Updates - July 2020

Version Start Date End Date Data
ATT&CK v7 July 8, 2020 This is the current version of ATT&CK v7.0 on MITRE/CTI

The July 2020 (v7) ATT&CK release updates Techniques, Groups, and Software for both Enterprise and Mobile. This is the first non-beta release of Enterprise ATT&CK represented with sub-techniques. The pre sub-technique version of ATT&CK has been preserved here. Most of this content was released as a beta in March 2020, and changes between the beta release and this release are documented separately.

In total, the sub-technique version of ATT&CK for Enterprise contains 156 techniques (reduced from 266) and 272 sub-techniques.

See the accompanying blog post for more details.

In this same release we have deprecated white/blacklist language in ATT&CK. Techniques and mitigations previously containing this language have either been reworded or the language has been replaced with allow/denylist. In line with industry terminology changes, application whitelisting and process whitelisting have both been replaced with application control.

Techniques

Enterprise

View enterprise technique updates in the ATT&CK Navigator here.

New Techniques:

Technique changes:

Technique changes are largely due to new sub-techniques being added, name changes, or both.

Minor Technique changes:

Technique revocations:

Technique deprecations:

  • Commonly Used Port - Deprecated from ATT&CK because the behavior is redundant and describes most benign network communications.
  • Component Object Model and Distributed COM - Deprecated and split into separate Component Object Model and Distributed Component Object Model sub-techniques. Existing Group/Software procedure examples were remapped appropriately
  • Graphical User Interface - Deprecated from ATT&CK because the behavior is redundant and implied by use of remote desktop tools like Remote Desktop Protocol. Existing Group/Software procedure examples were remapped appropriately
  • Hypervisor - Deprecated from ATT&CK due to lack of in the wild use
  • LC_MAIN Hijacking - Deprecated from ATT&CK due to lack of in the wild use
  • Multiband Communication - Deprecated from ATT&CK due to lack of in the wild use. Existing Group/Software procedure examples did not fit the core idea behind the technique
  • Path Interception - Deprecated and split into separate Unquoted Path, PATH Environment Variable, and Search Order Hijacking sub-techniques. Existing Group/Software procedure examples were remapped appropriately
  • Redundant Access - Deprecated from ATT&CK because the behavior is too high level and is sufficiently covered by Valid Accounts and External Remote Services. Existing Group/Software procedure examples were remapped appropriately
  • Scripting - Deprecated and split into separate Unix Shell, Visual Basic, JavaScript/Jscript, and Python sub-techniques of Command and Scripting Interpreter. Existing Group/Software procedure examples were remapped appropriately
  • Shared Webroot - Deprecated from ATT&CK due to lack of in the wild use
  • Source - Deprecated from ATT&CK due to lack of in the wild use

PRE-ATT&CK

New Techniques: No changes

Technique changes: No changes

Minor Technique changes: No changes

Technique revocations: No changes

Technique deprecations:

Mobile

View mobile technique updates in the ATT&CK Navigator here.

New Techniques:

Technique changes:

Minor Technique changes:

Technique revocations: No changes

Technique deprecations: No changes

Software

Enterprise

New Software:

Software changes:

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

PRE-ATT&CK

New Software: No changes

Software changes: No changes

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Mobile

New Software:

Software changes:

Minor Software changes:

Software revocations: No changes

Software deprecations: No changes

Groups

Enterprise

New Groups:

Group changes:

Minor Group changes:

Group revocations: No changes

Group deprecations: No changes

Group deletions:

  • Charming Kitten

PRE-ATT&CK

New Groups: No changes

Group changes:

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mobile

New Groups:

Group changes:

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mitigations

Enterprise

New Mitigations: No changes

Mitigation changes:

Minor Mitigation changes:

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mitigation deletions:

These are old mitigations that are no longer in use.

  • Account Manipulation Mitigation
  • Command-Line Interface Mitigation
  • Connection Proxy Mitigation
  • Execution through API Mitigation
  • Exfiltration Over Alternative Protocol Mitigation
  • File Permissions Modification Mitigation
  • Input Capture Mitigation
  • Obfuscated Files or Information Mitigation
  • Office Application Startup Mitigation
  • Process Injection Mitigation
  • Remote Services Mitigation
  • Signed Binary Proxy Execution Mitigation
  • Standard Application Layer Protocol Mitigation
  • Trusted Developer Utilities Mitigation
  • Virtualization/Sandbox Evasion Mitigation
  • Windows Management Instrumentation Mitigation

PRE-ATT&CK

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mobile

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes:

Mitigation revocations: No changes

Mitigation deprecations: No changes

The July 2020 (v7) ATT&CK release updates Techniques, Groups, and Software for both Enterprise and Mobile. ATT&CK with sub-techniques was released as a beta in March 2020 (v7-beta), this changelog represents the updates made between the beta and final release.

Major errata fixed from the v7 (March 2020) Beta

  • Traffic Signaling Was incorrectly re-IDd to T1545, restored to T1205 and its sub-technique was changed to T1205.001
  • Indicator Removal on Host Was incorrectly re-IDd to T1551, restored to T1070 and its sub-techniques were changed to T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, and T1070.006
  • Commonly Used Port Was revoked by T1571 in the beta, corrected to now be deprecated

Techniques

Enterprise

View enterprise technique updates in the ATT&CK Navigator here.

New Techniques:

Technique changes:

Minor Technique changes:

Technique revocations:

Technique deprecations:

Technique deletions:

PRE-ATT&CK

New Techniques: No changes

Technique changes: No changes

Minor Technique changes: No changes

Technique revocations: No changes

Technique deprecations: No changes

Mobile

View mobile technique updates in the ATT&CK Navigator here.

New Techniques:

Technique changes:

Minor Technique changes:

Technique revocations: No changes

Technique deprecations: No changes

Software

Enterprise

New Software:

Software changes:

Minor Software changes:

Software revocations: No changes

Software deprecations: No changes

PRE-ATT&CK

New Software: No changes

Software changes: No changes

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Mobile

New Software:

Software changes: No changes

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Groups

Enterprise

New Groups:

Group changes:

Minor Group changes:

Group revocations: No changes

Group deprecations: No changes

Group deletions:

  • Charming Kitten

PRE-ATT&CK

New Groups: No changes

Group changes: No changes

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mobile

New Groups: No changes

Group changes: No changes

Minor Group changes:

Group revocations: No changes

Group deprecations: No changes

Mitigations

Enterprise

New Mitigations: No changes

Mitigation changes:

Minor Mitigation changes:

Mitigation revocations: No changes

Mitigation deprecations: No changes

PRE-ATT&CK

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mobile

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes:

Mitigation revocations: No changes

Mitigation deprecations: No changes