MITRE ATT&CK App Data Mappings
- Updated on 23 Jan 2024
- 3 Minutes to read
The following sections illustrate how data created by the MITRE ATT&CK® App are mapped in ThreatConnect and describe how each ThreatConnect object created by the App corresponds to the information provided for the object in the MITRE ATT&CK database.
ThreatConnect Data Model Mappings
Table 1 shows how each ATT&CK® data type is mapped to the ThreatConnect data model for data created by the MITRE ATT&CK App.
ATT&CK Data Type | ThreatConnect Object Type | Name Format in Object's Summary | MITRE ATT&CK Website Link |
---|---|---|---|
Tactic | Tactic Group; Tag | Tactic Group: TAxxxx Tactic Name (e.g., TA0004 Privilege Escalation); Tag: Tactic-Name, with spaces replaced by hyphens (e.g., Privilege-Escalation) | Enterprise ATT&CK Tactics |
Technique | Attack Pattern Group | Txxxx Technique Name (e.g., T1548 Abuse Elevation Control Mechanism) | Enterprise ATT&CK Techniques |
Sub-Technique | Attack Pattern Group | Txxxx.xxx Sub-Technique Name (e.g., T1548.001 Setuid and Setgid) | Enterprise ATT&CK Techniques |
Software | Malware Group or Tool Group | Software Name (e.g., WindTail) | Enterprise ATT&CK Software |
Group | Intrusion Set Group | Group Name (e.g., Chimera) | Enterprise ATT&CK Groups |
ATT&CK Data Type Mappings
Table 2 through Table 5 illustrate how STIX™ fields for each ATT&CK data type are mapped in ThreatConnect. The information provided in the Attributes card on the Overview tab of the Details screen for each Group object created by the MITRE ATT&CK App corresponds to the information provided for the ATT&CK object in the MITRE ATT&CK database.
ATT&CK Tactics
ThreatConnect object type: Tactic Group
ATT&CK STIX Field | ThreatConnect Mapping | Pivotable? |
---|---|---|
name | Name/Summary | No |
id | Attribute: External ID | Yes |
external_references/url, external_references/description, x_mitre_contributors | Attribute: External References (concatenated), Attribute: Source | Yes |
description | Attribute: Description | No |
kill_chain_phases/phase_name | Tag | Yes |
modified | Attribute: External Date Last Modified | Yes |
created | Attribute: External Date Created | Yes |
x_mitre_platforms, x_mitre_permissions_required | Attribute: Capabilities (concatenated) | Yes |
x_mitre_detection, x_mitre_data_sources | Attribute: Additional Analysis and Context (concatenated) | No |
ATT&CK Techniques and Sub-Techniques
ThreatConnect object type: Attack Pattern Group
ATT&CK STIX Field | ThreatConnect Mapping | Pivotable? |
---|---|---|
name | Name/Summary | No |
id | Attribute: External ID | Yes |
external_references/url, external_references/description, x_mitre_contributors | Attribute: External References (concatenated), Attribute: Source | Yes |
description | Attribute: Description | No |
kill_chain_phases/phase_name | Tag | Yes |
modified | Attribute: External Date Last Modified | Yes |
created | Attribute: External Date Created | Yes |
x_mitre_platforms, x_mitre_permissions_required | Attribute: Capabilities (concatenated) | Yes |
x_mitre_detection, x_mitre_data_sources | Attribute: Additional Analysis and Context (concatenated) | No |
ATT&CK Groups
ThreatConnect object type: Intrusion Set Group
ATT&CK STIX Field | ThreatConnect Mapping | Pivotable? |
---|---|---|
name | Name/Summary | No |
id | Attribute: External ID | Yes |
description | Attribute: Description | No |
external_references/url, external_references/description, x_mitre_contributors | Attribute: External References (concatenated), Attribute: Source | Yes |
aliases | Attribute: Aliases | Yes |
modified | Attribute: External Date Last Modified | Yes |
created | Attribute: External Date Created | Yes |
ATT&CK Software
ThreatConnect object types: Malware Group; Tool Group
ATT&CK STIX Field | ThreatConnect Mapping | Pivotable? |
---|---|---|
name | Name/Summary | No |
id | Attribute: External ID | Yes |
description | Attribute: Description | No |
external_references/url, external_references/description, x_mitre_contributors | Attribute: External References (concatenated), Attribute: Source | Yes |
aliases | Attribute: Aliases | Yes |
modified | Attribute: External Date Last Modified | Yes |
created | Attribute: External Date Created | Yes |
x_mitre_platforms | Attribute: Capabilities | Yes |
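The following Python is an added illustration of the mappings in Tables 1 through 5; it is not the MITRE ATT&CK App's own code. The sample objects are constructed in the shape of the ATT&CK Enterprise STIX bundle (the field names are the bundle's real ones; UUIDs, dates and descriptive text are made up). Two points the tables leave implicit: the STIX id field that becomes External ID is a type--UUID string, while the ATT&CK ID shown in the summary (TA0004, T1548.001) is the external_id of the object's mitre-attack external reference; and the separator used for the "(concatenated)" Attributes, the TACTIC_NAMES lookup and the GROUP_TYPE dictionary are assumptions of this example.

```python
"""Map ATT&CK STIX objects to the ThreatConnect objects and Attributes in
Tables 1 through 5.  Added illustration, not the MITRE ATT&CK App's own code."""

# Constructed sample objects in the shape of the ATT&CK Enterprise STIX bundle.
# Field names are the bundle's real ones; UUIDs, dates and prose are made up.
TACTIC = {
    "type": "x-mitre-tactic", "id": "x-mitre-tactic--11111111-1111-4111-8111-111111111111",
    "name": "Privilege Escalation", "x_mitre_shortname": "privilege-escalation",
    "description": "The adversary is trying to gain higher-level permissions.",
    "created": "2018-10-17T00:14:20.652Z", "modified": "2019-07-19T17:43:23.473Z",
    "external_references": [{"source_name": "mitre-attack", "external_id": "TA0004",
                             "url": "https://attack.mitre.org/tactics/TA0004"}],
}
SUBTECHNIQUE = {
    "type": "attack-pattern", "id": "attack-pattern--22222222-2222-4222-8222-222222222222",
    "name": "Setuid and Setgid", "x_mitre_is_subtechnique": True,
    "description": "An adversary may abuse the setuid and setgid bits.",
    "created": "2020-01-30T14:11:41.764Z", "modified": "2022-04-21T16:22:05.863Z",
    "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
                          {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
    "x_mitre_platforms": ["Linux", "macOS"], "x_mitre_permissions_required": ["User"],
    "x_mitre_detection": "Monitor chmod calls that set the setuid or setgid bit.",
    "x_mitre_data_sources": ["Command: Command Execution", "File: File Metadata"],
    "x_mitre_contributors": ["Example Contributor"],
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "T1548.001",
         "url": "https://attack.mitre.org/techniques/T1548/001"},
        {"source_name": "Example Blog", "description": "Write-up on setuid abuse.",
         "url": "https://example.invalid/setuid"}],
}
GROUP = {
    "type": "intrusion-set", "id": "intrusion-set--33333333-3333-4333-8333-333333333333",
    "name": "Chimera", "aliases": ["Chimera"], "description": "Constructed group description.",
    "created": "2021-01-12T18:20:22.748Z", "modified": "2021-05-13T17:47:35.466Z",
    "external_references": [{"source_name": "mitre-attack", "external_id": "G0114",
                             "url": "https://attack.mitre.org/groups/G0114"}],
}
# x_mitre_shortname -> tactic name, as carried by the bundle's x-mitre-tactic objects.
TACTIC_NAMES = {"privilege-escalation": "Privilege Escalation",
                "defense-evasion": "Defense Evasion"}
# Table 1: STIX object type -> ThreatConnect Group type.
GROUP_TYPE = {"x-mitre-tactic": "Tactic", "attack-pattern": "Attack Pattern",
              "intrusion-set": "Intrusion Set", "malware": "Malware", "tool": "Tool"}


def attack_id(obj):
    """ATT&CK ID (TA0004, T1548.001, G0114).  In the bundle it is the external_id of
    the 'mitre-attack' external reference; the STIX 'id' is a type--UUID string."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def summary(obj):
    """Name format from Table 1: tactics and techniques carry the ATT&CK ID."""
    if obj["type"] in ("x-mitre-tactic", "attack-pattern"):
        return f"{attack_id(obj)} {obj['name']}"
    return obj["name"]


def tactic_tag(tactic_name):
    """Standard Tag for a tactic: spaces become hyphens (Privilege-Escalation)."""
    return "-".join(tactic_name.split())


def _join(parts):
    # The separator used for "(concatenated)" Attributes is an assumption.
    return "; ".join(p for p in parts if p)


def to_threatconnect(obj, tactic_names=TACTIC_NAMES):
    """Group type, summary, Attributes (Tables 2-5) and tactic Tags for one object."""
    refs = [f"{r.get('description') or r['source_name']}: {r['url']}"
            for r in obj.get("external_references", []) if r.get("url")]
    attrs = {
        "External ID": obj["id"],
        "Description": obj.get("description", ""),
        "External References": _join(refs),
        "Source": _join(obj.get("x_mitre_contributors", [])),
        "External Date Created": obj["created"],
        "External Date Last Modified": obj["modified"],
    }
    if obj["type"] in ("intrusion-set", "malware", "tool"):
        # Software objects in the bundle carry x_mitre_aliases rather than aliases.
        attrs["Aliases"] = _join(obj.get("aliases") or obj.get("x_mitre_aliases", []))
    if obj["type"] == "attack-pattern":
        attrs["Capabilities"] = _join(obj.get("x_mitre_platforms", [])
                                      + obj.get("x_mitre_permissions_required", []))
        attrs["Additional Analysis and Context"] = _join(
            [obj.get("x_mitre_detection", "")] + obj.get("x_mitre_data_sources", []))
    elif obj["type"] in ("malware", "tool"):
        attrs["Capabilities"] = _join(obj.get("x_mitre_platforms", []))
    if obj["type"] == "x-mitre-tactic":
        tags = [tactic_tag(obj["name"])]
    else:  # techniques: one tactic Tag per kill_chain_phases entry
        tags = [tactic_tag(tactic_names[p["phase_name"]])
                for p in obj.get("kill_chain_phases", []) if p["kill_chain_name"] == "mitre-attack"]
    return {"type": GROUP_TYPE[obj["type"]], "summary": summary(obj),
            "attributes": attrs, "tags": tags}
```

Running to_threatconnect(SUBTECHNIQUE) yields an Attack Pattern Group with summary "T1548.001 Setuid and Setgid", Capabilities "Linux; macOS; User", and the Tags Privilege-Escalation and Defense-Evasion; to_threatconnect(GROUP) yields an Intrusion Set Group that gets an Aliases Attribute but no Capabilities, matching the Table 4 row set.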
Associations
Groups created by the MITRE ATT&CK App are associated to each other according to their relationships in the MITRE ATT&CK framework. For example, all techniques and sub-techniques (Attack Pattern Groups in ThreatConnect) used by a given software will be associated to the Malware or Tool Group representing the software in ThreatConnect. These associations are shown on the Associations tab of the Details screen and the Associations card on the Overview tab of the legacy Details screen for the Group object. Similarly, if an ATT&CK group uses a number of techniques, sub-techniques, and software, all of the objects representing those items will be associated to the Intrusion Set Group representing the ATT&CK group in ThreatConnect.
If an ATT&CK technique has sub-techniques, the Attack Pattern Groups for the sub-techniques will be associated with the Attack Pattern Group representing the parent technique in ThreatConnect.
Tags
Groups created by the MITRE ATT&CK App will have one or more standard Tags or ATT&CK Tags applied to them, depending on the Group’s type.
Tactic Groups (ATT&CK Tactics)
The following Tags will be applied to Tactic Groups representing ATT&CK tactics:
- A standard Tag representing the ATT&CK tactic to which the Group corresponds. If there are multiple words in a tactic’s name, they will be separated by hyphens in the Tag’s name (e.g., Defense-Evasion, Privilege-Escalation).
- One or more ATT&CK Tags representing each technique and sub-technique the tactic comprises. If an ATT&CK Tag does not exist for a technique or sub-technique, a standard Tag representing it will be applied instead.
Attack Pattern Groups (ATT&CK Techniques and Sub-Techniques)
The following Tags will be applied to Attack Pattern Groups representing ATT&CK techniques and sub-techniques:
- A standard Tag named Enterprise ATT&CK to indicate that the technique or sub-technique belongs to the MITRE ATT&CK Enterprise framework.
- A standard Tag representing the parent tactic for the technique or sub-technique. If there are multiple words in a tactic’s name, they will be separated by hyphens in the Tag’s name (e.g., Defense-Evasion, Privilege-Escalation).
Intrusion Set Groups (ATT&CK Groups)
Intrusion Set Groups representing ATT&CK groups may have one or more ATT&CK Tags representing each technique and sub-technique used by the ATT&CK group, if any. If an ATT&CK Tag does not exist for a technique or sub-technique, a standard Tag representing it will be applied instead.
Malware and Tool Groups (ATT&CK Software)
Malware and Tool Groups representing ATT&CK software may have one or more ATT&CK Tags representing each technique and sub-technique used by the ATT&CK software, if any. If an ATT&CK Tag does not exist for a technique or sub-technique, a standard Tag representing it will be applied instead.
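The Associations and Tags described in the two sections above both derive from the same two pieces of the ATT&CK STIX bundle: relationship objects (relationship_type "uses" between groups, software and techniques, and "subtechnique-of" between a sub-technique and its parent) and the kill_chain_phases of each technique. In the bundle a tactic is an x-mitre-tactic object whose x_mitre_shortname (e.g., privilege-escalation) is the value techniques reference in kill_chain_phases/phase_name, which is how a tactic's techniques are found. The Python below is an added example of that derivation, not the MITRE ATT&CK App's code; its mini-bundle is constructed (abbreviated placeholder STIX ids, illustrative relationships), the attack_tag_ids parameter stands in for whichever technique ATT&CK Tags exist in the owner, and naming a technique Tag after the Attack Pattern summary is an assumption of the example.

```python
"""Derive the Associations and Tags described above from the relationship objects
and kill_chain_phases of an ATT&CK STIX bundle.  Added illustration, not the
MITRE ATT&CK App's own code."""
from collections import defaultdict


def _ref(ext_id, kind):
    # Minimal 'mitre-attack' external reference carrying the ATT&CK ID.
    return [{"source_name": "mitre-attack", "external_id": ext_id,
             "url": f"https://attack.mitre.org/{kind}/{ext_id.replace('.', '/')}"}]


# Constructed mini-bundle: a tactic, a technique with one sub-technique, a group and
# a tool.  STIX ids are abbreviated placeholders (real ones are type--UUID); the
# relationships are illustrative, not ATT&CK's actual data.
KCP = [{"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]
BUNDLE = [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ta4", "name": "Privilege Escalation",
     "x_mitre_shortname": "privilege-escalation", "external_references": _ref("TA0004", "tactics")},
    {"type": "attack-pattern", "id": "attack-pattern--t1548", "name": "Abuse Elevation Control Mechanism",
     "kill_chain_phases": KCP, "external_references": _ref("T1548", "techniques")},
    {"type": "attack-pattern", "id": "attack-pattern--t1548-001", "name": "Setuid and Setgid",
     "x_mitre_is_subtechnique": True, "kill_chain_phases": KCP,
     "external_references": _ref("T1548.001", "techniques")},
    {"type": "intrusion-set", "id": "intrusion-set--g0114", "name": "Chimera",
     "external_references": _ref("G0114", "groups")},
    {"type": "tool", "id": "tool--s0002", "name": "Mimikatz",
     "external_references": _ref("S0002", "software")},
    # Relationship objects are the edges the App turns into Associations.
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--t1548-001", "target_ref": "attack-pattern--t1548"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g0114", "target_ref": "attack-pattern--t1548-001"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g0114", "target_ref": "tool--s0002"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "tool--s0002", "target_ref": "attack-pattern--t1548"},
]


def attack_id(obj):
    return next(r["external_id"] for r in obj["external_references"]
                if r["source_name"] == "mitre-attack")


def summary(obj):
    """Table 1 name format: tactics and techniques are prefixed with the ATT&CK ID."""
    if obj["type"] in ("x-mitre-tactic", "attack-pattern"):
        return f"{attack_id(obj)} {obj['name']}"
    return obj["name"]


def associations(bundle):
    """Group summary -> set of associated Group summaries.  'uses' (group/software ->
    technique, group -> software) and 'subtechnique-of' become two-way Associations;
    other relationship types (e.g. 'mitigates') are not mapped on this page."""
    by_id = {o["id"]: o for o in bundle if o["type"] != "relationship"}
    assoc = defaultdict(set)
    for rel in (o for o in bundle if o["type"] == "relationship"):
        if rel["relationship_type"] in ("uses", "subtechnique-of"):
            src, dst = summary(by_id[rel["source_ref"]]), summary(by_id[rel["target_ref"]])
            assoc[src].add(dst)
            assoc[dst].add(src)
    return dict(assoc)


def tags(bundle, attack_tag_ids):
    """Group summary -> ordered list of (kind, name) Tags, kind being 'attack' or
    'standard'.  attack_tag_ids is the set of technique IDs that have an ATT&CK Tag;
    any other technique falls back to a standard Tag.  Naming technique Tags after
    the Attack Pattern summary is an assumption of this example."""
    objs = [o for o in bundle if o["type"] != "relationship"]
    by_id = {o["id"]: o for o in objs}
    tactic_name = {o["x_mitre_shortname"]: o["name"] for o in objs if o["type"] == "x-mitre-tactic"}

    def std(name):  # standard Tag, multi-word names hyphenated (Privilege-Escalation)
        return ("standard", "-".join(name.split()))

    def tech(t):  # ATT&CK Tag if one exists for the technique, else a standard Tag
        return ("attack" if attack_id(t) in attack_tag_ids else "standard", summary(t))

    result = defaultdict(list)
    for o in objs:
        if o["type"] == "x-mitre-tactic":
            result[summary(o)].append(std(o["name"]))
            # every technique whose kill_chain_phases names this tactic's shortname
            result[summary(o)] += [tech(t) for t in objs if t["type"] == "attack-pattern"
                                   and any(p["phase_name"] == o["x_mitre_shortname"]
                                           for p in t["kill_chain_phases"])]
        elif o["type"] == "attack-pattern":
            result[summary(o)].append(("standard", "Enterprise ATT&CK"))
            result[summary(o)] += [std(tactic_name[p["phase_name"]]) for p in o["kill_chain_phases"]]
    for rel in (o for o in bundle if o["type"] == "relationship"):
        dst = by_id[rel["target_ref"]]
        if rel["relationship_type"] == "uses" and dst["type"] == "attack-pattern":
            result[summary(by_id[rel["source_ref"]])].append(tech(dst))  # groups and software
    return dict(result)
```

With attack_tag_ids={"T1548"}, the tactic TA0004 gets its own standard Tag Privilege-Escalation, an ATT&CK Tag for T1548 and a standard-Tag fallback for T1548.001; Chimera and Mimikatz get Tags only for the techniques they "use", and the group-to-tool "uses" edge becomes an Association but contributes no Tag, which is the distinction the two sections above draw.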
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks, and STIX™ is a trademark, of The MITRE Corporation.
20119-08 v.04.A