Updates - April 2018

Version Start Date End Date Data
ATT&CK v2 April 13, 2018 October 22, 2018 v2.0 on MITRE/CTI

Initial Access Tactic Addition

Initial Access was added to ATT&CK and some techniques were added to Execution to cover the Launch and Compromise techniques within PRE-ATT&CK. The techniques were refactored to fit the enterprise level of detail.

The following techniques were added under Initial Access:

The following existing techniques were cross-referenced into Initial Access:

The following techniques were added to Execution:


Aside from those added from PRE-ATT&CK, 23 additional new techniques were added - Up to 219 from 188:

One technique renamed

NTFS Extended Attributes -> NTFS File Attributes

Moderate to major updates to scope and/or content

Groups and Software

Nine new groups:

Group Updates Patchwork combined with Monsoon, G0042 redirects to G0040

Groups with New Techniques Added

45 new software entries:

Other Changes

Exploitation of Vulnerability Breakout - With the addition of Initial Access, more clarity was needed to define software exploitation behavior. The original Exploitation of Vulnerability technique was broken out into six variations specifically for individual tactics.

Software Platforms - Added Windows, Linux, and macOS tags for software objects.

What's New in PRE-ATT&CK?

This release deprecates the Launch and Compromise tactics and most of the techniques that belong to them. In the future, these TTPs will be covered by techniques in the Initial Access and Execution tactics on ATT&CK.

  • 2 tactics deprecated: Launch and Compromise
  • Disseminate removable media has been moved from Launch to Stage Capabilities
  • A new technique, Spearphishing for Information, has been added to Technical Information Gathering
  • 23 techniques have been deprecated in this release
  • PRE-ATT&CK now comprises 15 tactics and 151 techniques