Cyware Threat Intelligence eXchange

Fill Tool Details

Threat actors use certain tools to perform attacks. Analyzing how and when threat actors use such tools provides insight into how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools such as RDP and network scanning tools such as Nmap are examples of tools that a threat actor may use during an attack.

The Tool threat data object characterizes the properties of these software tools and can be used as a basis for asserting how a threat actor uses them during an attack. It contains properties to name and describe the tool, a list of kill chain phases the tool is used to carry out, and the version of the tool.

Add the following details for the tool.

  • Basic Details

  • Common Fields

  • Custom Attributes

  • Kill Chain Phases

  • External References

Basic Details

| Field Name | Required | Description |
| --- | --- | --- |
| Name | Mandatory | Specify the name of the tool. |
| Description | Optional | Specify additional information, such as key details about the tool. |
| Aliases | Optional | Specify the alternate names a tool uses to identify itself. |
| Tool Version | Optional | Specify the version details associated with the tool. |

Common Fields

| Field Name | Description |
| --- | --- |
| Tags | Specify the tags for the tool. |
| TLP | Specify the TLP for the tool, such as RED, AMBER, GREEN, WHITE, and NONE. |
| Created by Reference | Specify the entity that created the CTIX object. |
| Revoked | Select this option to mark the component as revoked or invalid. |

Custom Attributes

| Field Name | Description |
| --- | --- |
| Add Custom Attributes | Specify additional information that helps improve the threat intelligence details. CTIX displays custom attributes created in Administration > Custom Entities Management. You can create multiple custom attributes for the tool. |

Kill Chain Phases

Include the kill chain phases for which this object can be used.

| Field Name | Description |
| --- | --- |
| Kill Chain Name | Choose the kill chain name to associate with this object. You can choose Lockheed Martin or MITRE kill chains. You can also create and add custom kill chains in Administration > Custom Entities Management and associate them here. |
| Kill Chain Phase | Choose the kill chain phase associated with the kill chain. |

External References

Use external references to include any non-STIX information that you may want to associate with this object.

| Field Name | Description |
| --- | --- |
| Source Name | Enter a source name. |
| Description | Enter a description. |
| External ID | Enter an external ID. |
| URL | Enter the URL of the external reference. |
| Hash Type | Select the hash type. |
| Hash Value | Enter the hash value. |
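
The Basic Details, Kill Chain Phases, and External References fields above can be checked before submission with a short script. This is an added example, not Cyware's code: it assumes the form fields correspond to the STIX 2.1 Tool object properties of the same meaning, and `build_tool`, `HASH_HEX_LEN`, and the sample values are hypothetical names and constructed data.

```python
import re
import uuid
from datetime import datetime, timezone

# Hex digest lengths for the hash types this sketch accepts (STIX 2.1 hash names).
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}


def build_tool(name, description=None, aliases=(), tool_version=None,
               kill_chain_phases=(), external_references=(), revoked=False):
    """Return a STIX 2.1 Tool object as a dict, rejecting malformed input."""
    if not name or not name.strip():
        raise ValueError("Name is mandatory")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    tool = {"type": "tool", "spec_version": "2.1", "id": f"tool--{uuid.uuid4()}",
            "created": now, "modified": now, "name": name.strip(), "revoked": revoked}
    for key, value in (("description", description), ("aliases", list(aliases)),
                       ("tool_version", tool_version)):
        if value:  # optional fields are emitted only when filled in
            tool[key] = value
    phases = []
    for chain, phase in kill_chain_phases:
        # STIX 2.1 recommends lowercase, hyphen-separated names; enforced here.
        for part in (chain, phase):
            if not re.fullmatch(r"[a-z0-9]+(-[a-z0-9]+)*", part):
                raise ValueError(f"bad kill chain value: {part!r}")
        phases.append({"kill_chain_name": chain, "phase_name": phase})
    if phases:
        tool["kill_chain_phases"] = phases
    refs = []
    for ref in external_references:
        if not ref.get("source_name"):
            raise ValueError("external reference needs a source name")
        if not any(ref.get(k) for k in ("description", "url", "external_id")):
            raise ValueError("reference needs a description, URL or external ID")
        for algo, digest in ref.get("hashes", {}).items():
            length = HASH_HEX_LEN.get(algo)
            if length is None or not re.fullmatch(r"[0-9a-fA-F]{%d}" % length, digest):
                raise ValueError(f"{algo}: unsupported type or malformed digest")
        refs.append(dict(ref))
    if refs:
        tool["external_references"] = refs
    return tool


# Constructed sample input (values are illustrative, not from the page).
SAMPLE = build_tool("Nmap", aliases=["nmap"], tool_version="0.0-sample",
    kill_chain_phases=[("lockheed-martin-cyber-kill-chain", "reconnaissance")],
    external_references=[{"source_name": "example", "url": "https://example.com/tool"}])
```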