Updates - April 2019
Version | Start Date | End Date | Data |
---|---|---|---|
ATT&CK v4 | April 30, 2019 | July 30, 2019 | v4.0 on MITRE/CTI |
Previous Versions
Previous versions of the ATT&CK website are now being saved and displayed here to give a historical reference for prior content releases.
Tactics and Techniques
Enterprise
Impact Tactic:
The Impact Tactic was added to cover integrity and availability attacks against enterprise systems. Each technique will include an Impact Type label of 'Integrity' or 'Availability'.
The tactic covers 14 techniques that were added in this update:
- Data Destruction
- Data Encrypted for Impact
- Defacement
- Disk Content Wipe
- Disk Structure Wipe
- Endpoint Denial of Service
- Firmware Corruption
- Inhibit System Recovery
- Network Denial of Service
- Resource Hijacking
- Runtime Data Manipulation
- Service Stop
- Stored Data Manipulation
- Transmitted Data Manipulation
Seven additional techniques were added:
- Compile After Delivery (Defense Evasion)
- Domain Generation Algorithms (Command and Control)
- Domain Trust Discovery (Discovery)
- Execution Guardrails (Defense Evasion)
- Group Policy Modification (Defense Evasion)
- Systemd Service (Persistence)
- Virtualization/Sandbox Evasion (Defense Evasion, Discovery)
The following techniques were updated:
- External Remote Services - Added to Initial Access Tactic
- Input Prompt - Added Windows and examples
- LLMNR/NBT-NS Poisoning and Relay - Broadened scope to include hash relay
- Masquerading - Broadened scope to include right-to-left override, added adversary examples of moving and renaming system utilities to avoid detection
- Office Application Startup - Broadened scope to include Outlook Rules, Forms, Home Page, and Add-in persistence variations
- PowerShell - Updated description to include use of System.Management.Automation
- Remote System Discovery - Updated description to include accessing local hosts file
- Security Software Discovery - Removed virtualization
- Signed Binary Proxy Execution - Added msiexec.exe and odbcconf.exe variations
- Supply Chain Compromise - Added compromise of open source dependencies
- Valid Accounts - Broke out specific account types in description to include default accounts, local accounts, and domain accounts
Added Digital Certificate Validation as a defense bypassed:
Miscellaneous minor changes:
- Brute Force - Minor description update
- Dynamic Data Exchange - Minor description update
- Exploit Public-Facing Application - Minor description update
- Screensaver - Minor description update
- Template Injection - Reference added
You can view the new and changed enterprise techniques in the ATT&CK Navigator by checking out the layer file we made available here. You can also check out a preview of the changes below! New techniques are green, and changed techniques are yellow.
PRE-ATT&CK
Technique deprecations:
- Domain Generation Algorithms (DGA) - Moved under Enterprise with a new definition
Mobile
New Techniques:
Groups
On both Group and Software pages, we have changed the term “Aliases” to “Associated Groups” and “Associated Software” respectively to better reflect what these terms represent. Analysts track clusters of activities using various analytic methodologies and terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. Some groups have multiple names associated with similar activities due to various organizations tracking similar activities by different names. Malware/software faces the same challenge with different organizations assigning different names to the same or similar samples. Organizations' group and software names may partially overlap with names designated by other organizations and may disagree on specific activity.
The MITRE ATT&CK team believes that tracking overlaps in activity for both groups and malware/software is useful to analysts, which is why we began tracking the “Aliases” field many years ago. While we always recognized that these were not true, complete “aliases,” we have realized that calling these “Aliases” only furthers the confusion over group naming. Thus, we have decided to change the field “Aliases” to “Associated Groups” and “Associated Software” to more accurately represent what we are trying to express. We make a best effort to track overlapping groups and software, but we do not represent these names as exact overlaps and encourage analysts to do additional research. If you have input on associated groups or software, please contact us.
Enterprise
New Groups:
Group changes:
- APT18
- APT19
- APT1
- APT28
- APT29
- APT32
- APT33
- APT37
- APT3
- Cobalt Group
- CopyKittens
- Darkhotel
- Dragonfly 2.0
- Equation
- FIN10
- FIN6
- FIN7
- Gorgon Group
- Ke3chang
- Lazarus Group
- Leafminer
- Leviathan
- Lotus Blossom
- MuddyWater
- Night Dragon
- OilRig
- PLATINUM
- Rancor
- Scarlet Mimic
- Turla
- menuPass
PRE-ATT&CK
New Groups:
Group changes:
Mobile
Group changes:
Software
Enterprise
New Software:
- Agent Tesla
- Astaroth
- AuditCred
- Azorult
- BONDUPDATER
- BadPatch
- Cannon
- Carbon
- Cardinal RAT
- Cobian RAT
- CoinTicker
- DarkComet
- Denis
- Ebury
- Emotet
- Empire
- Exaramel
- Expand
- Final1stspy
- GreyEnergy
- HOPLIGHT
- Impacket
- KONNI
- LaZagne
- Linux Rabbit
- LockerGoga
- Micropsia
- NOKKI
- NanoCore
- Nltest
- NotPetya
- OSX_OCEANLOTUS.D
- OceanSalt
- Octopus
- Olympic Destroyer
- POWERTON
- PoshC2
- RawDisk
- Remcos
- Remexi
- Ruler
- SamSam
- Seasalt
- SpeakUp
- Twitoor
- UBoatRAT
- WannaCry
- Xbash
- Zeus Panda
- zwShell
Software changes:
- BBSRAT
- BISCUIT
- BlackEnergy
- CALENDAR
- CCBkdr
- CHOPSTICK
- CORESHELL
- China Chopper
- Cobalt Strike
- CozyCar
- DOGCALL
- Duqu
- Dyre
- Elise
- Epic
- FELIXROOT
- FinFisher
- GravityRAT
- H1N1
- HTRAN
- JHUHUGIT
- Kazuar
- Mimikatz
- Net
- OopsIE
- POSHSPY
- POWERSTATS
- PlugX
- PowerDuke
- PowerSploit
- Proxysvc
- Pupy
- ROKRAT
- RogueRobin
- SDelete
- Shamoon
- Smoke Loader
- TrickBot
- WEBC2
- XAgentOSX
- XTunnel
- Zebrocy
- dsquery
- gh0st RAT
- jRAT
- yty
Mobile
Software changes: