ATT&CK Changes Between v17.1 and v18.0

[T1518.002] Software Discovery: Backup Software Discovery

Current version: 1.0

Description:

Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape follow-on behaviors, such as Data Destruction, Inhibit System Recovery, or Data Encrypted for Impact.

Commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for, such as Veeam, Acronis, Dropbox, or Paragon.(Citation: Symantec Play Ransomware 2023)

[T1036.012] Masquerading: Browser Fingerprint

Current version: 1.0

Description:

Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.(Citation: Mozilla User Agent)

Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)

[T1059.013] Command and Scripting Interpreter: Container CLI/API

Current version: 1.0

Description:

Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments.

The Docker CLI is used for managing containers via an exposed API point from the dockerd daemon. Some common examples of Docker CLI include Docker Desktop CLI and Docker Compose, but users are also able to use SDKs to interact with the API. For example, Docker SDK for Python can be used to run commands within a Python application.(Citation: Docker Desktop CLI)

Adversaries may leverage the Docker CLI, API, or SDK to pull or build Docker images (i.e., Ingress Tool Transfer, Build Image on Host), run containers (i.e., Deploy Container), or execute commands inside running containers (i.e., Container Administration Command). In some cases, threat actors may pull legitimate images that include scripts or tools that they can leverage - for example, using an image that includes the curl command to download payloads.(Citation: Intezer) Adversaries may also utilize docker inspect and docker ps to scan for cloud environment variables and other running containers (i.e., Container and Resource Discovery).(Citation: Cisco Talos Blog)(Citation: aquasec)

Kubernetes is responsible for the management and orchestration of containers across clusters. The Kubernetes control plane, which manages the state of the cluster and is responsible for scheduling, communication, and resource monitoring, can be invoked directly via the API or indirectly via CLI tools such as kubectl. It may also be accessed within client libraries such as Go or Python. By utilizing the API, administrators can interact with resources within the cluster such as listing or creating pods, which is a group of one or more containers. Adversaries call the API server via curl or other tools, allowing them to obtain further information about the environment such as pods, deployments, daemonsets, namespaces, or sysvars.(Citation: aquasec) They may also run various commands regarding resource management.

[T1213.006] Data from Information Repositories: Databases

Current version: 1.0

Description:

Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments).

Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Data collected from databases may be used for Lateral Movement, Command and Control, or Exfiltration. Data exfiltrated from databases may also be used to extort victims or may be sold for profit.(Citation: Google Cloud Threat Intelligence UNC5537 Snowflake 2024)

[T1678] Delay Execution

Current version: 1.0

Description:

Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems.

Adversaries may utilize programmatic sleep commands or native system scheduling functionality, for example Scheduled Task/Job. Benign commands or other operations may also be used to delay malware execution or ensure prior commands have had time to execute properly. Loops or otherwise needless repetitions of commands, such as ping, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)

[T1562.013] Impair Defenses: Disable or Modify Network Device Firewall

Current version: 1.0

Description:

Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.

Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions.(Citation: Exposed Fortinet Fortigate firewall interface leads to LockBit Ransomware)

Adversaries may gain access to the firewall management console via Valid Accounts or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet Exploit Public-Facing Application.(Citation: CVE-2024-55591 Detail)

[T1680] Local Storage Discovery

Current version: 1.0

Description:

Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform Lateral Movement, or as a precursor to Direct Volume Access.

On ESXi systems, adversaries may use Hypervisor CLI commands such as esxcli to list storage connected to the host as well as .vmdk files.(Citation: TrendMicro)(Citation: TrendMicro ESXI Ransomware)

On Windows systems, adversaries can use wmic logicaldisk get to find information about local network drives. They can also use Get-PSDrive in PowerShell to retrieve drives and may additionally use Windows API functions such as GetDriveType.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Volexity)

Linux has commands such as parted, lsblk, fdisk, lshw, and df that can list information about disk partitions such as size, type, file system types, and free space. The command diskutil on MacOS can be used to list disks while system_profiler SPStorageDataType can additionally show information such as a volume’s mount path, file system, and the type of drive in the system.

Infrastructure as a Service (IaaS) cloud providers also have commands for storage discovery such as describe volume in AWS, gcloud compute disks list in GCP, and az disk list in Azure.(Citation: AWS docs describe volumes)(Citation: GCP gcloud compute disks list)(Citation: azure az disk)

[T1204.005] User Execution: Malicious Library

Current version: 1.0

Description:

Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may Upload Malware to package managers such as NPM and PyPi, as well as to public code repositories such as GitHub. User may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency.(Citation: Datadog Security Labs Malicious PyPi Packages 2024)(Citation: Fortinet Malicious NPM Packages 2023)

In some cases, threat actors may compromise and backdoor existing popular libraries (i.e., Compromise Software Dependencies and Development Tools). Alternatively, they may create entirely new packages and leverage behaviors such as typosquatting to encourage users to install them.

[T1677] Poisoned Pipeline Execution

Current version: 1.0

Description:

Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process. There are several mechanisms for poisoning pipelines:

• In a Direct Pipeline Execution scenario, the threat actor directly modifies the CI configuration file (e.g., gitlab-ci.yml in GitLab). They may include a command to exfiltrate credentials leveraged in the build process to a remote server, or to export them as a workflow artifact.(Citation: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025)(Citation: OWASP CICD-SEC-4)
• In an Indirect Pipeline Execution scenario, the threat actor injects malicious code into files referenced by the CI configuration file. These may include makefiles, scripts, unit tests, and linters.(Citation: OWASP CICD-SEC-4)
• In a Public Pipeline Execution scenario, the threat actor does not have direct access to the repository but instead creates a malicious pull request from a fork that triggers a part of the CI/CD pipeline. For example, in GitHub Actions, the pull_request_target trigger allows workflows running from forked repositories to access secrets. If this trigger is combined with an explicit pull request checkout and a location for a threat actor to insert malicious code (e.g., an npm build command), a threat actor may be able to leak pipeline credentials.(Citation: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025)(Citation: GitHub Security Lab GitHub Actions Security 2021) Similarly, threat actors may craft pull requests with malicious inputs (such as branch names) if the build pipeline treats those inputs as trusted.(Citation: Wiz Ultralytics AI Library Hijack 2024)(Citation: Synactiv Hijacking GitHub Runners)(Citation: GitHub Security Labs GitHub Actions Security Part 2 2021) Finally, if a pipeline leverages a self-hosted runner, a threat actor may be able to execute arbitrary code on a host inside the organization’s network.(Citation: John Stawinski PyTorch Supply Chain Attack 2024)

By poisoning CI/CD pipelines, threat actors may be able to gain access to credentials, laterally move to additional hosts, or input malicious components to be shipped further down the pipeline (i.e., Supply Chain Compromise).

[T1546.018] Event Triggered Execution: Python Startup Hooks

Current version: 1.0

Description:

Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (.pth) files and the sitecustomize.py or usercustomize.py modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked.(Citation: Volexity GlobalProtect CVE 2024)

Path configuration files are designed to extend Python’s module search paths through the use of import statements. If a .pth file is placed in Python's site-packages or dist-packages directories, any lines beginning with import will be executed automatically on Python invocation.(Citation: DFIR Python Persistence 2025) Similarly, if sitecustomize.py or usercustomize.py is present in the Python path, these files will be imported during interpreter startup, and any code they contain will be executed.(Citation: Python Site Configuration Hook)

Adversaries may abuse these mechanisms to establish persistence on systems where Python is widely used (e.g., for automation or scripting in production environments).

[T1681] Search Threat Vendor Data

Current version: 1.0

Description:

Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. These reports may include descriptions of behavior, detailed breakdowns of attacks, atomic indicators such as malware hashes or IP addresses, timelines of a group’s activity, and more. Adversaries may change their behavior when planning their future operations.

Adversaries have been observed replacing atomic indicators mentioned in blog posts in under a week.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) Adversaries have also been seen searching for their own domain names in threat vendor data and then taking them down, likely to avoid seizure or further investigation.(Citation: Sentinel One Contagious Interview ClickFix September 2025)

This technique is distinct from Threat Intel Vendors in that it describes threat actors performing reconnaissance on their own activity, not in search of victim information.

[T1679] Selective Exclusion

Current version: 1.0

Description:

Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some file extensions that adversaries may avoid encrypting include .dll, .exe, and .lnk.(Citation: Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024)

Adversaries may perform this behavior to avoid alerting users, to evade detection by security tools and analysts, or, in the case of ransomware, to ensure that the system remains operational enough to deliver the ransom notice.

Exclusions may target files and components whose corruption would cause instability, break core services, or immediately expose the attack. By carefully avoiding these areas, adversaries maintain system responsiveness while minimizing indicators that could trigger alarms or otherwise inhibit achieving their goals.

[T1552.003] Unsecured Credentials: Shell History

Current version: 2.0

Version changed from: 1.2 → 2.0

Dropped Detections (Data Components -> Technique):

• DS0017: Command (Command Execution)
• DS0022: File (File Access)

New Detections (Detection Strategies -> Technique):

• DET0385: Detect Access and Parsing of .bash_history Files for Credential Harvesting

[T1082] System Information Discovery

Current version: 3.0

Version changed from: 2.6 → 3.0

Dropped Detections (Data Components -> Technique):

• DS0009: Process (OS API Execution)
• DS0009: Process (Process Creation)
• DS0017: Command (Command Execution)

New Detections (Detection Strategies -> Technique):

• DET0525: System Discovery via Native and Remote Utilities

[T1597.001] Search Closed Sources: Threat Intel Vendors

Current version: 2.0

Version changed from: 1.0 → 2.0

New Detections (Detection Strategies -> Technique):

• DET0816: Detection of Threat Intel Vendors

[T1497.003] Virtualization/Sandbox Evasion: Time Based Checks

Current version: 2.0

Version changed from: 1.3 → 2.0

Dropped Detections (Data Components -> Technique):

• DS0009: Process (OS API Execution)
• DS0009: Process (Process Creation)
• DS0017: Command (Command Execution)

New Detections (Detection Strategies -> Technique):

• DET0141: Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution

[T1531] Account Access Removal

Current version: 1.5

Version changed from: 1.4 → 1.5

Dropped Detections (Data Components -> Technique):

• DS0002: User Account (User Account Deletion)
• DS0002: User Account (User Account Modification)
• DS0026: Active Directory (Active Directory Object Modification)

New Detections (Detection Strategies -> Technique):

• DET0120: Account Access Removal via Multi-Platform Audit Correlation

[T1583] Acquire Infrastructure

Current version: 1.5

Version changed from: 1.4 → 1.5

Dropped Detections (Data Components -> Technique):

• DS0035: Internet Scan (Response Content)
• DS0035: Internet Scan (Response Metadata)
• DS0038: Domain Name (Active DNS)
• DS0038: Domain Name (Domain Registration)
• DS0038: Domain Name (Passive DNS)

New Detections (Detection Strategies -> Technique):

• DET0895: Detection of Acquire Infrastructure

[T1098.007] Account Manipulation: Additional Local or Domain Groups

Current version: 1.1

Version changed from: 1.0 → 1.1

Dropped Detections (Data Components -> Technique):

• DS0002: User Account (User Account Modification)

New Detections (Detection Strategies -> Technique):

• DET0310: Suspicious Addition to Local or Domain Groups

[T1583.005] Acquire Infrastructure: Botnet

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections (Detection Strategies -> Technique):

• DET0837: Detection of Botnet

[T1176.001] Software Extensions: Browser Extensions

Current version: 1.1

Version changed from: 1.0 → 1.1

Dropped Detections (Data Components -> Technique):

• DS0009: Process (Process Creation)
• DS0017: Command (Command Execution)
• DS0022: File (File Creation)
• DS0024: Windows Registry (Windows Registry Key Creation)
• DS0029: Network Traffic (Network Connection Creation)

New Detections (Detection Strategies -> Technique):

• DET0044: Detecting Malicious Browser Extensions Across Platforms

[T1110] Brute Force

Current version: 2.8

Version changed from: 2.7 → 2.8

Dropped Detections (Data Components -> Technique):

• DS0002: User Account (User Account Authentication)
• DS0015: Application Log (Application Log Content)
• DS0017: Command (Command Execution)

New Detections (Detection Strategies -> Technique):

• DET0463: Brute Force Authentication Failures with Multi-Platform Log Correlation

[T1546.015] Event Triggered Execution: Component Object Model Hijacking

Current version: 1.3

Version changed from: 1.2 → 1.3

Dropped Detections (Data Components -> Technique):

• DS0009: Process (Process Creation)
• DS0011: Module (Module Load)
• DS0017: Command (Command Execution)
• DS0024: Windows Registry (Windows Registry Key Modification)

New Detections (Detection Strategies -> Technique):

• DET0481: Windows COM Hijacking Detection via Registry and DLL Load Correlation

[T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Current version: 1.3

Version changed from: 1.2 → 1.3

Dropped Detections (Data Components -> Technique):

• DS0022: File (File Metadata)

New Detections (Detection Strategies -> Technique):

• DET0009: Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress)

[T1574.001] Hijack Execution Flow: DLL

Current version: 2.1

Version changed from: 2.0 → 2.1

Dropped Detections (Data Components -> Technique):

• DS0009: Process (Process Creation)
• DS0011: Module (Module Load)
• DS0022: File (File Creation)
• DS0022: File (File Modification)

New Detections (Detection Strategies -> Technique):

• DET0201: Detection Strategy for Hijack Execution Flow for DLLs

[T1071.004] Application Layer Protocol: DNS

Current version: 1.4

Version changed from: 1.3 → 1.4

Dropped Detections (Data Components -> Technique):

• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

New Detections (Detection Strategies -> Technique):

• DET0400: Behavioral Detection of DNS Tunneling and Application Layer Abuse

[T1584.002] Compromise Infrastructure: DNS Server

Current version: 1.3

Version changed from: 1.2 → 1.3

Dropped Detections (Data Components -> Technique):

• DS0038: Domain Name (Active DNS)
• DS0038: Domain Name (Passive DNS)

New Detections (Detection Strategies -> Technique):

• DET0891: Detection of DNS Server

[T1005] Data from Local System

Current version: 1.8

Version changed from: 1.7 → 1.8

Dropped Detections (Data Components -> Technique):

• DS0009: Process (OS API Execution)
• DS0009: Process (Process Creation)
• DS0012: Script (Script Execution)
• DS0017: Command (Command Execution)
• DS0022: File (File Access)

New Detections (Detection Strategies -> Technique):

• DET0380: Detection of Local Data Collection Prior to Exfiltration

[T1098.005] Account Manipulation: Device Registration

Current version: 1.4

Version changed from: 1.3 → 1.4

Dropped Detections (Data Components -> Technique):

• DS0002: User Account (User Account Modification)
• DS0015: Application Log (Application Log Content)
• DS0026: Active Directory (Active Directory Object Creation)

New Detections (Detection Strategies -> Technique):

• DET0036: Suspicious Device Registration via Entra ID or MFA Platform

[T1562.001] Impair Defenses: Disable or Modify Tools

Current version: 1.7

Version changed from: 1.6 → 1.7

Dropped Detections (Data Components -> Technique):

• DS0009: Process (Process Creation)
• DS0009: Process (Process Termination)
• DS0013: Sensor Health (Host Status)
• DS0017: Command (Command Execution)
• DS0019: Service (Service Metadata)
• DS0024: Windows Registry (Windows Registry Key Deletion)
• DS0024: Windows Registry (Windows Registry Key Modification)
• DS0027: Driver (Driver Load)

New Detections (Detection Strategies -> Technique):

• DET0497: Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms.

[T1589.002] Gather Victim Identity Information: Email Addresses

Current version: 1.3

Version changed from: 1.2 → 1.3

Dropped Detections (Data Components -> Technique):

• DS0029: Network Traffic (Network Traffic Content)

New Detections (Detection Strategies -> Technique):

• DET0814: Detection of Email Addresses

[T1672] Email Spoofing

Current version: 1.1

Version changed from: 1.0 → 1.1

Dropped Detections (Data Components -> Technique):

• DS0015: Application Log (Application Log Content)

New Detections (Detection Strategies -> Technique):

• DET0431: Detection Strategy for Email Spoofing

[T1190] Exploit Public-Facing Application

Current version: 2.8

Version changed from: 2.7 → 2.8

New Mitigations:

• M1037: Filter Network Traffic

Dropped Detections (Data Components -> Technique):

• DS0015: Application Log (Application Log Content)
• DS0029: Network Traffic (Network Traffic Content)

New Detections (Detection Strategies -> Technique):

• DET0080: Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress)

[T1090.002] Proxy: External Proxy

Current version: 1.3

Version changed from: 1.2 → 1.3

Dropped Detections (Data Components -> Technique):

• DS0029: Network Traffic (Network Connection Creation)
• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

New Detections (Detection Strategies -> Technique):

• DET0325: External Proxy Behavior via Outbound Relay to Intermediate Infrastructure

[T1133] External Remote Services

Current version: 2.5

Version changed from: 2.4 → 2.5

New Mitigations:

• M1021: Restrict Web-Based Content

Dropped Detections (Data Components -> Technique):

• DS0015: Application Log (Application Log Content)
• DS0028: Logon Session (Logon Session Metadata)
• DS0029: Network Traffic (Network Connection Creation)
• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

New Detections (Detection Strategies -> Technique):

• DET0354: Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers

[T1071.002] Application Layer Protocol: File Transfer Protocols

Current version: 1.4

Version changed from: 1.3 → 1.4

New Mitigations:

• M1037: Filter Network Traffic

Dropped Detections (Data Components -> Technique):

• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

New Detections (Detection Strategies -> Technique):

• DET0416: Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP)

[T1027.011] Obfuscated Files or Information: Fileless Storage

Current version: 2.1

Version changed from: 2.0 → 2.1

Dropped Detections (Data Components -> Technique):

• DS0005: WMI (WMI Creation)
• DS0009: Process (Process Creation)
• DS0024: Windows Registry (Windows Registry Key Creation)

New Detections (Detection Strategies -> Technique):

• DET0344: Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory

[T1187] Forced Authentication

Current version: 1.4

Version changed from: 1.3 → 1.4

Dropped Detections (Data Components -> Technique):

• DS0022: File (File Access)
• DS0022: File (File Creation)
• DS0022: File (File Modification)
• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

New Detections (Detection Strategies -> Technique):

• DET0022: Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM

[T1027.006] Obfuscated Files or Information: HTML Smuggling

Current version: 1.3

Version changed from: 1.2 → 1.3

Dropped Detections (Data Components -> Technique):

• DS0022: File (File Creation)

New Detections (Detection Strategies -> Technique):

• DET0313: Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop

[T1564.001] Hide Artifacts: Hidden Files and Directories

Current version: 1.2

Version changed from: 1.1 → 1.2

Dropped Detections (Data Components -> Technique):

• DS0009: Process (Process Creation)
• DS0017: Command (Command Execution)
• DS0022: File (File Creation)
• DS0022: File (File Metadata)

New Detections (Detection Strategies -> Technique):

• DET0032: Detection Strategy for Hidden Files and Directories