STIX Wiki
STIX Wiki

Overview

IntroductionGetting StartedWalkthrough

Reference

Domain Objects
Attack PatternCampaignCourse of ActionGroupingIdentityIncidentIndicatorInfrastructureIntrusion SetLocationMalware AnalysisMalwareNoteObserved DataOpinionReportThreat ActorToolVulnerability
Relationship Objects
Cyber-observable Objects
Meta Objects
Bundle Object
Domain Objects

Campaign

A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set.

Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign.

Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use.

For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.

Properties

Required Common Properties
typespec_versionidcreatedmodifiedname
Optional Common Properties
created_by_reflabelsrevokedconfidencelangexternal_referencesobject_marking_refsgranular_markingsextensions
Not Applicable
defanged
Campaign Specific
namedescriptionaliasesfirst_seenlast_seenobjective
PropertyTypeDescription
typeoptional
stringThe type of this object, which MUST be the literal `campaign`.
namerequired
stringThe name used to identify the Campaign.
descriptionoptional
stringA description that provides more details and context about the Campaign, potentially including its purpose and its key characteristics.
aliasesoptional
list of stringAlternative names used to identify this campaign.
first_seenoptional
stringRepresents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'.
last_seenoptional
stringRepresents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'.
objectiveoptional
stringThis field defines the Campaign’s primary goal, objective, desired outcome, or intended effect.

Relationships

These are the relationships explicitly defined between the Campaign object and other STIX Objects. The first section lists the embedded relationships by property name along with their corresponding target. The rest of the table identifies the relationships that can be made from this object type to another object type by way of the Relationship object. The reverse relationships section illustrates the relationships targeting this object type from another object type. They are included here for convenience. For their definitions, please see the "Source" object.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.

Attack Pattern

Previous Page

Course of Action

Next Page

On this page

PropertiesRelationships