Merge pull request #236 from mitre/update-usage-doc

Update information to point to the ATT&CK Data Model repository
Jared Ondricek
2025-12-19 16:02:46 -06:00
committed by GitHub
3 changed files with 30 additions and 156 deletions
+5 -140
@@ -1,142 +1,7 @@
# Changes to the ATT&CK/STIX Data Model
## 28 October 2025 - ATT&CK Spec v3.3.0
Changes to ATT&CK in STIX for the October 2025 ATT&CK Content Release (ATT&CK v18.0)
* Added Analytic objects. For detailed information about the representation of Analytics in ATT&CK/STIX, please see the [ATT&CK Data Model schema documentation](https://mitre-attack.github.io/attack-data-model/docs/reference/schemas/sdo/analytic.schema).
* Added Detection Strategy objects. For detailed information about the representation of Detection Strategies in ATT&CK/STIX, please see the [ATT&CK Data Model schema documentation](https://mitre-attack.github.io/attack-data-model/docs/reference/schemas/sdo/detection-strategy.schema).
* Deprecated Data Source objects. These objects will be removed in ATT&CK Spec v4.
* Modified Data Component objects:
* Assigned an ATT&CK ID to each Data Component object.
* Added the `x_mitre_log_sources` property. See the [ATT&CK Data Model schema documentation](https://mitre-attack.github.io/attack-data-model/docs/reference/schemas/sdo/data-component.schema#xmitrelogsources) for a description of this new property.
* Deprecated the `x_mitre_data_source_ref` property. This property will be removed from the spec entirely in ATT&CK Spec v4.
* Modified Technique objects:
* Deprecated the following properties, which will be removed from the spec entirely in ATT&CK Spec v4.
* `x_mitre_detection`
* `x_mitre_system_requirements`
* `x_mitre_permissions_required`
* `x_mitre_effective_permissions`
* `x_mitre_data_sources`
* `x_mitre_defense_bypassed`
* `x_mitre_remote_support`
* Deprecated the `x_mitre_data_component` `--detects-->` `attack-pattern` relationship object. These will be removed in ATT&CK Spec v4. This has been replaced by the `x_mitre_detection_strategy` `--detects-->` `attack-pattern` relationship object.
## 22 April 2025
There are no changes to the data model in the April 2025 ATT&CK Content Release (ATT&CK v17.0)
## 31 October 2024
There are no changes to the data model in the October 2024 ATT&CK Content Release (ATT&CK v16.0)
## 23 April 2024
There are no changes to the data model in the April 2024 ATT&CK Content Release (ATT&CK v15.0)
## 31 October 2023 - ATT&CK Spec v3.2.0
Changes to ATT&CK in STIX for October 2023 ATT&CK Content Release (ATT&CK v14.0)
* Added Asset objects. For detailed information about the representation of Assets in ATT&CK/STIX, please see the assets section of the [USAGE document](https://github.com/mitre/cti/blob/master/USAGE.md#assets).
## 25 April 2023 - ATT&CK Spec v3.1.0
Changes to ATT&CK in STIX for April 2023 ATT&CK Content Release (ATT&CK v13.0)
* Restored the `labels` property for ICS mitigation objects. This property documents security controls for ICS mitigations.
## 25 October 2022 - ATT&CK Spec v3.0.0
Changes to ATT&CK in STIX for October 2022 ATT&CK Content Release (ATT&CK-v12.0)
* Added Campaign objects. For detailed information about the representation of Campaigns in ATT&CK/STIX, please see the campaign section of the [USAGE document](https://github.com/mitre/cti/blob/master/USAGE.md).
## 25 April 2022 (ATT&CK v11) release
NOTE: Changes to ATT&CK for the April 2022 (ATT&CK v11) release were initially omitted from this change log.
As of the v11 content release, the following fields that previously were only available in the STIX 2.1 bundles are also available in STIX 2.0.
* `x_mitre_modified_by_ref`: has been added to all object types. Defined in spec 2.0.0 below.
* `x_mitre_domains`: has been added to all non-relationship objects. Defined in spec 2.0.0 below.
* `x_mitre_attack_spec_version`: has been added to all object types. Defined in spec 2.1.0 below.
## 21 October 2021 - ATT&CK Spec v2.1.0
Changes to ATT&CK in STIX for October 2021 ATT&CK Content Release (ATT&CK-v10.0)
| Feature | [Available in STIX 2.0](https://github.com/mitre/cti) | [Available in STIX 2.1](https://github.com/mitre-attack/attack-stix-data) |
|:--------|:-----------------------------------------------------:|:-------------------------------------------------------------------------:|
| Added full objects for data sources and data components. See [the data sources section of the USAGE document](https://github.com/mitre-attack/attack-stix-data/blob/master/USAGE.md#data-sources-and-data-components) for more information about data sources, data components, and their relationships with techniques. | :white_check_mark: | :white_check_mark: |
| Added `x_mitre_attack_spec_version` field to all object types. This field tracks the version of the ATT&CK Spec used by the object. Consuming software can use this field to determine if the data format is supported; if the field is absent the object will be assumed to use ATT&CK Spec version `2.0.0`. | :x: | :white_check_mark: |
## 21 June 2021 - ATT&CK Spec v2.0.0
Release of ATT&CK in STIX 2.1.
The contents of this repository is not affected, but you can find ATT&CK in STIX 2.1 (ATT&CK spec v2.0.0+) on our new [attack-stix-data](https://github.com/mitre-attack/attack-stix-data) GitHub repository. Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI.
| Feature | [Available in STIX 2.0](https://github.com/mitre/cti) | [Available in STIX 2.1](https://github.com/mitre-attack/attack-stix-data) |
|:--------|:-----------------------------------------------------:|:-------------------------------------------------------------------------:|
| Added `x_mitre_modified_by_ref` field to all object types. This field tracks the identity of the individual or organization which created the current _version_ of the object. | :x: | :white_check_mark: |
| Added `x_mitre_domains` field to all non-relationship objects. This field tracks the domains the object is found in. | :x: | :white_check_mark: |
| Added [collection](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/docs/collections.md) objects to track information about specific releases of the dataset and to allow the dataset to be imported into [ATT&CK Workbench](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/). | :x: | :white_check_mark: |
| Added a [collection index](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/docs/collections.md) to list the contents of this repository and to allow the data to be imported into [ATT&CK Workbench](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/). | :x: | :white_check_mark: |
## 29 April 2021
Changes to ATT&CK in STIX for April 2021 ATT&CK Content Release (ATT&CK-v9.0)
1. Replaced `GCP`, `AWS` and `Azure` platforms under the enterprise domain with `IaaS` (Infrastructure as a Service).
2. Added `Containers` and `Google Workspace` to the platforms of the enterprise domain.
3. Revised the data sources of the enterprise domain. Data sources are still represented as a string array, but the elements within that array are now formatted `"data source: data component"` to reflect the new data source representation. More information on the new data sources can be found on our [attack-datasources](https://github.com/mitre-attack/attack-datasources) GitHub repository. Note that the data sources in the ICS domain was not affected by this change.
With the release of ATT&CK version 9 we are also hosting an excel representation of the knowledge base on our website. You can find that representation and more about ATT&CK tools on the updated [Working with ATT&CK](https://attack.mitre.org/resources/working-with-attack/) page.
## 27 October 2020
Changes to ATT&CK in STIX for October 2020 ATT&CK Content Release (ATT&CK-v8.0)
1. Added new platforms under the enterprise domain: `Network` and `PRE`.
2. Deprecated the pre-ATT&CK domain. Pre-ATT&CK has been migrated to two new tactics in the Enterprise domain tagged with the `PRE` platform. Please see the new [PRE matrix](https://attack.mitre.org/matrices/enterprise/PRE/) for the replacing Enterprise tactics and techniques. All objects within the pre-ATT&CK domain have been marked as deprecated, along with a new description pointing to their new home in Enterprise.
3. Added the [ATT&CK for ICS domain](ics-attack).
## 8 July 2020 - ATT&CK Spec v1.3.0
Changes to ATT&CK in STIX for July 2020 ATT&CK Content Release (ATT&CK-v7.0)
1. Added sub-techniques:
- A sub-technique is an attack-pattern where `x_mitre_is_subtechnique` is `true`.
- Relationships of type `subtechnique-of` between sub-techniques and techniques convey their hierarchy.
For more information about the representation of sub-techniques in STIX, please see [the sub-techniques section of the USAGE document](USAGE.md#sub-techniques).
2. Revised the representation of deprecated objects. The first paragraph of deprecated objects' descriptions should in most cases convey the reason the object was deprecated.
We've also rewritten the [USAGE](USAGE.md) document with additional information about the ATT&CK data model and more examples of how to access and use ATT&CK in Python.
## 24 October 2019
Changes to ATT&CK in STIX for October 2019 ATT&CK Content Release (ATT&CK-v6.0)
1. Added cloud platforms under the enterprise domain: `AWS`, `GCP`, `Azure`, `Office 365`, `Azure AD`, and `SaaS`.
## 31 July 2019
Changes to ATT&CK in STIX for July 2019 ATT&CK Content Release (ATT&CK-v5.0)
1. Descriptions added to relationships of type `mitigates` under the enterprise domain
## 30 April 2019 - ATT&CK Spec v1.2.0
Changes to ATT&CK in STIX for April 2019 ATT&CK Content Release (ATT&CK-v4.0)
1. `x_mitre_impact_type` added for enterprise techniques within the `Impact` tactic
2. Descriptions added to relationships between software/groups
## 23 October 2018 - ATT&CK Spec v1.1.0
Changes to ATT&CK in STIX for October 2018 ATT&CK Content Release (ATT&CK-v3.0)
1. `x_mitre_platforms` added for enterprise malware/tools
2. `x_mitre_detection` added to attack-patterns
3. Custom MITRE attributes removed from descriptions in attack-patterns
4. Alias descriptions added for malware/tools/intrusion-sets as external references
5. Descriptions added to relationships between groups/attack-patterns in PRE-ATT&CK
6. Names of ATT&CK objects replaced in descriptions and x_mitre_detection fields with markdown links
7. `CAPEC ids` added to external references for attack-patterns
8. Citations in alias descriptions added as external references in the object containing the alias description
9. Added `x-mitre-tactic` and `x-mitre-matrix` objects
10. Changed ===Windows=== subheadings to ### Windows subheadings (Windows is just one example)
11. Added space between asterisks (ex. *Content to * Content) to populate markdown correctly
12. Changed "true" to True in `x_mitre_deprecated`
13. Added old ATT&CK IDs to Mobile/PRE-ATT&CK objects whose IDs have changed as `x-mitre-old-attack-id`
> [!IMPORTANT]
> **Documentation Notice**
>
> We have unified the changelog of our STIX 2.0 and STIX 2.1 representations into a single specification.
> You can view the [updated changelog here](https://mitre-attack.github.io/attack-data-model/schemas/changelog-schema).
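Review bot: Deleting the whole changelog history (ATT&CK Spec v1.1.0 through v3.3.0) removes the only offline record of when STIX 2.0-specific properties such as `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` entered this repository, and the replacement notice gives no hint that the history moved. Consider keeping a one-line pointer to the last revision of this file in git history, or stating explicitly that the unified changelog at the linked URL covers the STIX 2.0 spec versions listed here. Also note the wording: "unified the changelog ... into a single specification" conflates the changelog with the spec; "into a single changelog" matches what the link is.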
+12 -5

@@ -1,18 +1,24 @@
# CTI
This repository contains the MITRE ATT&CK® and CAPEC™ datasets expressed in STIX 2.0. See [USAGE](USAGE.md) or [USAGE-CAPEC](USAGE-CAPEC.md) for information on using this content with [python-stix2](https://github.com/oasis-open/cti-python-stix2).
This repository contains the MITRE ATT&CK® and CAPEC™ datasets expressed in STIX 2.0.
See [USAGE](USAGE.md) or [USAGE-CAPEC](USAGE-CAPEC.md) for information on using this content with [python-stix2](https://github.com/oasis-open/cti-python-stix2).
If you are looking for ATT&CK represented in STIX 2.1, please see the [attack-stix-data](https://github.com/mitre-attack/attack-stix-data) GitHub repository. Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI. Please see the [attack-stix-data USAGE document](https://github.com/mitre-attack/attack-stix-data) for more information on the improved data model of that repository.
If you are looking for ATT&CK represented in STIX 2.1, please see the [attack-stix-data](https://github.com/mitre-attack/attack-stix-data) GitHub repository.
Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI.
Please see the [attack-stix-data USAGE document](https://github.com/mitre-attack/attack-stix-data/blob/master/USAGE.md) for more information on the improved data model of that repository.
## ATT&CK
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
<https://attack.mitre.org>
## CAPEC
Understanding how the adversary operates is essential to effective cyber security. CAPEC™ helps by providing a comprehensive dictionary of known patterns of attacks employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
Understanding how the adversary operates is essential to effective cyber security.
CAPEC™ helps by providing a comprehensive dictionary of known patterns of attacks employed by adversaries to exploit known weaknesses in cyber-enabled capabilities.
It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
- Focuses on application security
- Enumerates exploits against vulnerable systems
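Review bot: The README intro still directs readers only to the attack-stix-data USAGE document "for more information on the improved data model", while the commit message says the purpose is to point to the ATT&CK Data Model repository; this hunk adds no such pointer. Suggest adding one sentence alongside the attack-stix-data paragraph referencing the ATT&CK Data Model documentation, matching what the USAGE and CHANGELOG hunks now do. The corrected USAGE link (`.../attack-stix-data/blob/master/USAGE.md` instead of the repository root) is a good fix.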
@@ -25,7 +31,8 @@ Understanding how the adversary operates is essential to effective cyber securit
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.
STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better
understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.
STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.
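Review bot: The reflow breaks the sentence at an arbitrary word ("... security communities to better" / "understand what computer-based attacks ..."), which is inconsistent with the one-sentence-per-line convention the earlier README hunk adopts. Rendered output is unchanged, but for readable diffs either keep the sentence on one line or break at the clause boundary before "allowing security communities".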
+13 -11
@@ -2,9 +2,11 @@
> [!IMPORTANT]
> **Documentation Notice**
>
> We have unified our STIX 2.0 and STIX 2.1 representations into a single specification. For the most up-to-date information about the structure and format of our published STIX files, see the [ATT&CK Data Model Specification](https://github.com/mitre-attack/attack-data-model/blob/main/docs/SPEC.md).
>
>
> We have unified our STIX 2.0 and STIX 2.1 representations into a single specification.
> For the most up-to-date information about the structure and format of our published STIX files,
> see the [ATT&CK Data Model Specification](https://mitre-attack.github.io/attack-data-model/schemas/changelog-schema).
>
> This document focuses on practical usage examples and Python recipes for working with ATT&CK data. For detailed information about object types, fields, and relationships, please refer to the specification linked above.
This document describes how to query and manipulate ATT&CK data from either this repository or the ATT&CK TAXII server using Python.
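Review bot: Link text and target disagree: the anchor still reads "ATT&CK Data Model Specification" but now points at `.../attack-data-model/schemas/changelog-schema`, a changelog page, where the removed line pointed at `docs/SPEC.md`. Either restore a specification URL or rename the link text to say changelog. Minor: the hunk leaves two consecutive empty `>` lines before the new text, which renders as an extra blank line inside the admonition.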
@@ -61,7 +63,7 @@ ATT&CK uses a mix of predefined and custom STIX objects to implement ATT&CK conc
## Accessing ATT&CK data in python
There are several ways to acquire the ATT&CK data in Python. All of them will provide an object
implementing the DataStore API and can be used interchangeably with the recipes provided in the [Python recipes](#Python-Recipes) section.
implementing the DataStore API and can be used interchangeably with the recipes provided in the [Python recipes](#python-recipes) section.
This section utilizes the [stix2 python library](https://github.com/oasis-open/cti-python-stix2). Please refer to the [STIX2 Python API Documentation](https://stix2.readthedocs.io/en/latest/) for more information on how to work with STIX programmatically.
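Review bot: Lowercasing `#Python-Recipes` to `#python-recipes` is correct for GitHub-generated heading ids, which are lowercase with spaces replaced by hyphens. The same mixed-case anchor pattern recurs in later hunks of this file, so it is worth confirming the whole document was swept with a markdown link checker rather than fixed one occurrence at a time.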
@@ -143,11 +145,11 @@ Some users may instead prefer to access "live" ATT&CK content over the internet.
Users can access the ATT&CK data from the official ATT&CK TAXII server. In TAXII, the ATT&CK domains are represented as collections with static IDs:
| domain | collection ID |
|:-------|:--------------|
| domain | collection ID |
|:--------------------|:---------------------------------------|
| `enterprise-attack` | `95ecc380-afe9-11e4-9b6c-751b66dd541e` |
| `mobile-attack` | `2f669986-b40b-4423-b720-4396ca6a462b` |
| `ics-attack` | `02c3ef24-9cd4-48f3-a99f-b74ce24f1d34` |
| `mobile-attack` | `2f669986-b40b-4423-b720-4396ca6a462b` |
| `ics-attack` | `02c3ef24-9cd4-48f3-a99f-b74ce24f1d34` |
You can also get a list of available collection from the server directly:
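Review bot: The table change is whitespace-only re-padding of the column widths; the three collection IDs are unchanged, which is the important thing to verify since consumers key on them. While editing this block, the unchanged context line "get a list of available collection from the server" should read "collections".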
@@ -245,7 +247,7 @@ You can then use this CompositeDataSource just as you would the DataSource for a
## Python recipes
Below are example python recipes which can be used to work with ATT&CK data. They assume the existence of an object implementing the DataStore API. Any of the methods outlined in the [Accessing ATT&CK data in python](#accessing-ATTCK-Data-in-Python) section should provide an object implementing this API.
Below are example python recipes which can be used to work with ATT&CK data. They assume the existence of an object implementing the DataStore API. Any of the methods outlined in the [Accessing ATT&CK data in python](#accessing-attck-data-in-python) section should provide an object implementing this API.
This section utilizes the [stix2 python library](https://github.com/oasis-open/cti-python-stix2). Please refer to the [STIX2 Python API Documentation](https://stix2.readthedocs.io/en/latest/) for more information on how to work with STIX programmatically. See also the section on [Requirements and imports](#requirements-and-imports).
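Review bot: The new anchor `#accessing-attck-data-in-python` correctly reflects how GitHub slugs the heading "Accessing ATT&CK data in python" (the ampersand is dropped, not replaced), so this fix is right; a reader may find the "attck" spelling surprising, so a short comment next to the heading noting the slug is derived from it would prevent someone "correcting" it later.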
@@ -282,7 +284,7 @@ t1134 = src.query([
])[0]
```
The old 1:1 mitigations causing this issue are deprecated, so you can also filter them out that way — see [Removing revoked and deprecated objects](#Removing-revoked-and-deprecated-objects).
The old 1:1 mitigations causing this issue are deprecated, so you can also filter them out that way — see [Removing revoked and deprecated objects](#removing-revoked-and-deprecated-objects).
#### By name
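Review bot: The lowercase anchor `#removing-revoked-and-deprecated-objects` is the right form, but note that the next hunk links to a differently named section, `#working-with-deprecated-and-revoked-objects`; the two titles are similar enough that one may be a stale name. Please confirm both headings exist in USAGE.md with exactly these word orders, since a near-miss anchor fails silently on GitHub.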
@@ -321,7 +323,7 @@ get_group_by_alias(src, 'Cozy Bear')
The recipes in this section address how to query the dataset for multiple objects.
&#9888; When working with queries to return objects based on a set of characteristics, it is likely that you'll end up with a few objects which are no longer maintained by ATT&CK. These are objects marked as deprecated or revoked. We keep these outdated objects around so that workflows depending on them don't break, but we recommend you avoid using them when possible. Please see the section [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects) for more information.
&#9888; When working with queries to return objects based on a set of characteristics, it is likely that you'll end up with a few objects which are no longer maintained by ATT&CK. These are objects marked as deprecated or revoked. We keep these outdated objects around so that workflows depending on them don't break, but we recommend you avoid using them when possible. Please see the section [Working with deprecated and revoked objects](#working-with-deprecated-and-revoked-objects) for more information.
#### Objects by type
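Review bot: Anchor fix is correct. Style point: this paragraph signals a warning with the raw HTML entity `&#9888;`, while the top of this same file now uses a `> [!IMPORTANT]` admonition; converting this callout to `> [!WARNING]` would render consistently and avoid an entity that some markdown renderers display literally.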