This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
The Type field provides a characterization of what type of malware this MalwareInstance is.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Type field provides a characterization of what type of malware this MalwareInstance is.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
The Name field specifies a name associated with this MalwareInstance.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.2. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Name" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Name field specifies a name associated with this MalwareInstance.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.2. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element>
The Title field is optional and provides an unstructured, text description of an individual Malware Instance.
Diagram
Type
xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field is optional and provides an unstructured, text description of an individual Malware Instance.</xs:documentation></xs:annotation></xs:element>
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field provides an text description of an individual Malware Instance.</xs:documentation></xs:annotation></xs:element>
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field provides a short text description of an individual Malware Instance.</xs:documentation></xs:annotation></xs:element>
Element ttp:TTP
Namespace
http://stix.mitre.org/TTP-1
Annotations
The TTP field characterizes specific details of observed or potential attacker Tactics, Techniques and Procedures.
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Specifies the relevant STIX-TTP schema version for this content.
Source
<xs:element name="TTP" type="ttp:TTPType"><xs:annotation><xs:documentation>The TTP field characterizes specific details of observed or potential attacker Tactics, Techniques and Procedures.</xs:documentation></xs:annotation></xs:element>
The Title field provides a simple title for this TTP.
Diagram
Type
xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for this TTP.</xs:documentation></xs:annotation></xs:element>
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description of this TTP.</xs:documentation></xs:annotation></xs:element>
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of this TTP.</xs:documentation></xs:annotation></xs:element>
The Intended_Effect field specifies the suspected intended effect for this TTP.
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Intended_Effect field specifies the suspected intended effect for this TTP.</xs:documentation><xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Behavior" type="ttp:BehaviorType" minOccurs="0"><xs:annotation><xs:documentation>Behavior describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Attack_Patterns" type="ttp:AttackPatternsType" minOccurs="0"><xs:annotation><xs:documentation>The Attack_Patterns field specifies one or more Attack Patterns for this TTP item.</xs:documentation></xs:annotation></xs:element>
Specifies a reference to the ID for this Attack Pattern specified elsewhere.
Source
<xs:element name="Attack_Pattern" type="ttp:AttackPatternType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Attack_Pattern field specifies a single Attack Pattern for this TTP item.</xs:documentation></xs:annotation></xs:element>
The Title field provides a simple title for an individual Attack Pattern.
Diagram
Type
xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for an individual Attack Pattern.</xs:documentation></xs:annotation></xs:element>
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description of an individual Attack Pattern.</xs:documentation></xs:annotation></xs:element>
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of an individual Attack Pattern.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Malware" type="ttp:MalwareType" minOccurs="0"><xs:annotation><xs:documentation>The Malware field specifies one or more instances of Malware for this TTP item.</xs:documentation></xs:annotation></xs:element>
Specifies a reference to the ID for this Malware Instance specified elsewhere.
Source
<xs:element name="Malware_Instance" type="ttp:MalwareInstanceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Malware_Instance field specifies a single instance of Malware for this TTP item.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Exploits" type="ttp:ExploitsType" minOccurs="0"><xs:annotation><xs:documentation>The Exploits field specifies one or more Exploits for this TTP item.</xs:documentation></xs:annotation></xs:element>
Specifies a reference to the ID for this Exploit Instance specified elsewhere.
Source
<xs:element name="Exploit" type="ttp:ExploitType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Exploit field specifies a single Exploit for this TTP item.</xs:documentation></xs:annotation></xs:element>
The Title field provides a simple title for an individual Exploit instance.
Diagram
Type
xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for an individual Exploit instance.</xs:documentation></xs:annotation></xs:element>
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description of an individual Exploit Instance.</xs:documentation></xs:annotation></xs:element>
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of an individual Exploit Instance.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Resources" type="ttp:ResourceType" minOccurs="0"><xs:annotation><xs:documentation>Resources describe the infrastructure or tools that the adversary uses to execute this TTP.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Tools" type="ttp:ToolsType" minOccurs="0"><xs:annotation><xs:documentation>The Tools field specifies one or more Tools leveraged by this TTP item.</xs:documentation></xs:annotation></xs:element>
The Tool field specifies a single Tool leveraged by this TTP item.
The Type field under this field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerToolTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The idref field specifies reference to a unique ID for this Tool.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
Source
<xs:element name="Tool" type="stixCommon:ToolInformationType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Tool field specifies a single Tool leveraged by this TTP item.</xs:documentation><xs:documentation>The Type field under this field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerToolTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
Specifies a reference to the ID for this class or instance of Infrastructure specified elsewhere.
Source
<xs:element name="Infrastructure" type="ttp:InfrastructureType" minOccurs="0"><xs:annotation><xs:documentation>The Infrastructure field characterizes specific classes or instances of infrastructure observed to have been utilized for cyber attack.</xs:documentation></xs:annotation></xs:element>
The Title field provides a simple title for a class or instance of Infrastructure utilized for cyber attack.
Diagram
Type
xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for a class or instance of Infrastructure utilized for cyber attack.</xs:documentation></xs:annotation></xs:element>
The Type field represents the type of infrastructure being described.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerInfrastructureTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Type field represents the type of infrastructure being described.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerInfrastructureTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
The Description field is optional and provides an unstructured, text description of specific classes or instances of infrastructure utilized for cyber attack.
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description of specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation></xs:annotation></xs:element>
The Short_Description field is optional and provides a short, unstructured, text description of specific classes or instances of infrastructure utilized for cyber attack.
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation></xs:annotation></xs:element>
The Observable_Characterization field provides structured characterization of the cyber observables detailing specific classes or instances of infrastructure utilized for cyber attack.
The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
Source
<xs:element name="Observable_Characterization" type="cybox:ObservablesType" minOccurs="0"><xs:annotation><xs:documentation>The Observable_Characterization field provides structured characterization of the cyber observables detailing specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Personas" type="ttp:PersonasType" minOccurs="0"><xs:annotation><xs:documentation>The Personas field characterizes specific classes or instances of personas (identities) leveraged by a threat to masquerade as other parties.</xs:documentation></xs:annotation></xs:element>
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
<xs:element name="Persona" type="stixCommon:IdentityType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The persona field characterizes a single persona (identity) leveraged by a threat to masquerade as another party.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Victim_Targeting" type="ttp:VictimTargetingType" minOccurs="0"><xs:annotation><xs:documentation>The Victim_Targeting field characterizes the people, organizations, information or access being targeted.</xs:documentation></xs:annotation></xs:element>
The Identity field characterizes information about the identity or characteristics of the targeted people or organizations.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.1/ciq_identity_3.0.xsd.
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
<xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0"><xs:annotation><xs:documentation>The Identity field characterizes information about the identity or characteristics of the targeted people or organizations.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.1/ciq_identity_3.0.xsd.</xs:documentation></xs:annotation></xs:element>
The Targeted_Systems field characterizes a type of system that is targeted. It may be included multiple times to specify multiple types of targeted systems.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SystemTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Targeted_Systems" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Targeted_Systems field characterizes a type of system that is targeted. It may be included multiple times to specify multiple types of targeted systems.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SystemTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
The Targeted_Systems field characterizes a type of information that is targeted. It may be included multiple times to specify multiple types of targeted information.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is InformationTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Targeted_Information" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Targeted_Systems field characterizes a type of information that is targeted. It may be included multiple times to specify multiple types of targeted information.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is InformationTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
The Targeted_Technical_Details field characterizes the technical information about what is targeted. It is implemented using the CybOX observables type, which allows for the representation of products, platforms, and code that are targeted.
The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
Source
<xs:element name="Targeted_Technical_Details" type="cybox:ObservablesType" minOccurs="0"><xs:annotation><xs:documentation>The Targeted_Technical_Details field characterizes the technical information about what is targeted. It is implemented using the CybOX observables type, which allows for the representation of products, platforms, and code that are targeted.</xs:documentation></xs:annotation></xs:element>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Exploit_Targets" type="ttp:ExploitTargetsType" minOccurs="0"><xs:annotation><xs:documentation>The Exploit_Targets field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Exploit_Target" type="stixCommon:RelatedExploitTargetType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Exploit_Target field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP.</xs:documentation></xs:annotation></xs:element>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Related_TTPs" type="ttp:RelatedTTPsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_TTPs field specifies other TTPs asserted to be related to this cyber threat TTP.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Related_TTP" type="stixCommon:RelatedTTPType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_TTP field specifies a single other TTP asserted to be related to this cyber threat TTP.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Kill_Chain_Phases" type="stixCommon:KillChainPhasesReferenceType" minOccurs="0"><xs:annotation><xs:documentation>The Kill_Chain_Phases field specifies one or more Kill Chain phases associated with this TTP item.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Information_Source field details the source of this entry.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Kill_Chains" type="stixCommon:KillChainsType" minOccurs="0"><xs:annotation><xs:documentation>The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation></xs:annotation></xs:element>
Specifies the relevant handling guidance for this TTP. The valid marking scope is the nearest TTPBaseType ancestor of this Handling element and all its descendants.
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the relevant handling guidance for this TTP. The valid marking scope is the nearest TTPBaseType ancestor of this Handling element and all its descendants.</xs:documentation></xs:annotation></xs:element>
The Related_Packages field identifies or characterizes relationships to set of related Packages.
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
<xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Packages field identifies or characterizes relationships to set of related Packages.</xs:documentation><xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation></xs:element>
Complex Type ttp:MalwareInstanceType
Namespace
http://stix.mitre.org/TTP-1
Annotations
Captures basic information about an individual malware instance.
In addition to capturing basic information, this type is intended to be extended to enable the structured description of a malware instance using the XML Schema extension feature. The STIX default extension uses the Malware Attribute Enumeration and Classification (MAEC) schema to do so. The extension that defines this is captured in the MAEC4.1InstanceType in the http://stix.mitre.org/extensions/Malware#MAEC4.1-1 namespace. This type is defined in the extensions/malware/maec_4.1_malware.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/malware/maec_4.1/1.0/maec_4.1_malware.xsd.
Specifies a reference to the ID for this Malware Instance specified elsewhere.
Source
<xs:complexType name="MalwareInstanceType"><xs:annotation><xs:documentation>Captures basic information about an individual malware instance.</xs:documentation><xs:documentation>In addition to capturing basic information, this type is intended to be extended to enable the structured description of a malware instance using the XML Schema extension feature. The STIX default extension uses the Malware Attribute Enumeration and Classification (MAEC) schema to do so. The extension that defines this is captured in the MAEC4.1InstanceType in the http://stix.mitre.org/extensions/Malware#MAEC4.1-1 namespace. This type is defined in the extensions/malware/maec_4.1_malware.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/malware/maec_4.1/1.0/maec_4.1_malware.xsd.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Type field provides a characterization of what type of malware this MalwareInstance is.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Name" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Name field specifies a name associated with this MalwareInstance.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.2. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field is optional and provides an unstructured, text description of an individual Malware Instance.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field provides an text description of an individual Malware Instance.</xs:documentation></xs:annotation></xs:element><xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field provides a short text description of an individual Malware Instance.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Malware Instance.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID for this Malware Instance specified elsewhere.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type ttp:TTPType
Namespace
http://stix.mitre.org/TTP-1
Annotations
Represents a single STIX TTP.
TTPs are representations of the behavior or modus operandi of cyber adversaries. It is a term taken from the traditional military sphere and is used to characterize what an adversary does and how they do it in increasing levels of detail. For instance, to give a simple example, a tactic may be to use malware to steal credit card credentials. A related technique (at a lower level of detail) may be to send targeted emails to potential victims, which have documents attached containing malicious code which executes upon opening, captures credit card information from keystrokes, and uses http to communicate with a command and control server to transfer information. A related procedure (at a lower level of detail) may be to perform open source research to identify potentially gullible individuals, craft a convincing socially engineered email and document, create malware/exploit that will bypass current antivirus detection, establish a command and control server by registering a domain called mychasebank.org, and send mail to victims from a Gmail account called accounts-mychasebank@gmail.com.
TTPs consist of the specific adversary behavior (attack patterns, malware, exploits) exhibited, resources leveraged (tools, infrastructure, personas), information on the victims targeted (who, what or where), relevant ExploitTargets being targeted, intended effects, relevant kill chain phases, handling guidance, source of the TTP information, etc.
TTPs play a central role in cyber threat information and cyber threat intelligence. They are relevant for Indicators, Incidents, Campaigns, and ThreatActors. In addition, they hold a close relationship with ExploitTargets that characterize the specific targets that the TTPs seek to exploit.
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Specifies the relevant STIX-TTP schema version for this content.
Source
<xs:complexType name="TTPType"><xs:annotation><xs:documentation>Represents a single STIX TTP.</xs:documentation><xs:documentation>TTPs are representations of the behavior or modus operandi of cyber adversaries. It is a term taken from the traditional military sphere and is used to characterize what an adversary does and how they do it in increasing levels of detail. For instance, to give a simple example, a tactic may be to use malware to steal credit card credentials. A related technique (at a lower level of detail) may be to send targeted emails to potential victims, which have documents attached containing malicious code which executes upon opening, captures credit card information from keystrokes, and uses http to communicate with a command and control server to transfer information. A related procedure (at a lower level of detail) may be to perform open source research to identify potentially gullible individuals, craft a convincing socially engineered email and document, create malware/exploit that will bypass current antivirus detection, establish a command and control server by registering a domain called mychasebank.org, and send mail to victims from a Gmail account called accounts-mychasebank@gmail.com.</xs:documentation><xs:documentation>TTPs consist of the specific adversary behavior (attack patterns, malware, exploits) exhibited, resources leveraged (tools, infrastructure, personas), information on the victims targeted (who, what or where), relevant ExploitTargets being targeted, intended effects, relevant kill chain phases, handling guidance, source of the TTP information, etc.</xs:documentation><xs:documentation>TTPs play a central role in cyber threat information and cyber threat intelligence. They are relevant for Indicators, Incidents, Campaigns, and ThreatActors. In addition, they hold a close relationship with ExploitTargets that characterize the specific targets that the TTPs seek to exploit.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:TTPBaseType"><xs:sequence><xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for this TTP.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description of this TTP.</xs:documentation></xs:annotation></xs:element><xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of this TTP.</xs:documentation></xs:annotation></xs:element><xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Intended_Effect field specifies the suspected intended effect for this TTP.</xs:documentation><xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Behavior" type="ttp:BehaviorType" minOccurs="0"><xs:annotation><xs:documentation>Behavior describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP.</xs:documentation></xs:annotation></xs:element><xs:element name="Resources" type="ttp:ResourceType" minOccurs="0"><xs:annotation><xs:documentation>Resources describe the infrastructure or tools that the adversary uses to execute this TTP.</xs:documentation></xs:annotation></xs:element><xs:element name="Victim_Targeting" type="ttp:VictimTargetingType" minOccurs="0"><xs:annotation><xs:documentation>The Victim_Targeting field characterizes the people, organizations, information or access being targeted.</xs:documentation></xs:annotation></xs:element><xs:element name="Exploit_Targets" type="ttp:ExploitTargetsType" minOccurs="0"><xs:annotation><xs:documentation>The Exploit_Targets field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP.</xs:documentation></xs:annotation></xs:element><xs:element name="Related_TTPs" type="ttp:RelatedTTPsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_TTPs field specifies other TTPs asserted to be related to this cyber threat TTP.</xs:documentation></xs:annotation></xs:element><xs:element name="Kill_Chain_Phases" type="stixCommon:KillChainPhasesReferenceType" minOccurs="0"><xs:annotation><xs:documentation>The Kill_Chain_Phases field specifies one or more Kill Chain phases associated with this TTP item.</xs:documentation></xs:annotation></xs:element><xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Information_Source field details the source of this entry.</xs:documentation></xs:annotation></xs:element><xs:element name="Kill_Chains" type="stixCommon:KillChainsType" minOccurs="0"><xs:annotation><xs:documentation>The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation></xs:annotation></xs:element><xs:element name="Handling" type="marking:MarkingType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the relevant handling guidance for this TTP. The valid marking scope is the nearest TTPBaseType ancestor of this Handling element and all its descendants.</xs:documentation></xs:annotation></xs:element><xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Packages field identifies or characterizes relationships to set of related Packages.</xs:documentation><xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation></xs:element></xs:sequence><xs:attribute name="version" type="ttp:TTPVersionType"><xs:annotation><xs:documentation>Specifies the relevant STIX-TTP schema version for this content.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:complexContent></xs:complexType>
<xs:complexType name="BehaviorType"><xs:sequence><xs:element name="Attack_Patterns" type="ttp:AttackPatternsType" minOccurs="0"><xs:annotation><xs:documentation>The Attack_Patterns field specifies one or more Attack Patterns for this TTP item.</xs:documentation></xs:annotation></xs:element><xs:element name="Malware" type="ttp:MalwareType" minOccurs="0"><xs:annotation><xs:documentation>The Malware field specifies one or more instances of Malware for this TTP item.</xs:documentation></xs:annotation></xs:element><xs:element name="Exploits" type="ttp:ExploitsType" minOccurs="0"><xs:annotation><xs:documentation>The Exploits field specifies one or more Exploits for this TTP item.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
<xs:complexType name="AttackPatternsType"><xs:sequence><xs:element name="Attack_Pattern" type="ttp:AttackPatternType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Attack_Pattern field specifies a single Attack Pattern for this TTP item.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type ttp:AttackPatternType
Namespace
http://stix.mitre.org/TTP-1
Annotations
Captures prose information about an individual attack pattern as well as a CAPEC reference.
In addition to capturing basic information, this type is intended to be extended to enable the structured description of an attack pattern instance using the XML Schema extension feature. The STIX default extension uses the Common Attack Pattern Enumeration and Classification (CAPEC) schema to do so. The extension that defines this is captured in the CAPEC2.7InstanceType in the http://stix.mitre.org/extensions/AP#CAPEC2.7-1 namespace. This type is defined in the extensions/attack_pattern/capec_2.7_attack_pattern.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/attack_pattern/capec_2.7/1.0.1/capec_2.7_attack_pattern.xsd.
Specifies a reference to the ID for this Attack Pattern specified elsewhere.
Source
<xs:complexType name="AttackPatternType"><xs:annotation><xs:documentation>Captures prose information about an individual attack pattern as well as a CAPEC reference.</xs:documentation><xs:documentation>In addition to capturing basic information, this type is intended to be extended to enable the structured description of an attack pattern instance using the XML Schema extension feature. The STIX default extension uses the Common Attack Pattern Enumeration and Classification (CAPEC) schema to do so. The extension that defines this is captured in the CAPEC2.7InstanceType in the http://stix.mitre.org/extensions/AP#CAPEC2.7-1 namespace. This type is defined in the extensions/attack_pattern/capec_2.7_attack_pattern.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/attack_pattern/capec_2.7/1.0.1/capec_2.7_attack_pattern.xsd.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for an individual Attack Pattern.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description of an individual Attack Pattern.</xs:documentation></xs:annotation></xs:element><xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of an individual Attack Pattern.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Attack Pattern.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID for this Attack Pattern specified elsewhere.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="capec_id"><xs:annotation><xs:documentation>This field specifies a reference to a particular entry within the Common Attack Pattern Enumeration and Classification (CAPEC)</xs:documentation></xs:annotation><xs:simpleType><xs:restriction base="xs:string"><xs:pattern value="CAPEC-\d+"/></xs:restriction></xs:simpleType></xs:attribute></xs:complexType>
<xs:complexType name="MalwareType"><xs:sequence><xs:element name="Malware_Instance" type="ttp:MalwareInstanceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Malware_Instance field specifies a single instance of Malware for this TTP item.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
<xs:complexType name="ExploitsType"><xs:sequence><xs:element name="Exploit" type="ttp:ExploitType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Exploit field specifies a single Exploit for this TTP item.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type ttp:ExploitType
Namespace
http://stix.mitre.org/TTP-1
Annotations
Characterizes a description of an individual exploit.
In addition to capturing basic information, this type is intended to be extended to enable the structured description of an exploit using the XML Schema extension feature. No extension is provided by STIX to support this, however those wishing to represent structured exploit information may develop such an extension.
Specifies a reference to the ID for this Exploit Instance specified elsewhere.
Source
<xs:complexType name="ExploitType"><xs:annotation><xs:documentation>Characterizes a description of an individual exploit.</xs:documentation><xs:documentation>In addition to capturing basic information, this type is intended to be extended to enable the structured description of an exploit using the XML Schema extension feature. No extension is provided by STIX to support this, however those wishing to represent structured exploit information may develop such an extension.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for an individual Exploit instance.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description of an individual Exploit Instance.</xs:documentation></xs:annotation></xs:element><xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of an individual Exploit Instance.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Exploit Instance.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID for this Exploit Instance specified elsewhere.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
<xs:complexType name="ResourceType"><xs:sequence><xs:element name="Tools" type="ttp:ToolsType" minOccurs="0"><xs:annotation><xs:documentation>The Tools field specifies one or more Tools leveraged by this TTP item.</xs:documentation></xs:annotation></xs:element><xs:element name="Infrastructure" type="ttp:InfrastructureType" minOccurs="0"><xs:annotation><xs:documentation>The Infrastructure field characterizes specific classes or instances of infrastructure observed to have been utilized for cyber attack.</xs:documentation></xs:annotation></xs:element><xs:element name="Personas" type="ttp:PersonasType" minOccurs="0"><xs:annotation><xs:documentation>The Personas field characterizes specific classes or instances of personas (identities) leveraged by a threat to masquerade as other parties.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
<xs:complexType name="ToolsType"><xs:sequence><xs:element name="Tool" type="stixCommon:ToolInformationType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Tool field specifies a single Tool leveraged by this TTP item.</xs:documentation><xs:documentation>The Type field under this field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerToolTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Specifies a reference to the ID for this class or instance of Infrastructure specified elsewhere.
Source
<xs:complexType name="InfrastructureType"><xs:sequence><xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for a class or instance of Infrastructure utilized for cyber attack.</xs:documentation></xs:annotation></xs:element><xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Type field represents the type of infrastructure being described.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerInfrastructureTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description of specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation></xs:annotation></xs:element><xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation></xs:annotation></xs:element><xs:element name="Observable_Characterization" type="cybox:ObservablesType" minOccurs="0"><xs:annotation><xs:documentation>The Observable_Characterization field provides structured characterization of the cyber observables detailing specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this class or instance of Infrastructure.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID for this class or instance of Infrastructure specified elsewhere.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
<xs:complexType name="PersonasType"><xs:sequence><xs:element name="Persona" type="stixCommon:IdentityType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The persona field characterizes a single persona (identity) leveraged by a threat to masquerade as another party.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
<xs:complexType name="VictimTargetingType"><xs:sequence><xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0"><xs:annotation><xs:documentation>The Identity field characterizes information about the identity or characteristics of the targeted people or organizations.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.1/ciq_identity_3.0.xsd.</xs:documentation></xs:annotation></xs:element><xs:element name="Targeted_Systems" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Targeted_Systems field characterizes a type of system that is targeted. It may be included multiple times to specify multiple types of targeted systems.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SystemTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Targeted_Information" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Targeted_Systems field characterizes a type of information that is targeted. It may be included multiple times to specify multiple types of targeted information.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is InformationTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Targeted_Technical_Details" type="cybox:ObservablesType" minOccurs="0"><xs:annotation><xs:documentation>The Targeted_Technical_Details field characterizes the technical information about what is targeted. It is implemented using the CybOX observables type, which allows for the representation of products, platforms, and code that are targeted.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="ExploitTargetsType"><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipListType"><xs:sequence><xs:element name="Exploit_Target" type="stixCommon:RelatedExploitTargetType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Exploit_Target field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="RelatedTTPsType"><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipListType"><xs:sequence><xs:element name="Related_TTP" type="stixCommon:RelatedTTPType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_TTP field specifies a single other TTP asserted to be related to this cyber threat TTP.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Simple Type ttp:TTPVersionType
Namespace
http://stix.mitre.org/TTP-1
Annotations
An enumeration of all versions of the TTP type valid in the current release of STIX.
<xs:simpleType name="TTPVersionType"><xs:annotation><xs:documentation>An enumeration of all versions of the TTP type valid in the current release of STIX.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="1.0"/><xs:enumeration value="1.0.1"/><xs:enumeration value="1.1"/><xs:enumeration value="1.1.1"/><xs:enumeration value="1.2"/></xs:restriction></xs:simpleType>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Malware Instance.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID for this Malware Instance specified elsewhere.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Attack Pattern.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID for this Attack Pattern specified elsewhere.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="capec_id"><xs:annotation><xs:documentation>This field specifies a reference to a particular entry within the Common Attack Pattern Enumeration and Classification (CAPEC)</xs:documentation></xs:annotation><xs:simpleType><xs:restriction base="xs:string"><xs:pattern value="CAPEC-\d+"/></xs:restriction></xs:simpleType></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Exploit Instance.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID for this Exploit Instance specified elsewhere.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this class or instance of Infrastructure.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID for this class or instance of Infrastructure specified elsewhere.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="version" type="ttp:TTPVersionType"><xs:annotation><xs:documentation>Specifies the relevant STIX-TTP schema version for this content.</xs:documentation></xs:annotation></xs:attribute>
