Updates - October 2024

Version:     ATT&CK v16
Start Date:  October 31, 2024
End Date:    Current version of ATT&CK
Data:        v16.0 on MITRE/CTI; v16.1 on MITRE/CTI
Changelogs:  15.1 - 16.0 Details (JSON); 16.0 - 16.1 Details (JSON)

The October 2024 (v16) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise.

The biggest changes in ATT&CK v16 are a refactoring of Cloud platforms to better reflect real-world adversary activity along with improvements to platform descriptions, a dramatic expansion in the number of techniques with detection notes and analytics, and continued improvements to coverage of criminal threat actors. As a result of Cloud platform refactoring, the Azure AD, Office 365, and Google Workspace platforms have been removed from Enterprise ATT&CK and the Identity Provider and Office Suite platforms have been added in their place. An accompanying blog post describes these changes as well as additional improvements across Enterprise ATT&CK's various platforms.

This release also includes a human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a machine-readable JSON changelog, whose format is described in ATT&CK's GitHub.

This version of ATT&CK contains 844 Pieces of Software, 186 Groups, and 42 Campaigns, broken out by domain:

  • Enterprise: 14 Tactics, 203 Techniques, 453 Sub-Techniques, 159 Groups, 710 Pieces of Software, 34 Campaigns, 44 Mitigations, and 37 Data Sources
  • Mobile: 12 Tactics, 73 Techniques, 46 Sub-Techniques, 13 Groups, 112 Pieces of Software, 2 Campaigns, 13 Mitigations, and 6 Data Sources
  • ICS: 12 Tactics, 83 Techniques, 0 Sub-Techniques, 14 Groups, 22 Pieces of Software, 6 Campaigns, 52 Mitigations, 14 Assets, and 17 Data Sources

Release Notes Terminology

  • New: ATT&CK objects which are only present in the new release.
  • Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
  • Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
  • Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
  • Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something immaterial like a typo, a URL, or some metadata was fixed)
  • Revocations: ATT&CK objects which are revoked by a different object.
  • Deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
  • Deletions: ATT&CK objects which are no longer found in the STIX data.
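The terminology above maps directly onto fields that objects in the ATT&CK STIX data carry. The script below is an added example, not code from the ATT&CK release notes or from MITRE's own changelog tooling: it compares two STIX bundles and sorts every versioned object into the categories defined above using the fields `id`, `modified`, `x_mitre_version`, `revoked` and `x_mitre_deprecated`. It assumes that a revocation shows up as the `revoked` flag flipping to true (the `revoked-by` relationship that names the replacing object is not consulted), that a minor change is exactly a +1 step in the minor number, and that revocation and deprecation take precedence over version arithmetic. The two bundles it ships with are constructed sample data with placeholder UUIDs, not real ATT&CK objects.

```python
"""Classify changes between two ATT&CK STIX bundles with the release-note
terminology (added example; the sample bundles are constructed)."""
from __future__ import annotations

import json
import sys
from collections import defaultdict
from typing import Optional


def parse_version(version: str) -> tuple[int, int]:
    """Turn an x_mitre_version string such as "1.2" into (1, 2)."""
    major, minor = version.split(".")
    return int(major), int(minor)


def classify_change(old: Optional[dict], new: Optional[dict]) -> str:
    """Apply the release-note terminology to one object's old/new copies."""
    if old is None:
        return "New"                       # only present in the new release
    if new is None:
        return "Deletion"                  # no longer found in the STIX data
    # Assumption: a revocation is visible as the revoked flag turning on.
    if new.get("revoked", False) and not old.get("revoked", False):
        return "Revocation"
    if new.get("x_mitre_deprecated", False) and not old.get("x_mitre_deprecated", False):
        return "Deprecation"
    old_major, old_minor = parse_version(old["x_mitre_version"])
    new_major, new_minor = parse_version(new["x_mitre_version"])
    if (new_major, new_minor) == (old_major, old_minor):
        # Same version: a changed modified timestamp means a patch (typo, URL, metadata).
        return "Patch" if new["modified"] != old["modified"] else "Unchanged"
    if new_major != old_major:
        return "Major version change"      # e.g. 1.0 -> 2.0
    if new_minor == old_minor + 1:
        return "Minor version change"      # e.g. 1.0 -> 1.1
    return "Other version change"          # e.g. 1.0 -> 1.2


def diff_bundles(old_bundle: dict, new_bundle: dict) -> dict[str, list[str]]:
    """Return {category: [stix ids]} for every versioned object in either bundle."""
    old_by_id = {o["id"]: o for o in old_bundle["objects"] if "x_mitre_version" in o}
    new_by_id = {o["id"]: o for o in new_bundle["objects"] if "x_mitre_version" in o}
    result: dict[str, list[str]] = defaultdict(list)
    for stix_id in sorted(old_by_id.keys() | new_by_id.keys()):
        result[classify_change(old_by_id.get(stix_id), new_by_id.get(stix_id))].append(stix_id)
    return dict(result)


# ---- constructed sample data (placeholder UUIDs, not real ATT&CK objects) ----
PREFIX = "attack-pattern--00000000-0000-4000-8000-00000000000"
OLD_TS = "2024-04-23T00:00:00.000Z"
NEW_TS = "2024-10-31T00:00:00.000Z"


def _obj(n: int, version: str, modified: str, **extra) -> dict:
    """Build one constructed attack-pattern object."""
    obj = {"type": "attack-pattern", "id": PREFIX + str(n),
           "name": f"Constructed technique {n}",
           "x_mitre_version": version, "modified": modified}
    obj.update(extra)
    return obj


OLD_BUNDLE = {"type": "bundle", "objects": [_obj(n, "1.0", OLD_TS) for n in range(1, 9)]}
NEW_BUNDLE = {"type": "bundle", "objects": [
    _obj(1, "2.0", NEW_TS),                          # major version change
    _obj(2, "1.1", NEW_TS),                          # minor version change
    _obj(3, "1.2", NEW_TS),                          # other version change
    _obj(4, "1.0", NEW_TS),                          # patch (same version, new modified)
    _obj(5, "1.0", NEW_TS, revoked=True),            # revocation
    _obj(6, "1.0", NEW_TS, x_mitre_deprecated=True), # deprecation
    # object 7 is missing here: deletion
    _obj(8, "1.0", OLD_TS),                          # unchanged
    _obj(9, "1.0", NEW_TS),                          # new
]}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python diff_attack.py old-bundle.json new-bundle.json
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            changes = diff_bundles(json.load(f_old), json.load(f_new))
    else:
        changes = diff_bundles(OLD_BUNDLE, NEW_BUNDLE)
    for category, ids in changes.items():
        print(f"{category}: {len(ids)}")
        for stix_id in ids:
            print("  ", stix_id)
```

Run it with two real bundle files (for example consecutive `enterprise-attack.json` exports from MITRE/CTI) to get counts per category; with no arguments it classifies the constructed bundles. Objects without `x_mitre_version` are skipped, so the count covers only versioned objects.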

Techniques

Enterprise

New Techniques

Major Version Changes

Minor Version Changes

Patches

Mobile

Patches

ICS

Patches

Software

Enterprise

New Software

Major Version Changes

Minor Version Changes

Patches

Mobile

Patches

Deprecations

ICS

New Software

Major Version Changes

Groups

Enterprise

New Groups

Major Version Changes

Minor Version Changes

Patches

Mobile

Minor Version Changes

Patches

ICS

Minor Version Changes

Patches

Campaigns

Enterprise

New Campaigns

Minor Version Changes

Mitigations

Enterprise

New Mitigations

Minor Version Changes

Patches

Minor Version Changes

Data Sources

Enterprise

Patches

ICS

Patches

Contributors to this release

  • @grahamhelton3
  • Ale Houspanossian
  • Arun Seelagan, CISA
  • Asritha Narina
  • Aung Kyaw Min Naing, @Nolan
  • Barbara Louis-Sidney (OWN-CERT)
  • Catherine Williams, BT Security
  • Centre for Cybersecurity Belgium (CCB)
  • Cris Tomboc, Trustwave SpiderLabs
  • Csaba Fitzl @theevilbit of Kandji
  • Daniel Acevedo, Blackbot
  • DeFord L. Smith
  • Denise Tan
  • Diego Sappa, Securonix
  • Domenico Mazzaferro Palmeri
  • Dray Agha, Huntress Labs
  • Eder Pérez Ignacio, @ch4ik0
  • Eduardo González Hernández (@codexlynx)
  • Fernando Bacchin
  • Furkan Celik, PURE7
  • Hakan KARABACAK
  • Harikrishnan Muthu, Cyble
  • Harry Hill, BT Security
  • Inna Danilevich
  • Jai Minton, CrowdStrike
  • James Emery-Callcott, Emerging Threats Team, Proofpoint
  • James P Callahan, Professional Paranoid
  • Jamie Williams (U ω U), PANW Unit 42
  • Jennifer Kim Roman, CrowdStrike
  • Joe Gumke, U.S. Bank
  • Jorge Orchilles
  • Liran Ravich, CardinalOps
  • Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
  • Manikantan Srinivasan, NEC Corporation India
  • Marco Pedrinazzi, @pedrinazziM
  • Massimo Giaimo, Würth Group Cyber Defence Center
  • Matt Anderson, @nosecurething, Huntress
  • Matt Brenton
  • Menachem Goldstein
  • Michael Forret, Quorum Cyber
  • Mike Hartley @mikehartley10
  • Nagahama Hiroki – NEC Corporation Japan
  • Naveen Vijayaraghavan
  • Nilesh Dherange (Gurucul)
  • Obsidian Security
  • Onur Atali
  • OWN
  • Phyo Paing Htun (ChiLai)
  • Pooja Natarajan, NEC Corporation India
  • ReliaQuest
  • Riku Katsuse, NEC Corporation
  • Ruben Groenewoud, Elastic
  • Sam Seabrook, Duke Energy
  • Sarathkumar Rajendran, Microsoft Defender365
  • Sareena Karapoola, NEC Corporation India
  • Sharon Brizinov, Claroty Team82 Research
  • Sofia Sanchez Margolles
  • Subhash Thapa
  • Swachchhanda Shrawan Poudel
  • Takemasa Kamatani, NEC Corporation
  • TruKno
  • Vito Alfano, Group-IB
  • Wirapong Petshagun
  • Wojciech Reguła @_r3ggi
  • Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
  • Yoshihiro Kori, NEC Corporation
  • Zaw Min Htun, @z3tae