An Indicator may be linked to one or more malicious actions that form part of a larger sequence of behavior called the kill chain.
STIX supports an optional list of Related Kill Chain Phases for each Indicator to represent its relationship to this overall sequence of actions.
In the example below, we define a kill chain and include a reference to one of its phases in an Indicator. Note the use of phase_id and kill_chain_id in reference creation.
```python
from stix.core import STIXPackage
from stix.common.kill_chains import KillChain, KillChainPhase, KillChainPhaseReference
from stix.indicator import Indicator
from stix.ttp import TTP

stix_pkg = STIXPackage()

# make indicator
ind = Indicator()
ind.title = "Malicious executable"
ind.description = "Resident binary which implements infostealing and credit card grabber"

# define the kill chain and its phases
infect = KillChainPhase(name="Infect Machine")
exfil = KillChainPhase(name="Exfiltrate Data")
mychain = KillChain(name="Organization-specific Kill Chain")
mychain.kill_chain_phases = [infect, exfil]

# attach the kill chain definition and the indicator to the package
stix_pkg.ttps.add_ttp(TTP())
stix_pkg.ttps.kill_chains.append(mychain)
stix_pkg.add_indicator(ind)

# add referenced phase to indicator, linking phase and kill chain by ID values
ind.kill_chain_phases.append(
    KillChainPhaseReference(phase_id=infect.phase_id, kill_chain_id=mychain.id_)
)

print(stix_pkg.to_xml(encoding=None))
```
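Because the Indicator points at its phase only by ID, a consumer should confirm that each phase_id and kill_chain_id pair resolves to a phase actually defined in the package before using it to prioritize alerts. The following is an added example, not part of the original page or the python-stix project: it uses only the Python standard library, the function name `resolve_phase_refs` is hypothetical, and the XML is a constructed, trimmed sample with made-up IDs.

```python
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
}

# Constructed sample (assumption): trimmed STIX 1.x package, IDs are made up.
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1">
      <indicator:Kill_Chain_Phases>
        <stixCommon:Kill_Chain_Phase phase_id="example:phase-infect" kill_chain_id="example:chain-1"/>
        <stixCommon:Kill_Chain_Phase phase_id="example:phase-missing" kill_chain_id="example:chain-1"/>
      </indicator:Kill_Chain_Phases>
    </stix:Indicator>
  </stix:Indicators>
  <stix:TTPs>
    <stix:Kill_Chains>
      <stixCommon:Kill_Chain id="example:chain-1" name="Organization-specific Kill Chain">
        <stixCommon:Kill_Chain_Phase name="Infect Machine" phase_id="example:phase-infect"/>
        <stixCommon:Kill_Chain_Phase name="Exfiltrate Data" phase_id="example:phase-exfil"/>
      </stixCommon:Kill_Chain>
    </stix:Kill_Chains>
  </stix:TTPs>
</stix:STIX_Package>"""

def resolve_phase_refs(xml_text):
    """Return (resolved, dangling) phase references found on Indicators."""
    root = ET.fromstring(xml_text)
    # Index defined phases: (kill_chain_id, phase_id) -> (chain name, phase name)
    defined = {}
    for chain in root.iterfind("stix:TTPs/stix:Kill_Chains/stixCommon:Kill_Chain", NS):
        for phase in chain.iterfind("stixCommon:Kill_Chain_Phase", NS):
            defined[(chain.get("id"), phase.get("phase_id"))] = (chain.get("name"), phase.get("name"))
    resolved, dangling = [], []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        for ref in ind.iterfind("indicator:Kill_Chain_Phases/stixCommon:Kill_Chain_Phase", NS):
            key = (ref.get("kill_chain_id"), ref.get("phase_id"))
            if key in defined:
                resolved.append((ind.get("id"), *defined[key]))
            else:
                dangling.append((ind.get("id"), *key))
    return resolved, dangling

if __name__ == "__main__":
    print(resolve_phase_refs(SAMPLE))
```

A dangling reference usually means the kill chain definition was shipped in a different package or dropped during filtering, so the Indicator's phase cannot be named without fetching it.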