ATT&CK Changes Between v13.0 and v13.1

Additional formats

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

This JSON file contains the machine-readable output used to create this page: changelog.json

Techniques

enterprise-attack

Patches

[T1098.001] Account Manipulation: Additional Cloud Credentials

Current version: 2.5

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-12 21:30:31.151000+00:00 | 2023-05-04 18:03:36.622000+00:00
x_mitre_contributors[5] | Dylan | Dylan Silva, AWS Security

[T1550.001] Use Alternate Authentication Material: Application Access Token

Current version: 1.5

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-15 00:29:43.297000+00:00 | 2023-05-04 18:04:17.588000+00:00
x_mitre_contributors[6] | Dylan | Dylan Silva, AWS Security

[T1059.009] Command and Scripting Interpreter: Cloud API

Current version: 1.0


Old Description

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: A), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006).

Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.

With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.

New Description

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006).

Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.

With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.

Details
values_changed
STIX Field | Old value | New Value
description | (see Old Description above) | (see New Description above)
external_references[1]['source_name'] | A | Microsoft - Azure PowerShell

[T1526] Cloud Service Discovery

Current version: 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-11 20:33:55.356000+00:00 | 2023-05-04 18:01:44.086000+00:00
x_mitre_contributors[2] | Thanabodi | Thanabodi Phrakhun, I-SECURE

[T1652] Device Driver Discovery

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-11 01:18:10.369000+00:00 | 2023-05-04 18:07:16.804000+00:00
x_mitre_contributors[0] | Filip Kafka, ESET | ESET
x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Access | Process: Process Creation
iterable_item_added
STIX Field | Old value | New Value
x_mitre_data_sources | | Windows Registry: Windows Registry Key Access
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_contributors | Zuzana Legáthová, ESET |
x_mitre_contributors | Miroslav Babiš, ESET |
x_mitre_data_sources | Process: Process Creation |

[T1567.003] Exfiltration Over Web Service: Exfiltration to Text Storage Sites

Current version: 1.0

Details
dictionary_item_removed
STIX Field | Old value | New Value
x_mitre_network_requirements | False |
values_changed
STIX Field | Old value | New Value
modified | 2023-04-14 20:36:09.042000+00:00 | 2023-05-04 18:00:33.023000+00:00
x_mitre_contributors[0] | Kuessner Consulting | Harun Küßner

[T1027.011] Obfuscated Files or Information: Fileless Storage

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-03-24 13:51:48.636000+00:00 | 2023-05-04 18:06:40.829000+00:00
x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Creation | WMI: WMI Creation
x_mitre_data_sources[1] | WMI: WMI Creation | Windows Registry: Windows Registry Key Creation
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | Xavier Rousseau

[T1606] Forge Web Credentials

Current version: 1.3

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-12 21:35:48.084000+00:00 | 2023-05-04 18:05:16.877000+00:00
x_mitre_contributors[0] | Dylan | Dylan Silva, AWS Security
x_mitre_data_sources[1] | Web Credential: Web Credential Creation | Logon Session: Logon Session Creation
x_mitre_data_sources[2] | Logon Session: Logon Session Creation | Web Credential: Web Credential Creation

[T1490] Inhibit System Recovery

Current version: 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-14 23:09:55.976000+00:00 | 2023-05-04 18:05:57.725000+00:00
x_mitre_contributors[2] | Pallavi Sivakumaran | Pallavi Sivakumaran, WithSecure
x_mitre_data_sources[0] | Command: Command Execution | Process: Process Creation
x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | Command: Command Execution
x_mitre_data_sources[3] | Process: Process Creation | Windows Registry: Windows Registry Key Modification
x_mitre_data_sources[5] | File: File Deletion | Service: Service Metadata
x_mitre_data_sources[6] | Service: Service Metadata | File: File Deletion

[T1556.008] Modify Authentication Process: Network Provider DLL

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-11 03:16:05.019000+00:00 | 2023-05-04 18:02:51.318000+00:00
x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Creation | File: File Creation
x_mitre_data_sources[3] | File: File Creation | Windows Registry: Windows Registry Key Creation
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | Jai Minton

ics-attack

Patches

[T0873] Project File Infection

Current version: 1.0


Old Description

Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [execution](http://attacksite.mitre.org/tactics/TA0104/) and [persistence](http://attacksite.mitre.org/tactics/TA0110/) techniques. (Citation: PLCdev)

Adversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)

New Description

Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev)

Adversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-03-09 18:38:51.471000+00:00 | 2023-05-08 18:58:24.092000+00:00
description | (see Old Description above) | (see New Description above)
x_mitre_attack_spec_version | 2.1.0 | 3.1.0

Software

enterprise-attack

Patches

[S1070] Black Basta

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-17 21:45:00.661000+00:00 | 2023-05-01 17:05:56.388000+00:00
x_mitre_contributors[2] | Inna Danilevich, U.S Bank | Inna Danilevich, U.S. Bank

[S0650] QakBot

Current version: 1.1

Details
values_changed
STIX Field | Old value | New Value
modified | 2023-04-14 14:37:59.896000+00:00 | 2023-05-01 17:05:20.902000+00:00
x_mitre_contributors[1] | Inna Danilevich, U.S Bank | Inna Danilevich, U.S. Bank