MITRE ATT&CK App Data Mappings
  • 23 Jan 2024
  • 3 Minutes to read
  • Dark
    Light

MITRE ATT&CK App Data Mappings

  • Dark
    Light

Article summary

The following sections illustrate how data created by the MITRE ATT&CK® App are mapped in ThreatConnect and describe how each ThreatConnect object created by the App corresponds to the information provided for the object in the MITRE ATT&CK database.

ThreatConnect Data Model Mappings

Table 1 shows how each ATT&CK® data type is mapped to the ThreatConnect data model for data created by the MITRE ATT&CK App.

 

ATT&CK Data TypeThreatConnect Object TypeName Format in Object's SummaryMITRE ATT&CK Website Link
TacticTactic, TagTactic:
TAxxxx Tactic Name
Example: TA0004 Privilege Escalation Tag:
Tactic-Name
Example: Privilege-Escalation
Enterprise ATT&CK Tactics
TechniqueAttack PatternTxxxx Technique Name
Example: T1548 Abuse Elevation Control Mechanism
Enterprise ATT&CK Techniques
Sub-TechniqueAttack PatternTxxxx.xxx Sub-Technique Name
Example: T1548.001 Setuid and Setgid
Enterprise ATT&CK Techniques
SoftwareMalware, ToolSoftware Name
Example: WindTail
Enterprise ATT&CK Software
GroupIntrusion SetGroup Name
Example: Chimera
Enterprise ATT&CK Groups

ATT&CK Data Type Mappings

Table 2 through Table 5 illustrate how STIX™ fields for each ATT&CK data type are mapped in ThreatConnect. The information provided in the Attributes card on the Overview tab of the Details screen for each Group object created by the MITRE ATT&CK App corresponds to the information provided for the ATT&CK object in the MITRE ATT&CK database.

ATT&CK Tactics

ThreatConnect object type: Tactic Group

 

ATT&CK STIX FieldThreatConnect MappingPivotable?
nameName/SummaryNo
idAttribute: External IDYes
external_references/url, external_references/description, x_mitre_contributorsAttribute: External References (concatenated), Attribute: SourceYes
descriptionAttribute: DescriptionNo
kill_chain_phases/phase_nameTagYes
modifiedAttribute: External Date Last ModifiedYes
createdAttribute: External Date CreatedYes
x_mitre_platforms, x_mitre_permissions_requiredAttribute: Capabilities (concatenated)Yes
x_mitre_detection, x_mitre_data_sourcesAttribute: Additional Analysis and Context (concatenated)No

ATT&CK Techniques and Sub-Techniques

ThreatConnect object type: Attack Pattern Group

 

ATT&CK STIX FieldThreatConnect MappingPivotable?
nameName/SummaryNo
idAttribute: External IDYes
external_references/url, external_references/description, x_mitre_contributorsAttribute: External References (concatenated), Attribute: SourceYes
descriptionAttribute: DescriptionNo
kill_chain_phases/phase_nameTagYes
modifiedAttribute: External Date Last ModifiedYes
createdAttribute: External Date CreatedYes
x_mitre_platforms, x_mitre_permissions_requiredAttribute: Capabilities (concatenated)Yes
x_mitre_detection, x_mitre_data_sourcesAttribute: Additional Analysis and Context (concatenated)No

ATT&CK Groups

ThreatConnect object type: Intrusion Set Group

 

ATT&CK STIX FieldThreatConnect MappingPivotable?
nameName/SummaryNo
idAttribute: External IDYes
descriptionAttribute: DescriptionNo
external_references/url, external_references/description, x_mitre_contributorsAttribute: External References (concatenated), Attribute: SourceYes
aliasesAttribute: AliasesYes
modifiedAttribute: External Date Last ModifiedYes
createdAttribute: External Date CreatedYes

ATT&CK Software

ThreatConnect object types: Malware Group; Tool Group

 

ATT&CK STIX FieldThreatConnect MappingPivotable?
nameName/SummaryNo
idAttribute: External IDYes
descriptionAttribute: DescriptionNo
external_references/url, external_references/description, x_mitre_contributorsAttribute: External References (concatenated), Attribute: SourceYes
aliasesAttribute: AliasesYes
modifiedAttribute: External Date Last ModifiedYes
createdAttribute: External Date CreatedYes
x_mitre_platformsAttribute: CapabilitiesYes

Associations

Groups created by the MITRE ATT&CK App are associated to each other according to their relationships in the MITRE ATT&CK framework. For example, all techniques and sub-techniques (Attack Pattern Groups in ThreatConnect) used by a given software will be associated to the Malware or Tool Group representing the software in ThreatConnect. These associations are shown on the Associations tab of the Details screen and the Associations card on the Overview tab of the legacy Details screen for the Group object. Similarly, if an ATT&CK group uses a number of techniques, sub-techniques, and software, all of the objects representing those items will be associated to the Intrusion Set Group representing the ATT&CK group in ThreatConnect.

If an ATT&CK technique has sub-techniques, the Attack Pattern Groups for the sub-techniques will be associated with the Attack Pattern Group representing the parent technique in ThreatConnect.

Note
Sub-techniques for a given parent technique are not directly associated to each other; instead, they are linked through a second-level association via the parent technique

Tags

Groups created by the MITRE ATT&CK App will have one or more standard Tags or ATT&CK Tags applied to them, depending on the Group’s type.

Important
If you are using the MITRE ATT&CK App version 2.0.3 or newer on a ThreatConnect instance with version 7.1.3 or older installed, standard Tags representing techniques and sub-techniques will be applied to Intrusion Set, Malware, Tactic, and Tool Groups instead of ATT&CK Tags.


Tactic Groups (ATT&CK Tactics)

The following Tags will be applied to Tactic Groups representing ATT&CK tactics:

  • A standard Tag representing the ATT&CK tactic to which the Group corresponds. If there are multiple words in a tactic’s name, they will be separated by hyphens in the Tag’s name (e.g., Defense-Evasion, Privilege-Escalation).
  • One or more ATT&CK Tags representing each technique and sub-technique the tactic comprises. If an ATT&CK Tag does not exist for a technique or sub-technique, a standard Tag representing it will be applied instead.

Attack Pattern Groups (ATT&CK Techniques and Sub-Techniques)

The following Tags will be applied to Attack Pattern Groups representing ATT&CK techniques and sub-techniques:

  • A standard Tag named Enterprise ATT&CK to indicate that the technique or sub-technique belongs to the MITRE ATT&CK Enterprise framework.
  • A standard Tag representing the parent tactic for the technique or sub-technique. If there are multiple words in a tactic’s name, they will be separated by hyphens in the Tag’s name (e.g., Defense-Evasion, Privilege-Escalation).

Intrusion Set Groups (ATT&CK Groups)

Intrusion Set Groups representing ATT&CK groups may have one or more ATT&CK Tags representing each technique and sub-technique used by the ATT&CK group, if any. If an ATT&CK Tag does not exist for a technique or sub-technique, a standard Tag representing it will be applied instead.

Malware and Tool Groups (ATT&CK Software)

Malware and Tool Groups representing ATT&CK software may have one or more ATT&CK Tags representing each technique and sub-technique used by the ATT&CK software, if any. If an ATT&CK Tag does not exist for a technique or sub-technique, a standard Tag representing it will be applied instead.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks, and STIX™ is a trademark, of The MITRE Corporation.

20119-08 v.04.A


Was this article helpful?