Open aedenmurray opened 1 year ago
Thanks for catching this. For ATT&CK v13.0 we modified the x_mitre_shortname
for ICS tactics to fit the pattern used for other tactics. We also updated the ICS techniques to match. But we didn't update the deprecated and revoked techniques.
In this particular case, attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a
(T0825) is deprecated. The x_mitre_shortname
of the corresponding tactic was changed to 'collection', but the technique kill_chain_phases.phase_name
was not updated to match.
We generally try to avoid updating deprecated and revoked techniques, but this may be a case where it's necessary to maintain data integrity. We'll put this on the list of issues to address with v13.1.
[edited to fix the ATT&CK ID of the technique]
In the 13.0 release, some techniques in the ICS bundle have
kill_chain_phases.phase_name
that don't match thex_mitre_shortname
in any of the tactics in the bundle. Relevant documentation here.For example, technique:
attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a
has acollection-ics
kill_chain_phases.phase_name
. However, there is nox-mitre-tactic
with acollection-ics
x_mitre_shortname
.