Updates - April 2025

Version      Start Date       End Date                    Data                  Changelogs
ATT&CK v17   April 22, 2025   Current version of ATT&CK   v17.0 on MITRE/CTI    16.1 - 17.0 Details (JSON)
                                                          v17.1 on MITRE/CTI    17.0 - 17.1 Details (JSON)

The April 2025 (v17) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS.

The biggest changes in ATT&CK v17 are the addition of an ESXi platform to ATT&CK's Enterprise domain describing adversary activity taking place on the VMware ESXi hypervisor, a dramatic improvement of Enterprise Mitigation descriptions, and the renaming of the Network platform to Network Devices in order to more clearly communicate the scope of the platform. An accompanying blog post describes these changes as well as additional improvements across ATT&CK's various domains and platforms.

In this release we have revoked Hijack Execution Flow: DLL Side-Loading and merged it into Hijack Execution Flow: DLL, which itself was renamed from Hijack Execution Flow: DLL Search Order Hijacking. This change was made to reflect the previously overlapping scope of the two sub-techniques and frequent confusion between them.

This release also includes a human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a machine-readable JSON changelog, whose format is described in ATT&CK's GitHub.

This version of ATT&CK contains 877 Pieces of Software, 170 Groups, and 50 Campaigns. Broken out by domain:

  • Enterprise: 14 Tactics, 211 Techniques, 468 Sub-Techniques, 166 Groups, 755 Pieces of Software, 47 Campaigns, 44 Mitigations, and 37 Data Sources
  • Mobile: 12 Tactics, 75 Techniques, 46 Sub-Techniques, 15 Groups, 118 Pieces of Software, 3 Campaigns, 13 Mitigations, and 6 Data Sources
  • ICS: 12 Tactics, 83 Techniques, 0 Sub-Techniques, 14 Groups, 23 Pieces of Software, 7 Campaigns, 52 Mitigations, 14 Assets, and 17 Data Sources

Release Notes Terminology

  • New: ATT&CK objects which are only present in the new release.
  • Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
  • Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
  • Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
  • Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something immaterial like a typo, a URL, or some metadata was fixed)
  • Revocations: ATT&CK objects which are revoked by a different object.
  • Deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
  • Deletions: ATT&CK objects which are no longer found in the STIX data.

Techniques

Enterprise

New Techniques

Major Version Changes

Minor Version Changes

Patches

Revocations

  • Hijack Execution Flow: DLL Side-Loading (revoked by Hijack Execution Flow: DLL) (v2.1)

Mobile

New Techniques

Major Version Changes

Minor Version Changes

Patches

ICS

Patches

Software

Enterprise

New Software

Major Version Changes

Minor Version Changes

Patches

Mobile

New Software

Minor Version Changes

Patches

ICS

New Software

Minor Version Changes

Patches

Groups

Enterprise

New Groups

Major Version Changes

Minor Version Changes

Patches

Mobile

New Groups

Minor Version Changes

Patches

ICS

Major Version Changes

Minor Version Changes

Patches

Campaigns

Enterprise

New Campaigns

Patches

Mobile

New Campaigns

ICS

New Campaigns

Patches

Mitigations

Enterprise

Minor Version Changes

Patches

Mobile

Minor Version Changes

Patches

ICS

Patches

Data Sources

Enterprise

Minor Version Changes

Patches

Mobile

Minor Version Changes

Patches

ICS

Minor Version Changes

Patches

Data Components

Enterprise

Minor Version Changes

Patches

Mobile

New Data Components

Minor Version Changes

Patches

ICS

Minor Version Changes

Patches

Contributors to this release

  • Aaron Sullivan aka ZerkerEOD
  • Adam Lichters
  • Alden Schmidt
  • Ale Houspanossian
  • Alexey Kleymenov
  • Alon Klayman, Hunters Security
  • Amnon Kushnir, Sygnia
  • Ben Smith, @cyberg3cko
  • Caio Silva
  • Cian Heasley
  • Cristian Souza - Kaspersky GERT
  • Cristóbal Martínez Martín
  • David Hughes, BT Security
  • Dhiraj Mishra (@RandomDhiraj)
  • Dmitry Bestuzhev
  • Dvir Sasson, Reco
  • Eliraz Levi, Hunters Security
  • Fabian Kammel
  • Fernando Bacchin
  • Flavio Costa, Cisco
  • Frank Angiolelli
  • Gabriel Currie
  • Gerardo Santos
  • Harikrishnan Muthu, Cyble
  • Hiroki Nagahama, NEC Corporation
  • Inna Danilevich, U.S. Bank
  • Jaesang Oh, KC7 Foundation
  • Janantha Marasinghe
  • Jennifer Kim Roman
  • Jiraput Thamsongkrah
  • Joas Antonio dos Santos, @C0d3Cr4zy
  • Joe Gumke, U.S. Bank
  • Jun Hirata, NEC Corporation
  • Kaung Zaw Hein
  • Kevin Ward
  • Kori Yoshihiro, NEC Corporation
  • Kyaw Pyiyt Htet, @KyawPyiytHtet
  • Liran Ravich, CardinalOps
  • Lê Phương Nam, Group-IB
  • Manikantan Srinivasan, NEC Corporation India
  • Matt Anderson, @nosecurething, Huntress
  • Matt Brenton, Zurich Insurance Group
  • Menachem Goldstein
  • Michael Davis, ServiceNow Threat Intelligence
  • MyungUk Han, ASEC
  • Natthawut Saexu
  • Nikita Rostovcev, Group-IB
  • Oren Biderman, Sygnia
  • Peter Oakes
  • Pooja Natarajan, NEC Corporation India
  • Raghvendra Mishra
  • ReliaQuest
  • RoseSecurity
  • Rouven Bissinger (SySS GmbH)
  • Ruben Groenewoud (@RFGroenewoud)
  • Ryan Perez
  • Sareena Karapoola, NEC Corporation India
  • Seungyoul Yoo, Ahnlab
  • Sharmine Low, Group-IB
  • Shun Miyazaki, NEC Corporation
  • Shwetank Murarka
  • Sittikorn Sangrattanapitak
  • Suraj Khetani (@r00treaver)
  • Vicky Ray, RayvenX
  • Vijay Lalwani
  • Wietze Beukema @Wietze
  • Yoshihiro Kori, NEC Corporation