Updates - July 2019

Version     Start Date      End Date           Data
ATT&CK v5   July 31, 2019   October 23, 2019   v5.2 on MITRE/CTI

The July 2019 release focuses on changes to how Mitigations in ATT&CK for Enterprise are represented and updates the Groups and Software entries. It does not contain updates to techniques; a larger technique update is planned for later this year. We're happy to check off another box on our planned changes this year, which was to modify how we represent mitigations in Enterprise so that the information is organized similarly to how mitigations are handled in ATT&CK for Mobile.

Mitigations in Enterprise are now treated as categories and are represented by objects similar to Groups and Software, one example being "Multi-factor Authentication". In the previous free-text mitigation fields, several techniques might reference multi-factor authentication as a potential way to mitigate them, but it was difficult to see which techniques a particular mitigation applied to without scouring the text fields across all techniques. Now each technique that a mitigation applies to is associated with that mitigation category, and the details of how the mitigation applies to a given technique appear in a table under that technique's Mitigations section. Each mitigation category has its own page listing all the techniques associated with it, giving an at-a-glance view of coverage. In all, 40 new mitigation categories were created based on a text analysis of each technique, in which we pulled apart the existing mitigation text and binned it into like categories to consolidate the mitigation information in Enterprise.

During the process of applying the new mitigation categories, we also did some house cleaning on which mitigations are appropriate for which techniques. We generally took the stance that if a mitigation does not directly apply to the specific behavior, we removed it. For example, we removed application whitelisting (Execution Prevention) from quite a few techniques where it had previously been treated as a mitigation of last resort.

Mitigations are represented as course-of-action objects in STIX and use the same ID numbering as Mobile mitigations (M####). The old per-technique mitigation text was placed into temporary mitigation objects carrying the full text field, and these are included as deprecated mitigation objects. They are retained in the STIX data for historical purposes but are not present on the website. Those deprecated mitigation objects are labeled with the same technique ID (T####) as the technique they were associated with.
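The new structure makes the coverage question ("which techniques does this mitigation apply to?") a graph walk over the STIX data rather than a text search. The following is an added example written for these notes, not code from MITRE or the MITRE/CTI repository. It parses a constructed STIX 2.0 bundle laid out the way the ATT&CK data is (course-of-action objects with M#### external IDs, attack-pattern objects with T#### IDs, "mitigates" relationships between them, deprecated objects flagged with x_mitre_deprecated), builds the mitigation-to-technique coverage table described above while skipping deprecated mitigations and revoked techniques, and separately lists the deprecated per-technique mitigation objects that keep their old T#### label. The object ids, the T0000 technique and all description strings in the sample bundle are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample bundle in the shape of the MITRE/CTI STIX 2.0 data.
# Object ids are placeholder UUIDs; T0000 is a placeholder technique id; the
# description strings are invented for illustration, not ATT&CK text.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
         "name": "Brute Force",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1110"}]},
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-0000000000a2",
         "name": "Valid Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        # Revoked technique (placeholder): relationships pointing at it must be ignored.
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-0000000000a3",
         "name": "Revoked Placeholder", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        # New-style mitigation category with an M#### id.
        {"type": "course-of-action",
         "id": "course-of-action--00000000-0000-4000-8000-0000000000c1",
         "name": "Multi-factor Authentication",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
        # Deprecated per-technique mitigation object: keeps the technique's T#### id.
        {"type": "course-of-action",
         "id": "course-of-action--00000000-0000-4000-8000-0000000000c2",
         "name": "Brute Force Mitigation", "x_mitre_deprecated": True,
         "description": "(old free-text mitigation field, placeholder)",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1110"}]},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000e1",
         "relationship_type": "mitigates",
         "source_ref": "course-of-action--00000000-0000-4000-8000-0000000000c1",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
         "description": "MFA limits the value of a guessed password (placeholder)."},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000e2",
         "relationship_type": "mitigates",
         "source_ref": "course-of-action--00000000-0000-4000-8000-0000000000c1",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a2",
         "description": "MFA on accounts used for remote access (placeholder)."},
        # Points at the revoked technique: dropped from coverage.
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000e3",
         "relationship_type": "mitigates",
         "source_ref": "course-of-action--00000000-0000-4000-8000-0000000000c1",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a3"},
        # Source is a deprecated mitigation object: dropped from coverage.
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000e4",
         "relationship_type": "mitigates",
         "source_ref": "course-of-action--00000000-0000-4000-8000-0000000000c2",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a1"},
    ],
})


def attack_id(obj):
    """Return the ATT&CK external id (M#### or T####) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def load_objects(bundle_json):
    """Index every object in a STIX bundle by its STIX id."""
    bundle = json.loads(bundle_json)
    return {obj["id"]: obj for obj in bundle["objects"]}


def is_active(obj):
    """Objects flagged revoked or x_mitre_deprecated are kept for history only."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def mitigation_coverage(bundle_json):
    """Map each active mitigation id to {technique id: per-technique description},
    following 'mitigates' relationships from course-of-action to attack-pattern."""
    objects = load_objects(bundle_json)
    coverage = defaultdict(dict)
    for obj in objects.values():
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "mitigates":
            continue
        src = objects.get(obj.get("source_ref"))
        tgt = objects.get(obj.get("target_ref"))
        if src is None or tgt is None:          # dangling reference in the bundle
            continue
        if src["type"] != "course-of-action" or tgt["type"] != "attack-pattern":
            continue
        if not (is_active(src) and is_active(tgt)):
            continue
        coverage[attack_id(src)][attack_id(tgt)] = obj.get("description", "")
    return dict(coverage)


def deprecated_mitigations(bundle_json):
    """Return {T#### id: name} for the deprecated per-technique mitigation objects."""
    objects = load_objects(bundle_json)
    return {attack_id(o): o["name"] for o in objects.values()
            if o["type"] == "course-of-action" and o.get("x_mitre_deprecated", False)}


if __name__ == "__main__":
    for mit_id, techniques in sorted(mitigation_coverage(SAMPLE_BUNDLE).items()):
        print(mit_id, "->", ", ".join(sorted(techniques)))
    print("deprecated:", deprecated_mitigations(SAMPLE_BUNDLE))
```

Run against the real enterprise-attack.json from MITRE/CTI, the same two functions give the full coverage table for all 40 categories and recover the deprecated "… Mitigation" objects listed under Mitigation deprecations below; the deprecated and revoked checks matter there because both kinds of object remain in the bundle.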

The Effects tactic in ATT&CK for Mobile was renamed to Impact for consistency with the Enterprise Impact tactic.

We've also updated the Enterprise tactic descriptions based on a contribution from Elly Searle at CrowdStrike to make them more straightforward, uniform, and easier to understand.

Techniques

Enterprise

New Techniques: No changes

Technique changes: No changes

Technique revocations: No changes

Technique deprecations: No changes

Minor Technique changes: No changes

PRE-ATT&CK

New Techniques: No changes

Technique changes: No changes

Technique revocations: No changes

Technique deprecations: No changes

Minor Technique changes: No changes

Mobile

New Techniques: No changes

Technique changes: No changes

Technique revocations: No changes

Technique deprecations: No changes

Minor Technique changes: No changes

Software

Enterprise

New Software:

Software changes:

Software revocations: No changes

Software deprecations: No changes

Minor Software changes:

PRE-ATT&CK

New Software: No changes

Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Minor Software changes: No changes

Mobile

New Software:

Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Minor Software changes: No changes

Groups

Enterprise

New Groups:

Group changes:

Group revocations: No changes

Group deprecations: No changes

Minor Group changes:

PRE-ATT&CK

New Groups: No changes

Group changes:

Group revocations: No changes

Group deprecations: No changes

Minor Group changes: No changes

Mobile

New Groups:

Group changes:

Group revocations: No changes

Group deprecations: No changes

Minor Group changes: No changes

Mitigations

Enterprise

New Mitigations:

Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations:

  • .bash_profile and .bashrc Mitigation
  • Access Token Manipulation Mitigation
  • Accessibility Features Mitigation
  • Account Discovery Mitigation
  • Account Manipulation Mitigation
  • AppCert DLLs Mitigation
  • AppInit DLLs Mitigation
  • AppleScript Mitigation
  • Application Deployment Software Mitigation
  • Application Shimming Mitigation
  • Application Window Discovery Mitigation
  • Audio Capture Mitigation
  • Authentication Package Mitigation
  • Automated Collection Mitigation
  • Automated Exfiltration Mitigation
  • BITS Jobs Mitigation
  • Bash History Mitigation
  • Binary Padding Mitigation
  • Bootkit Mitigation
  • Browser Bookmark Discovery Mitigation
  • Browser Extensions Mitigation
  • Brute Force Mitigation
  • Bypass User Account Control Mitigation
  • CMSTP Mitigation
  • Change Default File Association Mitigation
  • Clear Command History Mitigation
  • Clipboard Data Mitigation
  • Code Signing Mitigation
  • Command-Line Interface Mitigation
  • Commonly Used Port Mitigation
  • Communication Through Removable Media Mitigation
  • Compile After Delivery Mitigation
  • Compiled HTML File Mitigation
  • Component Firmware Mitigation
  • Component Object Model Hijacking Mitigation
  • Connection Proxy Mitigation
  • Control Panel Items Mitigation
  • Create Account Mitigation
  • Credential Dumping Mitigation
  • Credentials in Files Mitigation
  • Credentials in Registry Mitigation
  • Custom Command and Control Protocol Mitigation
  • Custom Cryptographic Protocol Mitigation
  • DCShadow Mitigation
  • DLL Search Order Hijacking Mitigation
  • DLL Side-Loading Mitigation
  • Data Compressed Mitigation
  • Data Destruction Mitigation
  • Data Encoding Mitigation
  • Data Encrypted Mitigation
  • Data Encrypted for Impact Mitigation
  • Data Obfuscation Mitigation
  • Data Staged Mitigation
  • Data Transfer Size Limits Mitigation
  • Data from Information Repositories Mitigation
  • Data from Local System Mitigation
  • Data from Network Shared Drive Mitigation
  • Data from Removable Media Mitigation
  • Defacement Mitigation
  • Deobfuscate/Decode Files or Information Mitigation
  • Disabling Security Tools Mitigation
  • Distributed Component Object Model Mitigation
  • Domain Fronting Mitigation
  • Domain Generation Algorithms Mitigation
  • Domain Trust Discovery Mitigation
  • Drive-by Compromise Mitigation
  • Dylib Hijacking Mitigation
  • Dynamic Data Exchange Mitigation
  • Email Collection Mitigation
  • Endpoint Denial of Service Mitigation
  • Environmental Keying Mitigation
  • Execution through API Mitigation
  • Execution through Module Load Mitigation
  • Exfiltration Over Alternative Protocol Mitigation
  • Exfiltration Over Command and Control Channel Mitigation
  • Exfiltration Over Other Network Medium Mitigation
  • Exfiltration Over Physical Medium Mitigation
  • Exploit Public-Facing Application Mitigation
  • Exploitation for Client Execution Mitigation
  • Exploitation for Credential Access Mitigation
  • Exploitation for Defense Evasion Mitigation
  • Exploitation for Privilege Escalation Mitigation
  • Exploitation of Remote Services Mitigation
  • External Remote Services Mitigation
  • Extra Window Memory Injection Mitigation
  • Fallback Channels Mitigation
  • File Deletion Mitigation
  • File Permissions Modification Mitigation
  • File System Logical Offsets Mitigation
  • File System Permissions Weakness Mitigation
  • File and Directory Discovery Mitigation
  • Firmware Corruption Mitigation
  • Forced Authentication Mitigation
  • Gatekeeper Bypass Mitigation
  • Graphical User Interface Mitigation
  • Group Policy Modification Mitigation
  • HISTCONTROL Mitigation
  • Hardware Additions Mitigation
  • Hidden Files and Directories Mitigation
  • Hidden Users Mitigation
  • Hidden Window Mitigation
  • Hooking Mitigation
  • Hypervisor Mitigation
  • Image File Execution Options Injection Mitigation
  • Indicator Blocking Mitigation
  • Indicator Removal from Tools Mitigation
  • Indicator Removal on Host Mitigation
  • Indirect Command Execution Mitigation
  • Inhibit System Recovery Mitigation
  • Input Capture Mitigation
  • Input Prompt Mitigation
  • Install Root Certificate Mitigation
  • InstallUtil Mitigation
  • Kerberoasting Mitigation
  • Kernel Modules and Extensions Mitigation
  • Keychain Mitigation
  • LC_LOAD_DYLIB Addition Mitigation
  • LC_MAIN Hijacking Mitigation
  • LLMNR/NBT-NS Poisoning Mitigation
  • LSASS Driver Mitigation
  • Launch Agent Mitigation
  • Launch Daemon Mitigation
  • Launchctl Mitigation
  • Login Item Mitigation
  • Logon Scripts Mitigation
  • Man in the Browser Mitigation
  • Masquerading Mitigation
  • Modify Existing Service Mitigation
  • Modify Registry Mitigation
  • Mshta Mitigation
  • Multi-Stage Channels Mitigation
  • Multi-hop Proxy Mitigation
  • Multiband Communication Mitigation
  • Multilayer Encryption Mitigation
  • NTFS File Attributes Mitigation
  • Netsh Helper DLL Mitigation
  • Network Denial of Service Mitigation
  • Network Service Scanning Mitigation
  • Network Share Connection Removal Mitigation
  • Network Share Discovery Mitigation
  • Network Sniffing Mitigation
  • New Service Mitigation
  • Obfuscated Files or Information Mitigation
  • Office Application Startup Mitigation
  • Pass the Hash Mitigation
  • Pass the Ticket Mitigation
  • Password Filter DLL Mitigation
  • Password Policy Discovery Mitigation
  • Path Interception Mitigation
  • Peripheral Device Discovery Mitigation
  • Permission Groups Discovery Mitigation
  • Plist Modification Mitigation
  • Port Knocking Mitigation
  • Port Monitors Mitigation
  • PowerShell Mitigation
  • Private Keys Mitigation
  • Process Discovery Mitigation
  • Process Doppelgänging Mitigation
  • Process Hollowing Mitigation
  • Process Injection Mitigation
  • Query Registry Mitigation
  • Rc.common Mitigation
  • Re-opened Applications Mitigation
  • Redundant Access Mitigation
  • Registry Run Keys / Startup Folder Mitigation
  • Regsvcs/Regasm Mitigation
  • Regsvr32 Mitigation
  • Remote Access Tools Mitigation
  • Remote Desktop Protocol Mitigation
  • Remote File Copy Mitigation
  • Remote Services Mitigation
  • Remote System Discovery Mitigation
  • Replication Through Removable Media Mitigation
  • Resource Hijacking Mitigation
  • Rootkit Mitigation
  • Rundll32 Mitigation
  • Runtime Data Manipulation Mitigation
  • SID-History Injection Mitigation
  • SIP and Trust Provider Hijacking Mitigation
  • SSH Hijacking Mitigation
  • Scheduled Task Mitigation
  • Scheduled Transfer Mitigation
  • Screen Capture Mitigation
  • Screensaver Mitigation
  • Scripting Mitigation
  • Security Software Discovery Mitigation
  • Security Support Provider Mitigation
  • Service Execution Mitigation
  • Service Registry Permissions Weakness Mitigation
  • Service Stop Mitigation
  • Setuid and Setgid Mitigation
  • Shared Webroot Mitigation
  • Shortcut Modification Mitigation
  • Signed Binary Proxy Execution Mitigation
  • Signed Script Proxy Execution Mitigation
  • Software Packing Mitigation
  • Source Mitigation
  • Space after Filename Mitigation
  • Spearphishing Attachment Mitigation
  • Spearphishing Link Mitigation
  • Spearphishing via Service Mitigation
  • Standard Application Layer Protocol Mitigation
  • Standard Cryptographic Protocol Mitigation
  • Standard Non-Application Layer Protocol Mitigation
  • Startup Items Mitigation
  • Stored Data Manipulation Mitigation
  • Sudo Caching Mitigation
  • Sudo Mitigation
  • Supply Chain Compromise Mitigation
  • System Firmware Mitigation
  • System Information Discovery Mitigation
  • System Network Configuration Discovery Mitigation
  • System Network Connections Discovery Mitigation
  • System Owner/User Discovery Mitigation
  • System Service Discovery Mitigation
  • System Time Discovery Mitigation
  • Systemd Service Mitigation
  • Taint Shared Content Mitigation
  • Template Injection Mitigation
  • Third-party Software Mitigation
  • Time Providers Mitigation
  • Timestomp Mitigation
  • Transmitted Data Manipulation Mitigation
  • Trap Mitigation
  • Trusted Developer Utilities Mitigation
  • Trusted Relationship Mitigation
  • Two-Factor Authentication Interception Mitigation
  • Uncommonly Used Port Mitigation
  • User Execution Mitigation
  • Valid Accounts Mitigation
  • Video Capture Mitigation
  • Virtualization/Sandbox Evasion Mitigation
  • Web Service Mitigation
  • Web Shell Mitigation
  • Windows Admin Shares Mitigation
  • Windows Management Instrumentation Event Subscription Mitigation
  • Windows Management Instrumentation Mitigation
  • Windows Remote Management Mitigation
  • Winlogon Helper DLL Mitigation
  • XSL Script Processing Mitigation

Minor Mitigation changes: No changes

PRE-ATT&CK

New Mitigations: No changes

Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Minor Mitigation changes: No changes

Mobile

New Mitigations: No changes

Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Minor Mitigation changes: No changes