ATT&CK Changes Between v9.0 and v10.0

[T1619] Cloud Storage Object Discovery

Current version: 1.0

Description: Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure. Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .

[T1213.003] Data from Information Repositories: Code Repositories

Current version: 1.0

Description: Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)

[T1036.007] Masquerading: Double File Extension

Current version: 1.0

Description: Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension) Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.

[T1562.010] Impair Defenses: Downgrade Attack

Current version: 1.0

Description: Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018) Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)

[T1564.008] Hide Artifacts: Email Hiding Rules

Current version: 1.0

Description: Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule) Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account. Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)

[T1615] Group Policy Discovery

Current version: 1.0

Description: Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path \\SYSVOL\\Policies\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.

[T1027.006] Obfuscated Files or Information: HTML Smuggling

Current version: 1.0

Description: Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018) Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters. For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)

[T1505.004] Server Software Component: IIS Components

Current version: 1.0

Description: Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013) Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012) Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)

[T1547.015] Boot or Logon Autostart Execution: Login Items

Current version: 1.0

Description: Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications. Adversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as tell application “System Events” to make login item at end with properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)

[T1218.014] Signed Binary Proxy Execution: MMC

Current version: 1.0

Description: Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview) For example, mmc C:\Users\foo\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal) Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\path\to\test.msc.(Citation: abusing_com_reg)

[T1218.013] Signed Binary Proxy Execution: Mavinject

Current version: 1.0

Description: Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject) Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. In addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)

[T1620] Reflective Code Loading

Current version: 1.0

Description: Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)

[T1564.009] Hide Artifacts: Resource Forking

Current version: 1.0

Description: Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes) Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)

[T1562.009] Impair Defenses: Safe Mode Boot

Current version: 1.0

Description: Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019) Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021) Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)

[T1614.001] System Location Discovery: System Language Discovery

Current version: 1.0

Description: Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check) There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018) On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.

[T1557] Adversary-in-the-Middle

Current version: 2.0

Version changed from: 1.1 → 2.0

New Detections:

• DS0019: Service (Service Creation)
• DS0024: Windows Registry (Windows Registry Key Modification)
• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

[T1185] Browser Session Hijacking

Current version: 2.0

Version changed from: 1.0 → 2.0

New Detections:

• DS0009: Process (Process Access)
• DS0009: Process (Process Modification)
• DS0028: Logon Session (Logon Session Creation)

[T1557.002] Adversary-in-the-Middle: ARP Cache Poisoning

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

[T1583] Acquire Infrastructure

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0035: Internet Scan (Response Content)
• DS0035: Internet Scan (Response Metadata)
• DS0038: Domain Name (Active DNS)
• DS0038: Domain Name (Domain Registration)
• DS0038: Domain Name (Passive DNS)

[T1137.006] Office Application Startup: Add-ins

Current version: 1.1

Version changed from: 1.0 → 1.1

New Mitigations:

• M1040: Behavior Prevention on Endpoint

New Detections:

• DS0009: Process (Process Creation)
• DS0017: Command (Command Execution)
• DS0022: File (File Creation)
• DS0022: File (File Modification)
• DS0024: Windows Registry (Windows Registry Key Creation)
• DS0024: Windows Registry (Windows Registry Key Modification)

[T1055.004] Process Injection: Asynchronous Procedure Call

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0009: Process (OS API Execution)
• DS0009: Process (Process Access)
• DS0009: Process (Process Modification)

[T1053.001] Scheduled Task/Job: At (Linux)

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0003: Scheduled Job (Scheduled Job Creation)
• DS0009: Process (Process Creation)
• DS0017: Command (Command Execution)

[T1027.001] Obfuscated Files or Information: Binary Padding

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

• DS0022: File (File Metadata)

[T1110] Brute Force

Current version: 2.3

Version changed from: 2.2 → 2.3

New Detections:

• DS0002: User Account (User Account Authentication)
• DS0015: Application Log (Application Log Content)
• DS0017: Command (Command Execution)

[T1612] Build Image on Host

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0007: Image (Image Creation)
• DS0029: Network Traffic (Network Connection Creation)
• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

[T1592.004] Gather Victim Host Information: Client Configurations

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0035: Internet Scan (Response Content)

[T1078.004] Valid Accounts: Cloud Accounts

Current version: 1.3

Version changed from: 1.2 → 1.3

New Mitigations:

• M1017: User Training

New Detections:

• DS0002: User Account (User Account Authentication)
• DS0028: Logon Session (Logon Session Creation)
• DS0028: Logon Session (Logon Session Metadata)

[T1069.003] Permission Groups Discovery: Cloud Groups

Current version: 1.3

Version changed from: 1.2 → 1.3

New Detections:

• DS0009: Process (Process Creation)
• DS0015: Application Log (Application Log Content)
• DS0017: Command (Command Execution)
• DS0036: Group (Group Enumeration)
• DS0036: Group (Group Metadata)

[T1580] Cloud Infrastructure Discovery

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

• DS0010: Cloud Storage (Cloud Storage Enumeration)
• DS0010: Cloud Storage (Cloud Storage Metadata)
• DS0020: Snapshot (Snapshot Enumeration)
• DS0020: Snapshot (Snapshot Metadata)
• DS0030: Instance (Instance Enumeration)
• DS0030: Instance (Instance Metadata)
• DS0034: Volume (Volume Enumeration)
• DS0034: Volume (Volume Metadata)

[T1587.002] Develop Capabilities: Code Signing Certificates

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0004: Malware Repository (Malware Metadata)

[T1588.003] Obtain Capabilities: Code Signing Certificates

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0004: Malware Repository (Malware Metadata)

[T1059] Command and Scripting Interpreter

Current version: 2.2

Version changed from: 2.1 → 2.2

New Mitigations:

• M1040: Behavior Prevention on Endpoint

New Detections:

• DS0009: Process (Process Creation)
• DS0011: Module (Module Load)
• DS0012: Script (Script Execution)
• DS0017: Command (Command Execution)

[T1559.001] Inter-Process Communication: Component Object Model

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0009: Process (Process Creation)
• DS0011: Module (Module Load)
• DS0012: Script (Script Execution)

[T1586] Compromise Accounts

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0021: Persona (Social Media)
• DS0029: Network Traffic (Network Traffic Content)

[T1584] Compromise Infrastructure

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0035: Internet Scan (Response Content)
• DS0035: Internet Scan (Response Metadata)
• DS0038: Domain Name (Active DNS)
• DS0038: Domain Name (Domain Registration)
• DS0038: Domain Name (Passive DNS)

[T1053.007] Scheduled Task/Job: Container Orchestration Job

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0003: Scheduled Job (Scheduled Job Creation)
• DS0022: File (File Creation)
• DS0032: Container (Container Creation)

[T1134.002] Access Token Manipulation: Create Process with Token

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0009: Process (OS API Execution)
• DS0017: Command (Command Execution)

[T1053.003] Scheduled Task/Job: Cron

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0003: Scheduled Job (Scheduled Job Creation)
• DS0009: Process (Process Creation)
• DS0017: Command (Command Execution)
• DS0022: File (File Modification)

[T1584.002] Compromise Infrastructure: DNS Server

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0038: Domain Name (Active DNS)
• DS0038: Domain Name (Passive DNS)

[T1486] Data Encrypted for Impact

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

• M1040: Behavior Prevention on Endpoint

New Detections:

• DS0009: Process (Process Creation)
• DS0010: Cloud Storage (Cloud Storage Metadata)
• DS0010: Cloud Storage (Cloud Storage Modification)
• DS0017: Command (Command Execution)
• DS0022: File (File Creation)
• DS0022: File (File Modification)

[T1213] Data from Information Repositories

Current version: 3.2

Version changed from: 3.1 → 3.2

New Detections:

• DS0015: Application Log (Application Log Content)
• DS0028: Logon Session (Logon Session Creation)

[T1005] Data from Local System

Current version: 1.3

Version changed from: 1.2 → 1.3

New Mitigations:

• M1057: Data Loss Prevention

New Detections:

• DS0012: Script (Script Execution)
• DS0017: Command (Command Execution)
• DS0022: File (File Access)

[T1025] Data from Removable Media

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

• M1057: Data Loss Prevention

New Detections:

• DS0017: Command (Command Execution)
• DS0022: File (File Access)

[T1591.001] Gather Victim Org Information: Determine Physical Locations

Current version: 1.1

Version changed from: 1.0 → 1.1

[T1587] Develop Capabilities

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0004: Malware Repository (Malware Content)
• DS0004: Malware Repository (Malware Metadata)
• DS0035: Internet Scan (Response Content)

[T1588.004] Obtain Capabilities: Digital Certificates

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

• DS0035: Internet Scan (Response Content)
• DS0037: Certificate (Certificate Registration)

[T1587.003] Develop Capabilities: Digital Certificates

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

• DS0035: Internet Scan (Response Content)

[T1562.002] Impair Defenses: Disable Windows Event Logging

Current version: 1.1

Version changed from: 1.0 → 1.1

New Mitigations:

• M1047: Audit

New Detections:

• DS0009: Process (Process Creation)
• DS0012: Script (Script Execution)
• DS0013: Sensor Health (Host Status)
• DS0015: Application Log (Application Log Content)
• DS0017: Command (Command Execution)
• DS0024: Windows Registry (Windows Registry Key Creation)

[T1562.001] Impair Defenses: Disable or Modify Tools

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

• DS0009: Process (Process Termination)
• DS0013: Sensor Health (Host Status)
• DS0017: Command (Command Execution)
• DS0019: Service (Service Metadata)
• DS0024: Windows Registry (Windows Registry Key Deletion)
• DS0024: Windows Registry (Windows Registry Key Modification)

[T1021.003] Remote Services: Distributed Component Object Model

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0009: Process (Process Creation)
• DS0011: Module (Module Load)
• DS0029: Network Traffic (Network Connection Creation)

[T1078.002] Valid Accounts: Domain Accounts

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

• M1017: User Training

New Detections:

• DS0002: User Account (User Account Authentication)
• DS0028: Logon Session (Logon Session Creation)
• DS0028: Logon Session (Logon Session Metadata)

[T1583.001] Acquire Infrastructure: Domains

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0038: Domain Name (Active DNS)
• DS0038: Domain Name (Domain Registration)
• DS0038: Domain Name (Passive DNS)

[T1584.001] Compromise Infrastructure: Domains

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0038: Domain Name (Active DNS)
• DS0038: Domain Name (Domain Registration)
• DS0038: Domain Name (Passive DNS)

[T1189] Drive-by Compromise

Current version: 1.3

Version changed from: 1.2 → 1.3

New Detections:

• DS0009: Process (Process Creation)
• DS0015: Application Log (Application Log Content)
• DS0022: File (File Creation)
• DS0029: Network Traffic (Network Connection Creation)
• DS0029: Network Traffic (Network Traffic Content)

[T1608.004] Stage Capabilities: Drive-by Target

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0035: Internet Scan (Response Content)

[T1559.002] Inter-Process Communication: Dynamic Data Exchange

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0009: Process (Process Creation)
• DS0011: Module (Module Load)
• DS0012: Script (Script Execution)

[T1055.001] Process Injection: Dynamic-link Library Injection

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0009: Process (OS API Execution)
• DS0009: Process (Process Access)
• DS0009: Process (Process Modification)
• DS0011: Module (Module Load)

[T1114] Email Collection

Current version: 2.3

Version changed from: 2.2 → 2.3

New Detections:

• DS0015: Application Log (Application Log Content)
• DS0017: Command (Command Execution)
• DS0022: File (File Access)
• DS0028: Logon Session (Logon Session Creation)
• DS0029: Network Traffic (Network Connection Creation)

[T1114.003] Email Collection: Email Forwarding Rule

Current version: 1.2

Version changed from: 1.1 → 1.2

New Mitigations:

• M1042: Disable or Remove Feature or Program

New Detections:

• DS0015: Application Log (Application Log Content)

[T1611] Escape to Host

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0009: Process (OS API Execution)
• DS0009: Process (Process Creation)
• DS0032: Container (Container Creation)

[T1585] Establish Accounts

Current version: 1.2

Version changed from: 1.1 → 1.2

New Detections:

• DS0021: Persona (Social Media)
• DS0029: Network Traffic (Network Traffic Content)

[T1098.002] Account Manipulation: Exchange Email Delegate Permissions

Current version: 1.1

Version changed from: 1.0 → 1.1

New Detections:

• DS0002: User Account (User Account Modification)
• DS0015: Application Log (Application Log Content)
• DS0036: Group (Group Modification)

[T1048] Exfiltration Over Alternative Protocol

Current version: 1.3

Version changed from: 1.2 → 1.3

New Mitigations:

• M1057: Data Loss Prevention

New Detections:

• DS0017: Command (Command Execution)
• DS0022: File (File Access)
• DS0029: Network Traffic (Network Connection Creation)
• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

[T1048.002] Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Current version: 1.1

Version changed from: 1.0 → 1.1

New Mitigations:

• M1057: Data Loss Prevention

New Detections:

• DS0017: Command (Command Execution)
• DS0022: File (File Access)
• DS0029: Network Traffic (Network Connection Creation)
• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

[T1041] Exfiltration Over C2 Channel

Current version: 2.1

Version changed from: 2.0 → 2.1

New Mitigations:

• M1057: Data Loss Prevention

New Detections:

• DS0017: Command (Command Execution)
• DS0022: File (File Access)
• DS0029: Network Traffic (Network Connection Creation)
• DS0029: Network Traffic (Network Traffic Content)
• DS0029: Network Traffic (Network Traffic Flow)

[T1052] Exfiltration Over Physical Medium