ATT&CK Changes Between v10.0 and v10.1

Key

New objects: ATT&CK objects which are only present in the new release.
Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
Object revocations: ATT&CK objects which are revoked by a different object.
Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
Object deletions: ATT&CK objects which are no longer found in the STIX data.

Additional formats

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

This JSON file contains the machine readble output used to create this page: changelog.json

Techniques

enterprise-attack

Minor Version Changes

[T1543.001] Create or Modify System Process: Launch Agent

Current version: 1.3

Version changed from: 1.2 → 1.3

Dropped Mitigations:

M1018: User Account Management

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-15 07:41:40.262000+00:00	2021-11-03 20:11:51.687000+00:00
x_mitre_version	1.2	1.3

Patches

[T1543] Create or Modify System Process

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-15 07:41:41.496000+00:00	2021-11-03 20:11:52.175000+00:00

[T1620] Reflective Code Loading

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-17 15:13:55.615000+00:00	2021-11-01 18:09:09.670000+00:00
x_mitre_contributors[3]	Lior Ribak , SentinelOne	Lior Ribak, SentinelOne

mobile-attack

Patches

[T1478] Install Insecure or Malicious Configuration

Current version: 1.0

	Old Description			New Description
t	1	An adversary could attempt to install insecure or malicious	t	1	An adversary could attempt to install insecure or malicious
	>	configuration settings on the mobile device, through means s		>	configuration settings on the mobile device, through means s
	>	uch as phishing emails or text messages either directly cont		>	uch as phishing emails or text messages either directly cont
	>	aining the configuration settings as an attachment, or conta		>	aining the configuration settings as an attachment, or conta
	>	ining a web link to the configuration settings. The device u		>	ining a web link to the configuration settings. The device u
	>	ser may be tricked into installing the configuration setting		>	ser may be tricked into installing the configuration setting
	>	s through social engineering techniques (Citation: Symantec-		>	s through social engineering techniques (Citation: Symantec-
	>	iOSProfile). For example, an unwanted Certification Authori		>	iOSProfile). For example, an unwanted Certification Authori
	>	ty (CA) certificate could be placed in the device's trusted		>	ty (CA) certificate could be placed in the device's trusted
	>	certificate store, increasing the device's susceptibility to		>	certificate store, increasing the device's susceptibility to
	>	man-in-the-middle network attacks seeking to eavesdrop on o		>	adversary-in-the-middle network attacks seeking to eavesdro
	>	r manipulate the device's network communication ([Eavesdrop		>	p on or manipulate the device's network communication ([Eave
	>	on Insecure Network Communication](https://attack.mitre.org/		>	sdrop on Insecure Network Communication](https://attack.mitr
	>	techniques/T1439) and [Manipulate Device Communication](http		>	e.org/techniques/T1439) and [Manipulate Device Communication
	>	s://attack.mitre.org/techniques/T1463)). On iOS, malicious		>	](https://attack.mitre.org/techniques/T1463)). On iOS, mali
	>	Configuration Profiles could contain unwanted Certification		>	cious Configuration Profiles could contain unwanted Certific
	>	Authority (CA) certificates or other insecure settings such		>	ation Authority (CA) certificates or other insecure settings
	>	as unwanted proxy server or VPN settings to route the device		>	such as unwanted proxy server or VPN settings to route the
	>	's network traffic through an adversary's system. The device		>	device's network traffic through an adversary's system. The
	>	could also potentially be enrolled into a malicious Mobile		>	device could also potentially be enrolled into a malicious M
	>	Device Management (MDM) system (Citation: Talos-MDM).		>	obile Device Management (MDM) system (Citation: Talos-MDM).

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_is_subtechnique		False

values_changed
STIX Field	Old value	New Value
modified	2018-10-17 00:14:20.652000+00:00	2021-11-01 18:29:08.293000+00:00
description	An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile). For example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to man-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)). On iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).	An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile). For example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)). On iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).

Software

enterprise-attack

Patches

[S0014] BS2005

Current version: 1.1

	Old Description			New Description
t	1	[BS2005](https://attack.mitre.org/software/S0014) is malware	t	1	[BS2005](https://attack.mitre.org/software/S0014) is malware
	>	that was used by [Ke3chang](https://attack.mitre.org/groups		>	that was used by [Ke3chang](https://attack.mitre.org/groups
	>	/G0004) in spearphishing campaigns since at least 2011. (Cit		>	/G0004) in spearphishing campaigns since at least 2011. (Cit
	>	ation: Villeneuve et al 2014)		>	ation: Mandiant Operation Ke3chang November 2014)

Details

values_changed
STIX Field	Old value	New Value
modified	2020-03-30 15:02:35.427000+00:00	2021-11-01 21:12:14.638000+00:00
description	[BS2005](https://attack.mitre.org/software/S0014) is malware that was used by [Ke3chang](https://attack.mitre.org/groups/G0004) in spearphishing campaigns since at least 2011. (Citation: Villeneuve et al 2014)	[BS2005](https://attack.mitre.org/software/S0014) is malware that was used by [Ke3chang](https://attack.mitre.org/groups/G0004) in spearphishing campaigns since at least 2011. (Citation: Mandiant Operation Ke3chang November 2014)
external_references[1]['source_name']	Villeneuve et al 2014	Mandiant Operation Ke3chang November 2014
external_references[1]['url']	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf	https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs

[S0641] Kobalos

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Manikantan Srinivasan, NEC Corporation India', 'Pooja Natarajan, NEC Corporation India', 'Hiroki Nagahama, NEC Corporation']

values_changed
STIX Field	Old value	New Value
modified	2021-10-19 00:09:52.008000+00:00	2021-10-25 17:16:21.187000+00:00

[S0652] MarkiRAT

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-15 17:18:54.363000+00:00	2021-10-25 14:24:59.957000+00:00
x_mitre_contributors[2]	Nagahama Hiroki, NEC Corporation	Hiroki Nagahama, NEC Corporation

Deprecations

[S0609] TRITON

Current version: 1.0

Description: This entry was deprecated as it was inadvertently added to Enterprise; a similar Software entry was created for ATT&CK for ICS. [TRITON](https://attack.mitre.org/software/S0609) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. [TRITON](https://attack.mitre.org/software/S0609) was deployed against at least one target in the Middle East. (Citation: FireEye TRITON 2017)(Citation: FireEye TRITON 2018)(Citation: Dragos TRISIS)(Citation: CISA HatMan)(Citation: FireEye TEMP.Veles 2018)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_deprecated		True

values_changed
STIX Field	Old value	New Value
modified	2021-05-04 19:10:43.045000+00:00	2021-10-27 20:47:40.880000+00:00
description	[TRITON](https://attack.mitre.org/software/S0609) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. [TRITON](https://attack.mitre.org/software/S0609) was deployed against at least one target in the Middle East. (Citation: FireEye TRITON 2017)(Citation: FireEye TRITON 2018)(Citation: Dragos TRISIS)(Citation: CISA HatMan)(Citation: FireEye TEMP.Veles 2018)	This entry was deprecated as it was inadvertently added to Enterprise; a similar Software entry was created for ATT&CK for ICS. [TRITON](https://attack.mitre.org/software/S0609) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. [TRITON](https://attack.mitre.org/software/S0609) was deployed against at least one target in the Middle East. (Citation: FireEye TRITON 2017)(Citation: FireEye TRITON 2018)(Citation: Dragos TRISIS)(Citation: CISA HatMan)(Citation: FireEye TEMP.Veles 2018)

mobile-attack

Patches

[S0407] Monokle

Current version: 1.2

Details

values_changed
STIX Field	Old value	New Value
modified	2021-09-24 14:52:40.927000+00:00	2021-11-01 18:30:41.998000+00:00

Groups

enterprise-attack

Patches

[G0137] Ferocious Kitten

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-15 16:47:52.864000+00:00	2021-10-25 14:28:10.337000+00:00
x_mitre_contributors[2]	Nagahama Hiroki, NEC Corporation	Hiroki Nagahama, NEC Corporation

[G0004] Ke3chang

Current version: 1.4

	Old Description			New Description
t	1	[Ke3chang](https://attack.mitre.org/groups/G0004) is a threa	t	1	[Ke3chang](https://attack.mitre.org/groups/G0004) is a threa
	>	t group attributed to actors operating out of China. [Ke3cha		>	t group attributed to actors operating out of China. [Ke3cha
	>	ng](https://attack.mitre.org/groups/G0004) has targeted seve		>	ng](https://attack.mitre.org/groups/G0004) has targeted seve
	>	ral industries, including oil, government, military, and mor		>	ral industries, including oil, government, military, and mor
	>	e. (Citation: Villeneuve et al 2014) (Citation: NCC Group AP		>	e.(Citation: Mandiant Operation Ke3chang November 2014)(Cita
	>	T15 Alive and Strong) (Citation: APT15 Intezer June 2018)		>	tion: NCC Group APT15 Alive and Strong)(Citation: APT15 Inte
				>	zer June 2018)

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-12 20:02:51.565000+00:00	2021-11-01 21:12:15.839000+00:00
description	[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted several industries, including oil, government, military, and more. (Citation: Villeneuve et al 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018)	[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted several industries, including oil, government, military, and more.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)
external_references[8]['source_name']	Villeneuve et al 2014	Mandiant Operation Ke3chang November 2014
external_references[8]['url']	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf	https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs

[G0071] Orangeworm

Current version: 1.1

	Old Description			New Description
t	1	[Orangeworm](https://attack.mitre.org/groups/G0071) is a gro	t	1	[Orangeworm](https://attack.mitre.org/groups/G0071) is a gro
	>	up that has targeted organizations in the healthcare sector		>	up that has targeted organizations in the healthcare sector
	>	in the United States, Europe, and Asia since at least 2015,		>	in the United States, Europe, and Asia since at least 2015,
	>	likely for the purpose of corporate espionage. (Citation: Sy		>	likely for the purpose of corporate espionage.(Citation: Sym
	>	mantec Orangeworm April 2018)		>	antec Orangeworm April 2018)

Details

values_changed
STIX Field	Old value	New Value
modified	2020-03-30 19:12:41.915000+00:00	2021-10-26 22:29:09.327000+00:00
description	[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. (Citation: Symantec Orangeworm April 2018)	[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018)

[G0040] Patchwork

Current version: 1.4

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-12 21:55:09.686000+00:00	2021-11-02 21:07:07.755000+00:00
external_references[7]['url']	https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf	https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf

[G0134] Transparent Tribe

Current version: 1.0

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Manikantan Srinivasan, NEC Corporation India', 'Pooja Natarajan, NEC Corporation India', 'Hiroki Nagahama, NEC Corporation']

values_changed
STIX Field	Old value	New Value
modified	2021-10-15 19:27:15.500000+00:00	2021-10-25 17:19:00.720000+00:00

[G0044] Winnti Group

Current version: 1.1

Details

values_changed
STIX Field	Old value	New Value
modified	2020-08-24 15:01:01.939000+00:00	2021-11-05 15:59:50.451000+00:00
external_references[6]['url']	https://401trg.com/burning-umbrella/	https://401trg.github.io/pages/burning-umbrella.html

Data Sources

enterprise-attack

Patches

[DS0026] Active Directory

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.274110Z	2021-11-10T09:30:48.693951Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0025] Cloud Service

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.273990Z	2021-11-10T09:30:48.694425Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0010] Cloud Storage

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.272382Z	2021-11-10T09:30:48.694594Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0031] Cluster

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.274720Z	2021-11-10T09:30:48.694817Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0017] Command

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.273124Z	2021-11-10T09:30:48.694901Z
x_mitre_contributors[1]	CTID	Center for Threat-Informed Defense (CTID)

[DS0032] Container

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.274834Z	2021-11-10T09:30:48.694982Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0016] Drive

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.272982Z	2021-11-10T09:30:48.695272Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0027] Driver

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.274252Z	2021-11-10T09:30:48.695431Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0022] File

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.273672Z	2021-11-10T09:30:48.695560Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0018] Firewall

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.273181Z	2021-11-10T09:30:48.695762Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0001] Firmware

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.265145Z	2021-11-10T09:30:48.695921Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0036] Group

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.275275Z	2021-11-10T09:30:48.695999Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0007] Image

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.271956Z	2021-11-10T09:30:48.696179Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0008] Kernel

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.272087Z	2021-11-10T09:30:48.696693Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0028] Logon Session

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.274352Z	2021-11-10T09:30:48.696771Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0011] Module

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.272552Z	2021-11-10T09:30:48.697073Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0023] Named Pipe

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.273816Z	2021-11-10T09:30:48.697149Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0033] Network Share

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.274950Z	2021-11-10T09:30:48.697227Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0029] Network Traffic

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.274446Z	2021-11-10T09:30:48.697365Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0014] Pod

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.272712Z	2021-11-10T09:30:48.697559Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0009] Process

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.272143Z	2021-11-10T09:30:48.697770Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0003] Scheduled Job

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.271574Z	2021-11-10T09:30:48.697992Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0012] Script

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.272610Z	2021-11-10T09:30:48.698144Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)
external_references[2]['description']	Dunwoody, M. (2016, February 11). https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html. Retrieved September 28, 2021.	Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.

[DS0013] Sensor Health

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.272664Z	2021-11-10T09:30:48.698218Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0019] Service

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.273300Z	2021-11-10T09:30:48.698295Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0020] Snapshot

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.273471Z	2021-11-10T09:30:48.698426Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0002] User Account

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.271422Z	2021-11-10T09:30:48.698605Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0034] Volume

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.275065Z	2021-11-10T09:30:48.698797Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)

[DS0005] WMI

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2021-10-20T15:05:19.271772Z	2021-11-10T09:30:48.699233Z
x_mitre_contributors[0]	CTID	Center for Threat-Informed Defense (CTID)