TTPType characterizes an individual adversary TTP.
| Field Name | Type | Description |
|---|---|---|
| @idoptional | QName |
Specifies a globally unique identifier for this TTP item. |
| @idrefoptional | QName |
Specifies a globally unique identifier of a TTP item specified elsewhere. |
| @versionoptional | TTPVersionType |
Specifies the relevant STIX-TTP schema version for this content. |
| Title0..1 | string |
The Title field provides a simple title for this TTP. |
| Description0..1 | StructuredTextType |
The Description field provides an unstructured description of the TTP. |
| Intended_Effect0..n | StatementType |
The Intended_Effect field specifies the suspected intended effect for this TTP.
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.0/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
|
| Behavior0..1 | BehaviorType |
Behavior describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP. |
| Resources0..1 | ResourceType |
Resources describe the infrastructure or tools that the adversary uses to execute this TTP. |
| Victim_Targeting0..1 | VictimTargetingType |
The Victim_Targeting field characterizes the people, organizations, information or access being targeted. |
| Exploit_Targets0..1 | ExploitTargetsType |
The Exploit_Targets field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP. |
| Related_TTPs0..1 | RelatedTTPsType |
The Related_TTPs field specifies other TTPs asserted to be related to this cyber threat TTP. |
| Kill_Chain_Phases0..1 | KillChainPhasesReferenceType |
The Kill_Chain_Phases field specifies one or more Kill Chain phases associated with this TTP item. |
| Information_Source0..1 | InformationSourceType |
The Information_Source field details the source of this entry. |
| Kill_Chains0..1 | KillChainsType |
The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere. |
| Handling0..1 | MarkingType |
Specifies the relevant handling guidance for this TTP. The valid marking scope is the nearest TTPBaseType ancestor of this Handling element and all its descendants. |