TTP Object

A TTP is an instance of a Tool, Technique, or Procedure used by a cyber actor

Property	Type	Description	Required?
id	String		✓
schema_version	String	CTIM schema version for this entity	✓
ttp_type	String	type of this TTP	✓
type	TTPTypeIdentifier String		✓
valid_time	ValidTime Object	a timestamp for the definition of a specific version of a TTP item	✓
behavior	Behavior Object	describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP
description	String
external_ids	String List
intended_effect	IntendedEffect String List	the suspected intended effect for this TTP
kill_chains	KillChain String List
language	String
resources	Resource Object	infrastructure or tools that the adversary uses to execute this TTP
revision	Integer
short_description	String
source	String
source_uri	String
timestamp	Inst (Date)
title	String
tlp	TLP String
victim_targeting	VictimTargeting Object	characterizes the people, organizations, information or access being targeted

Reference: TTPType

Property behavior ∷ Behavior Object

describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP

This entry is optional

Behavior Object Value
- Details: Behavior Object

Property description ∷ String

This entry is optional
- Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property id ∷ String

This entry is required
- IDs are strings of the form: type-<128bitUUID>, for example judgment-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property intended_effect ∷ IntendedEffect String List

the suspected intended effect for this TTP

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Account Takeover
  - Advantage
  - Advantage - Economic
  - Advantage - Military
  - Advantage - Political
  - Brand Damage
  - Competitive Advantage
  - Degradation of Service
  - Denial and Deception
  - Destruction
  - Disruption
  - Embarrassment
  - Exposure
  - Extortion
  - Fraud
  - Harassment
  - ICS Control
  - Theft
  - Theft - Credential Theft
  - Theft - Identity Theft
  - Theft - Intellectual Property
  - Theft - Theft of Proprietary Information
  - Traffic Diversion
  - Unauthorized Access

Property kill_chains ∷ KillChain String List

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Actions on Objectives
  - Command & Control
  - Delivery
  - Exploitation
  - Installation
  - Reconnaissance
  - Weaponization

Property language ∷ String

This entry is optional
- String with at most 1024 characters

Property resources ∷ Resource Object

infrastructure or tools that the adversary uses to execute this TTP

This entry is optional

Resource Object Value
- Details: Resource Object

Property revision ∷ Integer

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ String

This entry is optional
- String with at most 2048 characters

Property source ∷ String

This entry is optional
- String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

This entry is optional
- Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ String

This entry is optional
- String with at most 1024 characters

Property tlp ∷ TLP String

This entry is optional
- TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property ttp_type ∷ String

type of this TTP

This entry is required
- String with at most 1024 characters

Property type ∷ TTPTypeIdentifier String

This entry is required
- Must equal: "ttp"

Property valid_time ∷ ValidTime Object

a timestamp for the definition of a specific version of a TTP item

This entry is required

ValidTime Object Value
- Details: ValidTime Object

Property victim_targeting ∷ VictimTargeting Object

characterizes the people, organizations, information or access being targeted

This entry is optional

VictimTargeting Object Value
- Details: VictimTargeting Object

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Behavior Object

Property	Type	Description	Required?
attack_patterns	AttackPattern Object List	one or more Attack Patterns for this TTP
malware_type	MalwareInstance Object List	one or more instances of Malware for this TTP

Reference: BehaviorType

Property attack_patterns ∷ AttackPattern Object List

one or more Attack Patterns for this TTP

This entry is optional
This entry's type is sequential (allows zero or more values)

AttackPattern Object Value
- Details: AttackPattern Object

Property malware_type ∷ MalwareInstance Object List

one or more instances of Malware for this TTP

This entry is optional
This entry's type is sequential (allows zero or more values)

MalwareInstance Object Value
- Details: MalwareInstance Object

MalwareInstance Object

Property	Type	Description
description	String
short_description	String
title	String
type	MalwareType String List	a characterization of what type of malware this

Reference: MalwareInstanceType

Property description ∷ String

This entry is optional
- Markdown string with at most 5000 characters

Property short_description ∷ String

This entry is optional
- String with at most 2048 characters

Property title ∷ String

This entry is optional
- String with at most 1024 characters

Property type ∷ MalwareType String List

a characterization of what type of malware this

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Adware
  - Automated Transfer Scripts
  - Bot
  - Bot - Credential Theft
  - Bot - DDoS
  - Bot - Loader
  - Bot - Spam
  - Dialer
  - DoS / DDoS - Participatory
  - DoS / DDoS - Script
  - DoS / DDoS - Stress Test Tools
  - DoS/ DDoS
  - Exploit Kit
  - POS / ATM Malware
  - Ransomware
  - Remote Access Trojan
  - Rogue Antivirus
  - Rootkit

AttackPattern Object

Property	Type	Description
capec_id	String	a reference to a particular entry within the Common Attack Pattern Enumeration and Classification
description	String
short_description	String
title	String

Reference: AttackPatternType

Property capec_id ∷ String

a reference to a particular entry within the Common Attack Pattern Enumeration and Classification

This entry is optional

Property description ∷ String

This entry is optional
- Markdown string with at most 5000 characters

Property short_description ∷ String

This entry is optional
- String with at most 2048 characters

Property title ∷ String

This entry is optional
- String with at most 1024 characters

Resource Object

Property	Type	Description
infrastructure	Infrastructure Object	infrastructure observed to have been utilized for cyber attack
personas	Identity Object
tools	Tool Object	The tool leveraged by this TTP

Reference: ResourceType

Property infrastructure ∷ Infrastructure Object

infrastructure observed to have been utilized for cyber attack

This entry is optional

Infrastructure Object Value
- Details: Infrastructure Object

Property personas ∷ Identity Object

This entry is optional

Identity Object Value
- Details: Identity Object

Property tools ∷ Tool Object

The tool leveraged by this TTP

This entry is optional

Tool Object Value
- Details: Tool Object

Identity Object

Describes a person or an organization

Property	Type	Description	Required?
description	String		✓
related_identities	RelatedIdentity Object List	Identifies other entity Identities related to this Identity	✓

Reference: IdentityType

Property description ∷ String

This entry is required
- Markdown string with at most 5000 characters

Property related_identities ∷ RelatedIdentity Object List

Identifies other entity Identities related to this Identity

This entry is required
This entry's type is sequential (allows zero or more values)

RelatedIdentity Object Value
- Details: RelatedIdentity Object

RelatedIdentity Object

Describes a related Identity

Property	Type	Description	Required?
identity	String	The reference (URI) of the related Identity object	✓
confidence	HighMedLow String	Specifies the level of confidence in the assertion of the relationship between the two objects
information_source	String	Specifies the source of the information about the relationship between the two components
relationship	String

Reference: RelatedIdentityType

Property confidence ∷ HighMedLow String

Specifies the level of confidence in the assertion of the relationship between the two objects

This entry is optional
- Allowed Values:
  - High
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property identity ∷ String

The reference (URI) of the related Identity object

This entry is required
- A URI

Property information_source ∷ String

Specifies the source of the information about the relationship between the two components

This entry is optional

Property relationship ∷ String

This entry is optional

Infrastructure Object

Property	Type	Description
description	String	text (Markdown) description of specific classes or instances of infrastructure utilized for cyber attack
short_description	String
title	String
type	AttackerInfrastructure String	represents the type of infrastructure being described

Reference: [Infrastructure Type](http://stixproject.github.io/data-model/1.2/ttp/Infrastructure Type/)

Property description ∷ String

text (Markdown) description of specific classes or instances of infrastructure utilized for cyber attack

This entry is optional
- Markdown string with at most 5000 characters

Property short_description ∷ String

This entry is optional
- String with at most 2048 characters

Property title ∷ String

This entry is optional
- String with at most 1024 characters

Property type ∷ AttackerInfrastructure String

represents the type of infrastructure being described

This entry is optional
- Allowed Values:
  - Anonymization
  - Anonymization - Proxy
  - Anonymization - TOR Network
  - Anonymization - VPN
  - Communications
  - Communications - Blogs
  - Communications - Forums
  - Communications - Internet Relay Chat
  - Communications - Micro-Blogs
  - Communications - Mobile Communications
  - Communications - Social Networks
  - Communications - User-Generated Content Websites
  - Domain Registration
  - Domain Registration - Dynamic DNS Services
  - Domain Registration - Legitimate Domain Registration Services
  - Domain Registration - Malicious Domain Registrars
  - Domain Registration - Top-Level Domain Registrars
  - Electronic Payment Methods
  - Hosting
  - Hosting - Bulletproof / Rogue Hosting
  - Hosting - Cloud Hosting
  - Hosting - Compromised Server
  - Hosting - Fast Flux Botnet Hosting
  - Hosting - Legitimate Hosting
- Reference: AttackInfrastructureTypeVocab

Tool Object

Describes a hardware or software tool used

Property	Type	Description	Required?
description	String		✓
references	String List	references to instances or additional information for this tool
service_pack	String	service pack descriptor for this tool
type	AttackToolType String List	type of the tool leveraged
vendor	String	information identifying the vendor organization for this tool

Reference: ToolInformationType

Property description ∷ String

This entry is required
- Markdown string with at most 5000 characters

Property references ∷ String List

references to instances or additional information for this tool

This entry is optional
This entry's type is sequential (allows zero or more values)

Property service_pack ∷ String

service pack descriptor for this tool

This entry is optional

Property type ∷ AttackToolType String List

type of the tool leveraged

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Application Scanner
  - Malware
  - Password Cracking
  - Penetration Testing
  - Port Scanner
  - Traffic Scanner
  - Vulnerability Scanner
- Reference: AttackerToolTypeVocab

Property vendor ∷ String

information identifying the vendor organization for this tool

This entry is optional

VictimTargeting Object

Property	Type	Description
identity	Identity Object	infrastructure observed to have been utilized for cyber attack
targeted_information	InformationType String List	a type of information that is targeted
targeted_observables	Observable Object List	targeted observables
targeted_systems	SystemType String List	type of system that is targeted

Reference: VictimTargetingType

Property identity ∷ Identity Object

infrastructure observed to have been utilized for cyber attack

This entry is optional

Identity Object Value
- Details: Identity Object

Property targeted_information ∷ InformationType String List

a type of information that is targeted

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Authentication Cookies
  - Information Assets
  - Information Assets - Corporate Employee Information
  - Information Assets - Customer PII
  - Information Assets - Email Lists / Archives
  - Information Assets - Financial Data
  - Information Assets - Intellectual Property
  - Information Assets - Mobile Phone Contacts
  - Information Assets - User Credentials
- Reference: InformationTypeVocab

Property targeted_observables ∷ Observable Object List

targeted observables

This entry is optional
This entry's type is sequential (allows zero or more values)
Dev Notes: Was targeted_technical_details

Observable Object Value
- Details: Observable Object

Property targeted_systems ∷ SystemType String List

type of system that is targeted

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Enterprise Systems
  - Enterprise Systems - Application Layer
  - Enterprise Systems - Database Layer
  - Enterprise Systems - Enterprise Technologies and Support Infrastructure
  - Enterprise Systems - Network Systems
  - Enterprise Systems - Networking Devices
  - Enterprise Systems - VoIP
  - Enterprise Systems - Web Layer
  - Industrial Control Systems
  - Industrial Control Systems - Equipment Under Control
  - Industrial Control Systems - Operations Management
  - Industrial Control Systems - Safety, Protection and Local Control
  - Industrial Control Systems - Supervisory Control
  - Mobile Systems
  - Mobile Systems - Mobile Devices
  - Mobile Systems - Mobile Operating Systems
  - Mobile Systems - Near Field Communications
  - Third-Party Services
  - Third-Party Services - Application Stores
  - Third-Party Services - Cloud Services
  - Third-Party Services - Security Vendors
  - Third-Party Services - Social Media
  - Third-Party Services - Software Update
  - Users
  - Users - Application And Software
  - Users - Removable Media
  - Users - Workstation
- Reference: SystemTypeVocab

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifier String		✓
value	String		✓

Property type ∷ ObservableTypeIdentifier String

This entry is required
- Observable type names
- Allowed Values:
  - amp-device
  - amp_computer_guid
  - device
  - domain
  - email
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - pki-serial
  - sha1
  - sha256
  - url
  - user

Property value ∷ String

This entry is required

Identity Object

Describes a person or an organization

Property	Type	Description	Required?
description	String		✓
related_identities	RelatedIdentity Object List	Identifies other entity Identities related to this Identity	✓

Reference: IdentityType

Property description ∷ String

This entry is required
- Markdown string with at most 5000 characters

Property related_identities ∷ RelatedIdentity Object List

Identifies other entity Identities related to this Identity

This entry is required
This entry's type is sequential (allows zero or more values)

RelatedIdentity Object Value
- Details: RelatedIdentity Object

RelatedIdentity Object

Describes a related Identity

Property	Type	Description	Required?
identity	String	The reference (URI) of the related Identity object	✓
confidence	HighMedLow String	Specifies the level of confidence in the assertion of the relationship between the two objects
information_source	String	Specifies the source of the information about the relationship between the two components
relationship	String

Reference: RelatedIdentityType

Property confidence ∷ HighMedLow String

Specifies the level of confidence in the assertion of the relationship between the two objects

This entry is optional
- Allowed Values:
  - High
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property identity ∷ String

The reference (URI) of the related Identity object

This entry is required
- A URI

Property information_source ∷ String

Specifies the source of the information about the relationship between the two components

This entry is optional

Property relationship ∷ String

This entry is optional

Files

ttp.md

Latest commit

History

ttp.md

File metadata and controls

TTP Object

Property behavior ∷ Behavior Object

Property description ∷ String

Property external_ids ∷ String List

Property id ∷ String

Property intended_effect ∷ IntendedEffect String List

Property kill_chains ∷ KillChain String List

Property language ∷ String

Property resources ∷ Resource Object

Property revision ∷ Integer

Property schema_version ∷ String

Property short_description ∷ String

Property source ∷ String

Property source_uri ∷ String

Property timestamp ∷ Inst (Date)

Property title ∷ String

Property tlp ∷ TLP String

Property ttp_type ∷ String

Property type ∷ TTPTypeIdentifier String

Property valid_time ∷ ValidTime Object

Property victim_targeting ∷ VictimTargeting Object

ValidTime Object

Property end_time ∷ Inst (Date)

Property start_time ∷ Inst (Date)

Behavior Object

Property attack_patterns ∷ AttackPattern Object List

Property malware_type ∷ MalwareInstance Object List

MalwareInstance Object

Property description ∷ String

Property short_description ∷ String

Property title ∷ String

Property type ∷ MalwareType String List

AttackPattern Object

Property capec_id ∷ String

Property description ∷ String

Property short_description ∷ String

Property title ∷ String

Resource Object

Property infrastructure ∷ Infrastructure Object

Property personas ∷ Identity Object

Property tools ∷ Tool Object

Identity Object

Property description ∷ String

Property related_identities ∷ RelatedIdentity Object List

RelatedIdentity Object

Property confidence ∷ HighMedLow String

Property identity ∷ String

Property information_source ∷ String

Property relationship ∷ String

Infrastructure Object

Property description ∷ String

Property short_description ∷ String

Property title ∷ String

Property type ∷ AttackerInfrastructure String

Tool Object

Property description ∷ String

Property references ∷ String List

Property service_pack ∷ String

Property type ∷ AttackToolType String List

Property vendor ∷ String

VictimTargeting Object

Property identity ∷ Identity Object

Property targeted_information ∷ InformationType String List

Property targeted_observables ∷ Observable Object List

Property targeted_systems ∷ SystemType String List

Observable Object

Property type ∷ ObservableTypeIdentifier String

Property value ∷ String

Identity Object

Property description ∷ String

Property related_identities ∷ RelatedIdentity Object List

RelatedIdentity Object

Property confidence ∷ HighMedLow String

Property identity ∷ String