mitre-attack / attack-stix-data

STIX data representing MITRE ATT&CK
https://attack.mitre.org/

Have a field for superseded entry in enterprise-attack.json #33

Closed jecarr closed 1 year ago

jecarr commented 1 year ago

(Issue created as of v12.1)

For entries that are marked revoked or x_mitre_deprecated, it can be useful to note if one entry supersedes another.

For example, T1050:

https://attack.mitre.org/techniques/T1050/

redirects to

https://attack.mitre.org/techniques/T1543/003/

In enterprise-attack.json, there could be a field for attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790 (T1050) that refers to attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32 (T1543.003).

As far as I'm aware, the two entries don't have a link with each other to reflect one replaces the other.

ElJocko commented 1 year ago

There isn't a link directly in either of the technique (attack-pattern) objects. Instead, the two techniques are linked by a revoked-by relationship object. This is the STIX specified method for linking a revoked object with the object that supersedes it. Here's that relationship with T1050 referenced in the source_ref property and T1543.003 referenced in the target_ref property:

```json
{
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "relationship--5fa955eb-63da-4281-8904-03f6c04c9d8d",
    "type": "relationship",
    "created": "2020-03-17T16:21:36.718Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "modified": "2022-04-25T14:00:00.188Z",
    "relationship_type": "revoked-by",
    "source_ref": "attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790",
    "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
    "x_mitre_version": "1.0",
    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "spec_version": "2.1",
    "x_mitre_attack_spec_version": "2.1.0",
    "x_mitre_domains": [
        "enterprise-attack"
    ]
}
```
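The lookup described in the reply above, as an added example that is not part of this issue thread or of the attack-stix-data project: it indexes the `revoked-by` relationship objects in a bundle, resolves a revoked technique to the object that supersedes it (following chains, since a replacement can itself be revoked later), and flags deprecated objects, which carry `x_mitre_deprecated` but normally no replacement. The bundle is a constructed miniature that reuses only the STIX ids quoted in the issue for T1050, T1543.003 and their relationship; the technique names, the bundle id and the `T9999` deprecated entry are sample values, not taken from enterprise-attack.json.

```python
import json

# Constructed miniature STIX 2.1 bundle. Only the three ids quoted in the issue
# are real; names, the bundle id and the T9999 entry are placeholders.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",  # placeholder
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790",
            "name": "sample revoked technique",
            "revoked": True,
            "external_references": [{"source_name": "mitre-attack", "external_id": "T1050"}],
        },
        {
            "type": "attack-pattern",
            "id": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
            "name": "sample current technique",
            "external_references": [{"source_name": "mitre-attack", "external_id": "T1543.003"}],
        },
        {
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-4000-8000-0000000000aa",  # placeholder
            "name": "sample deprecated technique",
            "x_mitre_deprecated": True,
            "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}],  # placeholder
        },
        {
            "type": "relationship",
            "id": "relationship--5fa955eb-63da-4281-8904-03f6c04c9d8d",
            "relationship_type": "revoked-by",
            "source_ref": "attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790",
            "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
        },
    ],
}


def attack_id(obj):
    """Return the ATT&CK external id (e.g. T1050) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_supersession_map(bundle):
    """Map each revoked object's STIX id to the id of the object replacing it,
    taken from the bundle's revoked-by relationship objects."""
    return {
        obj["source_ref"]: obj["target_ref"]
        for obj in bundle["objects"]
        if obj.get("type") == "relationship"
        and obj.get("relationship_type") == "revoked-by"
    }


def resolve_current(bundle, stix_id, max_hops=10):
    """Follow revoked-by links until an object with no successor is reached.
    A hop limit guards against a malformed bundle with a cycle."""
    supersedes = build_supersession_map(bundle)
    current = stix_id
    for _ in range(max_hops):
        nxt = supersedes.get(current)
        if nxt is None:
            return current
        current = nxt
    raise ValueError(f"revoked-by chain longer than {max_hops} hops from {stix_id}")


def report_stale_objects(bundle):
    """List revoked or deprecated objects with the ATT&CK id that replaces them.
    Deprecated objects usually have no revoked-by relationship, so replaced_by is None."""
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    supersedes = build_supersession_map(bundle)
    rows = []
    for obj in bundle["objects"]:
        if not (obj.get("revoked") or obj.get("x_mitre_deprecated")):
            continue
        target = supersedes.get(obj["id"])
        rows.append({
            "id": attack_id(obj),
            "status": "revoked" if obj.get("revoked") else "deprecated",
            "replaced_by": attack_id(by_id[target]) if target in by_id else None,
        })
    return rows


if __name__ == "__main__":
    # Against the real data: bundle = json.load(open("enterprise-attack.json"))
    for row in report_stale_objects(SAMPLE_BUNDLE):
        print(json.dumps(row))
```

Run against the real `enterprise-attack.json`, `report_stale_objects` gives the "what replaced this?" view the issue asks for without any new field in the attack-pattern objects, because the relationship object already carries that link.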
jecarr commented 1 year ago

Thanks @ElJocko for the quick reply!