mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Please consider adding a type for "Procedure Examples" in json feed #85

Closed Radu3000 closed 4 years ago

Radu3000 commented 4 years ago

"Procedure Examples" such as the one showing below are encoded using "description" attribute on the "relationship" type objects. They are natural language statements with technical details. Currently there is no type "x_mitre_procedure_example". However it could be useful to find answers to such questions:

I believe it is possible to answer the above question using the mitre attack python libraries as well as raw json. However, it is a bit different from other types such as "x_mitre_system_requirements":

```json
[
    {
        "type": "relationship",
        "target_ref": "attack-pattern--b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
        "description": "[Honeybee](https://attack.mitre.org/groups/G0072) adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server."
    },
    {
        "type": "relationship",
        "target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
        "description": "[Honeybee](https://attack.mitre.org/groups/G0072) adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server."
    },
    {
        "type": "relationship",
        "target_ref": "attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
        "description": "[Honeybee](https://attack.mitre.org/groups/G0072) adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server."
    }
]
```

Finally the other question I have:

Regards, Radu

isaisabel commented 4 years ago

Hi @Radu3000,

We don't intend to represent procedure examples as their own type of object due to the nature of procedures themselves. We define procedures as a specific use of a technique by an adversary. Or said another way, "the way a specific group implements a technique".

Therefore it makes the most sense for us to represent it as the relationship between a technique and an adversary (group), because it is wholly reliant on the context of the associated group and the technique the procedure implements.

For your second question, you can find definitions for procedures in our FAQ and our design and philosophy paper in section 3.4.1.

From the FAQ:

Procedures are the specific implementation the adversary uses for techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed in the wild use of techniques in the "Procedure Examples" section of technique pages.

Design and Philosophy, section 3.4.1 defines procedures as follows:

Procedures are another important component of the TTP concept, and we cannot talk about tactics and techniques without also including procedures as well. Within ATT&CK, procedures are the specific implementation adversaries have used for techniques or sub-techniques. For example, a procedure could be APT28 using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim.

The two important aspects to note about procedures in ATT&CK are that it is how an adversary uses techniques and sub-techniques and that a procedure can span multiple techniques and subtechniques. Expanding on the prior example, the procedure the adversary uses to dump credentials includes PowerShell, Process Injection, and LSASS Memory, which are all distinct behaviors. Procedures may also include use of specific tools in how they’re performed.

Procedures are documented in ATT&CK as the observed in-the-wild use of techniques in the "Procedure Examples" section of the technique and sub-technique pages.
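
The representation described above (a procedure example is the `description` on the `uses` relationship between an `intrusion-set` and an `attack-pattern`) can be queried directly from the raw STIX JSON without a dedicated object type. The following is an added example, not code from the mitre/cti repository or the ATT&CK Python libraries. The bundle it parses is constructed inline for the example: the three attack-pattern ids are the ones quoted in the issue, but the technique names, the technique external ids (`T0001`..`T0003`), the intrusion-set id and the relationship ids are placeholders, not the real ATT&CK objects. The function names `procedure_examples` and `techniques_mentioning` are also the example's own.

```python
"""Query ATT&CK "Procedure Examples" straight from a STIX 2.0 bundle."""
import json
import re
from typing import Dict, List, Tuple

# Attack-pattern ids quoted in the issue. Everything else in the sample is a placeholder.
TECHNIQUE_IDS = [
    "attack-pattern--b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
    "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
    "attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
]
GROUP_ID = "intrusion-set--00000000-0000-4000-8000-0000000000a1"  # placeholder id
PROCEDURE = ("[Honeybee](https://attack.mitre.org/groups/G0072) adds collected files to a "
             "temp.zip file saved in the %temp% folder, then base64 encodes it and uploads "
             "it to control server.")


def build_sample_bundle() -> str:
    """Construct a minimal bundle shaped like enterprise-attack.json (sample data)."""
    objects = [{
        "type": "intrusion-set", "id": GROUP_ID, "name": "Honeybee",
        "external_references": [{"source_name": "mitre-attack", "external_id": "G0072",
                                 "url": "https://attack.mitre.org/groups/G0072"}],
    }]
    for n, tid in enumerate(TECHNIQUE_IDS, start=1):
        objects.append({"type": "attack-pattern", "id": tid,
                        "name": f"Placeholder technique {n}",   # not the real technique name
                        "external_references": [{"source_name": "mitre-attack",
                                                 "external_id": f"T000{n}"}]})  # placeholder
        objects.append({"type": "relationship",
                        "id": f"relationship--00000000-0000-4000-8000-00000000000{n}",
                        "relationship_type": "uses", "source_ref": GROUP_ID,
                        "target_ref": tid, "description": PROCEDURE})
    # Real bundles keep revoked relationships; a consumer must skip them.
    objects.append({"type": "relationship",
                    "id": "relationship--00000000-0000-4000-8000-000000000009",
                    "relationship_type": "uses", "source_ref": GROUP_ID,
                    "target_ref": TECHNIQUE_IDS[0], "revoked": True,
                    "description": "[Honeybee](https://attack.mitre.org/groups/G0072) old text."})
    return json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000b1",
                       "spec_version": "2.0", "objects": objects})


def attack_id(obj: dict) -> str:
    """Return the ATT&CK id (G0072, T1234, ...) from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


def strip_markdown_links(text: str) -> str:
    """Descriptions embed markdown links such as [Honeybee](https://...); keep the label."""
    return re.sub(r"\[([^\]]+)\]\([^)]+\)", r"\1", text)


def _live_uses(objs: Dict[str, dict]):
    """Yield non-revoked, non-deprecated `uses` relationships from the bundle index."""
    for o in objs.values():
        if o["type"] != "relationship" or o.get("relationship_type") != "uses":
            continue
        if o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        yield o


def procedure_examples(bundle_json: str, group_attack_id: str) -> List[Tuple[str, str, str]]:
    """Return (technique id, technique name, procedure text) for one group, sorted by id."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    groups = [o for o in objs.values()
              if o["type"] == "intrusion-set" and attack_id(o) == group_attack_id]
    if not groups:
        return []
    rows = []
    for rel in _live_uses(objs):
        target = objs.get(rel["target_ref"])
        if rel["source_ref"] != groups[0]["id"] or not target \
                or target["type"] != "attack-pattern":
            continue
        rows.append((attack_id(target), target["name"],
                     strip_markdown_links(rel.get("description", ""))))
    return sorted(rows)


def techniques_mentioning(bundle_json: str, keyword: str) -> List[str]:
    """Technique ids whose group procedure text contains keyword (case-insensitive)."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    hits = set()
    for rel in _live_uses(objs):
        target = objs.get(rel["target_ref"])
        if target and target["type"] == "attack-pattern" \
                and keyword.lower() in rel.get("description", "").lower():
            hits.add(attack_id(target))
    return sorted(hits)


if __name__ == "__main__":
    bundle = build_sample_bundle()
    for tid, name, text in procedure_examples(bundle, "G0072"):
        print(tid, name, "->", text)
    print("techniques with base64 in a procedure:", techniques_mentioning(bundle, "base64"))
```

Against the real `enterprise-attack.json` the same two functions work unchanged (replace `build_sample_bundle()` with the file contents); the `revoked` / `x_mitre_deprecated` filter matters there, because the repository retains superseded relationships rather than deleting them.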

Radu3000 commented 4 years ago

Isabela,

As always thank you for this very detailed explanation. Very helpful indeed. And also thank you for sharing FAQ links and philosophy paper - bookmarked now!

So my summary from what I have read is:

I understand that you don't intend to make procedure examples a type. What about "Procedure" itself as a type? "x_mitre_system_requirements" is a type with similar content (in my limited understanding), a sentence-like description. In my mind there are a lot of benefits to extending the MITRE ATT&CK model with additional types from stix2, capec, maec, etc.

Apologies for all the questions - I will do more reading now.

Regards, Radu