Updates - April 2025
The April 2025 (v17) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS.
The biggest changes in ATT&CK v17 are the addition of an ESXi platform to ATT&CK's Enterprise domain describing adversary activity taking place on the VMWare ESXi hypervisor, a dramatic improvement of Enterprise Mitigation descriptions, and the renaming of the Network platform to Network Devices in order to more clearly communicate the scope of the platform. An accompanying blog post describes these changes as well as additional improvements across ATT&CK's various domains and platforms.
In this release we have revoked Hijack Execution Flow: DLL Side-Loading and merged it into Hijack Execution Flow: DLL, which itself was renamed from Hijack Execution Flow: DLL Search Order Hijacking. This change was made to reflect the previously overlapping scope of the two sub-techniques and frequent confusion between them.
This release also includes a human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a machine-readable JSON changelog, whose format is described in ATT&CK's Github.
This version of ATT&CK contains 877 Pieces of Software, 170 Groups, and 50 Campaigns
Broken out by domain:
- Enterprise: 14 Tactics, 211 Techniques, 468 Sub-Techniques, 166 Groups, 755 Pieces of Software, 47 Campaigns, 44 Mitigations, and 37 Data Sources
- Mobile: 12 Tactics, 75 Techniques, 46 Sub-Techniques, 15 Groups, 118 Pieces of Software, 3 Campaigns, 13 Mitigations, and 6 Data Sources
- ICS: 12 Tactics, 83 Techniques, 0 Sub-Techniques, 14 Groups, 23 Pieces of Software, 7 Campaigns, 52 Mitigations, 14 Assets, and 17 Data Sources
Release Notes Terminology
- New: ATT&CK objects which are only present in the new release.
- Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
- Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
- Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
- Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something immaterial like a typo, a URL, or some metadata was fixed)
- Revocations: ATT&CK objects which are revoked by a different object.
- Deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
- Deletions: ATT&CK objects which are no longer found in the STIX data.
Techniques
Enterprise
New Techniques
Major Version Changes
Minor Version Changes
Patches
Revocations
- Hijack Execution Flow: DLL Side-Loading (revoked by Hijack Execution Flow: DLL) (v2.1)
Mobile
New Techniques
Major Version Changes
Minor Version Changes
Patches
ICS
Patches
Software
Enterprise
New Software
Major Version Changes
Minor Version Changes
Patches
Mobile
New Software
Minor Version Changes
Patches
ICS
New Software
Minor Version Changes
Patches
Groups
Enterprise
New Groups
Major Version Changes
Minor Version Changes
Patches
Mobile
New Groups
Minor Version Changes
Patches
ICS
Major Version Changes
Minor Version Changes
Patches
Campaigns
Enterprise
New Campaigns
Patches
Mobile
New Campaigns
ICS
New Campaigns
Patches
Mitigations
Enterprise
Minor Version Changes
Patches
Mobile
Minor Version Changes
Patches
ICS
Patches
Data Sources
Enterprise
Minor Version Changes
Patches
Mobile
Minor Version Changes
Patches
ICS
Minor Version Changes
Patches
Data Components
Enterprise
Minor Version Changes
Patches
Mobile
New Data Components
Minor Version Changes
Patches
ICS
Minor Version Changes
Patches
Contributors to this release
- Aaron Sullivan aka ZerkerEOD
- Adam Lichters
- Alden Schmidt
- Ale Houspanossian
- Alexey Kleymenov
- Alon Klayman, Hunters Security
- Amnon Kushnir, Sygnia
- Ben Smith, @cyberg3cko
- Caio Silva
- Cian Heasley
- Cristian Souza - Kaspersky GERT
- Cristóbal Martínez Martín
- David Hughes, BT Security
- Dhiraj Mishra (@RandomDhiraj)
- Dmitry Bestuzhev
- Dvir Sasson, Reco
- Eliraz Levi, Hunters Security
- Fabian Kammel
- Fernando Bacchin
- Flavio Costa, Cisco
- Frank Angiolelli
- Gabriel Currie
- Gerardo Santos
- Harikrishnan Muthu, Cyble
- Hiroki Nagahama, NEC Corporation
- Inna Danilevich, U.S. Bank
- Jaesang Oh, KC7 Foundation
- Janantha Marasinghe
- Jennifer Kim Roman
- Jiraput Thamsongkrah
- Joas Antonio dos Santos, @C0d3Cr4zy
- Joe Gumke, U.S. Bank
- Jun Hirata, NEC Corporation
- Kaung Zaw Hein
- Kevin Ward
- Kori Yoshihiro, NEC Corporation
- Kyaw Pyiyt Htet, @KyawPyiytHtet
- Liran Ravich, CardinalOps
- Lê Phương Nam, Group-IB
- Manikantan Srinivasan, NEC Corporation India
- Matt Anderson, @nosecurething, Huntress
- Matt Brenton, Zurich Insurance Group
- Menachem Goldstein
- Michael Davis, ServiceNow Threat Intelligence
- MyungUk Han, ASEC
- Natthawut Saexu
- Nikita Rostovcev, Group-IB
- Oren Biderman, Sygnia
- Peter Oakes
- Pooja Natarajan, NEC Corporation India
- Raghvendra Mishra
- ReliaQuest
- RoseSecurity
- Rouven Bissinger (SySS GmbH)
- Ruben Groenewoud (@RFGroenewoud)
- Ryan Perez
- Sareena Karapoola, NEC Corporation India
- Seungyoul Yoo, Ahnlab
- Sharmine Low, Group-IB
- Shun Miyazaki, NEC Corporation
- Shwetank Murarka
- Sittikorn Sangrattanapitak
- Suraj Khetani (@r00treaver)
- Vicky Ray, RayvenX
- Vijay Lalwani
- Wietze Beukema @Wietze
- Yoshihiro Kori, NEC Corporation