Showing:

Annotations
Attributes
Diagrams
Facets
Source
Used by
Main schema ttp.xsd
Namespace http://stix.mitre.org/TTP-1
Annotations
 
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Element ttp:TTP
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The TTP field characterizes specific details of observed or potential attacker Tactics, Techniques and Procedures.
Diagram
Diagram stix_common_xsd.tmp#TTPBaseType_id stix_common_xsd.tmp#TTPBaseType_idref stix_common_xsd.tmp#TTPBaseType ttp_xsd.tmp#TTPType_version ttp_xsd.tmp#TTPType_Title ttp_xsd.tmp#TTPType_Description ttp_xsd.tmp#TTPType_Intended_Effect ttp_xsd.tmp#TTPType_Behavior ttp_xsd.tmp#TTPType_Resources ttp_xsd.tmp#TTPType_Victim_Targeting ttp_xsd.tmp#TTPType_Exploit_Targets ttp_xsd.tmp#TTPType_Related_TTPs ttp_xsd.tmp#TTPType_Kill_Chain_Phases ttp_xsd.tmp#TTPType_Information_Source ttp_xsd.tmp#TTPType_Kill_Chains ttp_xsd.tmp#TTPType_Handling ttp_xsd.tmp#TTPType
Type ttp:TTPType
Type hierarchy
Children ttp:Behavior, ttp:Description, ttp:Exploit_Targets, ttp:Handling, ttp:Information_Source, ttp:Intended_Effect, ttp:Kill_Chain_Phases, ttp:Kill_Chains, ttp:Related_TTPs, ttp:Resources, ttp:Title, ttp:Victim_Targeting
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this TTP item.
idref xs:QName optional 
Specifies a globally unique identifier of a TTP item specified elsewhere.
version ttp:TTPVersionType optional 
Specifies the relevant STIX-TTP schema version for this content.
Source
 
<xs:element name="TTP" type="ttp:TTPType">
  <xs:annotation>
    <xs:documentation>The TTP field characterizes specific details of observed or potential attacker Tactics, Techniques and Procedures.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Title
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Title field provides a simple title for this TTP.
Diagram
Diagram
Type xs:string
Source
 
<xs:element name="Title" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Title field provides a simple title for this TTP.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Description
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Description field provides an unstructured description of the TTP.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field provides an unstructured description of the TTP.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Intended_Effect
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Intended_Effect field specifies the suspected intended effect for this TTP.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#StatementType_timestamp stix_common_xsd.tmp#StatementType_Value stix_common_xsd.tmp#StatementType_Description stix_common_xsd.tmp#StatementType_Source stix_common_xsd.tmp#StatementType_Confidence stix_common_xsd.tmp#StatementType
Type stixCommon:StatementType
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Use Annotation
timestamp xs:dateTime optional 
Specifies the time this statement was asserted.
Source
 
<xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Intended_Effect field specifies the suspected intended effect for this TTP. It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Behavior
Namespace http://stix.mitre.org/TTP-1
Annotations
 
Behavior describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP.
Diagram
Diagram ttp_xsd.tmp#BehaviorType_Attack_Patterns ttp_xsd.tmp#BehaviorType_Malware ttp_xsd.tmp#BehaviorType_Exploits ttp_xsd.tmp#BehaviorType
Type ttp:BehaviorType
Children ttp:Attack_Patterns, ttp:Exploits, ttp:Malware
Source
 
<xs:element name="Behavior" type="ttp:BehaviorType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Behavior describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:BehaviorType / ttp:Attack_Patterns
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Attack_Patterns field specifies one or more Attack Patterns for this TTP item.
Diagram
Diagram ttp_xsd.tmp#AttackPatternsType_Attack_Pattern ttp_xsd.tmp#AttackPatternsType
Type ttp:AttackPatternsType
Children ttp:Attack_Pattern
Source
 
<xs:element name="Attack_Patterns" type="ttp:AttackPatternsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Attack_Patterns field specifies one or more Attack Patterns for this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:AttackPatternsType / ttp:Attack_Pattern
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Attack_Pattern field specifies a single Attack Pattern for this TTP item.
Diagram
Diagram ttp_xsd.tmp#AttackPatternType_capec_id ttp_xsd.tmp#AttackPatternType_Description ttp_xsd.tmp#AttackPatternType
Type ttp:AttackPatternType
Children ttp:Description
Attributes
QName Type Use Annotation
capec_id restriction of xs:string optional 
This field specifies a reference to a particular entry within the Common Attack Pattern Enumeration and Classification (CAPEC)
Source
 
<xs:element name="Attack_Pattern" type="ttp:AttackPatternType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Attack_Pattern field specifies a single Attack Pattern for this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:AttackPatternType / ttp:Description
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Description field provides an unstructured description of an individual Attack Pattern.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field provides an unstructured description of an individual Attack Pattern.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:BehaviorType / ttp:Malware
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Malware field specifies one or more instances of Malware for this TTP item.
Diagram
Diagram ttp_xsd.tmp#MalwareType_Malware_Instance ttp_xsd.tmp#MalwareType
Type ttp:MalwareType
Children ttp:Malware_Instance
Source
 
<xs:element name="Malware" type="ttp:MalwareType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Malware field specifies one or more instances of Malware for this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:MalwareType / ttp:Malware_Instance
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Malware_Instance field specifies a single instance of Malware for this TTP item.
Diagram
Diagram ttp_xsd.tmp#MalwareInstanceType_Type ttp_xsd.tmp#MalwareInstanceType_Name ttp_xsd.tmp#MalwareInstanceType_Description ttp_xsd.tmp#MalwareInstanceType
Type ttp:MalwareInstanceType
Children ttp:Description, ttp:Name, ttp:Type
Source
 
<xs:element name="Malware_Instance" type="ttp:MalwareInstanceType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Malware_Instance field specifies a single instance of Malware for this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:MalwareInstanceType / ttp:Type
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Type field provides a characterization of what type of malware this MalwareInstance is.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional 
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional 
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
 
<xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Type field provides a characterization of what type of malware this MalwareInstance is. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:MalwareInstanceType / ttp:Name
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Name field specifies a name associated with this MalwareInstance.

	This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.0. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional 
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional 
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
 
<xs:element name="Name" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Name field specifies a name associated with this MalwareInstance. This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.0. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:MalwareInstanceType / ttp:Description
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Description field provides an unstructured description of an individual Malware instance.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field provides an unstructured description of an individual Malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:BehaviorType / ttp:Exploits
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Exploits field specifies one or more Exploits for this TTP item.
Diagram
Diagram ttp_xsd.tmp#ExploitsType_Exploit ttp_xsd.tmp#ExploitsType
Type ttp:ExploitsType
Children ttp:Exploit
Source
 
<xs:element name="Exploits" type="ttp:ExploitsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Exploits field specifies one or more Exploits for this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:ExploitsType / ttp:Exploit
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Exploit field specifies a single Exploit for this TTP item.
Diagram
Diagram ttp_xsd.tmp#ExploitType_Description ttp_xsd.tmp#ExploitType
Type ttp:ExploitType
Children ttp:Description
Source
 
<xs:element name="Exploit" type="ttp:ExploitType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Exploit field specifies a single Exploit for this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:ExploitType / ttp:Description
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Description field provides an unstructured description of an individual Exploit instance.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field provides an unstructured description of an individual Exploit instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Resources
Namespace http://stix.mitre.org/TTP-1
Annotations
 
Resources describe the infrastructure or tools that the adversary uses to execute this TTP.
Diagram
Diagram ttp_xsd.tmp#ResourceType_Tools ttp_xsd.tmp#ResourceType_Infrastructure ttp_xsd.tmp#ResourceType
Type ttp:ResourceType
Children ttp:Infrastructure, ttp:Tools
Source
 
<xs:element name="Resources" type="ttp:ResourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Resources describe the infrastructure or tools that the adversary uses to execute this TTP.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:ResourceType / ttp:Tools
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Tools field specifies one or more Tools leveraged by this TTP item.
Diagram
Diagram ttp_xsd.tmp#ToolsType_Tool ttp_xsd.tmp#ToolsType
Type ttp:ToolsType
Children ttp:Tool
Source
 
<xs:element name="Tools" type="ttp:ToolsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Tools field specifies one or more Tools leveraged by this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:ToolsType / ttp:Tool
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Tool field specifies a single Tool leveraged by this TTP item.

The Type field under this field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerToolTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram cybox_common_xsd.tmp#ToolInformationType_id cybox_common_xsd.tmp#ToolInformationType_idref cybox_common_xsd.tmp#ToolInformationType_Name cybox_common_xsd.tmp#ToolInformationType_Type cybox_common_xsd.tmp#ToolInformationType_Description cybox_common_xsd.tmp#ToolInformationType_References cybox_common_xsd.tmp#ToolInformationType_Vendor cybox_common_xsd.tmp#ToolInformationType_Version cybox_common_xsd.tmp#ToolInformationType_Service_Pack cybox_common_xsd.tmp#ToolInformationType_Tool_Specific_Data cybox_common_xsd.tmp#ToolInformationType_Tool_Hashes cybox_common_xsd.tmp#ToolInformationType_Tool_Configuration cybox_common_xsd.tmp#ToolInformationType_Execution_Environment cybox_common_xsd.tmp#ToolInformationType_Errors cybox_common_xsd.tmp#ToolInformationType_Metadata cybox_common_xsd.tmp#ToolInformationType
Type cyboxCommon:ToolInformationType
Children cyboxCommon:Description, cyboxCommon:Errors, cyboxCommon:Execution_Environment, cyboxCommon:Metadata, cyboxCommon:Name, cyboxCommon:References, cyboxCommon:Service_Pack, cyboxCommon:Tool_Configuration, cyboxCommon:Tool_Hashes, cyboxCommon:Tool_Specific_Data, cyboxCommon:Type, cyboxCommon:Vendor, cyboxCommon:Version
Attributes
QName Type Use Annotation
id xs:QName optional 
The id field specifies a unique ID for this Tool.
idref xs:QName optional 
The idref field specifies reference to a unique ID for this Tool.
Source
 
<xs:element name="Tool" type="cyboxCommon:ToolInformationType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Tool field specifies a single Tool leveraged by this TTP item. The Type field under this field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerToolTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:ResourceType / ttp:Infrastructure
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Infrastructure field characterizes specific classes or instances of infrastructure observed to have been utilized for cyber attack.
Diagram
Diagram ttp_xsd.tmp#InfrastructureType_Type ttp_xsd.tmp#InfrastructureType_Description ttp_xsd.tmp#InfrastructureType_Observable_Characterization ttp_xsd.tmp#InfrastructureType
Type ttp:InfrastructureType
Children ttp:Description, ttp:Observable_Characterization, ttp:Type
Source
 
<xs:element name="Infrastructure" type="ttp:InfrastructureType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Infrastructure field characterizes specific classes or instances of infrastructure observed to have been utilized for cyber attack.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:InfrastructureType / ttp:Type
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Type field represents the type of infrastructure being described.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerInfrastructureTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional 
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional 
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
 
<xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Type field represents the type of infrastructure being described. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerInfrastructureTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:InfrastructureType / ttp:Description
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Description field generally describes specific classes or instances of infrastructure utilized for cyber attack.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field generally describes specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:InfrastructureType / ttp:Observable_Characterization
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Observable_Characterization field provides structured characterization of the cyber observables detailing specific classes or instances of infrastructure utilized for cyber attack.
Diagram
Diagram cybox_core_xsd.tmp#ObservablesType_cybox_major_version cybox_core_xsd.tmp#ObservablesType_cybox_minor_version cybox_core_xsd.tmp#ObservablesType_cybox_update_version cybox_core_xsd.tmp#ObservablesType_Observable_Package_Source cybox_core_xsd.tmp#Observable cybox_core_xsd.tmp#ObservablesType_Pools cybox_core_xsd.tmp#ObservablesType
Type cybox:ObservablesType
Children cybox:Observable, cybox:Observable_Package_Source, cybox:Pools
Attributes
QName Type Use Annotation
cybox_major_version xs:string required 
The cybox_major_version field specifies the major version of the CybOX language utlized for this set of Observables.
cybox_minor_version xs:string required 
The cybox_minor_version field specifies the minor version of the CybOX language utlized for this set of Observables.
cybox_update_version xs:string optional 
The cybox_update_version field specifies the update version of the CybOX language utlized for this set of Observables. This field MUST be used when using an update version of CybOX.
Source
 
<xs:element name="Observable_Characterization" type="cybox:ObservablesType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Observable_Characterization field provides structured characterization of the cyber observables detailing specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Victim_Targeting
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Victim_Targeting field characterizes the people, organizations, information or access being targeted.
Diagram
Diagram ttp_xsd.tmp#VictimTargetingType_Identity ttp_xsd.tmp#VictimTargetingType_Targeted_Systems ttp_xsd.tmp#VictimTargetingType_Targeted_Information ttp_xsd.tmp#VictimTargetingType
Type ttp:VictimTargetingType
Children ttp:Identity, ttp:Targeted_Information, ttp:Targeted_Systems
Source
 
<xs:element name="Victim_Targeting" type="ttp:VictimTargetingType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Victim_Targeting field characterizes the people, organizations, information or access being targeted.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:VictimTargetingType / ttp:Identity
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Identity field characterizes information about the identity or characteristics of the targeted people or organizations.

	This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.0/ciq_identity_3.0.xsd.
Diagram
Diagram stix_common_xsd.tmp#IdentityType_id stix_common_xsd.tmp#IdentityType_idref stix_common_xsd.tmp#IdentityType_Name stix_common_xsd.tmp#IdentityType_Related_Identities stix_common_xsd.tmp#IdentityType
Type stixCommon:IdentityType
Children stixCommon:Name, stixCommon:Related_Identities
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a unique ID for this Identity.
idref xs:QName optional 
Specifies a reference to a unique ID defined elsewhere.
Source
 
<xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Identity field characterizes information about the identity or characteristics of the targeted people or organizations. This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.0/ciq_identity_3.0.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:VictimTargetingType / ttp:Targeted_Systems
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Targeted_Systems field characterizes a type of system that is targeted. It may be included multiple times to specify multiple types of targeted systems.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SystemTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional 
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional 
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
 
<xs:element name="Targeted_Systems" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Targeted_Systems field characterizes a type of system that is targeted. It may be included multiple times to specify multiple types of targeted systems. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SystemTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:VictimTargetingType / ttp:Targeted_Information
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Targeted_Systems field characterizes a type of information that is targeted. It may be included multiple times to specify multiple types of targeted information.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is InformationTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional 
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional 
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
 
<xs:element name="Targeted_Information" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Targeted_Systems field characterizes a type of information that is targeted. It may be included multiple times to specify multiple types of targeted information. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is InformationTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Exploit_Targets
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Exploit_Targets field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP.
Diagram
Diagram stix_common_xsd.tmp#ExploitTargetsType_Exploit_Target stix_common_xsd.tmp#ExploitTargetsType
Type stixCommon:ExploitTargetsType
Children stixCommon:Exploit_Target
Source
 
<xs:element name="Exploit_Targets" type="stixCommon:ExploitTargetsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Exploit_Targets field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Related_TTPs
Namespace http://stix.mitre.org/TTP-1
Annotations
Diagram
Type ttp:RelatedTTPsType
Type hierarchy
Children ttp:Related_TTP
Attributes
Source
Element ttp:RelatedTTPsType / ttp:Related_TTP
Namespace http://stix.mitre.org/TTP-1
Annotations
Diagram
Type stixCommon:RelatedTTPType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship, stixCommon:TTP
Source
Element ttp:TTPType / ttp:Kill_Chain_Phases
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Kill_Chain_Phases field specifies one or more Kill Chain phases associated with this TTP item.
Diagram
Diagram stix_common_xsd.tmp#KillChainPhasesReferenceType_Kill_Chain_Phase stix_common_xsd.tmp#KillChainPhasesReferenceType
Type stixCommon:KillChainPhasesReferenceType
Children stixCommon:Kill_Chain_Phase
Source
 
<xs:element name="Kill_Chain_Phases" type="stixCommon:KillChainPhasesReferenceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Kill_Chain_Phases field specifies one or more Kill Chain phases associated with this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Information_Source
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Information_Source field details the source of this entry.
Diagram
Diagram stix_common_xsd.tmp#InformationSourceType_Identity stix_common_xsd.tmp#InformationSourceType_Contributors stix_common_xsd.tmp#InformationSourceType_Time stix_common_xsd.tmp#InformationSourceType_Tools stix_common_xsd.tmp#InformationSourceType_References stix_common_xsd.tmp#InformationSourceType
Type stixCommon:InformationSourceType
Children stixCommon:Contributors, stixCommon:Identity, stixCommon:References, stixCommon:Time, stixCommon:Tools
Source
 
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Information_Source field details the source of this entry.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Kill_Chains
Namespace http://stix.mitre.org/TTP-1
Annotations
 
The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.
Diagram
Diagram stix_common_xsd.tmp#KillChainsType_Kill_Chain stix_common_xsd.tmp#KillChainsType
Type stixCommon:KillChainsType
Children stixCommon:Kill_Chain
Source
 
<xs:element name="Kill_Chains" type="stixCommon:KillChainsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ttp:TTPType / ttp:Handling
Namespace http://stix.mitre.org/TTP-1
Annotations
 
Specifies the relevant handling guidance for this TTP. The valid marking scope is the nearest TTPBaseType ancestor of this Handling element and all its descendants.
Diagram
Diagram data_marking_xsd.tmp#MarkingType_Marking data_marking_xsd.tmp#MarkingType
Type marking:MarkingType
Children marking:Marking
Source
 
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies the relevant handling guidance for this TTP. The valid marking scope is the nearest TTPBaseType ancestor of this Handling element and all its descendants.</xs:documentation>
  </xs:annotation>
</xs:element>
Complex Type ttp:TTPType
Namespace http://stix.mitre.org/TTP-1
Annotations
 
TTPType characterizes an individual adversary TTP.
Diagram
Diagram stix_common_xsd.tmp#TTPBaseType_id stix_common_xsd.tmp#TTPBaseType_idref stix_common_xsd.tmp#TTPBaseType ttp_xsd.tmp#TTPType_version ttp_xsd.tmp#TTPType_Title ttp_xsd.tmp#TTPType_Description ttp_xsd.tmp#TTPType_Intended_Effect ttp_xsd.tmp#TTPType_Behavior ttp_xsd.tmp#TTPType_Resources ttp_xsd.tmp#TTPType_Victim_Targeting ttp_xsd.tmp#TTPType_Exploit_Targets ttp_xsd.tmp#TTPType_Related_TTPs ttp_xsd.tmp#TTPType_Kill_Chain_Phases ttp_xsd.tmp#TTPType_Information_Source ttp_xsd.tmp#TTPType_Kill_Chains ttp_xsd.tmp#TTPType_Handling
Type extension of stixCommon:TTPBaseType
Type hierarchy
Used by
Element ttp:TTP
Children ttp:Behavior, ttp:Description, ttp:Exploit_Targets, ttp:Handling, ttp:Information_Source, ttp:Intended_Effect, ttp:Kill_Chain_Phases, ttp:Kill_Chains, ttp:Related_TTPs, ttp:Resources, ttp:Title, ttp:Victim_Targeting
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this TTP item.
idref xs:QName optional 
Specifies a globally unique identifier of a TTP item specified elsewhere.
version ttp:TTPVersionType optional 
Specifies the relevant STIX-TTP schema version for this content.
Source
 
<xs:complexType name="TTPType">
  <xs:annotation>
    <xs:documentation>TTPType characterizes an individual adversary TTP.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:TTPBaseType">
      <xs:sequence>
        <xs:element name="Title" type="xs:string" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Title field provides a simple title for this TTP.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Description field provides an unstructured description of the TTP.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Intended_Effect field specifies the suspected intended effect for this TTP. It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Behavior" type="ttp:BehaviorType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Behavior describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Resources" type="ttp:ResourceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Resources describe the infrastructure or tools that the adversary uses to execute this TTP.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Victim_Targeting" type="ttp:VictimTargetingType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Victim_Targeting field characterizes the people, organizations, information or access being targeted.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Exploit_Targets" type="stixCommon:ExploitTargetsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Exploit_Targets field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Related_TTPs" type="ttp:RelatedTTPsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Related_TTPs field specifies other TTPs asserted to be related to this cyber threat TTP.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Kill_Chain_Phases" type="stixCommon:KillChainPhasesReferenceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Kill_Chain_Phases field specifies one or more Kill Chain phases associated with this TTP item.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Information_Source field details the source of this entry.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Kill_Chains" type="stixCommon:KillChainsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Specifies the relevant handling guidance for this TTP. The valid marking scope is the nearest TTPBaseType ancestor of this Handling element and all its descendants.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="version" type="ttp:TTPVersionType">
        <xs:annotation>
          <xs:documentation>Specifies the relevant STIX-TTP schema version for this content.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type ttp:BehaviorType
Namespace http://stix.mitre.org/TTP-1
Diagram
Diagram ttp_xsd.tmp#BehaviorType_Attack_Patterns ttp_xsd.tmp#BehaviorType_Malware ttp_xsd.tmp#BehaviorType_Exploits
Used by
Children ttp:Attack_Patterns, ttp:Exploits, ttp:Malware
Source
 
<xs:complexType name="BehaviorType">
  <xs:sequence>
    <xs:element name="Attack_Patterns" type="ttp:AttackPatternsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Attack_Patterns field specifies one or more Attack Patterns for this TTP item.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Malware" type="ttp:MalwareType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Malware field specifies one or more instances of Malware for this TTP item.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Exploits" type="ttp:ExploitsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Exploits field specifies one or more Exploits for this TTP item.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:AttackPatternsType
Namespace http://stix.mitre.org/TTP-1
Diagram
Diagram ttp_xsd.tmp#AttackPatternsType_Attack_Pattern
Used by
Children ttp:Attack_Pattern
Source
 
<xs:complexType name="AttackPatternsType">
  <xs:sequence>
    <xs:element name="Attack_Pattern" type="ttp:AttackPatternType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Attack_Pattern field specifies a single Attack Pattern for this TTP item.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:AttackPatternType
Namespace http://stix.mitre.org/TTP-1
Annotations
 
Captures prose information about an individual attack pattern as well as a CAPEC reference.

In addition to capturing basic information, this type is intended to be extended to enable the structured description of an attack pattern instance using the XML Schema extension feature. The STIX default extension uses the Common Attack Pattern Enumeration and Classification (CAPEC) schema to do so. The extension that defines this is captured in the CAPEC2.5InstanceType in the http://stix.mitre.org/extensions/AP#CAPEC2.5-1 namespace. This type is defined in the extensions/attack_pattern/capec_2.5.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/attack_pattern/capec_2.5/1.0/capec_2.5.xsd.
Diagram
Diagram ttp_xsd.tmp#AttackPatternType_capec_id ttp_xsd.tmp#AttackPatternType_Description
Used by
Children ttp:Description
Attributes
QName Type Use Annotation
capec_id restriction of xs:string optional 
This field specifies a reference to a particular entry within the Common Attack Pattern Enumeration and Classification (CAPEC)
Source
 
<xs:complexType name="AttackPatternType">
  <xs:annotation>
    <xs:documentation>Captures prose information about an individual attack pattern as well as a CAPEC reference. In addition to capturing basic information, this type is intended to be extended to enable the structured description of an attack pattern instance using the XML Schema extension feature. The STIX default extension uses the Common Attack Pattern Enumeration and Classification (CAPEC) schema to do so. The extension that defines this is captured in the CAPEC2.5InstanceType in the http://stix.mitre.org/extensions/AP#CAPEC2.5-1 namespace. This type is defined in the extensions/attack_pattern/capec_2.5.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/attack_pattern/capec_2.5/1.0/capec_2.5.xsd.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field provides an unstructured description of an individual Attack Pattern.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="capec_id">
    <xs:annotation>
      <xs:documentation>This field specifies a reference to a particular entry within the Common Attack Pattern Enumeration and Classification (CAPEC)</xs:documentation>
    </xs:annotation>
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:pattern value="CAPEC-\d+"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
</xs:complexType>
Complex Type ttp:MalwareType
Namespace http://stix.mitre.org/TTP-1
Diagram
Diagram ttp_xsd.tmp#MalwareType_Malware_Instance
Used by
Children ttp:Malware_Instance
Source
 
<xs:complexType name="MalwareType">
  <xs:sequence>
    <xs:element name="Malware_Instance" type="ttp:MalwareInstanceType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Malware_Instance field specifies a single instance of Malware for this TTP item.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:MalwareInstanceType
Namespace http://stix.mitre.org/TTP-1
Annotations
 
Captures basic information about an individual malware instance.

In addition to capturing basic information, this type is intended to be extended to enable the structured description of a malware instance using the XML Schema extension feature. The STIX default extension uses the Malware Attribute Enumeration and Classification (MAEC) schema to do so. The extension that defines this is captured in the MAECInstanceType in the http://stix.mitre.org/extensions/Malware#MAEC-1 namespace. This type is defined in the extensions/malware/maec-4.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/malware/maec-4.0/1.0/maec-4.0.xsd.
Diagram
Diagram ttp_xsd.tmp#MalwareInstanceType_Type ttp_xsd.tmp#MalwareInstanceType_Name ttp_xsd.tmp#MalwareInstanceType_Description
Used by
Children ttp:Description, ttp:Name, ttp:Type
Source
 
<xs:complexType name="MalwareInstanceType">
  <xs:annotation>
    <xs:documentation>Captures basic information about an individual malware instance. In addition to capturing basic information, this type is intended to be extended to enable the structured description of a malware instance using the XML Schema extension feature. The STIX default extension uses the Malware Attribute Enumeration and Classification (MAEC) schema to do so. The extension that defines this is captured in the MAECInstanceType in the http://stix.mitre.org/extensions/Malware#MAEC-1 namespace. This type is defined in the extensions/malware/maec-4.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/malware/maec-4.0/1.0/maec-4.0.xsd.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Type field provides a characterization of what type of malware this MalwareInstance is. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Name" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Name field specifies a name associated with this MalwareInstance. This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.0. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field provides an unstructured description of an individual Malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:ExploitsType
Namespace http://stix.mitre.org/TTP-1
Diagram
Diagram ttp_xsd.tmp#ExploitsType_Exploit
Used by
Children ttp:Exploit
Source
 
<xs:complexType name="ExploitsType">
  <xs:sequence>
    <xs:element name="Exploit" type="ttp:ExploitType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Exploit field specifies a single Exploit for this TTP item.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:ExploitType
Namespace http://stix.mitre.org/TTP-1
Annotations
 
Characterizes a description of an individual exploit.

In addition to capturing basic information, this type is intended to be extended to enable the structured description of an exploit using the XML Schema extension feature. No extension is provided by STIX to support this, however those wishing to represent structured exploit information may develop such an extension.
Diagram
Diagram ttp_xsd.tmp#ExploitType_Description
Used by
Children ttp:Description
Source
 
<xs:complexType name="ExploitType">
  <xs:annotation>
    <xs:documentation>Characterizes a description of an individual exploit. In addition to capturing basic information, this type is intended to be extended to enable the structured description of an exploit using the XML Schema extension feature. No extension is provided by STIX to support this, however those wishing to represent structured exploit information may develop such an extension.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field provides an unstructured description of an individual Exploit instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:ResourceType
Namespace http://stix.mitre.org/TTP-1
Diagram
Diagram ttp_xsd.tmp#ResourceType_Tools ttp_xsd.tmp#ResourceType_Infrastructure
Used by
Children ttp:Infrastructure, ttp:Tools
Source
 
<xs:complexType name="ResourceType">
  <xs:sequence>
    <xs:element name="Tools" type="ttp:ToolsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Tools field specifies one or more Tools leveraged by this TTP item.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Infrastructure" type="ttp:InfrastructureType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Infrastructure field characterizes specific classes or instances of infrastructure observed to have been utilized for cyber attack.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:ToolsType
Namespace http://stix.mitre.org/TTP-1
Diagram
Diagram ttp_xsd.tmp#ToolsType_Tool
Used by
Children ttp:Tool
Source
 
<xs:complexType name="ToolsType">
  <xs:sequence>
    <xs:element name="Tool" type="cyboxCommon:ToolInformationType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Tool field specifies a single Tool leveraged by this TTP item. The Type field under this field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerToolTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:InfrastructureType
Namespace http://stix.mitre.org/TTP-1
Diagram
Diagram ttp_xsd.tmp#InfrastructureType_Type ttp_xsd.tmp#InfrastructureType_Description ttp_xsd.tmp#InfrastructureType_Observable_Characterization
Used by
Children ttp:Description, ttp:Observable_Characterization, ttp:Type
Source
 
<xs:complexType name="InfrastructureType">
  <xs:sequence>
    <xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Type field represents the type of infrastructure being described. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AttackerInfrastructureTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field generally describes specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Observable_Characterization" type="cybox:ObservablesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Observable_Characterization field provides structured characterization of the cyber observables detailing specific classes or instances of infrastructure utilized for cyber attack.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:VictimTargetingType
Namespace http://stix.mitre.org/TTP-1
Diagram
Diagram ttp_xsd.tmp#VictimTargetingType_Identity ttp_xsd.tmp#VictimTargetingType_Targeted_Systems ttp_xsd.tmp#VictimTargetingType_Targeted_Information
Used by
Children ttp:Identity, ttp:Targeted_Information, ttp:Targeted_Systems
Source
 
<xs:complexType name="VictimTargetingType">
  <xs:sequence>
    <xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Identity field characterizes information about the identity or characteristics of the targeted people or organizations. This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.0/ciq_identity_3.0.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Targeted_Systems" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Targeted_Systems field characterizes a type of system that is targeted. It may be included multiple times to specify multiple types of targeted systems. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SystemTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Targeted_Information" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Targeted_Systems field characterizes a type of information that is targeted. It may be included multiple times to specify multiple types of targeted information. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is InformationTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type ttp:RelatedTTPsType
Namespace http://stix.mitre.org/TTP-1
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipListType_scope stix_common_xsd.tmp#GenericRelationshipListType ttp_xsd.tmp#RelatedTTPsType_Related_TTP
Type extension of stixCommon:GenericRelationshipListType
Type hierarchy
Used by
Children ttp:Related_TTP
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional 
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
 
<xs:complexType name="RelatedTTPsType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Related_TTP" type="stixCommon:RelatedTTPType" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Related_TTP field specifies a single other TTP asserted to be related to this cyber threat TTP.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Simple Type ttp:TTPVersionType
Namespace http://stix.mitre.org/TTP-1
Annotations
 
An enumeration of all versions of the TTP type valid in the current release of STIX.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration 1.0
enumeration 1.0.1
Used by
Source
 
<xs:simpleType name="TTPVersionType">
  <xs:annotation>
    <xs:documentation>An enumeration of all versions of the TTP type valid in the current release of STIX.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="1.0"/>
    <xs:enumeration value="1.0.1"/>
  </xs:restriction>
</xs:simpleType>
Attribute ttp:AttackPatternType / @capec_id
Namespace No namespace
Annotations
 
This field specifies a reference to a particular entry within the Common Attack Pattern Enumeration and Classification (CAPEC)
Type restriction of xs:string
Facets
pattern CAPEC-\d+
Used by
Complex Type ttp:AttackPatternType
Source
 
<xs:attribute name="capec_id">
  <xs:annotation>
    <xs:documentation>This field specifies a reference to a particular entry within the Common Attack Pattern Enumeration and Classification (CAPEC)</xs:documentation>
  </xs:annotation>
  <xs:simpleType>
    <xs:restriction base="xs:string">
      <xs:pattern value="CAPEC-\d+"/>
    </xs:restriction>
  </xs:simpleType>
</xs:attribute>
Attribute ttp:TTPType / @version
Namespace No namespace
Annotations
 
Specifies the relevant STIX-TTP schema version for this content.
Type ttp:TTPVersionType
Facets
enumeration 1.0
enumeration 1.0.1
Used by
Complex Type ttp:TTPType
Source
 
<xs:attribute name="version" type="ttp:TTPVersionType">
  <xs:annotation>
    <xs:documentation>Specifies the relevant STIX-TTP schema version for this content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
XML Schema documentation generated by ® XML Editor.