Missing subtechnique-of relationships for T1053.001 and T1547.011 #64

@ojasookert

Summary

Two subtechniques in enterprise-attack-18.1.json are missing their subtechnique-of relationship objects, making it impossible to programmatically determine their parent techniques using only relationship lookups.

Affected Subtechniques

  • T1053.001 (At - Linux) - Missing relationship to parent T1053 (Scheduled Task/Job)
  • T1547.011 (Plist Modification) - Missing relationship to parent T1547 (Boot or Logon Autostart Execution)

Details

Both objects have:

  • "type": "attack-pattern"
  • "x_mitre_is_subtechnique": true
  • Valid kill_chain_phases arrays

However, no corresponding relationship objects exist with:

  • "relationship_type": "subtechnique-of"
  • "source_ref" pointing to these subtechniques

Impact

Tools parsing the STIX data that rely on relationship objects (rather than inferring from ID format) will fail to associate these subtechniques with their parent techniques.

Expected Behavior

Each subtechnique should have a corresponding relationship object linking it to its parent technique, consistent with the other 477 subtechniques.

Workaround

Parse the technique ID format (split on .) to infer the parent, but this defeats the purpose of explicit relationship modeling in STIX.

Proposed Fix

Add the following two relationship objects to the objects array in enterprise-attack-18.1.json:

For T1053.001 → T1053

{
  "type": "relationship",
  "spec_version": "2.1",
  "id": "relationship--[generate-new-uuid]",
  "created": "[timestamp]",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "[timestamp]",
  "relationship_type": "subtechnique-of",
  "source_ref": "attack-pattern--6636bc83-0611-45a6-b74f-1f3daf635b8e",
  "target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_deprecated": false,
  "x_mitre_attack_spec_version": "3.2.0"
}

For T1547.011 → T1547

{
  "type": "relationship",
  "spec_version": "2.1",
  "id": "relationship--[generate-new-uuid]",
  "created": "[timestamp]",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "[timestamp]",
  "relationship_type": "subtechnique-of",
  "source_ref": "attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a",
  "target_ref": "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_deprecated": false,
  "x_mitre_attack_spec_version": "3.2.0"
}
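
The consistency check this issue implies, as an added example (not code from the issue author or from MITRE): it lists every attack-pattern flagged `x_mitre_is_subtechnique` that is never the `source_ref` of a `subtechnique-of` relationship, and attaches the parent inferred from the ID as in the workaround above. The function names, the `_ap` helper and the sample bundle (constructed `T9999` IDs and placeholder UUIDs) are assumptions; the `deprecated` and `revoked` flags are reported so each finding can be triaged.

```python
import json

def external_id(obj):
    """Return the ATT&CK ID (e.g. T1053.001) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def find_unlinked_subtechniques(bundle):
    """List sub-techniques that are never the source_ref of a subtechnique-of relationship."""
    objects = bundle.get("objects", [])
    linked = {o.get("source_ref") for o in objects
              if o.get("type") == "relationship"
              and o.get("relationship_type") == "subtechnique-of"}
    by_attack_id = {external_id(o): o["id"] for o in objects
                    if o.get("type") == "attack-pattern" and external_id(o)}
    findings = []
    for o in objects:
        if o.get("type") != "attack-pattern" or not o.get("x_mitre_is_subtechnique"):
            continue
        if o["id"] in linked:
            continue
        attack_id = external_id(o) or ""
        parent = attack_id.split(".")[0] if "." in attack_id else None  # ID-format fallback
        findings.append({
            "attack_id": attack_id,
            "stix_id": o["id"],
            "inferred_parent": parent,
            "inferred_parent_ref": by_attack_id.get(parent),  # None if parent is absent too
            "deprecated": bool(o.get("x_mitre_deprecated")),
            "revoked": bool(o.get("revoked")),
        })
    return sorted(findings, key=lambda f: f["attack_id"])

# Constructed sample data: T9999.* IDs and the UUIDs below are placeholders, not ATT&CK objects.
def _ap(n, attack_id, sub=False, **extra):
    return {"type": "attack-pattern", "id": f"attack-pattern--00000000-0000-4000-8000-{n:012d}",
            "x_mitre_is_subtechnique": sub,
            "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}], **extra}

SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _ap(1, "T9999"), _ap(2, "T9999.001", True), _ap(3, "T9999.002", True, x_mitre_deprecated=True),
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": _ap(2, "T9999.001")["id"], "target_ref": _ap(1, "T9999")["id"]},
]}

if __name__ == "__main__":
    for finding in find_unlinked_subtechniques(SAMPLE_BUNDLE):
        print(json.dumps(finding))
```

To run it against a real bundle, load the file with `json.load` and pass the resulting dict in place of `SAMPLE_BUNDLE`.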
