Updates - April 2018

Initial Access Tactic Addition

Initial Access was added to ATT&CK and some techniques were added to Execution to cover the Launch and Compromise techniques within PRE-ATT&CK. The techniques were refactored to fit the enterprise level of detail.

The following techniques were added under Initial Access:

• Drive-by Compromise
• Exploit Public-Facing Application
• Hardware Additions
• Spearphishing Attachment
• Spearphishing Link
• Spearphishing via Service
• Supply Chain Compromise
• Trusted Relationship

The following existing techniques were cross-referenced into Initial Access:

• Replication Through Removable Media
• Valid Accounts

The following techniques were added to Execution:

• Exploitation for Client Execution
• User Execution

Techniques

Aside from those added from PRE-ATT&CK, 23 additional new techniques were added - Up to 219 from 188:

• CMSTP
• Control Panel Items
• BITS Jobs
• SIP and Trust Provider Hijacking
• Password Policy Discovery
• Indirect Command Execution
• Exploitation for Client Execution
• User Execution
• Port Knocking
• Sudo Caching
• DCShadow
• Kerberoasting
• Time Providers
• Exploitation of Remote Services
• Exploitation for Defense Evasion
• Exploitation for Credential Access
• Data from Information Repositories
• Credentials in Registry
• Kernel Modules and Extensions
• Signed Script Proxy Execution
• Browser Bookmark Discovery
• Signed Binary Proxy Execution
• Remote Access Tools

One technique renamed

NTFS Extended Attributes -> NTFS File Attributes

Moderate to major updates to scope and/or content

• Winlogon Helper DLL
• Credential Dumping
• NTFS File Attributes
• Web Service
• Taint Shared Content

Groups and Software

Nine new groups:

• FIN8
• TA459
• BlackOasis
• APT33
• Leviathan
• Elderwood
• APT37
• PLATINUM
• MuddyWater

Group Updates Patchwork combined with Monsoon, G0042 redirects to G0040

Groups with New Techniques Added

• Axiom
• APT28
• APT29
• APT3
• Lazarus Group
• menuPass
• APT34
• Carbanak
• Night Dragon
• FIN7
• APT32

45 new software entries:

• ISMInjector
• BITSAdmin
• Winexe
• Pupy
• Forfiles
• PowerSploit
• SDelete
• PUNCHBUGGY
• PUNCHTRACK
• NETWIRE
• TURNEDUP
• Dipsind
• JPIN
• adbupd
• Hydraq
• Briba
• Naid
• Wiarp
• Vasport
• Pasam
• Darkmoon
• Nerex
• Linfo
• CORALDECK
• DOGCALL
• HAPPYWORK
• KARAE
• POORAIM
• SHUTTERSPEED
• SLOWDRIFT
• WINERACK
• Chaos
• Umbreon
• CCBkdr
• POWERSTATS
• Havij
• sqlmap
• Smoke Loader
• spwebmember
• NanHaiShu
• Orz
• ZeroT
• Invoke-PSImage
• HOMEFRY
• MURKYTOP

Other Changes

Exploitation of Vulnerability Breakout - With the addition of Initial Access, more clarity was needed to define software exploitation behavior. The original Exploitation of Vulnerability technique was broken out into six variations specifically for individual tactics.

• Initial Access - Exploit Public-Facing Application
• Execution - Exploitation for Client Execution
• Privilege Escalation - Exploitation for Privilege Escalation: maintains the original Exploitation of Vulnerability technique ID T1068
• Lateral Movement - Exploitation of Remote Services
• Defense Evasion - Exploitation for Defense Evasion
• Credential Access - Exploitation for Credential Access

Software Platforms - Added Windows, Linux, and macOS tags for software objects.

What's New in PRE-ATT&CK?

This release deprecates the Launch and Compromise tactics and most of the techniques that belong to them. In the future, these TTPs will be covered by techniques in the Initial Access and Execution tactics on ATT&CK.

• 2 tactics deprecated: Launch and Compromise
• Disseminate removable media has been moved from Launch to Stage Capabilities
• A new technique, Spearphishing for Information, has been added to Technical Information Gathering
• 23 techniques have been deprecated in this release
• PRE-ATT&CK now comprises 15 tactics and 151 techniques