| File |
The File Object represents the properties of a file |
yes |
| Indicator |
Indicators contain a pattern that can be used to detect suspicious or malicio... |
yes |
| MarkingDefinition |
The marking-definition object represents a specific marking |
yes |
| AttackRelationship |
ATT&CK Relationship objects connect ATT&CK STIX objects using typed semantic ... |
yes |
| WindowsPESection |
The Windows PE Section type specifies metadata about a PE file section |
no |
| AutonomousSystem |
The AS object represents the properties of an Autonomous Systems (AS) |
yes |
| Core |
Common properties and behavior across all STIX Domain Objects and STIX Relati... |
yes |
| Identifier |
Represents identifiers across the CTI specifications |
no |
| NetworkTraffic |
The Network Traffic Object represents arbitrary network traffic that originat... |
yes |
| CyberObservableObject |
|
no |
| DetectionStrategy |
Detection Strategies define high-level, platform-agnostic approaches for dete... |
yes |
| CommonSchemaComponent |
|
no |
| PdfExt |
The PDF extension specifies a default extension for capturing properties spec... |
no |
| Location |
A Location represents a geographic location |
yes |
| Properties |
Rules for custom properties |
no |
| RasterImageExt |
The Raster Image extension specifies a default extension for capturing proper... |
no |
| DomainName |
The Domain Name represents the properties of a network domain name |
yes |
| Asset |
Assets represent physical or logical systems, devices, and technologies withi... |
yes |
| Artifact |
The Artifact Object permits capturing an array of bytes (8-bits), as a base64... |
yes |
| Vulnerability |
A Vulnerability is a mistake in software that can be directly used by a hacke... |
yes |
| EmailAddr |
The Email Address Object represents a single email address |
yes |
| MacAddr |
The MAC Address Object represents a single Media Access Control (MAC) address |
yes |
| WindowsRegistryValue |
Structured value entry under a Windows registry key |
no |
| AttackSoftware |
Abstract superclass for ATT&CK Software objects, representing both Malware an... |
no |
| AttackMalware |
Malware represents malicious software programs that adversaries use to accomp... |
yes |
| Grouping |
A Grouping object explicitly asserts that the referenced STIX Objects have a ... |
yes |
| Ipv6Addr |
The IPv6 Address Object represents one or more IPv6 addresses expressed using... |
yes |
| Mitigation |
Mitigations describe defensive measures, security controls, and configuration... |
yes |
| AttackCampaign |
Campaigns represent a grouping of adversary behaviors and resources with a co... |
yes |
| AttackObject |
Abstract base class for all versioned ATT&CK objects (SDOs and SROs) |
yes |
| KillChainPhase |
The kill-chain-phase represents a phase in a kill chain |
no |
| Sighting |
A Sighting denotes the belief that something in CTI (e |
yes |
| Tool |
Tools are legitimate software that can be used by threat actors to perform at... |
yes |
| WindowsPEOptionalHeaderType |
The Windows PE Optional Header type represents the properties of the PE optio... |
no |
| Technique |
Techniques describe the specific methods adversaries use to achieve tactical ... |
yes |
| UrlRegex |
Matches a URI according to RFC 3986 |
no |
| Report |
Reports are collections of threat intelligence focused on one or more topics,... |
yes |
| DataComponent |
Data Components represent specific types of observable events or artifacts wi... |
yes |
| Matrix |
ATT&CK Matrices define the structural layout and organization of tactics and ... |
yes |
| Malware |
Malware is a type of TTP that is also known as malicious code and malicious s... |
yes |
| Analytic |
Analytics contain the concrete, platform-specific detection logic implementin... |
yes |
| GranularMarking |
The granular-marking type defines how the list of marking-definition objects ... |
no |
| Relationship |
The Relationship object is used to link together two SDOs in order to describ... |
yes |
| Directory |
The Directory Object represents the properties common to a file system direct... |
yes |
| AlternateDataStreamType |
Specifies properties of an NTFS alternate data stream |
no |
| AttackMarkingDefinition |
ATT&CK Marking Definition objects apply data handling constraints to ATT&CK c... |
yes |
| ObservedData |
Observed data conveys information that was observed on systems and networks, ... |
yes |
| MalwareAnalysis |
Malware Analysis captures the metadata and results of a particular analysis p... |
yes |
| Hex |
The hex data type encodes an array of octets (8-bit bytes) as hexadecimal |
no |
| Ipv4Addr |
The IPv4 Address Object represents one or more IPv4 addresses expressed using... |
yes |
| IntrusionSet |
An Intrusion Set is a grouped set of adversary behavior and resources with co... |
yes |
| Note |
A Note is a comment or note containing informative text to help explain the c... |
yes |
| MimePartType |
Specifies a component of a multi-part email body as defined in the email-mess... |
no |
| EmailMessage |
The Email Message Object represents an instance of an email message |
yes |
| CourseOfAction |
A Course of Action is an action taken either to prevent an attack or to respo... |
yes |
| WindowsRegistryKey |
The Registry Key Object represents the properties of a Windows registry key |
yes |
| CyberObservableCore |
Common properties and behavior across all Cyber Observable Objects |
yes |
| HttpRequestExt |
The HTTP Request extension specifies a default extension for capturing networ... |
no |
| NtfsExt |
The NTFS extension specifies a default extension for capturing properties spe... |
no |
| ExternalReference |
External references are used to describe pointers to information represented ... |
no |
| Identity |
Identities can represent actual individuals, organizations, or groups (e |
yes |
| AttackBundle |
An ATT&CK STIX Bundle is the top-level distribution container for an ATT&CK d... |
yes |
| Opinion |
An Opinion is an assessment of the correctness of the information in a STIX O... |
yes |
| Group |
Groups represent clusters of adversary activity attributed to a common actor,... |
yes |
| AttackPattern |
Attack Patterns are a type of TTP that describe ways that adversaries attempt... |
yes |
| Mutex |
The Mutex Object represents the properties of a mutual exclusion (mutex) obje... |
yes |
| Extension |
Converted from common/extension |
no |
| Dictionary |
A dictionary captures a set of key/value pairs |
no |
| DataSource |
DEPRECATED as of ATT&CK Specification 3 |
yes |
| Url |
The URL Object represents the properties of a uniform resource locator (URL) |
yes |
| Infrastructure |
Infrastructure objects describe systems, software services, and associated ph... |
yes |
| StixDomainObject |
|
no |
| ThreatActor |
Threat Actors are actual individuals, groups, or organizations believed to be... |
yes |
| LanguageContent |
The language-content object represents text content for STIX Objects represen... |
yes |
| StixEntity |
|
no |
| UnixAccountExt |
The Unix Account extension specifies a default extension for capturing the ad... |
no |
| ExtensionDefinition |
The STIX Extension Definition object allows producers of threat intelligence ... |
yes |
| X509Certificate |
The X509 Certificate Object represents the properties of an X |
yes |
| Incident |
The Incident object in STIX 2 |
yes |
| IcmpExt |
The ICMP extension specifies a default extension for capturing network traffi... |
no |
| WindowsProcessExt |
The Windows Process extension specifies properties specific to Windows proces... |
no |
| Timestamp |
Represents timestamps across the CTI specifications |
no |
| Bundle |
A Bundle is a collection of arbitrary STIX Objects and Marking Definitions gr... |
yes |
| AttackIdentity |
The ATT&CK Identity object represents MITRE Corporation, the organization tha... |
yes |
| Software |
The Software Object represents high-level properties associated with software... |
yes |
| HashesType |
The Hashes type represents one or more cryptographic hashes, as a special set... |
no |
| AttackTool |
Tools represent legitimate software programs that adversaries may abuse or re... |
yes |
| SocketExt |
The Socket extension specifies a default extension for capturing network traf... |
no |
| ArchiveExt |
The Archive File extension specifies a default extension for capturing proper... |
no |
| AttackKillChainPhase |
An ATT&CK-constrained kill chain phase restricting kill_chain_name to the thr... |
no |
| PEBinaryExt |
The Windows PE Binary File extension specifies a default extension for captur... |
no |
| UserAccount |
The User Account Object represents an instance of any type of user account, i... |
yes |
| X509V3ExtensionsType |
Specifies any standard X |
no |
| StixRelationshipObject |
|
no |
| Collection |
Collections are versioned snapshots of an ATT&CK dataset grouping all STIX ob... |
yes |
| Tactic |
Tactics represent the adversary's high-level strategic objectives during an a... |
yes |
| Campaign |
A Campaign is a grouping of adversary behavior that describes a set of malici... |
yes |
| Process |
The Process Object represents common properties of an instance of a computer ... |
yes |
| TcpExt |
The TCP extension specifies a default extension for capturing network traffic... |
no |
| WindowsServiceExt |
The Windows Service extension specifies properties specific to Windows servic... |
no |