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_platforms
    owner: Technique
    domain_of:
    - Technique
    - AttackMalware
    - AttackTool
    - Asset
    - DataSource
    - Analytic
    range: AttackPlatformEnum
    multivalued: true
  x_mitre_detection:
    name: x_mitre_detection
    description: DEPRECATED in ATT&CK Specification v3.3.0. Will be removed in v4.0.0.
      Narrative text describing analytic strategies that defenders can use to identify
      whether an adversary has used this technique. Superseded by Detection Strategies
      and Analytics referenced via 'detects' relationships.
    deprecated: Deprecated in ATT&CK Specification v3.3.0; superseded by DetectionStrategy
      and Analytic objects. Will be removed in v4.0.0.
    in_subset:
    - deprecated
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_detection
    owner: Technique
    domain_of:
    - Technique
    range: string
  x_mitre_data_sources:
    name: x_mitre_data_sources
    description: 'DEPRECATED in ATT&CK Specification v3.3.0. Will be removed in v4.0.0.
      A list of data sources that can provide evidence for detecting this technique.
      Each entry must follow the format ''Data Source Name: Data Component Name''
      (e.g., ''Process: Process Creation''). Superseded by ''detects'' relationships
      from x-mitre-data-component and x-mitre-detection-strategy objects.'
    deprecated: Deprecated in ATT&CK Specification v3.3.0; superseded by 'detects'
      relationships from DataComponent and DetectionStrategy objects. Will be removed
      in v4.0.0.
    notes:
    - '{"Each value must conform to the pattern ''<Data Source Name>": "<Data Component
      Name>''."}'
    comments:
    - 'jsonschema_minItems: "1" validator_hint: validate-data-source-string-format'
    in_subset:
    - deprecated
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_data_sources
    owner: Technique
    domain_of:
    - Technique
    range: string
    multivalued: true
  x_mitre_defense_bypassed:
    name: x_mitre_defense_bypassed
    description: DEPRECATED in ATT&CK Specification v3.3.0. Will be removed in v4.0.0.
      List of defensive tools, methodologies, or security controls that this technique
      can bypass, evade, or otherwise circumvent when used by an adversary.
    deprecated: Deprecated in ATT&CK Specification v3.3.0; will be removed in v4.0.0.
    comments:
    - 'jsonschema_minItems: "1"'
    in_subset:
    - deprecated
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_defense_bypassed
    owner: Technique
    domain_of:
    - Technique
    range: AttackDefenseBypassEnum
    multivalued: true
  x_mitre_permissions_required:
    name: x_mitre_permissions_required
    description: DEPRECATED in ATT&CK Specification v3.3.0. Will be removed in v4.0.0.
      The lowest permission level at which an adversary must be operating to execute
      this technique on a target system. If multiple values are present, the technique
      can be used at any of the listed permission levels.
    deprecated: Deprecated in ATT&CK Specification v3.3.0; will be removed in v4.0.0.
    comments:
    - 'jsonschema_minItems: "1"'
    in_subset:
    - deprecated
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_permissions_required
    owner: Technique
    domain_of:
    - Technique
    range: AttackPermissionsRequiredEnum
    multivalued: true
  x_mitre_effective_permissions:
    name: x_mitre_effective_permissions
    description: DEPRECATED in ATT&CK Specification v3.3.0. Will be removed in v4.0.0.
      The effective permission level(s) that an adversary achieves on the target system
      after successfully executing this technique. Represents the post-exploitation
      privilege gain.
    deprecated: Deprecated in ATT&CK Specification v3.3.0; will be removed in v4.0.0.
    comments:
    - 'jsonschema_minItems: "1"'
    in_subset:
    - deprecated
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_effective_permissions
    owner: Technique
    domain_of:
    - Technique
    range: AttackEffectivePermissionsEnum
    multivalued: true
  x_mitre_remote_support:
    name: x_mitre_remote_support
    description: DEPRECATED in ATT&CK Specification v3.3.0. Will be removed in v4.0.0.
      Boolean indicating whether this technique can be used to execute commands or
      payloads on a remote system without requiring local presence. When true, the
      technique supports remote execution scenarios.
    deprecated: Deprecated in ATT&CK Specification v3.3.0; will be removed in v4.0.0.
    in_subset:
    - deprecated
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_remote_support
    owner: Technique
    domain_of:
    - Technique
    range: boolean
  x_mitre_system_requirements:
    name: x_mitre_system_requirements
    description: DEPRECATED in ATT&CK Specification v3.3.0. Will be removed in v4.0.0.
      Additional preconditions about the state of the target system that may be required
      for the technique to succeed, such as required software, configuration settings,
      patch levels, or service states.
    deprecated: Deprecated in ATT&CK Specification v3.3.0; will be removed in v4.0.0.
    comments:
    - 'jsonschema_minItems: "1"'
    in_subset:
    - deprecated
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_system_requirements
    owner: Technique
    domain_of:
    - Technique
    range: string
    multivalued: true
  x_mitre_impact_type:
    name: x_mitre_impact_type
    description: Indicates whether this technique can be used for availability attacks,
      integrity attacks, or both. Only applicable to techniques in the Enterprise
      ATT&CK Impact tactic. A technique with 'Availability' affects the availability
      of systems or data; 'Integrity' indicates unauthorized modification of data
      or configuration.
    comments:
    - 'jsonschema_minItems: "1"'
    in_subset:
    - enterprise_only
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_impact_type
    owner: Technique
    domain_of:
    - Technique
    range: AttackImpactTypeEnum
    multivalued: true
  x_mitre_network_requirements:
    name: x_mitre_network_requirements
    description: Boolean indicating whether this technique requires network connectivity
      as a precondition for execution. When true, the adversary must have network
      access to the target environment for the technique to be applicable.
    in_subset:
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_network_requirements
    owner: Technique
    domain_of:
    - Technique
    range: boolean
  x_mitre_tactic_type:
    name: x_mitre_tactic_type
    description: Indicates the adversary's device access model for Mobile ATT&CK techniques.
      Specifies whether the technique requires post-device-access, pre-device-access,
      or no device access at all. Only used in the Mobile ATT&CK domain.
    comments:
    - 'jsonschema_minItems: "1"'
    in_subset:
    - mobile_only
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_tactic_type
    owner: Technique
    domain_of:
    - Technique
    range: AttackTacticTypeEnum
    multivalued: true
  x_mitre_modified_by_ref:
    name: x_mitre_modified_by_ref
    description: 'The STIX ID of the identity object that created the current version
      of this object. In practice, always references MITRE''s canonical identity object:
      identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5. May differ from created_by_ref
      if the object was originally created by a third party and subsequently adopted
      or updated by MITRE.'
    comments:
    - 'validator_hint: must-match-mitre-identity-id'
    in_subset:
    - attack_sdos
    - attack_sros
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_modified_by_ref
    owner: Technique
    domain_of:
    - Technique
    - Tactic
    - Group
    - AttackCampaign
    - Mitigation
    - AttackMalware
    - AttackTool
    - Asset
    - DataSource
    - DataComponent
    - Matrix
    - Collection
    - DetectionStrategy
    - Analytic
    - AttackRelationship
    range: stix_identifier
    pattern: ^identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5$
  x_mitre_contributors:
    name: x_mitre_contributors
    description: Names of people and organizations who have contributed to the creation
      or enrichment of this ATT&CK object. Contributors are credited for providing
      information, examples, or analysis that informed the object's content. Not present
      on relationship objects.
    in_subset:
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_contributors
    owner: Technique
    domain_of:
    - Technique
    - Tactic
    - Group
    - AttackCampaign
    - Mitigation
    - AttackMalware
    - AttackTool
    - Asset
    - DataSource
    - DetectionStrategy
    range: string
    multivalued: true
  x_mitre_attack_spec_version:
    name: x_mitre_attack_spec_version
    description: The version of the ATT&CK Data Model specification used to construct
      this object, in MAJOR.MINOR.PATCH (semantic versioning) format. Helps consuming
      software determine whether the data format is supported. Objects lacking this
      property are assumed to conform to ATT&CK spec version 2.0.0. Refer to the ATT&CK
      CHANGELOG for all supported versions.
    comments:
    - 'absent_on: marking-definition, identity (x_mitre_version absent), relationship
      (x_mitre_version absent)'
    in_subset:
    - attack_sdos
    - attack_sros
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_attack_spec_version
    owner: Technique
    domain_of:
    - AttackObject
    range: semver_string
    required: true
  x_mitre_version:
    name: x_mitre_version
    description: 'The version of this ATT&CK object content in ''major.minor'' format,
      where both components are integers between 0 and 99. Incremented by ATT&CK whenever
      the substantive content of the object changes. Does not apply to relationship
      objects. Example: "1.0", "12.5".'
    comments:
    - 'absent_on: relationship, marking-definition'
    in_subset:
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_version
    owner: Technique
    domain_of:
    - AttackObject
    range: attack_version_string
    required: true
  x_mitre_deprecated:
    name: x_mitre_deprecated
    description: Boolean flag indicating that this ATT&CK object has been deprecated
      and should no longer be used in new analyses or tooling implementations. Deprecated
      objects are retained in the knowledge base for historical reference and legacy
      compatibility, but are not actively maintained with new information.
    comments:
    - 'absent_on: marking-definition'
    in_subset:
    - attack_sdos
    - attack_sros
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_deprecated
    owner: Technique
    domain_of:
    - AttackObject
    range: boolean
  x_mitre_old_attack_id:
    name: x_mitre_old_attack_id
    description: A legacy ATT&CK ID previously assigned to this object before a knowledge
      base restructuring or domain migration event. Format mirrors the current ATT&CK
      ID format but from the prior numbering scheme (e.g., "MOB-T1001" for a mobile
      technique previously in the pre-unification Mobile ATT&CK dataset).
    in_subset:
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_old_attack_id
    owner: Technique
    domain_of:
    - AttackObject
    range: string
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: Technique
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
    required: true
    pattern: ^attack-pattern$
  spec_version:
    name: spec_version
    description: STIX specification version.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:specVersion
    rank: 1000
    alias: spec_version
    owner: Technique
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: SpecVersionEnum
    required: true
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: Technique
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
    required: true
    pattern: ^attack-pattern--
  created:
    name: created
    description: Creation timestamp.
    notes:
    - STIX core timestamps require millisecond precision.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectCreatedTime
    rank: 1000
    alias: created
    owner: Technique
    domain_of:
    - Core
    - MarkingDefinition
    range: datetime
    required: true
    pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
  modified:
    name: modified
    description: Modification timestamp.
    notes:
    - STIX core timestamps require millisecond precision.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:modifiedTime
    rank: 1000
    alias: modified
    owner: Technique
    domain_of:
    - Core
    range: datetime
    required: true
    pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
  created_by_ref:
    name: created_by_ref
    description: The STIX ID of the identity object that first created this ATT&CK
      object. Typically references MITRE's identity (identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5).
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:createdBy
    rank: 1000
    alias: created_by_ref
    owner: Technique
    domain_of:
    - Core
    - MarkingDefinition
    range: stix_identifier
  labels:
    name: labels
    description: Terms used to describe this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:tag
    rank: 1000
    alias: labels
    owner: Technique
    domain_of:
    - Core
    range: string
    multivalued: true
  revoked:
    name: revoked
    description: Indicates whether this object has been revoked.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: revoked
    owner: Technique
    domain_of:
    - Core
    range: boolean
  confidence:
    name: confidence
    description: Confidence that the producer has in this data.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: confidence
    owner: Technique
    domain_of:
    - Core
    range: integer
    minimum_value: 0
    maximum_value: 100
  lang:
    name: lang
    description: Language of textual properties.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: lang
    owner: Technique
    domain_of:
    - Core
    - GranularMarking
    range: string
  external_references:
    name: external_references
    description: External references for this technique. The first entry MUST have
      source_name 'mitre-attack' with the ATT&CK ID as external_id (e.g., 'T1059'
      or 'T1059.001'). Additional entries may reference reports, malware analyses,
      or other sources.
    comments:
    - 'validator_hint: first-ref-must-be-mitre-attack-technique-id jsonschema_minItems:
      "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: external_references
    owner: Technique
    domain_of:
    - Core
    - MarkingDefinition
    range: ExternalReference
    required: true
    multivalued: true
  object_marking_refs:
    name: object_marking_refs
    description: Marking definition references applied to this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: object_marking_refs
    owner: Technique
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: stix_identifier
    multivalued: true
  granular_markings:
    name: granular_markings
    description: Granular markings that apply to selected content.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    narrow_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: granular_markings
    owner: Technique
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: GranularMarking
    multivalued: true
  extensions:
    name: extensions
    description: Open-ended extension payloads.
    notes:
    - JSON Schema uses patternProperties for extension keys; exact key validation
      is delegated to validator tooling.
    comments:
    - 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:hasFacet
    rank: 1000
    alias: extensions
    owner: Technique
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    - File
    range: string
    multivalued: true
  name:
    name: name
    description: The name of the technique or sub-technique (e.g., 'Command and Scripting
      Interpreter', 'PowerShell').
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: Technique
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
    required: true
  description:
    name: description
    description: A description of the technique, how adversaries use it, what it accomplishes,
      and typically includes examples of observed adversary behavior and platform
      considerations.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: Technique
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string
```