Changes to the ATT&CK/STIX Data Model

23 April 2024

There are no changes to the data model in the April 2024 ATT&CK Content Release (ATT&CK v15.0)

31 October 2023 - ATT&CK Spec v3.2.0

Changes to ATT&CK in STIX for October 2023 ATT&CK Content Release (ATT&CK v14.0)

25 April 2023 - ATT&CK Spec v3.1.0

Changes to ATT&CK in STIX for April 2023 ATT&CK Content Release (ATT&CK v13.0)

25 October 2022 - ATT&CK Spec v3.0.0

Changes to ATT&CK in STIX for October 2022 ATT&CK Content Release (ATT&CK-v12.0)

25 April 2022 (ATT&CK v11) release

NOTE: Changes to ATT&CK for the April 2022 (ATT&CK v11) release were initially omitted from this change log.

As of the v11 content release, the following fields that previously were only available in the STIX 2.1 bundles are also available in STIX 2.0.

21 October 2021 - ATT&CK Spec v2.1.0

Changes to ATT&CK in STIX for October 2021 ATT&CK Content Release (ATT&CK-v10.0)

| Feature | Available in STIX 2.0 | Available in STIX 2.1 |
|---|---|---|
| Added full objects for data sources and data components. See the data sources section of the USAGE document for more information about data sources, data components, and their relationships with techniques. | :white_check_mark: | :white_check_mark: |
| Added `x_mitre_attack_spec_version` field to all object types. This field tracks the version of the ATT&CK Spec used by the object. Consuming software can use this field to determine if the data format is supported; if the field is absent the object will be assumed to use ATT&CK Spec version `2.0.0`. | :x: | :white_check_mark: |
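
A consumer-side check built on the `x_mitre_attack_spec_version` rule above, as an added example that is not code from the MITRE repositories. The major-version ceiling, the function names and the sample bundle are assumptions made for illustration; only the field name and the `2.0.0` default come from this change log.

```python
# Added example: gate ingestion of ATT&CK STIX objects on their spec version.
DEFAULT_SPEC_VERSION = "2.0.0"   # from the change log: assumed when the field is absent
MAX_SUPPORTED_MAJOR = 3          # assumption: this consumer understands spec 3.x and older


def parse_version(raw):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints; reject anything else."""
    if not isinstance(raw, str):
        raise ValueError(f"not a string: {raw!r}")
    parts = raw.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not MAJOR.MINOR.PATCH: {raw!r}")
    return tuple(int(p) for p in parts)


def spec_version(obj):
    """Effective spec version of one object, applying the documented default."""
    return parse_version(obj.get("x_mitre_attack_spec_version", DEFAULT_SPEC_VERSION))


def partition_bundle(bundle, max_major=MAX_SUPPORTED_MAJOR):
    """Split a bundle's objects into (accepted ids, {rejected id: reason})."""
    accepted, rejected = [], {}
    for obj in bundle.get("objects", []):
        try:
            version = spec_version(obj)
        except ValueError as exc:
            rejected[obj["id"]] = f"malformed spec version ({exc})"
            continue
        if version[0] > max_major:
            rejected[obj["id"]] = "spec version %d.%d.%d is newer than supported" % version
        else:
            accepted.append(obj["id"])
    return accepted, rejected


# Constructed sample bundle; the ids are placeholders, not real ATT&CK objects.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--example-1"},
    {"type": "malware", "id": "malware--example-2", "x_mitre_attack_spec_version": "3.2.0"},
    {"type": "tool", "id": "tool--example-3", "x_mitre_attack_spec_version": "4.0.0"},
    {"type": "tool", "id": "tool--example-4", "x_mitre_attack_spec_version": "latest"},
]}

if __name__ == "__main__":
    ok, bad = partition_bundle(SAMPLE_BUNDLE)
    print("accepted:", ok)
    for obj_id, reason in bad.items():
        print("rejected:", obj_id, "-", reason)
```

Rejecting unknown or malformed versions, rather than parsing them on a best-effort basis, keeps a detection pipeline from silently misreading fields whose meaning changed in a later spec.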

21 June 2021 - ATT&CK Spec v2.0.0

Release of ATT&CK in STIX 2.1.

The contents of this repository are not affected, but you can find ATT&CK in STIX 2.1 (ATT&CK spec v2.0.0+) on our new attack-stix-data GitHub repository. Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI.

| Feature | Available in STIX 2.0 | Available in STIX 2.1 |
|---|---|---|
| Added `x_mitre_modified_by_ref` field to all object types. This field tracks the identity of the individual or organization which created the current version of the object. | :x: | :white_check_mark: |
| Added `x_mitre_domains` field to all non-relationship objects. This field tracks the domains the object is found in. | :x: | :white_check_mark: |
| Added collection objects to track information about specific releases of the dataset and to allow the dataset to be imported into ATT&CK Workbench. | :x: | :white_check_mark: |
| Added a collection index to list the contents of this repository and to allow the data to be imported into ATT&CK Workbench. | :x: | :white_check_mark: |

29 April 2021

Changes to ATT&CK in STIX for April 2021 ATT&CK Content Release (ATT&CK-v9.0)

  1. Replaced `GCP`, `AWS` and `Azure` platforms under the enterprise domain with `IaaS` (Infrastructure as a Service).
  2. Added `Containers` and `Google Workspace` to the platforms of the enterprise domain.
  3. Revised the data sources of the enterprise domain. Data sources are still represented as a string array, but the elements within that array are now formatted `"data source: data component"` to reflect the new data source representation. More information on the new data sources can be found on our attack-datasources GitHub repository. Note that the data sources in the ICS domain were not affected by this change.

With the release of ATT&CK version 9 we are also hosting an Excel representation of the knowledge base on our website. You can find that representation and more about ATT&CK tools on the updated Working with ATT&CK page.

27 October 2020

Changes to ATT&CK in STIX for October 2020 ATT&CK Content Release (ATT&CK-v8.0)

  1. Added new platforms under the enterprise domain: `Network` and `PRE`.
  2. Deprecated the pre-ATT&CK domain. Pre-ATT&CK has been migrated to two new tactics in the Enterprise domain tagged with the `PRE` platform. Please see the new PRE matrix for the replacing Enterprise tactics and techniques. All objects within the pre-ATT&CK domain have been marked as deprecated, along with a new description pointing to their new home in Enterprise.
  3. Added the ATT&CK for ICS domain.

8 July 2020 - ATT&CK Spec v1.3.0

Changes to ATT&CK in STIX for July 2020 ATT&CK Content Release (ATT&CK-v7.0)

  1. Added sub-techniques:
    • A sub-technique is an attack-pattern where `x_mitre_is_subtechnique` is `true`.
    • Relationships of type `subtechnique-of` between sub-techniques and techniques convey their hierarchy.

    For more information about the representation of sub-techniques in STIX, please see the sub-techniques section of the USAGE document.

  2. Revised the representation of deprecated objects. The first paragraph of deprecated objects’ descriptions should in most cases convey the reason the object was deprecated.
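
The sub-technique representation from item 1, as an added example that is not taken from the USAGE document or the MITRE repositories. It rebuilds the hierarchy from `x_mitre_is_subtechnique` and `subtechnique-of`, reading each relationship as "source is a sub-technique of target", and reports objects that break that model. The function name and the sample objects are assumptions constructed for illustration.

```python
# Added example: rebuild the technique / sub-technique hierarchy from STIX objects.
from collections import defaultdict


def subtechnique_tree(objects):
    """Return ({parent name: [sub-technique names]}, [consistency problems])."""
    patterns = {o["id"]: o for o in objects if o.get("type") == "attack-pattern"}
    tree, problems, linked = defaultdict(list), [], set()
    for rel in objects:
        if rel.get("type") != "relationship":
            continue
        if rel.get("relationship_type") != "subtechnique-of":
            continue
        # Direction: source_ref is the sub-technique, target_ref is its parent.
        child = patterns.get(rel.get("source_ref"))
        parent = patterns.get(rel.get("target_ref"))
        if child is None or parent is None:
            problems.append(f"{rel['id']}: endpoint missing from bundle")
        elif child.get("x_mitre_is_subtechnique") is not True:
            problems.append(f"{rel['id']}: source is not flagged as a sub-technique")
        else:
            tree[parent["name"]].append(child["name"])
            linked.add(child["id"])
    for pid, pattern in patterns.items():
        if pattern.get("x_mitre_is_subtechnique") is True and pid not in linked:
            problems.append(f"{pid}: flagged as a sub-technique but has no parent")
    return {name: sorted(subs) for name, subs in tree.items()}, problems


# Constructed sample objects; ids and names are placeholders, not ATT&CK content.
SAMPLE_OBJECTS = [
    {"type": "attack-pattern", "id": "attack-pattern--p1", "name": "Parent A"},
    {"type": "attack-pattern", "id": "attack-pattern--s1", "name": "Sub A.1",
     "x_mitre_is_subtechnique": True},
    {"type": "attack-pattern", "id": "attack-pattern--s2", "name": "Sub A.2",
     "x_mitre_is_subtechnique": True},
    {"type": "attack-pattern", "id": "attack-pattern--s3", "name": "Orphan",
     "x_mitre_is_subtechnique": True},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--s2", "target_ref": "attack-pattern--p1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--s1", "target_ref": "attack-pattern--p1"},
    {"type": "relationship", "id": "relationship--r3", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--p1", "target_ref": "attack-pattern--s1"},
]
```

Calling `subtechnique_tree(SAMPLE_OBJECTS)` groups the two valid sub-techniques under their parent and flags the reversed relationship and the orphaned sub-technique.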

We’ve also rewritten the USAGE document with additional information about the ATT&CK data model and more examples of how to access and use ATT&CK in Python.

24 October 2019

Changes to ATT&CK in STIX for October 2019 ATT&CK Content Release (ATT&CK-v6.0)

  1. Added cloud platforms under the enterprise domain: `AWS`, `GCP`, `Azure`, `Office 365`, `Azure AD`, and `SaaS`.

31 July 2019

Changes to ATT&CK in STIX for July 2019 ATT&CK Content Release (ATT&CK-v5.0)

  1. Descriptions added to relationships of type `mitigates` under the enterprise domain

30 April 2019 - ATT&CK Spec v1.2.0

Changes to ATT&CK in STIX for April 2019 ATT&CK Content Release (ATT&CK-v4.0)

  1. `x_mitre_impact_type` added for enterprise techniques within the `Impact` tactic
  2. Descriptions added to relationships between software/groups

23 October 2018 - ATT&CK Spec v1.1.0

Changes to ATT&CK in STIX for October 2018 ATT&CK Content Release (ATT&CK-v3.0)

  1. `x_mitre_platforms` added for enterprise malware/tools
  2. `x_mitre_detection` added to attack-patterns
  3. Custom MITRE attributes removed from descriptions in attack-patterns
  4. Alias descriptions added for malware/tools/intrusion-sets as external references
  5. Descriptions added to relationships between groups/attack-patterns in PRE-ATT&CK
  6. Names of ATT&CK objects replaced in descriptions and x_mitre_detection fields with markdown links
  7. `CAPEC ids` added to external references for attack-patterns
  8. Citations in alias descriptions added as external references in the object containing the alias description
  9. Added `x-mitre-tactic` and `x-mitre-matrix` objects
  10. Changed ===Windows=== subheadings to ### Windows subheadings (Windows is just one example)
  11. Added space between asterisks (ex. *Content to * Content) to populate markdown correctly
  12. Changed “true” to True in `x_mitre_deprecated`
  13. Added old ATT&CK IDs to Mobile/PRE-ATT&CK objects whose IDs have changed as `x-mitre-old-attack-id`