ATT&CK Changes Between v15.1 and v16.0

[T1098.007] Account Manipulation: Additional Local or Domain Groups

Current version: 1.0

Description: An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod) For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003) for elevated privileges. In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)

[T1496.002] Resource Hijacking: Bandwidth Hijacking

Current version: 1.0

Description: Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage in internet-wide scanning in order to identify additional targets for compromise.(Citation: Unit 42 Leaked Environment Variables 2024) In addition to incurring potential financial costs or availability disruptions, this technique may cause reputational damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig Proxyjacking)

[T1558.005] Steal or Forge Kerberos Tickets: Ccache Files

Current version: 1.0

Description: Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for short term storage of a user's active session credentials. The ccache file is created upon user authentication and allows for access to multiple services without the user having to re-enter credentials. The /etc/krb5.conf configuration file and the KRB5CCNAME environment variable are used to set the storage location for ccache entries. On Linux, credentials are typically stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`. On macOS, ccache entries are stored by default in memory with an `API:{uuid}` naming scheme. Typically, users interact with ticket storage using kinit, which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist, which lists obtained tickets currently held in the credentials cache; and other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense Kerberos Linux) Adversaries can collect tickets from ccache files stored on disk and authenticate as the current user without their password to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks. Adversaries can also use these tickets to impersonate legitimate users with elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004). Tools like Kekeo can also be used by adversaries to convert ccache files to Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008). On macOS, adversaries may use open-source tools or the Kerberos framework to interact with ccache files and extract TGTs or Service Tickets via lower-level APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)

[T1127.002] Trusted Developer Utilities Proxy Execution: ClickOnce

Current version: 1.0

Description: Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce) Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges. ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce) Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe) Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)

[T1496.004] Resource Hijacking: Cloud Service Hijacking

Current version: 1.0

Description: Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability. For example, adversaries may leverage email and messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), SendGrid, and Twilio, in order to send large quantities of spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking 2024) In some cases, adversaries may leverage services that the victim is already using. In others, particularly when the service is part of a larger cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking 2024) Leveraging SaaS applications may cause the victim to incur significant financial costs, use up service quotas, and otherwise impact availability.

[T1496.001] Resource Hijacking: Compute Hijacking

Current version: 1.0

Description: Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. One common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001) is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001) and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)

[T1213.004] Data from Information Repositories: Customer Relationship Management Software

Current version: 1.0

Description: Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data. Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020) CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.

[T1557.004] Adversary-in-the-Middle: Evil Twin

Current version: 1.0

Description: Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia ‘Evil Twin’) By using a Service Set Identifier (SSID) of a legitimate Wi-Fi network, fraudulent Wi-Fi access points may trick devices or users into connecting to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium evil twin) Adversaries may provide a stronger signal strength or block access to Wi-Fi access points to coerce or entice victim devices into connecting to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple – a network security auditing and penetration testing tool – may be deployed in Evil Twin attacks for ease of use and broader range. Custom certificates may be used in an attempt to intercept HTTPS traffic. Similarly, adversaries may also listen for client devices sending probe requests for known or previously connected networks (Preferred Network Lists or PNLs). When a malicious access point receives a probe request, adversaries can respond with the same SSID to imitate the trusted, known network.(Citation: specter ops evil twin) Victim devices are led to believe the responding access point is from their PNL and initiate a connection to the fraudulent network. Upon logging into the malicious Wi-Fi access point, a user may be directed to a fake login page or captive portal webpage to capture the victim’s credentials. Once a user is logged into the fraudulent Wi-Fi network, the adversary may able to monitor network activity, manipulate data, or steal additional credentials. Locations with high concentrations of public Wi-Fi access, such as airports, coffee shops, or libraries, may be targets for adversaries to set up illegitimate Wi-Fi access points.

[T1485.001] Data Destruction: Lifecycle-Triggered Deletion

Current version: 1.0

Description: Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once. For example, in AWS environments, an adversary with the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle` API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657), adversaries may also perform this action on buckets storing cloud logs for [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation: Datadog S3 Lifecycle CloudTrail Logs)

[T1059.011] Command and Scripting Interpreter: Lua

Current version: 1.0

Description: Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).(Citation: Lua main page)(Citation: Lua state) Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)

[T1036.010] Masquerading: Masquerade Account Name

Current version: 1.0

Description: Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023) Often, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). Note that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656), which describes impersonating specific trusted individuals or organizations, rather than user or service account names.

[T1213.005] Data from Information Repositories: Messaging Applications

Current version: 1.0

Description: Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications: * Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008)) * Source code snippets * Links to network shares and other internal resources * Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022) * Discussions about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker 2021)(Citation: Microsoft DEV-0537) In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.(Citation: Sentinel Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)

[T1666] Modify Cloud Resource Hierarchy

Current version: 1.0

Description: Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources) Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022) In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)

[T1480.002] Execution Guardrails: Mutual Exclusion

Current version: 1.0

Description: Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes) While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012) In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023) Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)

[T1027.014] Obfuscated Files or Information: Polymorphic Code

Current version: 1.0

Description: Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone) Other obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)

[T1071.005] Application Layer Protocol: Publish/Subscribe Protocols

Current version: 1.0

Description: Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design, with message distribution managed by a centralized broker.(Citation: wailing crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their messages by topics, while subscribers receive messages according to their subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse publish/subscribe protocols to communicate with systems under their control from behind a message broker while also mimicking normal, expected traffic.

[T1070.010] Indicator Removal: Relocate Malware

Current version: 1.0

Description: Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts. Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024) Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.

[T1496.003] Resource Hijacking: SMS Pumping

Current version: 1.0

Description: Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud) Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)

[T1546.017] Event Triggered Execution: Udev Rules

Current version: 1.0

Description: Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024) Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)

[T1027.011] Obfuscated Files or Information: Fileless Storage

Current version: 2.0

Version changed from: 1.0 → 2.0

New Detections:

• DS0009: Process (Process Creation)

[T1578.005] Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1001.003] Data Obfuscation: Protocol or Service Impersonation

Current version: 2.0

Version changed from: 1.0 → 2.0

[T1496] Resource Hijacking

Current version: 2.0

Version changed from: 1.5 → 2.0

New Detections:

• DS0015: Application Log (Application Log Content)
• DS0025: Cloud Service (Cloud Service Modification)

[T1003.008] OS Credential Dumping: /etc/passwd and /etc/shadow

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1558.004] Steal or Forge Kerberos Tickets: AS-REP Roasting

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1548] Abuse Elevation Control Mechanism

Current version: 1.4

Version changed from: 1.3 → 1.4

[T1531] Account Access Removal

Current version: 1.3

Version changed from: 1.2 → 1.3

[T1087] Account Discovery

Current version: 2.5

Version changed from: 2.4 → 2.5

[T1098] Account Manipulation

Current version: 2.7

Version changed from: 2.6 → 2.7

New Mitigations:

• M1022: Restrict File and Directory Permissions
• M1042: Disable or Remove Feature or Program

[T1137.006] Office Application Startup: Add-ins

Current version: 1.2

Version changed from: 1.1 → 1.2

[T1098.001] Account Manipulation: Additional Cloud Credentials

Current version: 2.8

Version changed from: 2.7 → 2.8

New Mitigations:

• M1042: Disable or Remove Feature or Program

New Detections:

• DS0026: Active Directory (Active Directory Object Creation)
• DS0026: Active Directory (Active Directory Object Modification)

[T1098.003] Account Manipulation: Additional Cloud Roles

Current version: 2.5

Version changed from: 2.4 → 2.5

[T1098.002] Account Manipulation: Additional Email Delegate Permissions

Current version: 2.2

Version changed from: 2.1 → 2.2

[T1550.001] Use Alternate Authentication Material: Application Access Token

Current version: 1.7

Version changed from: 1.6 → 1.7

New Mitigations:

• M1036: Account Use Policies

[T1499.003] Endpoint Denial of Service: Application Exhaustion Flood

Current version: 1.3

Version changed from: 1.2 → 1.3

[T1071] Application Layer Protocol

Current version: 2.3

Version changed from: 2.2 → 2.3

[T1499.004] Endpoint Denial of Service: Application or System Exploitation

Current version: 1.3

Version changed from: 1.2 → 1.3

[T1053.002] Scheduled Task/Job: At

Current version: 2.3

Version changed from: 2.2 → 2.3

[T1119] Automated Collection

Current version: 1.3

Version changed from: 1.2 → 1.3

New Detections:

• DS0002: User Account (User Account Authentication)

[T1552.003] Unsecured Credentials: Bash History

Current version: 1.2

Version changed from: 1.1 → 1.2

[T1110] Brute Force

Current version: 2.6

Version changed from: 2.5 → 2.6

[T1552.008] Unsecured Credentials: Chat Messages

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1070.008] Indicator Removal: Clear Mailbox Data

Current version: 1.2

Version changed from: 1.1 → 1.2

[T1059.009] Command and Scripting Interpreter: Cloud API

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1087.004] Account Discovery: Cloud Account

Current version: 1.3

Version changed from: 1.2 → 1.3

[T1136.003] Create Account: Cloud Account

Current version: 1.6

Version changed from: 1.5 → 1.6

[T1078.004] Valid Accounts: Cloud Accounts

Current version: 1.8

Version changed from: 1.7 → 1.8

[T1586.003] Compromise Accounts: Cloud Accounts

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1069.003] Permission Groups Discovery: Cloud Groups

Current version: 1.5

Version changed from: 1.4 → 1.5

[T1538] Cloud Service Dashboard

Current version: 1.4

Version changed from: 1.3 → 1.4

[T1526] Cloud Service Discovery

Current version: 1.4

Version changed from: 1.3 → 1.4

New Detections:

• DS0028: Logon Session (Logon Session Creation)

[T1021.007] Remote Services: Cloud Services

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1213.003] Data from Information Repositories: Code Repositories

Current version: 1.2

Version changed from: 1.1 → 1.2

[T1059] Command and Scripting Interpreter

Current version: 2.5

Version changed from: 2.4 → 2.5

New Mitigations:

• M1033: Limit Software Installation
• M1047: Audit

[T1027.004] Obfuscated Files or Information: Compile After Delivery

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1554] Compromise Host Software Binary

Current version: 2.1

Version changed from: 2.0 → 2.1

[T1556.009] Modify Authentication Process: Conditional Access Policies

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1213.001] Data from Information Repositories: Confluence

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1136] Create Account

Current version: 2.5

Version changed from: 2.4 → 2.5

[T1578.002] Modify Cloud Compute Infrastructure: Create Cloud Instance

Current version: 1.2

Version changed from: 1.1 → 1.2

[T1578.001] Modify Cloud Compute Infrastructure: Create Snapshot

Current version: 1.2

Version changed from: 1.1 → 1.2

[T1056.004] Input Capture: Credential API Hooking

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1110.004] Brute Force: Credential Stuffing

Current version: 1.6

Version changed from: 1.5 → 1.6

[T1589.001] Gather Victim Identity Information: Credentials

Current version: 1.2

Version changed from: 1.1 → 1.2

[T1555.003] Credentials from Password Stores: Credentials from Web Browsers

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

• M1017: User Training
• M1018: User Account Management
• M1021: Restrict Web-Based Content
• M1051: Update Software

[T1053.003] Scheduled Task/Job: Cron

Current version: 1.2

Version changed from: 1.1 → 1.2

[T1003.006] OS Credential Dumping: DCSync

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1574.001] Hijack Execution Flow: DLL Search Order Hijacking

Current version: 1.3

Version changed from: 1.2 → 1.3

[T1590.002] Gather Victim Network Information: DNS

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

• M1054: Software Configuration

Dropped Mitigations:

• M1056: Pre-compromise

[T1485] Data Destruction

Current version: 1.3

Version changed from: 1.2 → 1.3

New Mitigations:

• M1018: User Account Management
• M1032: Multi-factor Authentication

New Detections:

• DS0010: Cloud Storage (Cloud Storage Modification)

[T1530] Data from Cloud Storage

Current version: 2.2

Version changed from: 2.1 → 2.2

New Detections:

• DS0025: Cloud Service (Cloud Service Metadata)

[T1213] Data from Information Repositories

Current version: 3.4

Version changed from: 3.3 → 3.4

New Mitigations:

• M1041: Encrypt Sensitive Information
• M1054: Software Configuration
• M1060: Out-of-Band Communications Channel

[T1078.001] Valid Accounts: Default Accounts

Current version: 1.4

Version changed from: 1.3 → 1.4

New Mitigations:

• M1032: Multi-factor Authentication