Updates - July 2017

Big update for July 2017. ATT&CK now totals 169 techniques across Windows, Mac, and Linux:

Rollout of Mac and Linux ATT&CK for Enterprise techniques

• 89 total techniques, including 29 additions for MacOS/OS X - Mac Technique Matrix
• 80 total techniques, including 12 additions for Linux - Linux Technique Matrix
• Many existing techniques also received content updates to include details for Mac and/or Linux

Up to 140 techniques for Windows:

New techniques:

• Access Token Manipulation
• Network Share Discovery
• Create Account
• Office Application Startup
• Application Shimming
• Deobfuscate/Decode Files or Information
• Private Keys
• Hidden Files and Directories

Updated techniques:

• Brute Force - Added password spraying
• Trusted Developer Utilities - Renamed from Msbuild, added examples for DNX, RCSI, and WinDbg/CDB
• System Network Configuration Discovery - Renamed from 'local' to incorporate both local and remote actions
• System Network Connections Discovery - Renamed from 'local' to incorporate both local and remote actions
• Valid Accounts - Renamed from Legitimate Credentials to account for accounts created by adversaries in Create Account
• Account Manipulation - Renamed from Credential Manipulation to better suit the intent of the technique
• Accessibility Features - Large update to technical details
• System Firmware - Generalized name from Basic Input/Output System to account for (U)EFI firmware persistence
• Pass the Ticket - Updated detection and mitigation information

Changes to Groups include three new groups:

• OilRig
• APT32
• FIN10

Changes to Software include new software profiles:

• POSHSPY
• HALFBAKED
• EvilGrab
• RedLeaves
• Cobalt Strike
• WINDSHIELD
• KOMPROGO
• SOUNDBITE
• PHOREAL
• SNUGRIDE
• certutil
• XAgentOSX
• Komplex
• Janicab