Updates - April 2023

The April 2023 (v13) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v13 are the addition of detailed detection guidance to some Techniques in ATT&CK for Enterprise, Mobile Data Sources, and two new types of changelogs to help identify more precisely what has changed in ATT&CK. An accompanying blog post describes these changes as well as improvements across ATT&CK's various domains and platforms.

This release includes a new human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a new machine-readable JSON changelog, whose format is described in ATT&CK's Github. The terminology used in these release notes has also been updated to better describe the changes to various ATT&CK objects:

• New objects: ATT&CK objects which are only present in the new release.
• Major version changes: ATT&CK objects that have a major version change. (e.g., 1.0 → 2.0)
• Minor version changes: ATT&CK objects that have a minor version change. (e.g., 1.0 → 1.1)
• Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
• Object revocations: ATT&CK objects which are revoked by a different object.
• Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
• Object deletions: ATT&CK objects which are no longer found in the STIX data.

This version of ATT&CK for Enterprise contains 14 Tactics, 196 Techniques, 411 Sub-techniques, 138 Groups, 22 Campaigns, and 740 Pieces of Software.

Table of Contents

Techniques

Enterprise

New Techniques

• Acquire Access (v1.0)
• Acquire Infrastructure: Malvertising (v1.0)
• Cloud Administration Command (v1.0)
• Command and Scripting Interpreter: Cloud API (v1.0)
• Device Driver Discovery (v1.0)
• Exfiltration Over Web Service: Exfiltration to Text Storage Sites (v1.0)
• Impair Defenses: Spoof Security Alerting (v1.0)
• Masquerading: Masquerade File Type (v1.0)
• Modify Authentication Process: Network Provider DLL (v1.0)
• Obfuscated Files or Information: Command Obfuscation (v1.0)
• Obfuscated Files or Information: Fileless Storage (v1.0)
• Remote Services: Cloud Services (v1.0)
• Unsecured Credentials: Chat Messages (v1.0)

Major Version Changes

• Browser Information Discovery (v1.0→v2.0)

Minor Version Changes

• Abuse Elevation Control Mechanism (v1.0→v1.1)
• Bypass User Account Control (v2.0→v2.1)
• Access Token Manipulation: Create Process with Token (v1.1→v1.2)
• Access Token Manipulation: Make and Impersonate Token (v1.0→v1.1)
• Access Token Manipulation: Token Impersonation/Theft (v1.0→v1.1)
• Account Access Removal (v1.1→v1.2)
• Account Discovery (v2.3→v2.4)
• Domain Account (v1.1→v1.2)
• Local Account (v1.3→v1.4)
• Account Manipulation (v2.4→v2.5)
• Additional Cloud Credentials (v2.4→v2.5)
• Additional Cloud Roles (v2.1→v2.2)
• Device Registration (v1.0→v1.1)
• SSH Authorized Keys (v1.1→v1.2)
• Acquire Infrastructure (v1.1→v1.2)
• Server (v1.1→v1.2)
• Web Services (v1.1→v1.2)
• Application Layer Protocol (v2.0→v2.1)
• Web Protocols (v1.0→v1.1)
• Application Window Discovery (v1.2→v1.3)
• Archive Collected Data: Archive via Utility (v1.1→v1.2)
• Automated Exfiltration: Traffic Duplication (v1.1→v1.2)
• BITS Jobs (v1.3→v1.4)
• Brute Force (v2.4→v2.5)
• Credential Stuffing (v1.2→v1.3)
• Password Guessing (v1.3→v1.4)
• Password Spraying (v1.2→v1.3)
• Build Image on Host (v1.2→v1.3)
• Clipboard Data (v1.1→v1.2)
• Cloud Service Discovery (v1.2→v1.3)
• Command and Scripting Interpreter (v2.3→v2.4)
• PowerShell (v1.2→v1.3)
• Visual Basic (v1.3→v1.4)
• Compromise Accounts (v1.1→v1.2)
• Email Accounts (v1.0→v1.1)
• Compromise Infrastructure (v1.2→v1.3)
• Domains (v1.2→v1.3)
• Server (v1.1→v1.2)
• Web Services (v1.1→v1.2)
• Container Administration Command (v1.1→v1.2)
• Container and Resource Discovery (v1.0→v1.1)
• Create Account (v2.2→v2.3)
• Cloud Account (v1.2→v1.3)
• Local Account (v1.1→v1.2)
• Create or Modify System Process: Systemd Service (v1.2→v1.3)
• Create or Modify System Process: Windows Service (v1.2→v1.3)
• Data Encoding (v1.1→v1.2)
• Data from Local System (v1.5→v1.6)
• Deobfuscate/Decode Files or Information (v1.1→v1.2)
• Deploy Container (v1.1→v1.2)
• Disk Wipe (v1.0→v1.1)
• Disk Structure Wipe (v1.0→v1.1)
• Drive-by Compromise (v1.4→v1.5)
• Email Collection (v2.3→v2.4)
• Email Forwarding Rule (v1.2→v1.3)
• Escape to Host (v1.3→v1.4)
• Event Triggered Execution: Accessibility Features (v1.0→v1.1)
• Event Triggered Execution: AppInit DLLs (v1.0→v1.1)
• Event Triggered Execution: Component Object Model Hijacking (v1.0→v1.1)
• Event Triggered Execution: Screensaver (v1.0→v1.1)
• Event Triggered Execution: Windows Management Instrumentation Event Subscription (v1.2→v1.3)
• Exfiltration Over Alternative Protocol (v1.3→v1.4)
• Exfiltration Over Unencrypted Non-C2 Protocol (v2.0→v2.1)
• Exfiltration Over C2 Channel (v2.1→v2.2)
• Exploit Public-Facing Application (v2.3→v2.4)
• Exploitation for Privilege Escalation (v1.4→v1.5)
• File and Directory Permissions Modification: Windows File and Directory Permissions Modification (v1.1→v1.2)
• Forge Web Credentials (v1.2→v1.3)
• Gather Victim Identity Information: Credentials (v1.0→v1.1)
• Group Policy Discovery (v1.0→v1.1)
• Hide Artifacts: Email Hiding Rules (v1.1→v1.2)
• Impair Defenses (v1.3→v1.4)
• Disable Cloud Logs (v1.2→v1.3)
• Disable Windows Event Logging (v1.1→v1.2)
• Disable or Modify Cloud Firewall (v1.1→v1.2)
• Disable or Modify System Firewall (v1.0→v1.1)
• Disable or Modify Tools (v1.3→v1.4)
• Indicator Blocking (v1.1→v1.2)
• Indicator Removal (v2.0→v2.1)
• Clear Command History (v1.3→v1.4)
• Clear Mailbox Data (v1.0→v1.1)
• Clear Persistence (v1.0→v1.1)
• Clear Windows Event Logs (v1.1→v1.2)
• Network Share Connection Removal (v1.0→v1.1)
• Ingress Tool Transfer (v2.1→v2.2)
• Inhibit System Recovery (v1.1→v1.2)
• Masquerading (v1.4→v1.5)
• Rename System Utilities (v1.0→v1.1)
• Modify Authentication Process (v2.2→v2.3)
• Modify Registry (v1.2→v1.3)
• Multi-Factor Authentication Interception (v2.0→v2.1)
• Network Sniffing (v1.3→v1.4)
• Non-Application Layer Protocol (v2.1→v2.2)
• Non-Standard Port (v1.0→v1.1)
• OS Credential Dumping: LSASS Memory (v1.1→v1.2)
• OS Credential Dumping: Proc Filesystem (v1.0→v1.1)
• Obfuscated Files or Information (v1.3→v1.4)
• Permission Groups Discovery (v2.4→v2.5)
• Cloud Groups (v1.3→v1.4)
• Domain Groups (v1.1→v1.2)
• Local Groups (v1.1→v1.2)
• Phishing (v2.2→v2.3)
• Spearphishing Link (v2.3→v2.4)
• Phishing for Information (v1.1→v1.2)
• Spearphishing Link (v1.3→v1.4)
• Process Discovery (v1.2→v1.3)
• Query Registry (v1.2→v1.3)
• Remote Services (v1.2→v1.3)
• Distributed Component Object Model (v1.1→v1.2)
• SMB/Windows Admin Shares (v1.0→v1.1)
• Scheduled Task/Job: Container Orchestration Job (v1.2→v1.3)
• Scheduled Task/Job: Scheduled Task (v1.2→v1.3)
• Software Discovery: Security Software Discovery (v1.3→v1.4)
• Stage Capabilities: Drive-by Target (v1.2→v1.3)
• Stage Capabilities: Link Target (v1.2→v1.3)
• Stage Capabilities: Upload Malware (v1.1→v1.2)
• Steal or Forge Authentication Certificates (v1.0→v1.1)
• System Binary Proxy Execution: CMSTP (v2.0→v2.1)
• System Binary Proxy Execution: Compiled HTML File (v2.0→v2.1)
• System Binary Proxy Execution: Regsvr32 (v2.0→v2.1)
• System Binary Proxy Execution: Rundll32 (v2.0→v2.1)
• System Owner/User Discovery (v1.3→v1.4)
• System Service Discovery (v1.4→v1.5)
• System Shutdown/Reboot (v1.2→v1.3)
• System Time Discovery (v1.2→v1.3)
• Unsecured Credentials (v1.2→v1.3)
• Cloud Instance Metadata API (v1.3→v1.4)
• Container API (v1.1→v1.2)
• Private Keys (v1.0→v1.1)
• Use Alternate Authentication Material: Application Access Token (v1.4→v1.5)
• User Execution: Malicious File (v1.2→v1.3)
• Valid Accounts (v2.5→v2.6)
• Cloud Accounts (v1.4→v1.5)
• Domain Accounts (v1.2→v1.3)
• Local Accounts (v1.2→v1.3)
• Windows Management Instrumentation (v1.2→v1.3)

Patches

• Abuse Elevation Control Mechanism: Setuid and Setgid (v1.1)
• Access Token Manipulation (v2.0)
• Acquire Infrastructure: Domains (v1.2)
• Active Scanning: Vulnerability Scanning (v1.0)
• Adversary-in-the-Middle (v2.2)
• Audio Capture (v1.0)
• Boot or Logon Autostart Execution (v1.1)
• Active Setup (v1.0)
• Registry Run Keys / Startup Folder (v1.2)
• Shortcut Modification (v1.2)
• Winlogon Helper DLL (v1.0)
• Boot or Logon Initialization Scripts (v2.1)
• Brute Force: Password Cracking (v1.2)
• Create or Modify System Process: Launch Daemon (v1.2)
• Data Encoding: Standard Encoding (v1.0)
• Data from Network Shared Drive (v1.3)
• Disk Wipe: Disk Content Wipe (v1.0)
• Domain Policy Modification: Group Policy Modification (v1.0)
• Endpoint Denial of Service (v1.1)
• OS Exhaustion Flood (v1.2)
• Service Exhaustion Flood (v1.3)
• Event Triggered Execution: Change Default File Association (v1.0)
• External Remote Services (v2.4)
• File and Directory Discovery (v1.5)
• Hardware Additions (v1.6)
• Hijack Execution Flow: DLL Search Order Hijacking (v1.1)
• Hijack Execution Flow: DLL Side-Loading (v2.0)
• Hijack Execution Flow: Dylib Hijacking (v2.0)
• Hijack Execution Flow: Dynamic Linker Hijacking (v2.0)
• Hijack Execution Flow: Path Interception by PATH Environment Variable (v1.0)
• Hijack Execution Flow: Path Interception by Search Order Hijacking (v1.0)
• Hijack Execution Flow: Path Interception by Unquoted Path (v1.1)
• Hijack Execution Flow: Services File Permissions Weakness (v1.0)
• Hijack Execution Flow: Services Registry Permissions Weakness (v1.1)
• Impair Defenses: Impair Command History Logging (v2.2)
• Input Capture (v1.2)
• GUI Input Capture (v1.2)
• Keylogging (v1.1)
• Web Portal Capture (v1.0)
• Masquerading: Match Legitimate Name or Location (v1.1)
• Masquerading: Space after Filename (v1.0)
• Modify Authentication Process: Multi-Factor Authentication (v1.0)
• Multi-Factor Authentication Request Generation (v1.0)
• Network Denial of Service: Direct Network Flood (v1.3)
• Network Denial of Service: Reflection Amplification (v1.3)
• Network Service Discovery (v3.0)
• Network Share Discovery (v3.1)
• Obfuscated Files or Information: Binary Padding (v1.2)
• Obfuscated Files or Information: Software Packing (v1.2)
• Obfuscated Files or Information: Steganography (v1.2)
• Peripheral Device Discovery (v1.3)
• Phishing: Spearphishing Attachment (v2.2)
• Phishing: Spearphishing via Service (v2.0)
• Pre-OS Boot: Bootkit (v1.1)
• Pre-OS Boot: System Firmware (v1.0)
• Process Injection (v1.3)
• Proxy: Domain Fronting (v1.1)
• Remote Services: Remote Desktop Protocol (v1.1)
• Remote Services: SSH (v1.1)
• Remote Services: VNC (v1.1)
• Remote System Discovery (v3.4)
• Rootkit (v1.1)
• Scheduled Task/Job (v2.2)
• Screen Capture (v1.1)
• Server Software Component: Web Shell (v1.3)
• Software Deployment Tools (v2.1)
• Software Discovery (v1.3)
• Stage Capabilities: SEO Poisoning (v1.0)
• Steal or Forge Kerberos Tickets (v1.4)
• Kerberoasting (v1.2)
• Subvert Trust Controls: Install Root Certificate (v1.1)
• Subvert Trust Controls: Mark-of-the-Web Bypass (v1.1)
• Supply Chain Compromise (v1.5)
• System Information Discovery (v2.5)
• System Network Configuration Discovery (v1.5)
• Taint Shared Content (v1.3)
• Unsecured Credentials: Credentials In Files (v1.1)
• Use Alternate Authentication Material: Pass the Hash (v1.1)
• Use Alternate Authentication Material: Pass the Ticket (v1.1)
• Use Alternate Authentication Material: Web Session Cookie (v1.3)
• Valid Accounts: Default Accounts (v1.2)
• Video Capture (v1.1)

Mobile

Minor Version Changes

• Abuse Elevation Control Mechanism (v1.0→v1.1)
• Device Administrator Permissions (v1.0→v1.1)
• Access Notifications (v1.1→v1.2)
• Account Access Removal (v1.0→v1.1)
• Adversary-in-the-Middle (v2.0→v2.1)
• Audio Capture (v3.0→v3.1)
• Boot or Logon Initialization Scripts (v2.0→v2.1)
• Call Control (v1.0→v1.1)
• Clipboard Data (v3.0→v3.1)
• Command and Scripting Interpreter (v1.0→v1.1)
• Unix Shell (v1.0→v1.1)
• Compromise Client Software Binary (v1.0→v1.1)
• Credentials from Password Store (v1.0→v1.1)
• Keychain (v1.0→v1.1)
• Data Encrypted for Impact (v3.1→v3.2)
• Data Manipulation (v1.0→v1.1)
• Transmitted Data Manipulation (v1.0→v1.1)
• Download New Code at Runtime (v1.3→v1.4)
• Drive-By Compromise (v2.0→v2.1)
• Endpoint Denial of Service (v1.0→v1.1)
• Event Triggered Execution (v1.0→v1.1)
• Broadcast Receivers (v1.0→v1.1)
• Execution Guardrails (v1.0→v1.1)
• Geofencing (v1.0→v1.1)
• Exploitation for Privilege Escalation (v2.0→v2.1)
• Exploitation of Remote Services (v1.1→v1.2)
• File and Directory Discovery (v1.1→v1.2)
• Foreground Persistence (v2.0→v2.1)
• Generate Traffic from Victim (v1.0→v1.1)
• Hide Artifacts (v1.0→v1.1)
• Suppress Application Icon (v1.0→v1.1)
• Hijack Execution Flow (v1.0→v1.1)
• System Runtime API Hijacking (v1.0→v1.1)
• Impair Defenses (v1.0→v1.1)
• Device Lockout (v1.0→v1.1)
• Disable or Modify Tools (v1.0→v1.1)
• Prevent Application Removal (v1.0→v1.1)
• Indicator Removal on Host (v1.0→v1.1)
• Disguise Root/Jailbreak Indicators (v1.0→v1.1)
• File Deletion (v1.0→v1.1)
• Uninstall Malicious Application (v1.0→v1.1)
• Ingress Tool Transfer (v2.0→v2.1)
• Input Capture (v2.2→v2.3)
• GUI Input Capture (v1.0→v1.1)
• Keylogging (v1.0→v1.1)
• Location Tracking (v1.1→v1.2)
• Impersonate SS7 Nodes (v1.0→v1.1)
• Remote Device Management Services (v1.0→v1.1)
• Network Denial of Service (v1.2→v1.3)
• Non-Standard Port (v2.0→v2.1)
• Obfuscated Files or Information: Software Packing (v1.0→v1.1)
• Out of Band Data (v2.0→v2.1)
• Process Discovery (v2.0→v2.1)
• Process Injection (v1.0→v1.1)
• Ptrace System Calls (v1.0→v1.1)
• Protected User Data (v1.0→v1.1)
• Calendar Entries (v1.0→v1.1)
• Call Log (v1.0→v1.1)
• Contact List (v1.0→v1.1)
• SMS Messages (v1.0→v1.1)
• Proxy Through Victim (v1.0→v1.1)
• SMS Control (v1.0→v1.1)
• Screen Capture (v1.2→v1.3)
• Software Discovery (v2.0→v2.1)
• Security Software Discovery (v1.0→v1.1)
• Steal Application Access Token (v1.0→v1.1)
• URI Hijacking (v1.0→v1.1)
• Stored Application Data (v3.0→v3.1)
• Subvert Trust Controls (v1.0→v1.1)
• Code Signing Policy Modification (v1.0→v1.1)
• Supply Chain Compromise (v2.0→v2.1)
• Compromise Hardware Supply Chain (v1.0→v1.1)
• Compromise Software Dependencies and Development Tools (v1.0→v1.1)
• Compromise Software Supply Chain (v1.0→v1.1)
• System Network Configuration Discovery (v2.2→v2.3)
• Video Capture (v2.0→v2.1)
• Virtualization/Sandbox Evasion (v1.0→v1.1)
• System Checks (v1.0→v1.1)
• Web Service (v1.1→v1.2)
• Bidirectional Communication (v1.0→v1.1)
• Dead Drop Resolver (v1.0→v1.1)
• One-Way Communication (v1.0→v1.1)

ICS

New Techniques

• Change Credential (v1.0)
• Data from Local System (v1.0)

Minor Version Changes

• Alarm Suppression (v1.1→v1.2)
• Brute Force I/O (v1.0→v1.1)
• Damage to Property (v1.0→v1.1)
• Data from Information Repositories (v1.1→v1.2)
• Denial of Control (v1.0→v1.1)
• Denial of Service (v1.0→v1.1)
• Denial of View (v1.0→v1.1)
• External Remote Services (v1.0→v1.1)
• Hooking (v1.1→v1.2)
• Modify Alarm Settings (v1.1→v1.2)
• Modify Parameter (v1.1→v1.2)
• Rogue Master (v1.1→v1.2)
• Spoof Reporting Message (v1.1→v1.2)
• Transient Cyber Asset (v1.1→v1.2)
• Unauthorized Command Message (v1.1→v1.2)
• Wireless Compromise (v1.1→v1.2)

Patches

• Adversary-in-the-Middle (v2.0)
• Automated Collection (v1.0)
• Change Operating Mode (v1.0)
• Command-Line Interface (v1.1)
• Commonly Used Port (v1.1)
• Connection Proxy (v1.1)
• Default Credentials (v1.0)
• Detect Operating Mode (v1.0)
• Drive-by Compromise (v1.0)
• Execution through API (v1.1)
• Exploit Public-Facing Application (v1.0)
• Exploitation for Evasion (v1.1)
• Exploitation of Remote Services (v1.0)
• Graphical User Interface (v1.1)
• Hardcoded Credentials (v1.0)
• I/O Image (v1.1)
• Indicator Removal on Host (v1.0)
• Internet Accessible Device (v1.0)
• Lateral Tool Transfer (v1.1)
• Loss of Availability (v1.0)
• Loss of Control (v1.0)
• Loss of Productivity and Revenue (v1.0)
• Loss of Protection (v1.0)
• Loss of Safety (v1.0)
• Loss of View (v1.0)
• Manipulation of Control (v1.0)
• Manipulation of View (v1.0)
• Masquerading (v1.1)
• Modify Controller Tasking (v1.1)
• Modify Program (v1.1)
• Module Firmware (v1.1)
• Monitor Process State (v1.0)
• Native API (v1.0)
• Network Connection Enumeration (v1.1)
• Network Sniffing (v1.0)
• Point & Tag Identification (v1.1)
• Program Download (v1.1)
• Program Upload (v1.0)
• Project File Infection (v1.0)
• Remote Services (v1.1)
• Remote System Discovery (v1.1)
• Remote System Information Discovery (v1.1)
• Replication Through Removable Media (v1.0)
• Rootkit (v1.1)
• Screen Capture (v1.0)
• Scripting (v1.0)
• Spearphishing Attachment (v1.1)
• Standard Application Layer Protocol (v1.0)
• Supply Chain Compromise (v1.1)
• System Firmware (v1.1)
• Theft of Operational Information (v1.0)
• User Execution (v1.1)
• Valid Accounts (v1.1)
• Wireless Sniffing (v1.1)

Software

Enterprise

New Software

• AvosLocker (v1.0)
• Black Basta (v1.0)
• BlackCat (v1.0)
• Brute Ratel C4 (v1.0)
• DEADEYE (v1.0)
• DarkTortilla (v1.0)
• Industroyer2 (v1.0)
• KEYPLUG (v1.0)
• Mafalda (v1.0)
• Prestige (v1.0)
• Royal (v1.0)
• Rubeus (v1.0)
• SVCReady (v1.0)
• Woody RAT (v1.0)
• metaMain (v1.0)

Minor Version Changes

• AADInternals (v1.1→v1.2)
• AdFind (v1.1→v1.2)
• Astaroth (v2.0→v2.1)
• BackConfig (v1.0→v1.1)
• BloodHound (v1.3→v1.4)
• CARROTBAT (v1.0→v1.1)
• CHOPSTICK (v2.2→v2.3)
• Chaes (v1.0→v1.1)
• China Chopper (v2.3→v2.4)
• Cobalt Strike (v1.9→v1.10)
• ComRAT (v1.3→v1.4)
• CookieMiner (v1.0→v1.1)
• DRATzarus (v1.0→v1.1)
• DarkWatchman (v1.0→v1.1)
• Denis (v1.1→v1.2)
• Emotet (v1.3→v1.4)
• Empire (v1.5→v1.6)
• Exaramel for Windows (v2.1→v2.2)
• FruitFly (v1.1→v1.2)
• Gelsemium (v1.0→v1.1)
• GoldFinder (v1.0→v1.1)
• GoldMax (v2.0→v2.1)
• Grandoreiro (v1.0→v1.1)
• HOPLIGHT (v1.1→v1.2)
• IceApple (v1.0→v1.1)
• Impacket (v1.3→v1.4)
• KOCTOPUS (v1.1→v1.2)
• LaZagne (v1.3→v1.4)
• LoudMiner (v1.2→v1.3)
• Machete (v2.0→v2.1)
• Mimikatz (v1.6→v1.7)
• Mosquito (v1.1→v1.2)
• NETWIRE (v1.4→v1.5)
• Net (v2.3→v2.4)
• Netwalker (v1.0→v1.1)
• POWERSTATS (v2.2→v2.3)
• Pillowmint (v1.1→v1.2)
• Ping (v1.2→v1.3)
• PipeMon (v1.0→v1.1)
• PlugX (v3.0→v3.1)
• PoetRAT (v2.1→v2.2)
• PolyglotDuke (v1.0→v1.1)
• PowerLess (v1.0→v1.1)
• PowerPunch (v1.0→v1.1)
• PowerSploit (v1.5→v1.6)
• PsExec (v1.3→v1.4)
• QUADAGENT (v1.1→v1.2)
• QakBot (v1.0→v1.1)
• RCSession (v1.0→v1.1)
• REvil (v2.0→v2.1)
• Raindrop (v1.1→v1.2)
• RegDuke (v1.0→v1.1)
• Remsec (v1.1→v1.2)
• Responder (v1.1→v1.2)
• RogueRobin (v2.1→v2.2)
• S-Type (v1.2→v1.3)
• SHARPSTATS (v1.0→v1.1)
• SMOKEDHAM (v1.1→v1.2)
• SQLRat (v1.1→v1.2)
• SUNBURST (v2.3→v2.4)
• SUNSPOT (v1.1→v1.2)
• ServHelper (v1.1→v1.2)
• ShadowPad (v1.1→v1.2)
• Sibot (v1.0→v1.1)
• Sliver (v1.0→v1.1)
• Stuxnet (v1.2→v1.3)
• SysUpdate (v1.0→v1.1)
• Systeminfo (v1.1→v1.2)
• TEARDROP (v1.1→v1.2)
• TYPEFRAME (v1.1→v1.2)
• ThreatNeedle (v1.0→v1.1)
• TinyTurla (v1.0→v1.1)
• Torisma (v1.0→v1.1)
• TrailBlazer (v1.0→v1.1)
• Ursnif (v1.3→v1.4)
• Valak (v1.2→v1.3)
• Volgmer (v1.1→v1.2)
• WhisperGate (v1.0→v1.1)
• Zeus Panda (v1.2→v1.3)
• certutil (v1.2→v1.3)
• dsquery (v1.3→v1.4)
• netsh (v1.1→v1.2)

Patches

• CORESHELL (v2.1)
• ChChes (v1.1)
• Conficker (v1.0)
• ConnectWise (v1.0)
• Crimson (v1.3)
• Derusbi (v1.2)
• Duqu (v1.2)
• EKANS (v2.0)
• EvilGrab (v1.1)
• HDoor (v1.0)
• Hikit (v1.3)
• Hydraq (v2.0)
• KeyBoy (v1.2)
• KillDisk (v1.1)
• LockerGoga (v2.0)
• Ngrok (v1.1)
• NotPetya (v2.0)
• OLDBAIT (v1.1)
• PoisonIvy (v2.1)
• Rclone (v1.0)
• RedLeaves (v1.1)
• Remcos (v1.3)
• SILENTTRINITY (v1.0)
• TrickBot (v2.0)
• WannaCry (v1.1)
• Winnti for Windows (v3.0)
• YAHOYAH (v1.1)
• Zox (v1.0)
• ZxShell (v1.2)
• gh0st RAT (v3.1)

Mobile

New Software

• AbstractEmu (v1.0)
• Drinik (v1.0)
• FluBot (v1.0)
• S.O.V.A. (v1.0)
• SharkBot (v1.0)
• TangleBot (v1.0)
• TianySpy (v1.0)

Major Version Changes

• YiSpecter (v1.0→v2.0)

Minor Version Changes

• Bread (v1.1→v1.2)
• HummingBad (v1.0→v1.1)

Patches

• BusyGasper (v1.0)

ICS

New Software

• Industroyer2 (v1.0)

Minor Version Changes

• REvil (v2.0→v2.1)
• Stuxnet (v1.2→v1.3)

Patches

• Conficker (v1.0)
• Duqu (v1.2)
• EKANS (v2.0)
• INCONTROLLER (v1.0)
• KillDisk (v1.1)
• LockerGoga (v2.0)
• NotPetya (v2.0)
• Triton (v1.0)
• WannaCry (v1.1)

Groups

Enterprise

New Groups

• CURIUM (v1.0)
• LuminousMoth (v1.0)
• Metador (v1.0)

Major Version Changes

• APT29 (v3.1→v4.0)
• GOLD SOUTHFIELD (v1.1→v2.0)
• Sandworm Team (v2.2→v3.0)

Minor Version Changes

• APT19 (v1.4→v1.5)
• APT32 (v2.5→v2.6)
• APT41 (v3.0→v3.1)
• Aquatic Panda (v1.0→v1.1)
• Chimera (v2.1→v2.2)
• Cobalt Group (v2.0→v2.1)
• Ember Bear (v1.0→v1.1)
• FIN6 (v3.2→v3.3)
• FIN7 (v2.1→v2.2)
• FIN8 (v1.2→v1.3)
• Fox Kitten (v1.0→v1.1)
• Gamaredon Group (v2.0→v2.1)
• HAFNIUM (v1.2→v1.3)
• HEXANE (v2.0→v2.1)
• LAPSUS$ (v1.0→v1.1)
• Lazarus Group (v3.1→v3.2)
• LazyScripter (v1.0→v1.1)
• Leafminer (v2.3→v2.4)
• Magic Hound (v5.0→v5.1)
• MuddyWater (v4.0→v4.1)
• Mustang Panda (v2.0→v2.1)
• OilRig (v3.0→v3.1)
• Patchwork (v1.4→v1.5)
• Sidewinder (v1.0→v1.1)
• Silence (v2.1→v2.2)
• TA505 (v2.0→v2.1)
• TA551 (v1.1→v1.2)
• Threat Group-3390 (v2.0→v2.1)
• Turla (v3.0→v3.1)
• Wizard Spider (v2.0→v2.1)
• ZIRCONIUM (v1.0→v1.1)

Patches

• APT28 (v4.0)
• APT33 (v1.4)
• Andariel (v1.0)
• Axiom (v2.0)
• Dragonfly (v3.1)
• FIN4 (v1.2)
• Kimsuky (v3.1)
• TEMP.Veles (v1.3)
• Winnti Group (v1.2)
• menuPass (v2.1)

Mobile

Major Version Changes

• Sandworm Team (v2.2→v3.0)

Patches

• APT28 (v4.0)

ICS

Major Version Changes

• GOLD SOUTHFIELD (v1.1→v2.0)
• Sandworm Team (v2.2→v3.0)

Minor Version Changes

• FIN6 (v3.2→v3.3)
• FIN7 (v2.1→v2.2)
• HEXANE (v2.0→v2.1)
• Lazarus Group (v3.1→v3.2)
• OilRig (v3.0→v3.1)
• Wizard Spider (v2.0→v2.1)

Patches

• APT33 (v1.4)
• Dragonfly (v3.1)
• TEMP.Veles (v1.3)

Campaigns

Enterprise

New Campaigns

• 2016 Ukraine Electric Power Attack (v1.0)
• C0017 (v1.0)
• C0018 (v1.0)
• C0021 (v1.0)
• Operation Dream Job (v1.0)
• Operation Ghost (v1.0)
• SolarWinds Compromise (v1.0)

Minor Version Changes

• Frankenstein (v1.0→v1.1)
• Operation CuckooBees (v1.0→v1.1)
• Operation Wocao (v1.0→v1.1)

Mobile

ICS

New Campaigns

• 2016 Ukraine Electric Power Attack (v1.0)
• Maroochy Water Breach (v1.0)

Mitigations

Enterprise

Minor Version Changes

• Audit (v1.1→v1.2)
• Operating System Configuration (v1.1→v1.2)
• Restrict Registry Permissions (v1.0→v1.1)

Mobile

ICS

New Mitigations

• Validate Program Inputs (v1.0)

Minor Version Changes

• Static Network Configuration (v1.0→v1.1)

Patches

• Access Management (v1.0)
• Account Use Policies (v1.0)
• Antivirus/Antimalware (v1.0)
• Application Developer Guidance (v1.0)
• Application Isolation and Sandboxing (v1.0)
• Audit (v1.0)
• Authorization Enforcement (v1.0)
• Boot Integrity (v1.0)
• Code Signing (v1.0)
• Communication Authenticity (v1.0)
• Data Backup (v1.0)
• Data Loss Prevention (v1.0)
• Disable or Remove Feature or Program (v1.0)
• Encrypt Network Traffic (v1.0)
• Encrypt Sensitive Information (v1.0)
• Execution Prevention (v1.0)
• Exploit Protection (v1.0)
• Filter Network Traffic (v1.0)
• Human User Authentication (v1.0)
• Limit Access to Resource Over Network (v1.0)
• Limit Hardware Installation (v1.0)
• Minimize Wireless Signal Propagation (v1.0)
• Multi-factor Authentication (v1.0)
• Network Allowlists (v1.0)
• Network Intrusion Prevention (v1.0)
• Network Segmentation (v1.0)
• Operating System Configuration (v1.0)
• Operational Information Confidentiality (v1.0)
• Out-of-Band Communications Channel (v1.0)
• Password Policies (v1.0)
• Privileged Account Management (v1.0)
• Redundancy of Service (v1.0)
• Restrict File and Directory Permissions (v1.0)
• Restrict Library Loading (v1.0)
• Restrict Registry Permissions (v1.0)
• Restrict Web-Based Content (v1.0)
• Software Configuration (v1.0)
• Software Process and Device Authentication (v1.0)
• Supply Chain Management (v1.0)
• Update Software (v1.0)
• User Account Management (v1.0)
• User Training (v1.0)
• Vulnerability Scanning (v1.0)
• Watchdog Timers (v1.0)

Data Sources

Enterprise

Patches

• Command (v1.1)
• File (v1.0)
• Logon Session (v1.1)
• Malware Repository (v1.1)
• Network Traffic (v1.1)
• Process (v1.1)
• Script (v1.1)
• Sensor Health (v1.1)
• User Account (v1.1)

Mobile

New Data Sources

• Application Vetting (v1.0)
• Command (v1.1)
• Network Traffic (v1.1)
• Process (v1.1)
• Sensor Health (v1.1)
• User Interface (v1.0)

ICS

Patches

• Asset (v1.0)
• Command (v1.1)
• File (v1.0)
• Logon Session (v1.1)
• Network Traffic (v1.1)
• Operational Databases (v1.0)
• Process (v1.1)
• Script (v1.1)
• User Account (v1.1)

Data Components

Enterprise

Patches

• OS API Execution (v1.0)

Mobile

New Data Components

• API Calls (v1.0)
• Command Execution (v1.1)
• Host Status (v1.1)
• Network Communication (v1.0)
• Network Connection Creation (v1.1)
• Network Traffic Content (v1.0)
• Network Traffic Flow (v1.0)
• Permissions Request (v1.0)
• Permissions Requests (v1.0)
• Process Creation (v1.1)
• Process Metadata (v1.0)
• Process Termination (v1.0)
• Protected Configuration (v1.0)
• System Notifications (v1.0)
• System Settings (v1.0)

ICS

Patches

• OS API Execution (v1.0)

Contributors to this release

• Adam Lichters
• Adrien Bataille
• Akiko To, NEC Corporation
• Akshat Pradhan, Qualys
• Anders Vejlby
• Austin Clark, @c2defense
• Ben Smith
• Bryan Onel
• Caio Silva
• Center for Threat-Informed Defense (CTID)
• Christopher Peacock
• Cisco
• CrowdStrike Falcon OverWatch
• Daniel Acevedo, @darmad0, ARMADO
• Daniyal Naeem, BT Security
• Denise Tan
• Dor Edry, Microsoft
• Douglas Weir
• Duane Michael
• Dylan
• Elpidoforos Maragkos, @emaragkos
• Emad Al-Mousa, Saudi Aramco
• ExtraHop
• Felix Eberstaller
• Filip Kafka, ESET
• Flavio Costa, Cisco
• Gavin Knapp
• George Thomas
• Goldstein Menachem
• Hiroki Nagahama, NEC Corporation
• Hubert Mank
• Inna Danilevich, U.S Bank
• Jared Wilson
• Jason Sevilla
• Jeffrey Barto
• Jeremy Kennelly
• Jimmy Wylie, Dragos, Inc.
• Joas Antonio dos Santos, @C0d3Cr4zy
• Joe Gumke, U.S. Bank
• Jonny Johnson
• Josh Arenas, Trustwave Spiderlabs
• Juan Carlos Campuzano - Mnemo-CERT
• Kuessner Consulting
• Kyaw Pyiyt Htet, @KyawPyiytHtet
• Liora Itkin
• Liran Ravich, CardinalOps
• Lucas Heiligenstein
• Manikantan Srinivasan, NEC Corporation India
• Marcus Weeks
• Mark Wee
• Massimiliano Romano, BT Security
• Mathieu Hinse
• Matt Brenton, Zurich Global Information Security
• Mayuresh Dani, Qualys
• Mindaugas Gudzis, BT Security
• Miroslav Babiš, ESET
• Muhammad Moiz Arshad, @5T34L7H
• Nader Zaveri
• Nichols Jasper
• Ohad Zaidenberg, @ohad_mz
• Ozan Olali
• Pallavi Sivakumaran
• Pooja Natarajan, NEC Corporation India
• Ross Brittain
• Scott Cook, Capital One
• Shailesh Tiwary (Indian Army)
• Simona David
• Sittikorn Sangrattanapitak
• Thanabodi
• Tim (Wadhwa-)Brown
• Tim Peck
• Tom Hegel
• Tristan Bennett, Seamless Intelligence
• TruKno
• Vinayak Wadhwa, SAFE Security
• Wataru Takahashi, NEC Corporation
• Yinon Engelsman, Talon Cyber Security
• Yonatan Gotlib, Talon Cyber Security
• Yoshihiro Kori, NEC Corporation
• Zaw Min Htun, @Z3TAE
• Zuzana Legáthová, ESET