...
<mitre_attack_technique_id>[.<mitre_attack_subtechnique_id>] - <mitre_attack_technique> - <tactic_abbr> - <data_abbr> - ATT&CK
...
<mitre_attack_technique_id> is the MITRE ATT&CK Technique ID such as T1220.
<mitre_attack_subtechnique_id> is the MITRE ATT&CK Sub-Technique ID such as 001. This field (along with the preceding “.”) is optional based on available data.
<mitre_attack_technique> is the MITRE ATT&CK Technique Name such as “XSL Script Processing”.
<tactic_abbr> is the MITRE ATT&CK Tactic ID translated into a three-character abbreviation using Table 2 in this document.
<data_abbr> is a three-character abbreviation for the MITRE ATT&CK data model: PRE (PRE-ATT&CK) or ENT (Enterprise ATT&CK).
ATT&CK is a static string that represents the MITRE ATT&CK framework.
...
T1220 - XSL Script Processing - DEF - ENT - ATT&CK
T1546.011 - Event Triggered Execution - PER - ENT - ATT&CK
T1334 - Compromise 3rd party infrastructure to support delivery - EMI - PRE - ATT&CK
Command-and-Control
In this example, only the Tactic information is available, so the tag consists of the Tactic Name alone, with the “-” character replacing spaces.
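A parser and validator for the tag format described above, as an added example that is not part of the original document. The names `parse_attack_tag`, `is_valid_tag` and `AttackTag` are hypothetical, and because Table 2 is not reproduced here the tactic abbreviation is checked for shape only (three uppercase letters), which is an assumption.

```python
import re
from typing import NamedTuple, Optional

ID_RE = re.compile(r"T\d{4}")          # technique ID, e.g. T1220
SUB_RE = re.compile(r"\d{3}")          # sub-technique ID, e.g. 011
TACTIC_ONLY_RE = re.compile(r"[A-Za-z]+(?:-[A-Za-z]+)*")  # e.g. Command-and-Control
DATA_MODELS = {"PRE", "ENT"}           # PRE-ATT&CK or Enterprise ATT&CK


class AttackTag(NamedTuple):
    technique_id: Optional[str]
    subtechnique_id: Optional[str]
    technique: Optional[str]
    tactic: str                 # three-character abbreviation, or full name if tactic-only
    data_model: Optional[str]


def parse_attack_tag(tag: str) -> AttackTag:
    """Parse one tag; raise ValueError when it does not follow the format."""
    tag = tag.strip()
    if " - " not in tag:
        # Fallback form: only the tactic is known, spaces replaced by "-".
        if not TACTIC_ONLY_RE.fullmatch(tag):
            raise ValueError(f"malformed tactic-only tag: {tag!r}")
        return AttackTag(None, None, None, tag, None)
    # Split from the right so a technique name containing " - " stays whole.
    parts = tag.rsplit(" - ", 3)
    if len(parts) != 4 or " - " not in parts[0]:
        raise ValueError(f"expected five ' - ' separated fields: {tag!r}")
    head, tactic, data_model, suffix = parts
    ident, name = head.split(" - ", 1)
    tech_id, _, sub_id = ident.partition(".")
    if not ID_RE.fullmatch(tech_id) or ("." in ident and not SUB_RE.fullmatch(sub_id)):
        raise ValueError(f"bad technique ID: {ident!r}")
    # Table 2 is not reproduced here, so only the abbreviation's shape is checked.
    if not re.fullmatch(r"[A-Z]{3}", tactic):
        raise ValueError(f"bad tactic abbreviation: {tactic!r}")
    if data_model not in DATA_MODELS or suffix != "ATT&CK":
        raise ValueError(f"bad data model or suffix: {data_model!r}, {suffix!r}")
    return AttackTag(tech_id, sub_id or None, name.strip(), tactic, data_model)


def is_valid_tag(tag: str) -> bool:
    """Return True when the tag parses, False when it is malformed."""
    try:
        parse_attack_tag(tag)
        return True
    except ValueError:
        return False
```

Running tags through a check like this at ingestion keeps malformed or hand-typed variants from fragmenting searches and reports that group indicators by technique or tactic.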