Updates - April 2025

The April 2025 (v17) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS.

The biggest changes in ATT&CK v17 are the addition of an ESXi platform to ATT&CK's Enterprise domain describing adversary activity taking place on the VMWare ESXi hypervisor, a dramatic improvement of Enterprise Mitigation descriptions, and the renaming of the Network platform to Network Devices in order to more clearly communicate the scope of the platform. An accompanying blog post describes these changes as well as additional improvements across ATT&CK's various domains and platforms.

In this release we have revoked Hijack Execution Flow: DLL Side-Loading and merged it into Hijack Execution Flow: DLL, which itself was renamed from Hijack Execution Flow: DLL Search Order Hijacking. This change was made to reflect the previously overlapping scope of the two sub-techniques and frequent confusion between them.

This release also includes a human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a machine-readable JSON changelog, whose format is described in ATT&CK's Github.

This version of ATT&CK contains 877 Pieces of Software, 170 Groups, and 50 Campaigns
Broken out by domain:

• Enterprise: 14 Tactics, 211 Techniques, 468 Sub-Techniques, 166 Groups, 755 Pieces of Software, 47 Campaigns, 44 Mitigations, and 37 Data Sources
• Mobile: 12 Tactics, 75 Techniques, 46 Sub-Techniques, 15 Groups, 118 Pieces of Software, 3 Campaigns, 13 Mitigations, and 6 Data Sources
• ICS: 12 Tactics, 83 Techniques, 0 Sub-Techniques, 14 Groups, 23 Pieces of Software, 7 Campaigns, 52 Mitigations, 14 Assets, and 17 Data Sources

Release Notes Terminology

• New: ATT&CK objects which are only present in the new release.
• Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
• Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
• Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
• Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something immaterial like a typo, a URL, or some metadata was fixed)
• Revocations: ATT&CK objects which are revoked by a different object.
• Deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
• Deletions: ATT&CK objects which are no longer found in the STIX data.

Table of Contents

Techniques

Enterprise

New Techniques

• Cloud Application Integration (v1.0)
• Command and Scripting Interpreter: Hypervisor CLI (v1.0)
• ESXi Administration Command (v1.0)
• Email Bombing (v1.0)
• Email Spoofing (v1.0)
• Exclusive Control (v1.0)
• Hide Artifacts: Bind Mounts (v1.0)
• Hide Artifacts: Extended Attributes (v1.0)
• Input Injection (v1.0)
• Masquerading: Overwrite Process Arguments (v1.0)
• Obfuscated Files or Information: Compression (v1.0)
• Obfuscated Files or Information: Junk Code Insertion (v1.0)
• Obfuscated Files or Information: SVG Smuggling (v1.0)
• Remote Access Tools: IDE Tunneling (v1.0)
• Remote Access Tools: Remote Access Hardware (v1.0)
• Remote Access Tools: Remote Desktop Software (v1.0)
• Server Software Component: vSphere Installation Bundles (v1.0)
• Software Extensions: Browser Extensions (v1.0)
• Software Extensions: IDE Extensions (v1.0)
• System Services: Systemctl (v1.0)
• Trusted Developer Utilities Proxy Execution: JamPlus (v1.0)
• User Execution: Malicious Copy and Paste (v1.0)
• Virtual Machine Discovery (v1.0)
• Wi-Fi Networks (v1.0)

Major Version Changes

• Hijack Execution Flow: DLL (v1.3→v2.0)
• Masquerading: Match Legitimate Resource Name or Location (v1.2→v2.0)
• Masquerading: Rename Legitimate Utilities (v1.1→v2.0)
• Modify Registry (v1.4→v2.0)
• Remote Access Tools (v2.3→v3.0)
• Software Extensions (v1.3→v2.0)

Minor Version Changes

• Abuse Elevation Control Mechanism (v1.4→v1.5)
  • Bypass User Account Control (v2.1→v2.2)
  • Elevated Execution with Prompt (v1.0→v1.1)
  • Setuid and Setgid (v1.1→v1.2)
  • Sudo and Sudo Caching (v1.0→v1.1)
• Access Token Manipulation (v2.0→v2.1)
  • Create Process with Token (v1.2→v1.3)
  • Make and Impersonate Token (v1.1→v1.2)
  • Parent PID Spoofing (v1.0→v1.1)
  • SID-History Injection (v1.0→v1.1)
  • Token Impersonation/Theft (v1.2→v1.3)
• Account Access Removal (v1.3→v1.4)
• Account Discovery (v2.5→v2.6)
  • Local Account (v1.4→v1.5)
• Account Manipulation (v2.7→v2.8)
  • SSH Authorized Keys (v1.3→v1.4)
• Acquire Infrastructure: Botnet (v1.0→v1.1)
• Acquire Infrastructure: Web Services (v1.2→v1.3)
• Adversary-in-the-Middle (v2.4→v2.5)
  • Evil Twin (v1.0→v1.1)
• Application Layer Protocol (v2.3→v2.4)
  • DNS (v1.2→v1.3)
  • File Transfer Protocols (v1.2→v1.3)
  • Mail Protocols (v1.1→v1.2)
  • Publish/Subscribe Protocols (v1.0→v1.1)
  • Web Protocols (v1.3→v1.4)
• Automated Collection (v1.3→v1.4)
• Automated Exfiltration (v1.2→v1.3)
  • Traffic Duplication (v1.3→v1.4)
• BITS Jobs (v1.4→v1.5)
• Boot or Logon Autostart Execution (v1.2→v1.3)
  • Active Setup (v1.0→v1.1)
  • Authentication Package (v1.0→v1.1)
  • Kernel Modules and Extensions (v1.3→v1.4)
  • LSASS Driver (v1.0→v1.1)
  • Login Items (v1.0→v1.1)
  • Port Monitors (v1.2→v1.3)
  • Print Processors (v1.1→v1.2)
  • Re-opened Applications (v1.1→v1.2)
  • Registry Run Keys / Startup Folder (v2.0→v2.1)
  • Security Support Provider (v1.0→v1.1)
  • Shortcut Modification (v1.2→v1.3)
  • Time Providers (v1.1→v1.2)
  • Winlogon Helper DLL (v1.2→v1.3)
  • XDG Autostart Entries (v1.1→v1.2)
• Boot or Logon Initialization Scripts (v2.3→v2.4)
  • RC Scripts (v2.1→v2.2)
  • Startup Items (v1.0→v1.1)
• Browser Session Hijacking (v2.0→v2.1)
• Brute Force (v2.6→v2.7)
  • Credential Stuffing (v1.6→v1.7)
  • Password Cracking (v1.3→v1.4)
  • Password Guessing (v1.6→v1.7)
  • Password Spraying (v1.6→v1.7)
• Cloud Administration Command (v2.0→v2.1)
• Cloud Service Dashboard (v1.4→v1.5)
• Command and Scripting Interpreter (v2.5→v2.6)
  • AppleScript (v1.2→v1.3)
  • AutoHotKey & AutoIT (v1.0→v1.1)
  • Cloud API (v1.1→v1.2)
  • Lua (v1.0→v1.1)
  • Network Device CLI (v1.1→v1.2)
  • PowerShell (v1.4→v1.5)
  • Python (v1.0→v1.1)
  • Unix Shell (v1.2→v1.3)
  • Visual Basic (v1.4→v1.5)
  • Windows Command Shell (v1.4→v1.5)
• Compromise Host Software Binary (v2.1→v2.2)
• Compromise Infrastructure (v1.5→v1.6)
• Container Administration Command (v1.2→v1.3)
• Create Account (v2.5→v2.6)
  • Local Account (v1.3→v1.4)
• Create or Modify System Process: Launch Agent (v1.4→v1.5)
• Create or Modify System Process: Launch Daemon (v1.2→v1.3)
• Create or Modify System Process: Systemd Service (v1.5→v1.6)
• Create or Modify System Process: Windows Service (v1.5→v1.6)
• Data Destruction (v1.3→v1.4)
  • Lifecycle-Triggered Deletion (v1.0→v1.1)
• Data Encoding (v1.2→v1.3)
  • Non-Standard Encoding (v1.0→v1.1)
  • Standard Encoding (v1.0→v1.1)
• Data Encrypted for Impact (v1.4→v1.5)
• Data Obfuscation (v1.1→v1.2)
  • Junk Data (v1.0→v1.1)
  • Protocol or Service Impersonation (v2.0→v2.1)
  • Steganography (v1.0→v1.1)
• Data Staged (v1.4→v1.5)
  • Local Data Staging (v1.1→v1.2)
  • Remote Data Staging (v1.1→v1.2)
• Data Transfer Size Limits (v1.0→v1.1)
• Data from Configuration Repository (v1.0→v1.1)
  • Network Device Configuration Dump (v1.0→v1.1)
  • SNMP (MIB Dump) (v1.0→v1.1)
• Data from Local System (v1.6→v1.7)
• Data from Network Shared Drive (v1.4→v1.5)
• Data from Removable Media (v1.2→v1.3)
• Debugger Evasion (v1.0→v1.1)
• Defacement (v1.3→v1.4)
  • Internal Defacement (v1.1→v1.2)
• Deobfuscate/Decode Files or Information (v1.3→v1.4)
• Deploy Container (v1.3→v1.4)
• Direct Volume Access (v2.2→v2.3)
• Disk Wipe (v1.1→v1.2)
  • Disk Content Wipe (v1.1→v1.2)
  • Disk Structure Wipe (v1.1→v1.2)
• Domain or Tenant Policy Modification (v3.1→v3.2)
  • Group Policy Modification (v1.0→v1.1)
  • Trust Modification (v2.1→v2.2)
• Drive-by Compromise (v1.6→v1.7)
• Dynamic Resolution (v1.0→v1.1)
  • DNS Calculation (v1.0→v1.1)
  • Domain Generation Algorithms (v1.1→v1.2)
  • Fast Flux DNS (v1.0→v1.1)
• Email Collection: Local Email Collection (v1.0→v1.1)
• Encrypted Channel (v1.1→v1.2)
  • Asymmetric Cryptography (v1.1→v1.2)
  • Symmetric Cryptography (v1.1→v1.2)
• Escape to Host (v1.5→v1.6)
• Event Triggered Execution: Accessibility Features (v1.1→v1.2)
• Event Triggered Execution: AppCert DLLs (v1.0→v1.1)
• Event Triggered Execution: AppInit DLLs (v1.1→v1.2)
• Event Triggered Execution: Application Shimming (v1.0→v1.1)
• Event Triggered Execution: Change Default File Association (v1.0→v1.1)
• Event Triggered Execution: Component Object Model Hijacking (v1.1→v1.2)
• Event Triggered Execution: Emond (v1.0→v1.1)
• Event Triggered Execution: Image File Execution Options Injection (v1.1→v1.2)
• Event Triggered Execution: Installer Packages (v1.1→v1.2)
• Event Triggered Execution: LC_LOAD_DYLIB Addition (v1.0→v1.1)
• Event Triggered Execution: Netsh Helper DLL (v1.0→v1.1)
• Event Triggered Execution: PowerShell Profile (v1.1→v1.2)
• Event Triggered Execution: Screensaver (v1.2→v1.3)
• Event Triggered Execution: Trap (v1.0→v1.1)
• Event Triggered Execution: Unix Shell Configuration Modification (v2.1→v2.2)
• Event Triggered Execution: Windows Management Instrumentation Event Subscription (v1.4→v1.5)
• Execution Guardrails (v1.2→v1.3)
  • Environmental Keying (v1.0→v1.1)
• Exfiltration Over Alternative Protocol (v1.5→v1.6)
  • Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (v1.1→v1.2)
  • Exfiltration Over Symmetric Encrypted Non-C2 Protocol (v1.0→v1.1)
  • Exfiltration Over Unencrypted Non-C2 Protocol (v2.1→v2.2)
• Exfiltration Over C2 Channel (v2.2→v2.3)
• Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth (v1.1→v1.2)
• Exfiltration Over Physical Medium (v1.2→v1.3)
  • Exfiltration over USB (v1.1→v1.2)
• Exfiltration Over Web Service (v1.4→v1.5)
  • Exfiltration Over Webhook (v1.1→v1.2)
  • Exfiltration to Cloud Storage (v1.2→v1.3)
  • Exfiltration to Code Repository (v1.1→v1.2)
  • Exfiltration to Text Storage Sites (v1.0→v1.1)
• Exploit Public-Facing Application (v2.6→v2.7)
• Exploitation for Client Execution (v1.4→v1.5)
• Exploitation for Defense Evasion (v1.4→v1.5)
• Exploitation for Privilege Escalation (v1.5→v1.6)
• Exploitation of Remote Services (v1.1→v1.2)
• Fallback Channels (v1.0→v1.1)
• File and Directory Discovery (v1.6→v1.7)
• File and Directory Permissions Modification (v2.2→v2.3)
• Firmware Corruption (v1.2→v1.3)
• Hardware Additions (v1.6→v1.7)
• Hide Artifacts (v1.3→v1.4)
  • Hidden File System (v1.0→v1.1)
  • Hidden Files and Directories (v1.0→v1.1)
  • Hidden Window (v1.2→v1.3)
  • NTFS File Attributes (v1.1→v1.2)
  • Process Argument Spoofing (v1.0→v1.1)
  • Resource Forking (v1.0→v1.1)
  • Run Virtual Instance (v1.1→v1.2)
  • VBA Stomping (v1.1→v1.2)
• Hide Infrastructure (v1.0→v1.1)
• Hijack Execution Flow (v1.2→v1.3)
  • COR_PROFILER (v1.0→v1.1)
  • Dylib Hijacking (v2.0→v2.1)
  • Dynamic Linker Hijacking (v2.0→v2.1)
  • Executable Installer File Permissions Weakness (v1.0→v1.1)
  • Path Interception by PATH Environment Variable (v1.1→v1.2)
  • Path Interception by Search Order Hijacking (v1.0→v1.1)
  • Services File Permissions Weakness (v1.0→v1.1)
  • Services Registry Permissions Weakness (v1.1→v1.2)
• Impair Defenses (v1.6→v1.7)
  • Disable Windows Event Logging (v1.3→v1.4)
  • Disable or Modify System Firewall (v1.2→v1.3)
  • Disable or Modify Tools (v1.5→v1.6)
  • Downgrade Attack (v1.2→v1.3)
  • Impair Command History Logging (v2.2→v2.3)
  • Indicator Blocking (v1.4→v1.5)
  • Safe Mode Boot (v1.0→v1.1)
• Implant Internal Image (v2.1→v2.2)
• Indicator Removal (v2.2→v2.3)
  • Clear Command History (v1.5→v1.6)
  • Clear Network Connection History and Configurations (v1.1→v1.2)
  • Clear Persistence (v1.1→v1.2)
  • Clear Windows Event Logs (v1.4→v1.5)
  • File Deletion (v1.1→v1.2)
  • Network Share Connection Removal (v1.1→v1.2)
  • Relocate Malware (v1.0→v1.1)
  • Timestomp (v1.1→v1.2)
• Indirect Command Execution (v1.2→v1.3)
• Ingress Tool Transfer (v2.4→v2.5)
• Inhibit System Recovery (v1.5→v1.6)
• Input Capture (v1.3→v1.4)
  • Credential API Hooking (v1.1→v1.2)
  • Keylogging (v1.2→v1.3)
  • Web Portal Capture (v1.0→v1.1)
• Inter-Process Communication (v1.3→v1.4)
  • Component Object Model (v1.1→v1.2)
  • Dynamic Data Exchange (v1.3→v1.4)
  • XPC Services (v1.0→v1.1)
• Lateral Tool Transfer (v1.3→v1.4)
• Log Enumeration (v1.1→v1.2)
• Masquerading (v1.7→v1.8)
  • Masquerade File Type (v1.0→v1.1)
  • Space after Filename (v1.0→v1.1)
• Modify Authentication Process (v2.5→v2.6)
  • Multi-Factor Authentication (v1.3→v1.4)
  • Network Device Authentication (v2.0→v2.1)
• Modify Cloud Compute Infrastructure: Revert Cloud Instance (v1.1→v1.2)
• Modify System Image (v1.0→v1.1)
  • Downgrade System Image (v1.0→v1.1)
  • Patch System Image (v1.0→v1.1)
• Multi-Stage Channels (v1.0→v1.1)
• Native API (v2.2→v2.3)
• Network Boundary Bridging (v1.1→v1.2)
  • Network Address Translation Traversal (v1.0→v1.1)
• Network Service Discovery (v3.1→v3.2)
• Network Sniffing (v1.6→v1.7)
• Non-Application Layer Protocol (v2.3→v2.4)
• Non-Standard Port (v1.1→v1.2)
• OS Credential Dumping: /etc/passwd and /etc/shadow (v1.1→v1.2)
• OS Credential Dumping: NTDS (v1.2→v1.3)
• Obfuscated Files or Information (v1.6→v1.7)
  • Binary Padding (v1.2→v1.3)
  • Compile After Delivery (v1.1→v1.2)
  • Embedded Payloads (v1.1→v1.2)
  • Encrypted/Encoded File (v1.0→v1.1)
  • HTML Smuggling (v1.1→v1.2)
  • Indicator Removal from Tools (v1.1→v1.2)
  • Polymorphic Code (v1.0→v1.1)
  • Software Packing (v1.2→v1.3)
  • Stripped Payloads (v1.1→v1.2)
• Obtain Capabilities: Artificial Intelligence (v1.0→v1.1)
• Password Policy Discovery (v1.6→v1.7)
• Peripheral Device Discovery (v1.3→v1.4)
• Phishing (v2.6→v2.7)
  • Spearphishing Voice (v1.1→v1.2)
• Phishing for Information (v1.3→v1.4)
  • Spearphishing Attachment (v1.1→v1.2)
• Power Settings (v1.0→v1.1)
• Pre-OS Boot (v1.2→v1.3)
  • Bootkit (v1.1→v1.2)
  • Component Firmware (v1.1→v1.2)
  • ROMMONkit (v1.0→v1.1)
  • System Firmware (v1.1→v1.2)
  • TFTP Boot (v1.0→v1.1)
• Process Discovery (v1.5→v1.6)
• Process Injection (v1.3→v1.4)
  • Asynchronous Procedure Call (v1.1→v1.2)
  • Dynamic-link Library Injection (v1.3→v1.4)
  • Extra Window Memory Injection (v1.0→v1.1)
  • ListPlanting (v1.1→v1.2)
  • Portable Executable Injection (v1.1→v1.2)
  • Proc Memory (v1.0→v1.1)
  • Process Doppelgänging (v1.0→v1.1)
  • Process Hollowing (v1.3→v1.4)
  • Ptrace System Calls (v1.1→v1.2)
  • Thread Execution Hijacking (v1.1→v1.2)
  • Thread Local Storage (v1.1→v1.2)
  • VDSO Hijacking (v1.1→v1.2)
• Protocol Tunneling (v1.0→v1.1)
• Proxy (v3.1→v3.2)
  • Domain Fronting (v1.1→v1.2)
  • External Proxy (v1.1→v1.2)
  • Internal Proxy (v1.1→v1.2)
  • Multi-hop Proxy (v2.2→v2.3)
• Reflective Code Loading (v1.2→v1.3)
• Remote Service Session Hijacking: SSH Hijacking (v1.0→v1.1)
• Remote Services (v1.5→v1.6)
  • Remote Desktop Protocol (v1.2→v1.3)
  • SMB/Windows Admin Shares (v1.2→v1.3)
  • SSH (v1.2→v1.3)
  • VNC (v1.1→v1.2)
• Remote System Discovery (v3.5→v3.6)
• Replication Through Removable Media (v1.2→v1.3)
• Rogue Domain Controller (v2.1→v2.2)
• Rootkit (v1.1→v1.2)
• Scheduled Task/Job (v2.3→v2.4)
  • At (v2.3→v2.4)
  • Container Orchestration Job (v1.3→v1.4)
  • Cron (v1.2→v1.3)
  • Scheduled Task (v1.6→v1.7)
  • Systemd Timers (v1.2→v1.3)
• Server Software Component (v1.4→v1.5)
  • IIS Components (v1.0→v1.1)
  • Transport Agent (v1.0→v1.1)
  • Web Shell (v1.4→v1.5)
• Serverless Execution (v1.1→v1.2)
• Service Stop (v1.2→v1.3)
• Shared Modules (v2.2→v2.3)
• Software Deployment Tools (v3.1→v3.2)
• Software Discovery (v1.4→v1.5)
• Steal Application Access Token (v1.4→v1.5)
• Steal or Forge Kerberos Tickets (v1.6→v1.7)
  • AS-REP Roasting (v1.1→v1.2)
  • Golden Ticket (v1.1→v1.2)
  • Kerberoasting (v1.2→v1.3)
  • Silver Ticket (v1.0→v1.1)
• Subvert Trust Controls (v1.2→v1.3)
  • Code Signing (v1.1→v1.2)
  • Code Signing Policy Modification (v1.0→v1.1)
  • Gatekeeper Bypass (v1.2→v1.3)
  • Install Root Certificate (v1.2→v1.3)
  • Mark-of-the-Web Bypass (v1.1→v1.2)
  • SIP and Trust Provider Hijacking (v1.0→v1.1)
• System Binary Proxy Execution (v3.1→v3.2)
  • CMSTP (v2.1→v2.2)
  • Compiled HTML File (v2.1→v2.2)
  • Control Panel (v2.0→v2.1)
  • InstallUtil (v2.0→v2.1)
  • MMC (v2.0→v2.1)
  • Mshta (v2.0→v2.1)
  • Msiexec (v2.0→v2.1)
  • Odbcconf (v2.0→v2.1)
  • Regsvcs/Regasm (v2.0→v2.1)
  • Regsvr32 (v2.1→v2.2)
  • Rundll32 (v2.3→v2.4)
  • Verclsid (v2.0→v2.1)
• System Information Discovery (v2.5→v2.6)
• System Location Discovery: System Language Discovery (v1.0→v1.1)
• System Network Configuration Discovery (v1.6→v1.7)
  • Internet Connection Discovery (v1.0→v1.1)
• System Network Connections Discovery (v2.4→v2.5)
• System Owner/User Discovery (v1.5→v1.6)
• System Script Proxy Execution (v2.0→v2.1)
  • PubPrn (v2.0→v2.1)
• System Services (v1.3→v1.4)
  • Launchctl (v1.2→v1.3)
  • Service Execution (v1.2→v1.3)
• System Shutdown/Reboot (v1.3→v1.4)
• System Time Discovery (v1.4→v1.5)
• Taint Shared Content (v1.5→v1.6)
• Template Injection (v1.3→v1.4)
• Traffic Signaling (v2.4→v2.5)
  • Port Knocking (v1.1→v1.2)
• Trusted Developer Utilities Proxy Execution (v1.2→v1.3)
  • ClickOnce (v1.0→v1.1)
  • MSBuild (v1.3→v1.4)
• Unsecured Credentials (v1.4→v1.5)
  • Credentials In Files (v1.2→v1.3)
  • Credentials in Registry (v1.1→v1.2)
  • Private Keys (v1.2→v1.3)
• Use Alternate Authentication Material (v1.4→v1.5)
  • Application Access Token (v1.7→v1.8)
  • Pass the Hash (v1.2→v1.3)
  • Pass the Ticket (v1.1→v1.2)
  • Web Session Cookie (v1.4→v1.5)
• User Execution (v1.7→v1.8)
  • Malicious File (v1.4→v1.5)
  • Malicious Image (v1.1→v1.2)
  • Malicious Link (v1.1→v1.2)
• Valid Accounts (v2.7→v2.8)
  • Cloud Accounts (v1.8→v1.9)
  • Default Accounts (v1.4→v1.5)
  • Domain Accounts (v1.4→v1.5)
  • Local Accounts (v1.4→v1.5)
• Video Capture (v1.1→v1.2)
• Virtualization/Sandbox Evasion (v1.3→v1.4)
  • System Checks (v2.2→v2.3)
  • Time Based Evasion (v1.2→v1.3)
  • User Activity Based Checks (v1.1→v1.2)
• Weaken Encryption (v1.0→v1.1)
  • Disable Crypto Hardware (v1.0→v1.1)
  • Reduce Key Space (v1.0→v1.1)
• Web Service (v1.2→v1.3)
  • Bidirectional Communication (v1.0→v1.1)
  • Dead Drop Resolver (v1.0→v1.1)
  • One-Way Communication (v1.0→v1.1)
• Windows Management Instrumentation (v1.5→v1.6)
• XSL Script Processing (v1.2→v1.3)

Patches

• Abuse Elevation Control Mechanism: TCC Manipulation (v1.1)
• Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (v1.2)
• Account Discovery: Cloud Account (v1.3)
• Account Discovery: Domain Account (v1.2)
• Account Discovery: Email Account (v1.2)
• Account Manipulation: Additional Cloud Credentials (v2.8)
• Account Manipulation: Additional Cloud Roles (v2.5)
• Account Manipulation: Additional Container Cluster Roles (v1.0)
• Account Manipulation: Additional Email Delegate Permissions (v2.2)
• Account Manipulation: Additional Local or Domain Groups (v1.0)
• Account Manipulation: Device Registration (v1.3)
• Acquire Access (v1.0)
• Acquire Infrastructure (v1.4)
  • DNS Server (v1.0)
  • Domains (v1.4)
  • Malvertising (v1.0)
  • Server (v1.3)
  • Serverless (v1.1)
  • Virtual Private Server (v1.1)
• Active Scanning (v1.0)
  • Scanning IP Blocks (v1.1)
  • Vulnerability Scanning (v1.0)
  • Wordlist Scanning (v1.0)
• Adversary-in-the-Middle: ARP Cache Poisoning (v1.1)
• Adversary-in-the-Middle: DHCP Spoofing (v1.1)
• Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (v1.4)
• Application Window Discovery (v1.3)
• Archive Collected Data (v1.0)
  • Archive via Custom Method (v1.0)
  • Archive via Library (v1.0)
  • Archive via Utility (v1.3)
• Audio Capture (v1.0)
• Boot or Logon Initialization Scripts: Login Hook (v2.0)
• Boot or Logon Initialization Scripts: Logon Script (Windows) (v1.0)
• Boot or Logon Initialization Scripts: Network Logon Script (v1.0)
• Browser Information Discovery (v2.0)
• Build Image on Host (v1.3)
• Clipboard Data (v1.2)
• Cloud Infrastructure Discovery (v1.3)
• Cloud Service Discovery (v1.4)
• Cloud Storage Object Discovery (v1.0)
• Command and Scripting Interpreter: JavaScript (v2.2)
• Communication Through Removable Media (v1.0)
• Compromise Accounts (v1.2)
  • Cloud Accounts (v1.1)
  • Email Accounts (v1.1)
  • Social Media Accounts (v1.1)
• Compromise Infrastructure: Botnet (v1.0)
• Compromise Infrastructure: DNS Server (v1.2)
• Compromise Infrastructure: Domains (v1.4)
• Compromise Infrastructure: Network Devices (v1.0)
• Compromise Infrastructure: Server (v1.2)
• Compromise Infrastructure: Serverless (v1.1)
• Compromise Infrastructure: Virtual Private Server (v1.1)
• Compromise Infrastructure: Web Services (v1.2)
• Container and Resource Discovery (v1.1)
• Content Injection (v1.0)
• Create Account: Cloud Account (v1.6)
• Create Account: Domain Account (v1.1)
• Create or Modify System Process (v1.2)
  • Container Service (v1.0)
• Credentials from Password Stores (v1.2)
  • Cloud Secrets Management Stores (v1.0)
  • Credentials from Web Browsers (v1.2)
  • Keychain (v1.1)
  • Password Managers (v1.1)
  • Securityd Memory (v1.2)
  • Windows Credential Manager (v1.1)
• Data Manipulation (v1.1)
  • Runtime Data Manipulation (v1.2)
  • Stored Data Manipulation (v1.1)
  • Transmitted Data Manipulation (v1.1)
• Data from Cloud Storage (v2.2)
• Data from Information Repositories (v3.4)
  • Code Repositories (v1.2)
  • Confluence (v1.1)
  • Customer Relationship Management Software (v1.0)
  • Messaging Applications (v1.0)
  • Sharepoint (v1.1)
• Defacement: External Defacement (v1.2)
• Develop Capabilities (v1.1)
  • Code Signing Certificates (v1.1)
  • Digital Certificates (v1.2)
  • Exploits (v1.0)
  • Malware (v1.2)
• Device Driver Discovery (v1.0)
• Domain Trust Discovery (v1.2)
• Email Collection (v2.6)
  • Email Forwarding Rule (v1.4)
  • Remote Email Collection (v1.3)
• Endpoint Denial of Service (v1.2)
  • Application Exhaustion Flood (v1.3)
  • Application or System Exploitation (v1.3)
  • OS Exhaustion Flood (v1.2)
  • Service Exhaustion Flood (v1.4)
• Establish Accounts (v1.3)
  • Cloud Accounts (v1.1)
  • Email Accounts (v1.1)
  • Social Media Accounts (v1.1)
• Event Triggered Execution (v1.4)
  • Udev Rules (v1.0)
• Execution Guardrails: Mutual Exclusion (v1.0)
• Exfiltration Over Other Network Medium (v1.2)
• Exploitation for Credential Access (v1.6)
• External Remote Services (v2.4)
• File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (v1.2)
• File and Directory Permissions Modification: Windows File and Directory Permissions Modification (v1.2)
• Financial Theft (v1.2)
• Forced Authentication (v1.3)
• Forge Web Credentials (v1.5)
  • SAML Tokens (v1.4)
  • Web Cookies (v1.1)
• Gather Victim Host Information (v1.2)
  • Client Configurations (v1.1)
  • Firmware (v1.0)
  • Hardware (v1.1)
  • Software (v1.1)
• Gather Victim Identity Information (v1.3)
  • Credentials (v1.2)
  • Email Addresses (v1.2)
  • Employee Names (v1.0)
• Gather Victim Network Information (v1.0)
  • DNS (v1.2)
  • Domain Properties (v1.1)
  • IP Addresses (v1.0)
  • Network Security Appliances (v1.0)
  • Network Topology (v1.0)
  • Network Trust Dependencies (v1.0)
• Gather Victim Org Information (v1.1)
  • Business Relationships (v1.0)
  • Determine Physical Locations (v1.1)
  • Identify Business Tempo (v1.0)
  • Identify Roles (v1.0)
• Group Policy Discovery (v1.1)
• Hide Artifacts: Email Hiding Rules (v1.4)
• Hide Artifacts: File/Path Exclusions (v1.0)
• Hide Artifacts: Hidden Users (v1.2)
• Hide Artifacts: Ignore Process Interrupts (v1.0)
• Hijack Execution Flow: AppDomainManager (v1.0)
• Hijack Execution Flow: KernelCallbackTable (v1.0)
• Hijack Execution Flow: Path Interception by Unquoted Path (v1.1)
• Impair Defenses: Disable or Modify Cloud Firewall (v1.3)
• Impair Defenses: Disable or Modify Cloud Logs (v2.1)
• Impair Defenses: Disable or Modify Linux Audit System (v1.0)
• Impair Defenses: Spoof Security Alerting (v1.0)
• Impersonation (v1.1)
• Indicator Removal: Clear Linux or Mac System Logs (v1.0)
• Indicator Removal: Clear Mailbox Data (v1.2)
• Input Capture: GUI Input Capture (v1.3)
• Internal Spearphishing (v1.4)
• Masquerading: Break Process Trees (v1.0)
• Masquerading: Double File Extension (v1.0)
• Masquerading: Invalid Code Signature (v1.0)
• Masquerading: Masquerade Account Name (v1.0)
• Masquerading: Masquerade Task or Service (v1.2)
• Masquerading: Right-to-Left Override (v1.1)
• Modify Authentication Process: Conditional Access Policies (v1.1)
• Modify Authentication Process: Domain Controller Authentication (v2.1)
• Modify Authentication Process: Hybrid Identity (v1.1)
• Modify Authentication Process: Network Provider DLL (v1.0)
• Modify Authentication Process: Password Filter DLL (v2.1)
• Modify Authentication Process: Pluggable Authentication Modules (v2.1)
• Modify Authentication Process: Reversible Encryption (v1.1)
• Modify Cloud Compute Infrastructure (v1.2)
  • Create Cloud Instance (v1.2)
  • Create Snapshot (v1.2)
  • Delete Cloud Instance (v1.2)
  • Modify Cloud Compute Configurations (v2.0)
• Modify Cloud Resource Hierarchy (v1.0)
• Multi-Factor Authentication Interception (v2.1)
• Multi-Factor Authentication Request Generation (v1.2)
• Network Denial of Service (v1.2)
  • Direct Network Flood (v1.4)
  • Reflection Amplification (v1.4)
• Network Share Discovery (v3.2)
• OS Credential Dumping (v2.2)
  • Cached Domain Credentials (v1.1)
  • DCSync (v1.1)
  • LSA Secrets (v1.1)
  • LSASS Memory (v1.5)
  • Proc Filesystem (v1.2)
  • Security Account Manager (v1.1)
• Obfuscated Files or Information: Command Obfuscation (v1.0)
• Obfuscated Files or Information: Dynamic API Resolution (v1.0)
• Obfuscated Files or Information: Fileless Storage (v2.0)
• Obfuscated Files or Information: LNK Icon Smuggling (v1.0)
• Obfuscated Files or Information: Steganography (v1.2)
• Obtain Capabilities (v1.1)
  • Code Signing Certificates (v1.1)
  • Digital Certificates (v1.2)
  • Exploits (v1.0)
  • Malware (v1.1)
  • Tool (v1.1)
  • Vulnerabilities (v1.0)
• Office Application Startup (v1.4)
  • Add-ins (v1.2)
  • Office Template Macros (v1.2)
  • Office Test (v1.3)
  • Outlook Forms (v1.2)
  • Outlook Home Page (v1.2)
  • Outlook Rules (v1.2)
• Permission Groups Discovery (v2.6)
  • Cloud Groups (v1.5)
  • Domain Groups (v1.2)
  • Local Groups (v1.2)
• Phishing: Spearphishing Attachment (v2.2)
• Phishing: Spearphishing Link (v2.7)
• Phishing: Spearphishing via Service (v2.0)
• Phishing for Information: Spearphishing Link (v1.6)
• Phishing for Information: Spearphishing Service (v1.0)
• Phishing for Information: Spearphishing Voice (v1.0)
• Plist File Modification (v1.0)
• Query Registry (v1.3)
• Remote Service Session Hijacking (v1.1)
  • RDP Hijacking (v1.1)
• Remote Services: Cloud Services (v1.1)
• Remote Services: Direct Cloud VM Connections (v1.0)
• Remote Services: Distributed Component Object Model (v1.3)
• Remote Services: Windows Remote Management (v1.2)
• Resource Hijacking (v2.0)
  • Bandwidth Hijacking (v1.0)
  • Cloud Service Hijacking (v1.0)
  • Compute Hijacking (v1.0)
  • SMS Pumping (v1.0)
• Scheduled Transfer (v1.1)
• Screen Capture (v1.1)
• Search Closed Sources (v1.1)
  • Purchase Technical Data (v1.0)
  • Threat Intel Vendors (v1.0)
• Search Open Technical Databases (v1.0)
  • CDNs (v1.0)
  • DNS/Passive DNS (v1.0)
  • Digital Certificates (v1.0)
  • Scan Databases (v1.0)
  • WHOIS (v1.0)
• Search Open Websites/Domains (v1.1)
  • Code Repositories (v1.0)
  • Search Engines (v1.0)
  • Social Media (v1.0)
• Search Victim-Owned Websites (v1.1)
• Server Software Component: SQL Stored Procedures (v1.1)
• Server Software Component: Terminal Services DLL (v1.0)
• Software Discovery: Security Software Discovery (v1.5)
• Stage Capabilities (v1.2)
  • Drive-by Target (v1.3)
  • Install Digital Certificate (v1.1)
  • Link Target (v1.4)
  • SEO Poisoning (v1.1)
  • Upload Malware (v1.2)
  • Upload Tool (v1.2)
• Steal Web Session Cookie (v1.4)
• Steal or Forge Authentication Certificates (v1.2)
• Steal or Forge Kerberos Tickets: Ccache Files (v1.0)
• Supply Chain Compromise (v1.6)
  • Compromise Hardware Supply Chain (v1.1)
  • Compromise Software Dependencies and Development Tools (v1.2)
  • Compromise Software Supply Chain (v1.1)
• System Binary Proxy Execution: Electron Applications (v1.0)
• System Binary Proxy Execution: Mavinject (v2.0)
• System Location Discovery (v1.1)
• System Network Configuration Discovery: Wi-Fi Discovery (v1.0)
• System Script Proxy Execution: SyncAppvPublishingServer (v1.0)
• System Service Discovery (v1.5)
• Traffic Signaling: Socket Filters (v1.0)
• Transfer Data to Cloud Account (v1.5)
• Trusted Relationship (v2.4)
• Unsecured Credentials: Bash History (v1.2)
• Unsecured Credentials: Chat Messages (v1.1)
• Unsecured Credentials: Cloud Instance Metadata API (v1.4)
• Unsecured Credentials: Container API (v1.2)
• Unsecured Credentials: Group Policy Preferences (v1.1)
• Unused/Unsupported Cloud Regions (v1.1)

Revocations

• Hijack Execution Flow: DLL Side-Loading (revoked by Hijack Execution Flow: DLL) (v2.1)

Mobile

New Techniques

• Virtualization Solution (v1.0)

Major Version Changes

• SIM Card Swap (v1.2→v2.0)

Minor Version Changes

• Exploitation for Initial Access (v1.0→v1.1)

Patches

• Abuse Elevation Control Mechanism (v1.1)
  • Device Administrator Permissions (v1.1)
• Access Notifications (v1.2)
• Account Access Removal (v1.1)
• Application Layer Protocol (v1.2)
  • Web Protocols (v1.0)
• Archive Collected Data (v2.0)
• Audio Capture (v3.1)
• Boot or Logon Initialization Scripts (v2.1)
• Call Control (v1.2)
• Command and Scripting Interpreter (v1.2)
  • Unix Shell (v1.2)
• Compromise Application Executable (v1.0)
• Compromise Client Software Binary (v1.1)
• Credentials from Password Store (v1.1)
  • Keychain (v1.1)
• Data Encrypted for Impact (v3.2)
• Data Manipulation (v1.1)
  • Transmitted Data Manipulation (v1.1)
• Data from Local System (v1.1)
• Download New Code at Runtime (v1.5)
• Drive-By Compromise (v2.2)
• Dynamic Resolution (v1.1)
  • Domain Generation Algorithms (v1.1)
• Encrypted Channel (v2.0)
  • Asymmetric Cryptography (v1.0)
  • Symmetric Cryptography (v1.0)
• Endpoint Denial of Service (v1.1)
• Event Triggered Execution (v1.1)
  • Broadcast Receivers (v1.1)
• Execution Guardrails (v1.1)
  • Geofencing (v1.1)
• Exfiltration Over Alternative Protocol (v1.1)
  • Exfiltration Over Unencrypted Non-C2 Protocol (v1.1)
• Exfiltration Over C2 Channel (v1.1)
• Exploitation for Privilege Escalation (v2.1)
• Exploitation of Remote Services (v1.2)
• File and Directory Discovery (v1.2)
• Foreground Persistence (v2.1)
• Generate Traffic from Victim (v1.1)
• Hide Artifacts (v1.1)
  • User Evasion (v1.0)
• Hijack Execution Flow (v1.1)
  • System Runtime API Hijacking (v1.1)
• Hooking (v1.0)
• Impair Defenses (v1.1)
  • Device Lockout (v1.1)
  • Disable or Modify Tools (v1.1)
• Indicator Removal on Host (v1.1)
  • Disguise Root/Jailbreak Indicators (v1.1)
  • File Deletion (v1.1)
  • Uninstall Malicious Application (v1.1)
• Ingress Tool Transfer (v2.2)
• Input Capture (v2.3)
  • GUI Input Capture (v1.1)
  • Keylogging (v1.1)
• Input Injection (v1.2)
• Location Tracking (v1.2)
  • Impersonate SS7 Nodes (v1.1)
  • Remote Device Management Services (v1.1)
• Masquerading (v1.0)
  • Match Legitimate Name or Location (v1.0)
• Native API (v2.0)
• Network Denial of Service (v1.3)
• Network Service Scanning (v1.1)
• Non-Standard Port (v2.1)
• Obfuscated Files or Information (v3.1)
  • Software Packing (v1.1)
  • Steganography (v1.0)
• Out of Band Data (v2.1)
• Process Discovery (v2.1)
• Process Injection (v1.1)
  • Ptrace System Calls (v1.1)
• Protected User Data (v1.1)
  • Calendar Entries (v1.1)
  • Call Log (v1.1)
  • Contact List (v1.1)
  • SMS Messages (v1.1)
• Proxy Through Victim (v1.1)
• Remote Access Software (v1.0)
• Replication Through Removable Media (v2.1)
• SMS Control (v1.1)
• Scheduled Task/Job (v1.0)
• Screen Capture (v1.3)
• Software Discovery (v2.1)
  • Security Software Discovery (v1.1)
• Steal Application Access Token: URI Hijacking (v1.1)
• Stored Application Data (v3.1)
• Subvert Trust Controls (v1.1)
  • Code Signing Policy Modification (v1.1)
• Supply Chain Compromise (v2.1)
  • Compromise Hardware Supply Chain (v1.1)
  • Compromise Software Dependencies and Development Tools (v1.1)
  • Compromise Software Supply Chain (v1.1)
• System Information Discovery (v1.2)
• System Network Connections Discovery (v2.1)
• Video Capture (v2.1)
• Virtualization/Sandbox Evasion (v1.1)
  • System Checks (v1.1)
• Web Service (v1.3)
  • Bidirectional Communication (v1.2)
  • Dead Drop Resolver (v1.2)
  • One-Way Communication (v1.2)

ICS

Patches

• Activate Firmware Update Mode (v1.0)
• Adversary-in-the-Middle (v2.0)
• Alarm Suppression (v1.2)
• Automated Collection (v1.1)
• Autorun Image (v1.0)
• Block Command Message (v1.1)
• Block Reporting Message (v1.0)
• Block Serial COM (v1.1)
• Brute Force I/O (v1.1)
• Change Credential (v1.0)
• Change Operating Mode (v1.0)
• Command-Line Interface (v1.1)
• Commonly Used Port (v1.1)
• Connection Proxy (v1.1)
• Damage to Property (v1.1)
• Data Destruction (v1.0)
• Data from Information Repositories (v1.2)
• Data from Local System (v1.0)
• Default Credentials (v1.0)
• Denial of Control (v1.1)
• Denial of Service (v1.1)
• Denial of View (v1.1)
• Detect Operating Mode (v1.0)
• Device Restart/Shutdown (v1.1)
• Drive-by Compromise (v1.0)
• Execution through API (v1.1)
• Exploit Public-Facing Application (v1.0)
• Exploitation for Evasion (v1.1)
• Exploitation for Privilege Escalation (v1.1)
• Exploitation of Remote Services (v1.0)
• External Remote Services (v1.1)
• Graphical User Interface (v1.1)
• Hardcoded Credentials (v1.0)
• Hooking (v1.2)
• I/O Image (v1.1)
• Indicator Removal on Host (v1.0)
• Internet Accessible Device (v1.0)
• Lateral Tool Transfer (v1.1)
• Loss of Availability (v1.0)
• Loss of Control (v1.0)
• Loss of Productivity and Revenue (v1.0)
• Loss of Protection (v1.0)
• Loss of Safety (v1.0)
• Loss of View (v1.0)
• Manipulate I/O Image (v1.1)
• Manipulation of Control (v1.0)
• Manipulation of View (v1.0)
• Masquerading (v1.1)
• Modify Alarm Settings (v1.2)
• Modify Controller Tasking (v1.2)
• Modify Parameter (v1.3)
• Modify Program (v1.2)
• Module Firmware (v1.1)
• Monitor Process State (v1.0)
• Native API (v1.0)
• Network Connection Enumeration (v1.2)
• Network Sniffing (v1.0)
• Point & Tag Identification (v1.1)
• Program Download (v1.1)
• Program Upload (v1.0)
• Project File Infection (v1.0)
• Remote Services (v1.1)
• Remote System Discovery (v1.1)
• Remote System Information Discovery (v1.1)
• Replication Through Removable Media (v1.0)
• Rogue Master (v1.2)
• Rootkit (v1.1)
• Screen Capture (v1.0)
• Scripting (v1.0)
• Service Stop (v1.1)
• Spearphishing Attachment (v1.1)
• Spoof Reporting Message (v1.2)
• Standard Application Layer Protocol (v1.0)
• Supply Chain Compromise (v1.1)
• System Binary Proxy Execution (v1.0)
• System Firmware (v1.1)
• Theft of Operational Information (v1.0)
• Transient Cyber Asset (v1.2)
• Unauthorized Command Message (v1.2)
• User Execution (v1.1)
• Valid Accounts (v1.1)
• Wireless Compromise (v1.2)
• Wireless Sniffing (v1.1)

Software

Enterprise

New Software

• AcidPour (v1.0)
• Akira _v2 (v1.0)
• BOLDMOVE (v1.0)
• BlackByte 2.0 Ransomware (v1.0)
• BlackByte Ransomware (v1.0)
• Exbyte (v1.0)
• GoBear (v1.0)
• Gomir (v1.0)
• Hannotog (v1.0)
• J-magic (v1.0)
• JumbledPath (v1.0)
• Kapeka (v1.0)
• LightSpy (v1.0)
• Line Dancer (v1.0)
• Line Runner (v1.0)
• LockBit 2.0 (v1.0)
• LockBit 3.0 (v1.0)
• Lumma Stealer (v1.0)
• MagicRAT (v1.0)
• Mango (v1.0)
• Megazord (v1.0)
• NICECURL (v1.0)
• Neo-reGeorg (v1.0)
• ODAgent (v1.0)
• OilBooster (v1.0)
• OilCheck (v1.0)
• PowerExchange (v1.0)
• Quick Assist (v1.0)
• RansomHub (v1.0)
• Sagerunex (v1.0)
• SampleCheck5000 (v1.0)
• ShrinkLocker (v1.0)
• SnappyTCP (v1.0)
• Solar (v1.0)
• StealBit (v1.0)
• StrelaStealer (v1.0)
• TAMECAT (v1.0)
• TRANSLATEXT (v1.0)
• Troll Stealer (v1.0)
• UPSTYLE (v1.0)
• XLoader (v1.0)
• attrib (v1.0)
• cd00r (v1.0)
• cipher.exe (v1.0)
• reGeorg (v1.0)

Major Version Changes

• Akira (v1.0→v2.0)
• Sliver (v1.2→v2.0)

Minor Version Changes

• AcidRain (v1.0→v1.1)
• BPFDoor (v1.0→v1.1)
• BUSHWALK (v1.0→v1.1)
• Bad Rabbit (v1.0→v1.1)
• Black Basta (v1.0→v1.1)
• BloodHound (v1.6→v1.7)
• COATHANGER (v1.0→v1.1)
• Cheerscrypt (v1.0→v1.1)
• Cyclops Blink (v1.1→v1.2)
• Emotet (v1.6→v1.7)
• FRAMESTING (v1.0→v1.1)
• GLASSTOKEN (v1.0→v1.1)
• Impacket (v1.7→v1.8)
• LIGHTWIRE (v1.0→v1.1)
• LITTLELAMB.WOOLTEA (v1.0→v1.1)
• MegaCortex (v1.0→v1.1)
• Mimikatz (v1.9→v1.10)
• Net (v2.6→v2.7)
• PACEMAKER (v1.0→v1.1)
• PITSTOP (v1.0→v1.1)
• PULSECHECK (v1.0→v1.1)
• PlugX (v3.1→v3.2)
• QUIETEXIT (v1.0→v1.1)
• RAPIDPULSE (v1.0→v1.1)
• Royal (v1.0→v1.1)
• SLIGHTPULSE (v1.0→v1.1)
• SLOWPULSE (v1.0→v1.1)
• STEADYPULSE (v1.0→v1.1)
• SYNful Knock (v1.0→v1.1)
• Tor (v1.2→v1.3)
• VPNFilter (v2.0→v2.1)
• VersaMem (v1.0→v1.1)
• WARPWIRE (v1.0→v1.1)
• WIREFIRE (v1.0→v1.1)
• XCSSET (v1.2→v1.3)
• ZIPLINE (v1.0→v1.1)
• certutil (v1.4→v1.5)
• netsh (v1.2→v1.3)
• netstat (v1.3→v1.4)
• ngrok (v1.2→v1.3)

Patches

• 3PARA RAT (v1.1)
• 4H RAT (v1.1)
• AADInternals (v1.2)
• ABK (v1.0)
• ADVSTORESHELL (v1.1)
• Action RAT (v1.0)
• Agent Tesla (v1.3)
• Agent.btz (v1.1)
• AppleJeus (v1.1)
• AppleSeed (v1.1)
• Arp (v1.2)
• AuTo Stealer (v1.0)
• AutoIt backdoor (v1.1)
• Avaddon (v1.0)
• AvosLocker (v1.0)
• Azorult (v1.3)
• BACKSPACE (v1.1)
• BADCALL (v1.1)
• BADFLICK (v1.0)
• BADNEWS (v1.2)
• BBK (v1.0)
• BBSRAT (v1.2)
• BITSAdmin (v1.4)
• BLACKCOFFEE (v1.1)
• BONDUPDATER (v1.2)
• BOOTRASH (v1.1)
• BS2005 (v1.1)
• BUBBLEWRAP (v1.1)
• Babuk (v1.0)
• BackConfig (v1.1)
• Backdoor.Oldrea (v2.0)
• BadPatch (v1.1)
• Bandook (v2.0)
• Bankshot (v1.1)
• BlackCat (v1.0)
• BlackMould (v1.0)
• Bonadan (v1.0)
• BoomBox (v1.0)
• BoxCaon (v1.0)
• Brave Prince (v1.2)
• Briba (v1.0)
• Bundlore (v1.1)
• CALENDAR (v1.2)
• CARROTBALL (v1.0)
• CCBkdr (v1.2)
• CHOPSTICK (v2.3)
• CORALDECK (v1.1)
• CORESHELL (v2.1)
• CSPY Downloader (v1.0)
• Cachedump (v1.1)
• Cadelspy (v1.0)
• Calisto (v1.1)
• CallMe (v1.1)
• Cannon (v1.1)
• Carbanak (v1.1)
• Carbon (v1.2)
• Catchamas (v1.1)
• Caterpillar WebShell (v1.0)
• ChChes (v1.1)
• Chaes (v1.1)
• Chaos (v1.1)
• CharmPower (v1.0)
• Cherry Picker (v1.1)
• Clambling (v1.0)
• Clop (v1.0)
• CloudDuke (v1.1)
• Cobian RAT (v1.1)
• CoinTicker (v1.1)
• ComRAT (v1.4)
• Comnie (v1.1)
• Conficker (v1.0)
• ConnectWise (v1.0)
• Conti (v2.2)
• CookieMiner (v1.1)
• CosmicDuke (v1.1)
• CostaBricks (v1.1)
• CreepyDrive (v1.0)
• CreepySnail (v1.0)
• Crimson (v1.3)
• Crutch (v1.0)
• Cryptoistic (v1.0)
• Cuba (v1.0)
• DEATHRANSOM (v1.0)
• DOGCALL (v1.3)
• DRATzarus (v1.1)
• DarkComet (v1.1)
• DarkTortilla (v1.0)
• Daserf (v1.1)
• DealersChoice (v1.1)
• Denis (v1.2)
• Derusbi (v1.2)
• Diavol (v2.0)
• Dipsind (v1.1)
• DnsSystem (v1.0)
• Dok (v2.0)
• Doki (v1.0)
• Donut (v1.0)
• DownPaper (v1.1)
• Downdelph (v1.2)
• Dridex (v2.1)
• DropBook (v1.1)
• Drovorub (v1.0)
• Dtrack (v1.1)
• Duqu (v1.2)
• DustySky (v1.1)
• Dyre (v1.2)
• ECCENTRICBANDWAGON (v1.0)
• EKANS (v2.0)
• ELMER (v1.1)
• EVILNUM (v1.0)
• Ecipekac (v1.0)
• Egregor (v1.0)
• Elise (v1.3)
• Emissary (v1.3)
• Epic (v1.3)
• EvilGrab (v1.1)
• Exaramel for Windows (v2.2)
• Expand (v1.1)
• Explosive (v1.0)
• FALLCHILL (v1.2)
• FELIXROOT (v2.2)
• FLASHFLOOD (v1.1)
• FLIPSIDE (v1.1)
• FYAnti (v1.0)
• FakeM (v1.1)
• FatDuke (v1.1)
• Felismus (v1.1)
• Ferocious (v1.0)
• Fgdump (v1.1)
• Final1stspy (v1.1)
• Flame (v1.1)
• FlawedAmmyy (v1.2)
• Forfiles (v1.0)
• FrameworkPOS (v1.0)
• FruitFly (v1.2)
• GRIFFON (v1.1)
• GeminiDuke (v1.1)
• Get2 (v1.0)
• GoldFinder (v1.1)
• Goopy (v1.1)
• Green Lambert (v1.0)
• GuLoader (v2.0)
• H1N1 (v1.2)
• HALFBAKED (v1.0)
• HAMMERTOSS (v1.2)
• HAPPYWORK (v1.0)
• HARDRAIN (v1.1)
• HDoor (v1.0)
• HELLOKITTY (v1.0)
• HIDEDRV (v1.1)
• HTRAN (v1.2)
• HTTPBrowser (v1.1)
• Hacking Team UEFI Rootkit (v1.1)
• Hancitor (v1.0)
• Havij (v1.0)
• Hikit (v1.3)
• Hydraq (v2.0)
• HyperStack (v1.0)
• ISMInjector (v1.1)
• IceApple (v1.1)
• Industroyer2 (v1.0)
• InnaputRAT (v1.1)
• InvisiMole (v2.1)
• Invoke-PSImage (v1.1)
• Ixeshe (v1.2)
• JCry (v1.1)
• JHUHUGIT (v2.2)
• JPIN (v1.1)
• JSS Loader (v1.0)
• Javali (v1.0)
• KARAE (v1.1)
• KEYMARBLE (v1.1)
• KOCTOPUS (v1.2)
• KOMPROGO (v1.1)
• KOPILUWAK (v1.0)
• Kasidet (v1.1)
• Kazuar (v1.3)
• Kerrdown (v2.0)
• Kinsing (v1.1)
• Kivars (v1.0)
• Koadic (v2.0)
• Kobalos (v1.0)
• Komplex (v1.1)
• LOWBALL (v1.1)
• Linfo (v1.1)
• Linux Rabbit (v1.2)
• LiteDuke (v1.0)
• LitePower (v1.0)
• Lizar (v1.0)
• LoJax (v1.1)
• Lokibot (v2.0)
• LookBack (v1.0)
• Lslsass (v1.1)
• Lucifer (v1.1)
• Lurid (v1.1)
• MCMD (v1.1)
• MESSAGETAP (v1.0)
• MURKYTOP (v1.1)
• MacSpy (v1.1)
• Machete (v2.1)
• MarkiRAT (v1.0)
• Matryoshka (v2.0)
• Maze (v1.2)
• MechaFlounder (v1.0)
• Meteor (v1.0)
• MimiPenguin (v1.2)
• MiniDuke (v1.3)
• MirageFox (v1.1)
• Mis-Type (v1.2)
• Misdat (v1.2)
• Mivast (v1.1)
• MobileOrder (v1.0)
• MoleNet (v1.0)
• Mongall (v1.0)
• MoonWind (v1.1)
• Mori (v1.0)
• Mythic (v1.0)
• NBTscan (v1.0)
• NDiskMonitor (v1.1)
• NETEAGLE (v1.1)
• NETWIRE (v1.6)
• NOKKI (v1.1)
• Naid (v1.0)
• NativeZone (v1.0)
• NavRAT (v1.1)
• Nebulae (v1.0)
• Neoichor (v1.0)
• Nerex (v1.0)
• Net Crawler (v1.1)
• NetTraveler (v1.1)
• Netwalker (v1.1)
• Nidiran (v1.1)
• NotPetya (v2.0)
• OLDBAIT (v1.1)
• OSInfo (v1.1)
• OSX/Shlayer (v1.4)
• ObliqueRAT (v1.0)
• OceanSalt (v1.1)
• Octopus (v2.0)
• Okrum (v1.0)
• Olympic Destroyer (v2.0)
• OnionDuke (v1.2)
• OopsIE (v1.2)
• Orz (v2.2)
• Out1 (v1.0)
• OwaAuth (v1.2)
• P.A.S. Webshell (v1.0)
• P8RAT (v1.0)
• PHOREAL (v1.1)
• PLAINTEE (v1.1)
• PLEAD (v2.0)
• POORAIM (v1.1)
• POSHSPY (v1.2)
• POWERSOURCE (v1.1)
• POWERSTATS (v2.3)
• POWERTON (v1.1)
• POWRUNER (v1.1)
• PUNCHBUGGY (v2.1)
• PUNCHTRACK (v1.1)
• Pandora (v1.0)
• Pasam (v1.1)
• Pass-The-Hash Toolkit (v1.0)
• Pay2Key (v1.0)
• Peirates (v1.0)
• Peppy (v1.0)
• Pillowmint (v1.2)
• PinchDuke (v1.1)
• Ping (v1.4)
• PingPull (v1.0)
• Pisloader (v1.1)
• PoisonIvy (v2.2)
• PolyglotDuke (v1.1)
• Pony (v1.0)
• PoshC2 (v1.3)
• PowGoop (v1.0)
• Power Loader (v1.0)
• PowerDuke (v1.2)
• PowerLess (v1.1)
• PowerPunch (v1.1)
• PowerShower (v1.0)
• PowerSploit (v1.6)
• PowerStallion (v1.1)
• Prestige (v1.0)
• ProLock (v1.0)
• Proton (v1.2)
• Proxysvc (v1.2)
• Psylo (v1.1)
• Pteranodon (v2.1)
• Pysa (v1.0)
• QUADAGENT (v1.2)
• QUIETCANARY (v1.0)
• QakBot (v1.3)
• QuietSieve (v1.0)
• RARSTONE (v1.1)
• RATANKBA (v1.1)
• RDAT (v1.0)
• RDFSNIFFER (v1.0)
• REvil (v2.2)
• RGDoor (v1.2)
• RIPTIDE (v1.1)
• ROCKBOOT (v1.1)
• ROKRAT (v2.3)
• RTM (v1.2)
• Ragnar Locker (v1.2)
• Ramsay (v1.1)
• RawDisk (v1.1)
• RawPOS (v1.1)
• Reg (v1.1)
• RegDuke (v1.1)
• Remcos (v1.3)
• RemoteCMD (v1.1)
• RemoteUtilities (v1.0)
• Responder (v1.2)
• Revenge RAT (v1.2)
• RobbinHood (v1.1)
• RogueRobin (v2.2)
• Rover (v1.1)
• Rubeus (v1.1)
• Ruler (v1.1)
• RunningRAT (v1.1)
• Ryuk (v1.4)
• S-Type (v1.3)
• SDBbot (v2.1)
• SDelete (v1.2)
• SEASHARPEE (v2.0)
• SHARPSTATS (v1.1)
• SHIPSHAPE (v1.0)
• SHOTPUT (v1.1)
• SHUTTERSPEED (v1.0)
• SLOWDRIFT (v1.1)
• SMOKEDHAM (v1.2)
• SNUGRIDE (v1.1)
• SOUNDBITE (v1.1)
• SPACESHIP (v1.1)
• SQLRat (v1.2)
• SUGARDUMP (v1.0)
• SUGARUSH (v1.0)
• SUNSPOT (v1.2)
• SVCReady (v1.0)
• SYSCON (v1.1)
• SeaDuke (v1.1)
• ServHelper (v1.2)
• Seth-Locker (v1.0)
• ShadowPad (v1.2)
• Shamoon (v2.2)
• SharpDisco (v1.0)
• SharpStage (v1.1)
• ShimRat (v1.0)
• ShimRatReporter (v1.0)
• Sibot (v1.1)
• SideTwist (v1.0)
• Siloscape (v1.0)
• Small Sieve (v1.0)
• Socksbot (v1.1)
• SodaMaster (v1.0)
• SombRAT (v1.2)
• SoreFang (v1.0)
• Spark (v1.1)
• SpicyOmelette (v1.0)
• SslMM (v1.1)
• Starloader (v1.1)
• StreamEx (v1.1)
• StrifeWater (v1.0)
• Stuxnet (v1.4)
• Sykipot (v1.1)
• SynAck (v1.3)
• Sys10 (v1.1)
• Systeminfo (v1.2)
• T9000 (v1.1)
• TAINTEDSCRIBE (v1.0)
• TDTESS (v1.1)
• TEARDROP (v1.2)
• TEXTMATE (v1.1)
• TSCookie (v1.0)
• TURNEDUP (v1.1)
• TajMahal (v1.0)
• Tarrask (v1.0)
• ThiefQuest (v1.2)
• TinyTurla (v1.1)
• TinyZBot (v1.1)
• Tomiris (v1.0)
• TrailBlazer (v1.1)
• Trojan.Karagany (v3.0)
• Trojan.Mebromi (v1.1)
• Truvasys (v1.1)
• Turian (v1.0)
• UACMe (v1.0)
• UPPERCUT (v1.1)
• USBferry (v1.0)
• Umbreon (v1.1)
• Unknown Logger (v1.1)
• VBShower (v1.0)
• Valak (v1.3)
• VaporRage (v1.0)
• Vasport (v1.1)
• WINDSHIELD (v1.0)
• WINERACK (v1.0)
• WannaCry (v1.1)
• WellMail (v1.0)
• WellMess (v1.0)
• Wiarp (v1.1)
• WinMM (v1.1)
• WindTail (v1.1)
• Wingbird (v1.1)
• Wiper (v1.0)
• XAgentOSX (v1.3)
• XTunnel (v2.1)
• Xbash (v1.2)
• ZLib (v1.2)
• Zebrocy (v3.0)
• Zeroaccess (v1.0)
• ZxShell (v1.2)
• adbupd (v1.1)
• at (v1.3)
• build_downer (v1.0)
• ccf32 (v1.0)
• cmd (v1.2)
• down_new (v1.0)
• dsquery (v1.4)
• gsecdump (v1.2)
• hcdLoader (v1.1)
• httpclient (v1.1)
• iKitten (v1.1)
• ifconfig (v1.0)
• ipconfig (v1.1)
• macOS.OSAMiner (v1.0)
• meek (v1.0)
• nbtstat (v1.0)
• njRAT (v1.6)
• pngdowner (v1.1)
• pwdump (v1.1)
• route (v1.1)
• schtasks (v1.2)
• spwebmember (v1.1)
• sqlmap (v1.0)
• xCaon (v1.0)
• xCmd (v1.0)
• yty (v1.2)
• zwShell (v2.0)

Mobile

New Software

• Android/SpyAgent (v1.0)
• Binary Validator (v1.0)
• FjordPhantom (v1.0)
• LightSpy (v1.0)
• SpyC23 (v1.0)
• TriangleDB (v1.0)

Minor Version Changes

• Desert Scorpion (v1.1→v1.2)
• FluBot (v1.0→v1.1)
• FrozenCell (v1.0→v1.1)

Patches

• ANDROIDOS_ANSERVER.A (v1.3)
• AbstractEmu (v1.0)
• Adups (v1.0)
• Agent Smith (v1.0)
• AhRat (v1.0)
• Allwinner (v1.0)
• AndroRAT (v1.1)
• Android/AdDisplay.Ashas (v1.0)
• Android/Chuli.A (v1.2)
• AndroidOS/MalLocker.B (v1.0)
• Asacub (v1.0)
• BrainTest (v1.0)
• Bread (v1.2)
• BusyGasper (v1.0)
• CHEMISTGAMES (v1.0)
• CarbonSteal (v1.1)
• Cerberus (v1.1)
• Chameleon (v1.0)
• Charger (v1.1)
• Circles (v1.0)
• Concipit1248 (v1.0)
• Corona Updates (v1.1)
• DEFENSOR ID (v1.0)
• Dendroid (v2.0)
• DoubleAgent (v1.0)
• DressCode (v1.0)
• Drinik (v1.0)
• DroidJack (v1.2)
• DualToy (v1.0)
• Dvmap (v1.0)
• EventBot (v1.0)
• Exodus (v1.0)
• FakeSpy (v1.0)
• FlexiSpy (v1.0)
• GPlayed (v1.0)
• Ginp (v1.1)
• Golden Cup (v1.0)
• GoldenEagle (v1.0)
• GolfSpy (v1.0)
• Gooligan (v1.2)
• Gustuff (v1.0)
• HenBox (v1.0)
• HummingBad (v1.1)
• HummingWhale (v1.0)
• INSOMNIA (v1.0)
• Judy (v1.0)
• KeyRaider (v1.0)
• Mandrake (v1.0)
• MazarBOT (v1.0)
• Monokle (v1.2)
• NotCompatible (v1.0)
• OBAD (v1.0)
• OldBoot (v1.0)
• PJApps (v1.0)
• Pallas (v1.1)
• Pegasus for Android (v1.2)
• Phenakite (v1.0)
• RCSAndroid (v1.2)
• Red Alert 2.0 (v1.0)
• RedDrop (v1.2)
• Riltok (v1.0)
• Rotexy (v1.1)
• RuMMS (v1.0)
• S.O.V.A. (v1.0)
• SharkBot (v1.0)
• ShiftyBug (v1.0)
• SilkBean (v1.0)
• SimBad (v1.0)
• Skygofree (v1.2)
• SpyDealer (v1.2)
• SpyNote RAT (v1.2)
• Stealth Mango (v1.3)
• TERRACOTTA (v1.0)
• Tangelo (v1.2)
• TangleBot (v1.0)
• TianySpy (v1.0)
• Tiktok Pro (v1.0)
• Triada (v1.0)
• TrickMo (v1.1)
• Trojan-SMS.AndroidOS.Agent.ao (v1.0)
• Trojan-SMS.AndroidOS.FakeInst.a (v1.0)
• Trojan-SMS.AndroidOS.OpFake.a (v1.0)
• Twitoor (v2.0)
• ViceLeaker (v1.0)
• ViperRAT (v1.0)
• WireLurker (v1.0)
• WolfRAT (v1.0)
• X-Agent for Android (v1.0)
• XLoader for Android (v2.0)
• XLoader for iOS (v1.1)
• Xbot (v1.0)
• XcodeGhost (v1.0)
• YiSpecter (v2.0)
• Zen (v1.0)
• ZergHelper (v1.0)

ICS

New Software

• FrostyGoop (v1.0)

Minor Version Changes

• Bad Rabbit (v1.0→v1.1)
• VPNFilter (v2.0→v2.1)

Patches

• ACAD/Medre.A (v1.0)
• Backdoor.Oldrea (v2.0)
• Conficker (v1.0)
• Duqu (v1.2)
• EKANS (v2.0)
• Flame (v1.1)
• INCONTROLLER (v1.0)
• Industroyer2 (v1.0)
• NotPetya (v2.0)
• PLC-Blaster (v1.0)
• REvil (v2.2)
• Ryuk (v1.4)
• Stuxnet (v1.4)
• WannaCry (v1.1)

Groups

Enterprise

New Groups

• APT42 (v1.0)
• BlackByte (v1.0)
• RedEcho (v1.0)
• Salt Typhoon (v1.0)
• Sea Turtle (v1.0)
• Storm-1811 (v1.0)
• Velvet Ant (v1.0)

Major Version Changes

• Akira (v1.0→v2.0)
• HAFNIUM (v2.0→v3.0)
• Lotus Blossom (v3.0→v4.0)
• OilRig (v4.1→v5.0)

Minor Version Changes

• APT28 (v5.1→v5.2)
• APT29 (v6.1→v6.2)
• APT38 (v3.0→v3.1)
• APT5 (v1.0→v1.1)
• Ember Bear (v2.0→v2.1)
• Ke3chang (v3.0→v3.1)
• Kimsuky (v5.0→v5.1)
• LAPSUS$ (v2.0→v2.1)
• Lazarus Group (v4.0→v4.1)
• Leviathan (v4.0→v4.1)
• Sandworm Team (v4.1→v4.2)
• ZIRCONIUM (v2.1→v2.2)

Patches

• APT-C-23 (v1.0)
• APT-C-36 (v1.1)
• APT1 (v1.4)
• APT12 (v2.1)
• APT16 (v1.1)
• APT17 (v1.1)
• APT30 (v1.1)
• APT37 (v2.0)
• Aoqin Dragon (v1.0)
• Axiom (v2.0)
• BRONZE BUTLER (v1.3)
• BackdoorDiplomacy (v1.0)
• BlackOasis (v1.0)
• BlackTech (v2.0)
• Carbanak (v2.0)
• Cleaver (v1.3)
• Cobalt Group (v2.1)
• Confucius (v1.1)
• CopyKittens (v1.6)
• DarkHydrus (v1.3)
• DarkVishnya (v1.1)
• Deep Panda (v1.2)
• DragonOK (v1.0)
• EXOTIC LILY (v1.0)
• Elderwood (v1.3)
• Equation (v1.2)
• Evilnum (v1.0)
• FIN10 (v1.3)
• FIN4 (v1.2)
• FIN5 (v1.2)
• FIN6 (v4.0)
• FIN8 (v2.0)
• Ferocious Kitten (v1.0)
• GCMAN (v1.1)
• GOLD SOUTHFIELD (v2.0)
• Gallmaker (v1.1)
• Gorgon Group (v1.5)
• IndigoZebra (v1.0)
• LazyScripter (v1.1)
• Leafminer (v2.4)
• LuminousMoth (v1.0)
• Machete (v2.0)
• Magic Hound (v6.1)
• Moafee (v1.1)
• Molerats (v2.1)
• MoustachedBouncer (v1.0)
• Mustang Panda (v2.1)
• NEODYMIUM (v1.0)
• Naikon (v2.0)
• Nomadic Octopus (v1.0)
• PLATINUM (v1.3)
• Patchwork (v1.5)
• PittyTiger (v1.2)
• Poseidon Group (v1.1)
• Putter Panda (v1.2)
• RTM (v1.1)
• Rocke (v1.0)
• Scarlet Mimic (v1.2)
• SideCopy (v1.0)
• Silence (v2.2)
• Silent Librarian (v1.0)
• Sowbug (v1.1)
• Stealth Falcon (v1.2)
• Strider (v1.1)
• Suckfly (v1.1)
• TA459 (v1.1)
• TA551 (v1.2)
• The White Company (v1.1)
• Threat Group-1314 (v1.1)
• Thrip (v1.2)
• Tonto Team (v1.1)
• Volatile Cedar (v1.1)
• WIRTE (v2.0)
• Windigo (v1.0)
• Windshift (v1.1)
• Winnti Group (v1.2)
• Wizard Spider (v4.0)
• admin@338 (v1.2)
• menuPass (v3.0)

Mobile

New Groups

• APT41 (v4.1)
• LAPSUS$ (v2.1)

Minor Version Changes

• APT28 (v5.1→v5.2)
• Sandworm Team (v4.1→v4.2)

Patches

• APT-C-23 (v1.0)
• Bouncing Golf (v1.0)
• Confucius (v1.1)
• MoustachedBouncer (v1.0)
• Windshift (v1.1)

ICS

Major Version Changes

• OilRig (v4.1→v5.0)

Minor Version Changes

• APT38 (v3.0→v3.1)
• Lazarus Group (v4.0→v4.1)
• Sandworm Team (v4.1→v4.2)

Patches

• ALLANITE (v1.0)
• FIN6 (v4.0)
• GOLD SOUTHFIELD (v2.0)
• Wizard Spider (v4.0)

Campaigns

Enterprise

New Campaigns

• APT28 Nearest Neighbor Campaign (v1.0)
• ArcaneDoor (v1.0)
• FLORAHOX Activity (v1.0)
• FrostyGoop Incident (v1.0)
• Indian Critical Infrastructure Intrusions (v1.0)
• J-magic Campaign (v1.0)
• Juicy Mix (v1.0)
• Leviathan Australian Intrusions (v1.0)
• Operation MidnightEclipse (v1.0)
• Outer Space (v1.0)
• RedDelta Modified PlugX Infection Chain Operations (v1.0)
• SPACEHOP Activity (v1.0)
• ShadowRay (v1.0)

Patches

• 2015 Ukraine Electric Power Attack (v1.0)
• 2016 Ukraine Electric Power Attack (v1.0)
• C0010 (v1.0)
• C0011 (v1.0)
• C0015 (v1.0)
• C0017 (v1.0)
• C0018 (v1.0)
• C0021 (v1.0)
• C0027 (v1.0)
• CostaRicto (v1.0)
• Frankenstein (v1.1)
• FunnyDream (v1.0)
• Operation CuckooBees (v1.1)
• Operation Ghost (v1.0)
• Operation Sharpshooter (v1.0)
• Operation Wocao (v1.1)
• Triton Safety Instrumented System Attack (v1.0)

Mobile

New Campaigns

• Operation Triangulation (v1.0)

ICS

New Campaigns

• FrostyGoop Incident (v1.0)

Patches

• 2015 Ukraine Electric Power Attack (v1.0)
• 2016 Ukraine Electric Power Attack (v1.0)
• Maroochy Water Breach (v1.0)
• Triton Safety Instrumented System Attack (v1.0)

Mitigations

Enterprise

Minor Version Changes

• Account Use Policies (v1.0→v1.1)
• Antivirus/Antimalware (v1.1→v1.2)
• Application Developer Guidance (v1.1→v1.2)
• Application Isolation and Sandboxing (v1.1→v1.2)
• Audit (v1.2→v1.3)
• Behavior Prevention on Endpoint (v1.0→v1.1)
• Boot Integrity (v1.0→v1.1)
• Code Signing (v1.1→v1.2)
• Credential Access Protection (v1.1→v1.2)
• Data Backup (v1.1→v1.2)
• Data Loss Prevention (v1.0→v1.1)
• Disable or Remove Feature or Program (v1.1→v1.2)
• Do Not Mitigate (v1.0→v1.1)
• Encrypt Sensitive Information (v1.0→v1.1)
• Environment Variable Permissions (v1.0→v1.1)
• Execution Prevention (v1.2→v1.3)
• Exploit Protection (v1.1→v1.2)
• Filter Network Traffic (v1.1→v1.2)
• Limit Access to Resource Over Network (v1.0→v1.1)
• Limit Hardware Installation (v1.0→v1.1)
• Limit Software Installation (v1.0→v1.1)
• Multi-factor Authentication (v1.0→v1.1)
• Network Segmentation (v1.1→v1.2)
• Operating System Configuration (v1.2→v1.3)
• Password Policies (v1.0→v1.1)
• Pre-compromise (v1.0→v1.1)
• Privileged Account Management (v1.1→v1.2)
• Privileged Process Integrity (v1.1→v1.2)
• Remote Data Storage (v1.0→v1.1)
• Restrict File and Directory Permissions (v1.1→v1.2)
• Restrict Library Loading (v1.0→v1.1)
• Restrict Registry Permissions (v1.1→v1.2)
• Restrict Web-Based Content (v1.0→v1.1)
• SSL/TLS Inspection (v1.0→v1.1)
• Software Configuration (v1.2→v1.3)
• Threat Intelligence Program (v1.0→v1.1)
• Update Software (v1.0→v1.1)
• User Account Control (v1.1→v1.2)
• User Account Management (v1.1→v1.2)
• User Training (v1.2→v1.3)
• Vulnerability Scanning (v1.1→v1.2)

Patches

• Active Directory Configuration (v1.2)

Mobile

Minor Version Changes

• Application Developer Guidance (v1.1→v1.2)

Patches

• Antivirus/Antimalware (v1.0)
• Attestation (v1.0)
• Deploy Compromised Device Detection Method (v1.0)
• Encrypt Network Traffic (v1.0)
• Enterprise Policy (v1.0)
• Interconnection Filtering (v1.0)
• Lock Bootloader (v1.0)
• Security Updates (v1.0)
• System Partition Integrity (v1.0)
• Use Recent OS Version (v1.0)
• User Guidance (v1.0)

ICS

Patches

• Access Management (v1.0)
• Account Use Policies (v1.0)
• Active Directory Configuration (v1.0)
• Antivirus/Antimalware (v1.0)
• Application Developer Guidance (v1.0)
• Application Isolation and Sandboxing (v1.0)
• Audit (v1.0)
• Boot Integrity (v1.0)
• Code Signing (v1.0)
• Communication Authenticity (v1.0)
• Data Backup (v1.0)
• Data Loss Prevention (v1.0)
• Disable or Remove Feature or Program (v1.0)
• Encrypt Network Traffic (v1.0)
• Encrypt Sensitive Information (v1.0)
• Execution Prevention (v1.0)
• Exploit Protection (v1.0)
• Filter Network Traffic (v1.0)
• Limit Access to Resource Over Network (v1.0)
• Limit Hardware Installation (v1.0)
• Mechanical Protection Layers (v1.0)
• Minimize Wireless Signal Propagation (v1.0)
• Mitigation Limited or Not Effective (v1.0)
• Multi-factor Authentication (v1.0)
• Network Allowlists (v1.0)
• Network Intrusion Prevention (v1.0)
• Network Segmentation (v1.0)
• Operating System Configuration (v1.0)
• Operational Information Confidentiality (v1.0)
• Out-of-Band Communications Channel (v1.0)
• Password Policies (v1.0)
• Privileged Account Management (v1.0)
• Redundancy of Service (v1.0)
• Restrict File and Directory Permissions (v1.0)
• Restrict Library Loading (v1.0)
• Restrict Registry Permissions (v1.0)
• Restrict Web-Based Content (v1.0)
• SSL/TLS Inspection (v1.0)
• Safety Instrumented Systems (v1.0)
• Software Configuration (v1.0)
• Static Network Configuration (v1.1)
• Supply Chain Management (v1.0)
• Threat Intelligence Program (v1.0)
• Update Software (v1.0)
• User Account Management (v1.0)
• User Training (v1.0)
• Validate Program Inputs (v1.0)
• Vulnerability Scanning (v1.0)
• Watchdog Timers (v1.0)

Data Sources

Enterprise

Minor Version Changes

• Application Log (v1.0→v1.1)
• Command (v1.1→v1.2)
• File (v1.0→v1.1)
• Firewall (v1.0→v1.1)
• Logon Session (v1.1→v1.2)
• Network Traffic (v1.1→v1.2)
• Process (v1.1→v1.2)
• Scheduled Job (v1.0→v1.1)
• Script (v1.1→v1.2)
• Service (v1.0→v1.1)
• User Account (v1.1→v1.2)

Patches

• Active Directory (v1.0)
• Certificate (v1.0)
• Cloud Service (v1.0)
• Cloud Storage (v1.0)
• Container (v1.0)
• Domain Name (v1.0)
• Drive (v1.0)
• Driver (v1.0)
• Firmware (v1.0)
• Group (v1.0)
• Image (v1.0)
• Instance (v1.0)
• Internet Scan (v1.0)
• Kernel (v1.0)
• Malware Repository (v1.1)
• Module (v1.0)
• Named Pipe (v1.0)
• Network Share (v1.0)
• Persona (v1.0)
• Pod (v1.0)
• Sensor Health (v1.1)
• Snapshot (v1.0)
• Volume (v1.0)
• WMI (v1.0)
• Web Credential (v1.0)
• Windows Registry (v1.0)

Mobile

Minor Version Changes

• Command (v1.1→v1.2)
• Network Traffic (v1.1→v1.2)
• Process (v1.1→v1.2)

Patches

• Application Vetting (v1.0)
• Sensor Health (v1.1)
• User Interface (v1.0)

ICS

Minor Version Changes

• Application Log (v1.0→v1.1)
• Command (v1.1→v1.2)
• File (v1.0→v1.1)
• Logon Session (v1.1→v1.2)
• Network Traffic (v1.1→v1.2)
• Process (v1.1→v1.2)
• Scheduled Job (v1.0→v1.1)
• Script (v1.1→v1.2)
• Service (v1.0→v1.1)
• User Account (v1.1→v1.2)

Patches

• Asset (v1.0)
• Drive (v1.0)
• Firmware (v1.0)
• Module (v1.0)
• Network Share (v1.0)
• Operational Databases (v1.0)
• Windows Registry (v1.0)

Data Components

Enterprise

Minor Version Changes

• Active DNS (v1.0→v1.1)
• Active Directory Credential Request (v1.0→v1.1)
• Active Directory Object Access (v1.0→v1.1)
• Active Directory Object Creation (v1.0→v1.1)
• Active Directory Object Deletion (v1.0→v1.1)
• Active Directory Object Modification (v1.0→v1.1)
• Application Log Content (v1.0→v1.1)
• Certificate Registration (v1.0→v1.1)
• Cloud Service Disable (v1.0→v1.1)
• Cloud Service Enumeration (v1.0→v1.1)
• Cloud Service Metadata (v1.0→v1.1)
• Cloud Service Modification (v1.0→v1.1)
• Cloud Storage Access (v1.0→v1.1)
• Cloud Storage Creation (v1.0→v1.1)
• Cloud Storage Deletion (v1.0→v1.1)
• Cloud Storage Enumeration (v1.0→v1.1)
• Cloud Storage Metadata (v1.0→v1.1)
• Cloud Storage Modification (v1.0→v1.1)
• Command Execution (v1.1→v1.2)
• Container Creation (v1.0→v1.1)
• Container Enumeration (v1.0→v1.1)
• Container Start (v1.0→v1.1)
• Domain Registration (v1.0→v1.1)
• Drive Access (v1.0→v1.1)
• Drive Creation (v1.0→v1.1)
• Drive Modification (v1.0→v1.1)
• Driver Load (v1.0→v1.1)
• Driver Metadata (v1.0→v1.1)
• File Access (v1.0→v1.1)
• File Creation (v1.0→v1.1)
• File Deletion (v1.0→v1.1)
• File Metadata (v1.0→v1.1)
• File Modification (v1.0→v1.1)
• Firewall Disable (v1.0→v1.1)
• Firewall Enumeration (v1.0→v1.1)
• Firewall Metadata (v1.0→v1.1)
• Firewall Rule Modification (v1.0→v1.1)
• Firmware Modification (v1.0→v1.1)
• Group Enumeration (v1.0→v1.1)
• Group Metadata (v1.0→v1.1)
• Group Modification (v1.0→v1.1)
• Image Creation (v1.0→v1.1)
• Image Deletion (v1.0→v1.1)
• Image Metadata (v1.0→v1.1)
• Instance Creation (v1.0→v1.1)
• Instance Deletion (v1.0→v1.1)
• Instance Enumeration (v1.0→v1.1)
• Instance Modification (v1.0→v1.1)
• Instance Start (v1.0→v1.1)
• Instance Stop (v1.0→v1.1)
• Kernel Module Load (v1.0→v1.1)
• Logon Session Creation (v1.1→v1.2)
• Malware Content (v1.1→v1.2)
• Module Load (v1.0→v1.1)
• Named Pipe Metadata (v1.0→v1.1)
• Network Connection Creation (v1.1→v1.2)
• Network Share Access (v1.0→v1.1)
• Network Traffic Content (v1.0→v1.1)
• Network Traffic Flow (v1.0→v1.1)
• OS API Execution (v1.0→v1.1)
• Passive DNS (v1.0→v1.1)
• Pod Creation (v1.0→v1.1)
• Pod Enumeration (v1.0→v1.1)
• Pod Modification (v1.0→v1.1)
• Process Access (v1.0→v1.1)
• Process Creation (v1.1→v1.2)
• Process Modification (v1.0→v1.1)
• Process Termination (v1.0→v1.1)
• Response Content (v1.0→v1.1)
• Response Metadata (v1.0→v1.1)
• Scheduled Job Creation (v1.0→v1.1)
• Script Execution (v1.1→v1.2)
• Service Creation (v1.0→v1.1)
• Service Modification (v1.0→v1.1)
• Snapshot Creation (v1.0→v1.1)
• Snapshot Deletion (v1.0→v1.1)
• Snapshot Enumeration (v1.0→v1.1)
• Snapshot Modification (v1.0→v1.1)
• Social Media (v1.0→v1.1)
• User Account Authentication (v1.1→v1.2)
• User Account Creation (v1.0→v1.1)
• User Account Deletion (v1.0→v1.1)
• User Account Modification (v1.0→v1.1)
• Volume Creation (v1.0→v1.1)
• Volume Deletion (v1.0→v1.1)
• WMI Creation (v1.0→v1.1)
• Windows Registry Key Access (v1.0→v1.1)
• Windows Registry Key Creation (v1.0→v1.1)
• Windows Registry Key Deletion (v1.0→v1.1)
• Windows Registry Key Modification (v1.0→v1.1)

Patches

• Host Status (v1.1)
• Image Modification (v1.0)
• Instance Metadata (v1.0)
• Logon Session Metadata (v1.0)
• Malware Metadata (v1.1)
• Process Metadata (v1.0)
• Scheduled Job Metadata (v1.0)
• Scheduled Job Modification (v1.0)
• Service Metadata (v1.0)
• Snapshot Metadata (v1.0)
• User Account Metadata (v1.0)
• Volume Enumeration (v1.0)
• Volume Metadata (v1.0)
• Volume Modification (v1.0)
• Web Credential Creation (v1.0)
• Web Credential Usage (v1.0)

Mobile

New Data Components

• OS API Execution (v1.1)

Minor Version Changes

• Command Execution (v1.1→v1.2)
• Network Connection Creation (v1.1→v1.2)
• Network Traffic Content (v1.0→v1.1)
• Network Traffic Flow (v1.0→v1.1)
• Process Creation (v1.1→v1.2)
• Process Termination (v1.0→v1.1)

Patches

• API Calls (v1.0)
• Host Status (v1.1)
• Network Communication (v1.0)
• Permissions Request (v1.0)
• Permissions Requests (v1.0)
• Process Metadata (v1.0)
• Protected Configuration (v1.0)
• System Notifications (v1.0)
• System Settings (v1.0)

ICS

Minor Version Changes

• Application Log Content (v1.0→v1.1)
• Command Execution (v1.1→v1.2)
• Drive Creation (v1.0→v1.1)
• Drive Modification (v1.0→v1.1)
• File Access (v1.0→v1.1)
• File Creation (v1.0→v1.1)
• File Deletion (v1.0→v1.1)
• File Metadata (v1.0→v1.1)
• File Modification (v1.0→v1.1)
• Firmware Modification (v1.0→v1.1)
• Logon Session Creation (v1.1→v1.2)
• Module Load (v1.0→v1.1)
• Network Connection Creation (v1.1→v1.2)
• Network Share Access (v1.0→v1.1)
• Network Traffic Content (v1.0→v1.1)
• Network Traffic Flow (v1.0→v1.1)
• OS API Execution (v1.0→v1.1)
• Process Creation (v1.1→v1.2)
• Process Termination (v1.0→v1.1)
• Scheduled Job Creation (v1.0→v1.1)
• Script Execution (v1.1→v1.2)
• Service Creation (v1.0→v1.1)
• Service Modification (v1.0→v1.1)
• User Account Authentication (v1.1→v1.2)
• Windows Registry Key Deletion (v1.0→v1.1)
• Windows Registry Key Modification (v1.0→v1.1)

Patches

• Asset Inventory (v1.0)
• Device Alarm (v1.0)
• Logon Session Metadata (v1.0)
• Process History/Live Data (v1.0)
• Process Metadata (v1.0)
• Process/Event Alarm (v1.0)
• Scheduled Job Metadata (v1.0)
• Scheduled Job Modification (v1.0)
• Service Metadata (v1.0)
• Software (v1.0)

Contributors to this release

• Aaron Sullivan aka ZerkerEOD
• Adam Lichters
• Alden Schmidt
• Ale Houspanossian
• Alexey Kleymenov
• Alon Klayman, Hunters Security
• Amnon Kushnir, Sygnia
• Ben Smith, @cyberg3cko
• Caio Silva
• Cian Heasley
• Cristian Souza - Kaspersky GERT
• Cristóbal Martínez Martín
• David Hughes, BT Security
• Dhiraj Mishra (@RandomDhiraj)
• Dmitry Bestuzhev
• Dvir Sasson, Reco
• Eliraz Levi, Hunters Security
• Fabian Kammel
• Fernando Bacchin
• Flavio Costa, Cisco
• Frank Angiolelli
• Gabriel Currie
• Gerardo Santos
• Harikrishnan Muthu, Cyble
• Hiroki Nagahama, NEC Corporation
• Inna Danilevich, U.S. Bank
• Jaesang Oh, KC7 Foundation
• Janantha Marasinghe
• Jennifer Kim Roman
• Jiraput Thamsongkrah
• Joas Antonio dos Santos, @C0d3Cr4zy
• Joe Gumke, U.S. Bank
• Jun Hirata, NEC Corporation
• Kaung Zaw Hein
• Kevin Ward
• Kori Yoshihiro, NEC Corporation
• Kyaw Pyiyt Htet, @KyawPyiytHtet
• Liran Ravich, CardinalOps
• Lê Phương Nam, Group-IB
• Manikantan Srinivasan, NEC Corporation India
• Matt Anderson, @‌nosecurething, Huntress
• Matt Brenton, Zurich Insurance Group
• Menachem Goldstein
• Michael Davis, ServiceNow Threat Intelligence
• MyungUk Han, ASEC
• Natthawut Saexu
• Nikita Rostovcev, Group-IB
• Oren Biderman, Sygnia
• Peter Oakes
• Pooja Natarajan, NEC Corporation India
• Raghvendra Mishra
• ReliaQuest
• RoseSecurity
• Rouven Bissinger (SySS GmbH)
• Ruben Groenewoud (@RFGroenewoud)
• Ryan Perez
• Sareena Karapoola, NEC Corporation India
• Seungyoul Yoo, Ahnlab
• Sharmine Low, Group-IB
• Shun Miyazaki, NEC Corporation
• Shwetank Murarka
• Sittikorn Sangrattanapitak
• Suraj Khetani (@r00treaver)
• Vicky Ray, RayvenX
• Vijay Lalwani
• Wietze Beukema @Wietze
• Yoshihiro Kori, NEC Corporation