TTPTypeTTP Schema

Represents a single STIX TTP.

TTPs are representations of the behavior or modus operandi of cyber adversaries. It is a term taken from the traditional military sphere and is used to characterize what an adversary does and how they do it in increasing levels of detail. For instance, to give a simple example, a tactic may be to use malware to steal credit card credentials. A related technique (at a lower level of detail) may be to send targeted emails to potential victims, which have documents attached containing malicious code which executes upon opening, captures credit card information from keystrokes, and uses http to communicate with a command and control server to transfer information. A related procedure (at a lower level of detail) may be to perform open source research to identify potentially gullible individuals, craft a convincing socially engineered email and document, create malware/exploit that will bypass current antivirus detection, establish a command and control server by registering a domain called, and send mail to victims from a Gmail account called

TTPs consist of the specific adversary behavior (attack patterns, malware, exploits) exhibited, resources leveraged (tools, infrastructure, personas), information on the victims targeted (who, what or where), relevant ExploitTargets being targeted, intended effects, relevant kill chain phases, handling guidance, source of the TTP information, etc.

TTPs play a central role in cyber threat information and cyber threat intelligence. They are relevant for Indicators, Incidents, Campaigns, and ThreatActors. In addition, they hold a close relationship with ExploitTargets that characterize the specific targets that the TTPs seek to exploit.


Field Name Type Description
@idoptional QName

Specifies a globally unique identifier for this TTP item.

@idrefoptional QName

Specifies a globally unique identifier of a TTP item specified elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.

@timestampoptional dateTime

Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.

@versionoptional TTPVersionType

Specifies the relevant STIX-TTP schema version for this content.

Title0..1 string

The Title field provides a simple title for this TTP.

Description0..n StructuredTextType

The Description field is optional and provides an unstructured, text description of this TTP.

Short_Description0..n StructuredTextType

The Short_Description field is optional and provides a short, unstructured, text description of this TTP.

Intended_Effect0..n StatementType

The Intended_Effect field specifies the suspected intended effect for this TTP.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Behavior0..1 BehaviorType

Behavior describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP.

Resources0..1 ResourceType

Resources describe the infrastructure or tools that the adversary uses to execute this TTP.

Victim_Targeting0..1 VictimTargetingType

The Victim_Targeting field characterizes the people, organizations, information or access being targeted.

Exploit_Targets0..1 ExploitTargetsType

The Exploit_Targets field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP.

Related_TTPs0..1 RelatedTTPsType

The Related_TTPs field specifies other TTPs asserted to be related to this cyber threat TTP.

Kill_Chain_Phases0..1 KillChainPhasesReferenceType

The Kill_Chain_Phases field specifies one or more Kill Chain phases associated with this TTP item.

Information_Source0..1 InformationSourceType

The Information_Source field details the source of this entry.

Kill_Chains0..1 KillChainsType

The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.

Handling0..1 MarkingType

Specifies the relevant handling guidance for this TTP. The valid marking scope is the nearest TTPBaseType ancestor of this Handling element and all its descendants.

Related_Packages0..1 RelatedPackageRefsType

The Related_Packages field identifies or characterizes relationships to set of related Packages.

DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.