Fill Tool Details
Threat actors use certain tools to perform attacks. Analyzing how and when threat actors use such tools provides insight into how campaigns are executed. Unlike malware, these tools or software packages are often already present on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools such as RDP and network scanning tools such as Nmap are examples of tools that a threat actor may use during an attack.
The Tool threat data object characterizes the properties of these software tools and can be used as a basis for asserting how a threat actor uses them during an attack. It contains properties to name and describe the tool, a list of kill chain phases the tool is used to carry out, and the version of the tool.
Add the following details for the tool.
Basic Details
Common Fields
Custom Attributes
Kill Chain Phases
External References
Basic Details
Field Name | Required | Description |
---|---|---|
Name | Mandatory | Specify the name of the tool. |
Description | Optional | Specify additional information, such as key details about the tool. |
Aliases | Optional | Specify the alternate names a tool uses to identify itself. |
Tool Version | Optional | Specify the version details associated with the tool. |
Common Fields
Field Name | Description |
---|---|
Tags | Specify the tags for the tool. |
TLP | Specify the TLP (Traffic Light Protocol) for the tool, such as RED, AMBER, GREEN, WHITE, or NONE. |
Created by Reference | Specify the entity that created the CTIX object. |
Revoked | Select this option to mark the component as revoked or invalid. |
Custom Attributes
Field Name | Description |
---|---|
Add Custom Attributes | Specify the additional information that helps in improving the threat intelligence details. CTIX displays custom attributes created in Administration > Custom Entities Management. You can create multiple custom attributes for the tool. |
Kill Chain Phases
Include the kill chain phases for which this object can be used.
Field Name | Description |
---|---|
Kill Chain Name | Choose the kill chain name to associate with this object. You can choose Lockheed Martin or MITRE kill chains. You can also create and add custom kill chains in Administration > Custom Entities Management and associate them here. |
Kill Chain Phase | Choose the kill chain phase associated with the kill chain. |
External References
Use external references to include any non-STIX information that you may want to associate with this object.
Field Name | Description |
---|---|
Source Name | Enter a source name. |
Description | Enter a description. |
External ID | Enter an external ID. |
URL | Enter the URL of the external reference. |
Hash Type | Select the hash type. |
Hash Value | Enter the hash value. |
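The following added example (not CTIX code or part of the original page) shows how the Basic Details, Kill Chain Phases, and External References fields could be assembled into a STIX 2.1 Tool object and checked before submission. It assumes each form field maps to the STIX 2.1 property of the same meaning; `build_tool`, `HASH_HEX_LEN`, the input dictionary keys `hash_type` and `hash_value`, and all sample values are hypothetical.

```python
import hashlib
import re
import uuid
from datetime import datetime, timezone

# Hex digest lengths for common STIX hash-algorithm names.
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}

def build_tool(name, description=None, aliases=None, tool_version=None,
               kill_chain_phases=(), external_references=()):
    """Build a STIX 2.1 Tool object (dict) from form-style inputs (assumed mapping)."""
    if not name or not name.strip():
        raise ValueError("Name is mandatory")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    tool = {"type": "tool", "spec_version": "2.1", "id": f"tool--{uuid.uuid4()}",
            "created": now, "modified": now, "name": name.strip()}
    for key, value in (("description", description), ("aliases", aliases),
                       ("tool_version", tool_version)):
        if value:  # optional fields are left out when empty
            tool[key] = value
    # STIX recommends lowercase, hyphen-separated kill chain and phase names.
    slug = lambda s: re.sub(r"[^a-z0-9]+", "-", s.lower()).strip("-")
    phases = [{"kill_chain_name": slug(chain), "phase_name": slug(phase)}
              for chain, phase in kill_chain_phases]
    if phases:
        tool["kill_chain_phases"] = phases
    refs = []
    for ref in external_references:
        if not ref.get("source_name"):
            raise ValueError("external reference needs a source name")
        out = {k: ref[k] for k in ("source_name", "description", "external_id", "url")
               if ref.get(k)}
        if ref.get("hash_value"):
            algo, digest = ref.get("hash_type"), ref["hash_value"].lower()
            n = HASH_HEX_LEN.get(algo)
            if n is None or not re.fullmatch(r"[0-9a-f]{%d}" % n, digest):
                raise ValueError("unsupported hash type or malformed hash value")
            out["hashes"] = {algo: digest}
        # STIX 2.1: source_name plus at least one of description/url/external_id.
        if not any(k in out for k in ("description", "url", "external_id")):
            raise ValueError("add a description, URL or external ID")
        refs.append(out)
    if refs:
        tool["external_references"] = refs
    return tool

# Constructed sample input; the digest is of a made-up byte string.
SAMPLE = build_tool(
    "Nmap", description="Network scanning tool", aliases=["nmap"],
    kill_chain_phases=[("Lockheed Martin Cyber Kill Chain", "Reconnaissance")],
    external_references=[{"source_name": "example-source", "url": "https://example.com/nmap",
                          "hash_type": "SHA-256",
                          "hash_value": hashlib.sha256(b"constructed sample").hexdigest()}])
```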