Class: SubTechnique

The MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack.

URI: ocsf:SubTechnique

 classDiagram
    class SubTechnique
    click SubTechnique href "../SubTechnique/"
      Entity <|-- SubTechnique
        click Entity href "../Entity/"

      SubTechnique : name

      SubTechnique : src_url

      SubTechnique : uid

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| name | 0..1 recommended, String | The name of the attack sub-technique | direct |
| src_url | 0..1, UrlT | The versioned permalink of the attack sub-technique | direct |
| uid | 0..1 recommended, String | The unique identifier of the attack sub-technique | direct |

Usages

| used by | used in | type | used |
| --- | --- | --- | --- |
| Attack | sub_technique | range | SubTechnique |

In Subsets

Aliases

  • MITRE Sub-technique

See Also

Notes

Identifier and Mapping Information

Schema Source

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | ocsf:SubTechnique |
| native | ocsf:SubTechnique |
| exact | attack:SubTechnique |
| close | capec:AttackStep |

LinkML Source

Direct

name: SubTechnique
description: 'The MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique
  ID

  and/or name associated to an attack.'
notes:
- ATT&CK® Matrix — https://attack.mitre.org
- ATLAS™ Matrix — https://atlas.mitre.org/matrices/ATLAS
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://attack.mitre.org
- https://atlas.mitre.org/matrices/ATLAS
aliases:
- MITRE Sub-technique
exact_mappings:
- attack:SubTechnique
close_mappings:
- capec:AttackStep
is_a: Entity
slots:
- name
- src_url
- uid
slot_usage:
  name:
    name: name
    description: 'The name of the attack sub-technique. For example: <code>Scanning
      IP

      Blocks</code> or <code>User Execution: Unsafe ML Artifacts</code>.'
  src_url:
    name: src_url
    description: 'The versioned permalink of the attack sub-technique. For example:

      <code>https://attack.mitre.org/versions/v14/techniques/T1595/001/</code>.'
  uid:
    name: uid
    description: 'The unique identifier of the attack sub-technique. For example:

      <code>T1595.001</code> or <code>AML.T0011.000</code>.'

Induced

name: SubTechnique
description: 'The MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique
  ID

  and/or name associated to an attack.'
notes:
- ATT&CK® Matrix — https://attack.mitre.org
- ATLAS™ Matrix — https://atlas.mitre.org/matrices/ATLAS
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://attack.mitre.org
- https://atlas.mitre.org/matrices/ATLAS
aliases:
- MITRE Sub-technique
exact_mappings:
- attack:SubTechnique
close_mappings:
- capec:AttackStep
is_a: Entity
slot_usage:
  name:
    name: name
    description: 'The name of the attack sub-technique. For example: <code>Scanning
      IP

      Blocks</code> or <code>User Execution: Unsafe ML Artifacts</code>.'
  src_url:
    name: src_url
    description: 'The versioned permalink of the attack sub-technique. For example:

      <code>https://attack.mitre.org/versions/v14/techniques/T1595/001/</code>.'
  uid:
    name: uid
    description: 'The unique identifier of the attack sub-technique. For example:

      <code>T1595.001</code> or <code>AML.T0011.000</code>.'
attributes:
  name:
    name: name
    description: 'The name of the attack sub-technique. For example: <code>Scanning
      IP

      Blocks</code> or <code>User Execution: Unsafe ML Artifacts</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: SubTechnique
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  src_url:
    name: src_url
    description: 'The versioned permalink of the attack sub-technique. For example:

      <code>https://attack.mitre.org/versions/v14/techniques/T1595/001/</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Source URL
    rank: 1000
    alias: src_url
    owner: SubTechnique
    domain_of:
    - Osint
    - Package
    - Ticket
    - Advisory
    - Cvss
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Enrichment
    - FindingObject
    - FindingInfo
    - KbArticle
    - Mitigation
    - SubTechnique
    - Tactic
    - Technique
    - IncidentProfile
    - IncidentFinding
    range: UrlT
  uid:
    name: uid
    description: 'The unique identifier of the attack sub-technique. For example:

      <code>T1595.001</code> or <code>AML.T0011.000</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: SubTechnique
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true