
Updates - October 2018


Transition from MediaWiki

The MediaWiki version of ATT&CK was moved to attack-old.mitre.org and will remain up until the end of January 2019. The old website will not be receiving content updates during this timeframe, so you will need to use the new website and STIX/TAXII to get the most up-to-date ATT&CK information.

Consolidated Technique and Software IDs

As of the October 2018 update, all techniques across Enterprise ATT&CK, PRE-ATT&CK, and Mobile will have the same T#### numbering scheme. Existing PRE-ATT&CK and Mobile technique IDs have been converted over to the Enterprise IDs. Links to specific pages on the old wiki, or to the new site with the old IDs, will hit pages that redirect to the appropriate technique page.

Mobile software IDs were converted to the Enterprise format of S####.

NOTE: If you have created layers for the ATT&CK Navigator that include PRE-ATT&CK or Mobile ATT&CK techniques, you will need to update your layer files to use the new ATT&CK technique IDs.
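
For the layer update described in the note above, the following is an added example (not MITRE's code) that rewrites legacy technique IDs in a Navigator layer and reports any it cannot map. It assumes the layer keeps its entries in a `techniques` list with a `techniqueID` field; the sample layer and the old-to-new ID pairs are constructed placeholders, not real ATT&CK assignments.

```python
import json
import re

# After the October 2018 update every technique ID follows the T#### scheme.
CURRENT_ID = re.compile(r"^T\d{4}$")

# Constructed placeholder mapping (old ID -> new ID). Build the real table
# from the redirects the site serves for the old IDs.
SAMPLE_ID_MAP = {"MOB-T0001": "T9001", "PRE-T0002": "T9002"}

# Constructed sample layer (assumed layout: "techniques" list, "techniqueID" key).
SAMPLE_LAYER = json.dumps({
    "name": "mobile coverage",
    "techniques": [
        {"techniqueID": "T1059", "score": 3},
        {"techniqueID": "MOB-T0001", "score": 1, "comment": "EDR gap"},
        {"techniqueID": "PRE-T0002", "score": 2},
        {"techniqueID": "MOB-T0404", "score": 5},
    ],
})


def migrate_layer(layer_json, id_map):
    """Return (migrated layer, [(old, new), ...], [unmapped legacy IDs])."""
    layer = json.loads(layer_json)
    rewritten, unmapped, migrated = [], [], []
    for entry in layer.get("techniques", []):
        tid = entry.get("techniqueID", "")
        if CURRENT_ID.match(tid):
            migrated.append(entry)          # already in the new scheme
            continue
        new_id = id_map.get(tid)
        if new_id is None or not CURRENT_ID.match(new_id):
            unmapped.append(tid)            # keep as-is and report it,
            migrated.append(entry)          # never drop an annotation silently
            continue
        rewritten.append((tid, new_id))
        # Copy the entry so score, comment, color, etc. carry over unchanged.
        migrated.append({**entry, "techniqueID": new_id})
    layer["techniques"] = migrated
    return layer, rewritten, unmapped


if __name__ == "__main__":
    layer, rewritten, unmapped = migrate_layer(SAMPLE_LAYER, SAMPLE_ID_MAP)
    print(json.dumps(layer, indent=2))
    print("rewritten:", rewritten)
    print("still legacy, needs a manual lookup:", unmapped)
```
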

Tactic IDs

Tactics have been given ID numbers formatted as TA####.

Mobile Mitigation IDs

Mobile mitigations have been given ID numbers formatted as M####.

Versioning

We've implemented a versioning system for all ATT&CK objects (techniques, groups, software, Mobile mitigations) to enable better tracking of incremental changes to existing ATT&CK content. The system will consist of a MAJOR.MINOR number. All objects will start at version 1.0 with the October release.

Techniques

Major version changes

  • Name change
  • Technique scope change - Change in definition resulting in broadening or focusing the scope of the technique

Minor version changes

  • Minor descriptive information - technical information, examples, detection, mitigation, references
  • Metadata change - platform, permissions, data sources, defense bypassed, etc.

Groups

Major version changes

  • Adding or changing an alias
  • Big changes to description and scope of a group

Minor version changes

  • Relationship to new techniques or software
  • New references

Software

Major version changes

  • Adding or changing an alias
  • High level description or information changes
  • Metadata change (type)

Minor version changes

  • Relationship to new techniques or software
  • New references

Mobile Mitigations

Major version changes

  • Name change
  • Scope, description, or information changes

Minor version changes

  • Metadata change
  • Relationship to new techniques
  • New references

In addition, the ATT&CK Matrix view of techniques within an ATT&CK domain will be timestamped with the last change that impacts its structure and organization, and that timestamp will act as its version number.

Techniques

Enterprise

New techniques:

Technique Changes:

You can view the new and changed enterprise techniques in the ATT&CK Navigator by checking out the layer file we made available here. You can also check out a preview of the changes below! New techniques are green, and changed techniques are yellow.

ATT&CK Navigator - October 2018 Updates


PRE-ATT&CK

No changes

Mobile

The Obtain Device Access Matrix was collapsed into an Initial Access tactic to match the formatting of Enterprise.

The Network-Based Effects Matrix was consolidated into two tactic categories: Network Effects and Remote Service Effects.

Technique Additions and Changes:

Updated Content:

User interface spoofing

You can view the new and changed mobile techniques in the ATT&CK Navigator by checking out the layer file we made available here.

Groups

APT34 and OilRig were combined due to additional reporting increasing confidence in the overlap

Software

Enterprise

Poison Ivy and Darkmoon pages were combined into Poison Ivy

51 new software entries added

Mobile