Updates - July 2020

The July 2020 (v7) ATT&CK release updates Techniques, Groups, and Software for both Enterprise and Mobile. This is the first non-beta release of Enterprise ATT&CK represented with sub-techniques. The pre sub-technique version of ATT&CK has been preserved here. Most of this content was released as a beta in March 2020, and changes between the beta release and this release are documented separately.

In total, the sub-technique version of ATT&CK for Enterprise contains 156 techniques (reduced from 266) and 272 sub-techniques.

See the accompanying blog post for more details.

In this same release we have deprecated white/blacklist language in ATT&CK. Techniques and mitigations previously containing this language have either been reworded or the language has been replaced with allow/denylist. In line with industry terminology changes, application whitelisting and process whitelisting have both been replaced with application control.

Techniques

Enterprise

View enterprise technique updates in the ATT&CK Navigator here.

New Techniques:

• Abuse Elevation Control Mechanism - Created to consolidate similar behaviors that take advantage of elevation control
  • Bypass User Access Control - Existing technique that became a sub-technique
  • Elevated Execution with Prompt - Existing technique that became a sub-technique
  • Setuid and Setgid - Existing technique that became a sub-technique
  • Sudo and Sudo Caching - Existing technique that became a sub-technique
• Access Token Manipulation: Create Process with Token - Broken out from pre-defined behavior within Access Token Manipulation
• Access Token Manipulation: Make and Impersonate Token - Broken out from pre-defined behavior within Access Token Manipulation
• Access Token Manipulation: Parent PID Spoofing - Added due to manipulation of tokens
• Access Token Manipulation: SID-History Injection - Added due to manipulation of token information
• Access Token Manipulation: Token Impersonation/Theft - Broken out from pre-defined behavior within Access Token Manipulation
• Account Discovery: Cloud Account - Added for parity with Create Account
• Account Discovery: Domain Account - Added for parity with Create Account
• Account Discovery: Email Account - Broken out from pre-defined behavior within Account Discovery
• Account Discovery: Local Account - Added for parity with Create Account
• Account Manipulation: Add Office 365 Global Administrator Role - Broken out from pre-defined behavior within Account Manipulation
• Account Manipulation: Additional Azure Service Principal Credentials - Broken out from pre-defined behavior within Account Manipulation
• Account Manipulation: Exchange Email Delegate Permissions - Broken out from pre-defined behavior within Account Manipulation
• Account Manipulation: SSH Authorized Keys - Created as distinct behavior within Account Manipulation
• Application Layer Protocol: DNS - Created as distinct behavior due to how Application Layer Protocols are used for C2
• Application Layer Protocol: File Transfer Protocols - Created as distinct behavior due to how Application Layer Protocols are used for C2
• Application Layer Protocol: Mail Protocols - Created as distinct behavior due to how Application Layer Protocols are used for C2
• Application Layer Protocol: Web Protocols - Created as distinct behavior due to how Application Layer Protocols are used for C2
• Archive Collected Data - Created to consolidate behavior around encrypting and compressing collected data
• Archive via Custom Method - Broken out from pre-defined behavior within Archive Collected Data
• Archive via Library - Broken out from pre-defined behavior within Archive Collected Data
• Archive via Utility - Broken out from pre-defined behavior within Archive Collected Data
• Boot or Logon Autostart Execution - Created to consolidate similar autostart execution locations
  • Authentication Package - Existing technique that became a sub-technique
  • Kernel Modules and Extensions - Existing technique that became a sub-technique
  • LSASS Driver - Existing technique that became a sub-technique
  • Plist Modification - Existing technique that became a sub-technique
  • Port Monitors - Existing technique that became a sub-technique
  • Re-opened Applications - Existing technique that became a sub-technique
  • Registry Run Keys / Startup Folder - Existing technique that became a sub-technique
  • Security Support Provider - Existing technique that became a sub-technique
  • Shortcut Modification - Existing technique that became a sub-technique
  • Time Providers - Existing technique that became a sub-technique
  • Winlogon Helper DLL - Existing technique that became a sub-technique
• Boot or Logon Initialization Scripts: Logon Script (Mac) - Existing technique that became a sub-technique
• Boot or Logon Initialization Scripts: Logon Script (Windows) - Existing technique that became a sub-technique
• Boot or Logon Initialization Scripts: Network Logon Script - Existing technique that became a sub-technique
• Boot or Logon Initialization Scripts: Rc.common - Existing technique that became a sub-technique
• Boot or Logon Initialization Scripts: Startup Items - Existing technique that became a sub-technique
• Brute Force: Credential Stuffing - Created as distinct behavior variation of Brute Force
• Brute Force: Password Cracking - Broken out from pre-defined behavior within Brute Force
• Brute Force: Password Guessing - Broken out from pre-defined behavior within Brute Force
• Brute Force: Password Spraying - Broken out from pre-defined behavior within Brute Force
• Command and Scripting Interpreter: AppleScript - Existing technique that became a sub-technique
• Command and Scripting Interpreter: JavaScript/JScript - Created as distinct behavior within Command and Scripting Interpreter
• Command and Scripting Interpreter: PowerShell - Existing technique that became a sub-technique
• Command and Scripting Interpreter: Python - Created as distinct behavior within Command and Scripting Interpreter
• Command and Scripting Interpreter: Unix Shell - Existing technique that became a sub-technique
• Command and Scripting Interpreter: Visual Basic - Created as distinct behavior within Command and Scripting Interpreter
• Command and Scripting Interpreter: Windows Command Shell - Existing technique that became a sub-technique
• Compromise Client Software Binary - New technique based on contribution
• Create Account: Cloud Account - Broken out from pre-defined behavior within Create Account
• Create Account: Domain Account - Broken out from pre-defined behavior within Create Account
• Create Account: Local Account - Broken out from pre-defined behavior within Create Account
• Create or Modify System Process - Created to consolidate behavior around system-level processes
  • Launch Agent - Existing technique that became a sub-technique
  • Launch Daemon - Existing technique that became a sub-technique
  • Systemd Service - Existing technique that became a sub-technique
  • Windows Service - Existing technique that became a sub-technique. Consolidates Modify Existing Service and New Service techniques into one sub-technique
• Credentials from Password Stores - Created to consolidate locations where passwords are stored
  • Credentials from Web Browsers - Existing technique that became a sub-technique
  • Keychain - Existing technique that became a sub-technique
  • Securityd Memory - Existing technique that became a sub-technique
• Data Encoding: Non-Standard Encoding - Broken out from pre-defined behavior within Data Encoding
• Data Encoding: Standard Encoding - Broken out from pre-defined behavior within Data Encoding
  • Data Manipulation - Created to consolidate existing behaviors around data manipulation
  • Runtime Data Manipulation - Existing technique that became a sub-technique
  • Stored Data Manipulation - Existing technique that became a sub-technique
  • Transmitted Data Manipulation - Existing technique that became a sub-technique
• Data Obfuscation: Junk Data - Broken out from pre-defined behavior within Data Obfuscation
• Data Obfuscation: Protocol Impersonation - Broken out from pre-defined behavior within Data Obfuscation
• Data Obfuscation: Steganography - Broken out from pre-defined behavior within Data Obfuscation
• Data Staged: Local Data Staging - Broken out from pre-defined behavior within Data Staged
• Data Staged: Remote Data Staging - Broken out from pre-defined behavior within Data Staged
• Data from Information Repositories: Confluence - Broken out from pre-defined behavior within Data from Information Repositories
• Data from Information Repositories: Sharepoint - Broken out from pre-defined behavior within Data from Information Repositories
• Defacement: External Defacement - Broken out from pre-defined behavior within Defacement
• Defacement: Internal Defacement - Broken out from pre-defined behavior within Defacement
• Disk Wipe - Created to consolidate behavior around disk wiping
  • Disk Content Wipe - Existing technique that became a sub-technique
  • Disk Structure Wipe - Existing technique that became a sub-technique
• Dynamic Resolution - Created to consolidate behavior around dynamic C2 behavior
  • DNS Calculation - Existing PRE-ATT&CK technique that became a sub-technique in Enterprise
  • Domain Generation Algorithms - Existing technique that became a sub-technique
  • Fast Flux DNS - Existing PRE-ATT&CK technique that became a sub-technique in Enterprise
• Email Collection: Email Forwarding Rule - Broken out from pre-defined behavior within Email Collection
• Email Collection: Local Email Collection - Broken out from pre-defined behavior within Email Collection
• Email Collection: Remote Email Collection - Broken out from pre-defined behavior within Email Collection
• Encrypted Channel - Created to consolidate behavior around encrypted C2
  • Asymmetric Cryptography - Broken out from pre-defined behavior within Encrypted Channel
  • Symmetric Cryptography - Broken out from pre-defined behavior within Encrypted Channel
• Endpoint Denial of Service: Application Exhaustion Flood - Broken out from pre-defined behavior within Endpoint Denial of Service
• Endpoint Denial of Service: Application or System Exploitation - Broken out from pre-defined behavior within Endpoint Denial of Service
• Endpoint Denial of Service: OS Exhaustion Flood - Broken out from pre-defined behavior within Endpoint Denial of Service
• Endpoint Denial of Service: Service Exhaustion Flood - Broken out from pre-defined behavior within Endpoint Denial of Service
• Event Triggered Execution - Created to consolidate persistence behavior due to adversary or user initiated actions
  • .bash_profile and .bashrc - Existing technique that became a sub-technique
  • Accessibility Features - Existing technique that became a sub-technique
  • AppCert DLLs - Existing technique that became a sub-technique
  • AppInit DLLs - Existing technique that became a sub-technique
  • Application Shimming - Existing technique that became a sub-technique
  • Change Default File Association - Existing technique that became a sub-technique
  • Component Object Model Hijacking - Existing technique that became a sub-technique
  • Emond - Existing technique that became a sub-technique
  • Image File Execution Options Injection - Existing technique that became a sub-technique
  • LC_LOAD_DYLIB Addition - Existing technique that became a sub-technique
  • Netsh Helper DLL - Existing technique that became a sub-technique
  • PowerShell Profile - Existing technique that became a sub-technique
  • Screensaver - Existing technique that became a sub-technique
  • Trap - Existing technique that became a sub-technique
  • Windows Management Instrumentation Event Subscription - Existing technique that became a sub-technique
• Execution Guardrails: Environmental Keying - Broken out from pre-defined behavior within Execution Guardrails
• Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
• Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
• Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
• Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth - Broken out from pre-defined behavior within Exfiltration over Other Network Medium
• Exfiltration Over Physical Medium: Exfiltration over USB - Broken out from pre-defined behavior within Exfiltration Over Physical Medium
• Exfiltration Over Web Service - Created to consolidate behaviors around exfiltration to legitimate web services
  • Exfiltration to Cloud Storage - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
  • Exfiltration to Code Repository - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
• File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification - Broken out from pre-defined behavior within File and Directory Permissions Modification
• File and Directory Permissions Modification: Windows File and Directory Permissions Modification - Broken out from pre-defined behavior within File and Directory Permissions Modification
• Hide Artifacts - Created to consolidate behaviors around defense evasion through creating hidden objects that may be difficult to see
  • Hidden File System - Created as distinct behavior within Hide Artifacts
  • Hidden Files and Directories - Existing technique that became a sub-technique
  • Hidden Users - Existing technique that became a sub-technique
  • Hidden Window - Existing technique that became a sub-technique
  • NTFS File Attributes - Existing technique that became a sub-technique
  • Run Virtual Instance - Created as distinct behavior within Hide Artifacts
• Hijack Execution Flow - Created to consolidate behaviors around running executable code by placing it where it would be executed by a legitimate process
  • COR_PROFILER - Created as distinct behavior within Hijack Execution Flow
  • DLL Search Order Hijacking - Existing technique that became a sub-technique
  • DLL Side-Loading - Existing technique that became a sub-technique
  • Dylib Hijacking - Existing technique that became a sub-technique
  • Executable Installer File Permissions Weakness - Existing technique that became a sub-technique
  • LD_PRELOAD - Existing technique that became a sub-technique
  • Path Interception by PATH Environment Variable - Broken out from pre-defined behavior within the prior Path Interception technique
  • Path Interception by Search Order Hijacking - Broken out from pre-defined behavior within the prior Path Interception technique
  • Path Interception by Unquoted Path - Broken out from pre-defined behavior within the prior Path Interception technique
  • Services File Permissions Weakness - Existing technique that became a sub-technique
  • Services Registry Permissions Weakness - Existing technique that became a sub-technique
• Impair Defenses - Created to consolidate behaviors that prevent a defense from working as intended
  • Disable Windows Event Logging - Existing technique that became a sub-technique
  • Disable or Modify Cloud Firewall - Created as distinct behavior within Impair Defenses
  • Disable or Modify System Firewall - Existing technique that became a sub-technique
  • Disable or Modify Tools - Existing technique that became a sub-technique
  • HISTCONTROL - Existing technique that became a sub-technique
  • Indicator Blocking - Existing technique that became a sub-technique
• Indicator Removal on Host: Clear Command History - Existing technique that became a sub-technique
• Indicator Removal on Host: Clear Linux or Mac System Logs - Broken out from pre-defined behavior within Indicator Removal on Host
• Indicator Removal on Host: Clear Windows Event Logs - Broken out from pre-defined behavior within Indicator Removal on Host
• Indicator Removal on Host: File Deletion - Existing technique that became a sub-technique
• Indicator Removal on Host: Network Share Connection Removal - Existing technique that became a sub-technique
• Indicator Removal on Host: Timestomp - Existing technique that became a sub-technique
• Input Capture: Credential API Hooking - Existing technique that became a sub-technique and was renamed from API Hooking. Scope change to only credential access for API hooking was based on available procedure examples
• Input Capture: GUI Input Capture - Broken out from pre-defined behavior within Input Capture
• Input Capture: Keylogging - Broken out from pre-defined behavior within Input Capture
• Input Capture: Web Portal Capture - Broken out from pre-defined behavior within Input Capture
• Inter-Process Communication - Created to consolidate behavior related to using IPC for local system execution
  • Component Object Model - Broken out from pre-defined behavior within the prior Component Object Model and Distributed COM technique
  • Dynamic Data Exchange - Existing technique that became a sub-technique
• Lateral Tool Transfer - Broken out from pre-defined behavior within the prior Remote File Copy technique to focus on file transfer within a network
• Man-in-the-Middle - Created to consolidate behavior related to setting up man-in-the-middle condition within a network
  • LLMNR/NBT-NS Poisoning and SMB Relay - Existing technique that became a sub-technique
• Masquerading: Invalid Code Signature - Created based on procedure examples within Code Signing as a distinct behavior using invalid digital signatures
• Masquerading: Masquerade Task or Service - Broken out from pre-defined behavior within Masquerading
• Masquerading: Match Legitimate Name or Location - Broken out from pre-defined behavior within Masquerading
• Masquerading: Rename System Utilities - Broken out from pre-defined behavior within Masquerading
• Masquerading: Right-to-Left Override - Broken out from pre-defined behavior within Masquerading
• Masquerading: Space after Filename - Existing technique that became a sub-technique
• Modify Authentication Process - Created to consolidate behavior related to changing the authentication process previously under Account Manipulation
  • Domain Controller Authentication - Broken out from pre-defined behavior within Account Manipulation
  • Password Filter DLL - Existing technique that became a sub-technique
  • Pluggable Authentication Modules - Created as distinct behavior within Modify Authentication Process
• Modify Cloud Compute Infrastructure - Created to consolidate behaviors around defense evasion through the cloud compute service
  • Create Cloud Instance - Created as distinct behavior within Modify Cloud Compute Infrastructure
  • Create Snapshot - Created as distinct behavior within Modify Cloud Compute Infrastructure
  • Delete Cloud Instance - Created as distinct behavior within Modify Cloud Compute Infrastructure
  • Revert Cloud Instance - Existing technique that became a sub-technique
• Network Denial of Service: Direct Network Flood - Broken out from pre-defined behavior within Network Denial of Service
• Network Denial of Service: Reflection Amplification - Broken out from pre-defined behavior within Network Denial of Service
• Non-Standard Port - Created to refine the idea behind Common and Uncommonly Used Port to focus the behavior on use of a non-standard port for C2 based on the protocol used
• OS Credential Dumping: /etc/passwd and /etc/shadow - Broken out from pre-defined behavior within OS Credential Dumping
• OS Credential Dumping: Cached Domain Credentials - Broken out from pre-defined behavior within OS Credential Dumping
• OS Credential Dumping: DCSync - Broken out from pre-defined behavior within OS Credential Dumping
• OS Credential Dumping: LSA Secrets - Broken out from pre-defined behavior within OS Credential Dumping
• OS Credential Dumping: LSASS Memory - Broken out from pre-defined behavior within OS Credential Dumping
• OS Credential Dumping: NTDS - Broken out from pre-defined behavior within OS Credential Dumping
• OS Credential Dumping: Proc Filesystem - Broken out from pre-defined behavior within OS Credential Dumping
• OS Credential Dumping: Security Account Manager - Broken out from pre-defined behavior within OS Credential Dumping
• Obfuscated Files or Information: Binary Padding - Existing technique that became a sub-technique
• Obfuscated Files or Information: Compile After Delivery - Existing technique that became a sub-technique
• Obfuscated Files or Information: Indicator Removal from Tools - Existing technique that became a sub-technique
• Obfuscated Files or Information: Software Packing - Existing technique that became a sub-technique
• Obfuscated Files or Information: Steganography - Broken out from pre-defined behavior within Obfuscated Files or Information
• Office Application Startup: Add-ins - Broken out from pre-defined behavior within Office Application Startup
• Office Application Startup: Office Template Macros - Broken out from pre-defined behavior within Office Application Startup
• Office Application Startup: Office Test - Broken out from pre-defined behavior within Office Application Startup
• Office Application Startup: Outlook Forms - Broken out from pre-defined behavior within Office Application Startup
• Office Application Startup: Outlook Home Page - Broken out from pre-defined behavior within Office Application Startup
• Office Application Startup: Outlook Rules - Broken out from pre-defined behavior within Office Application Startup
• Permission Groups Discovery: Cloud Groups - Broken out from pre-defined behavior within Permission Groups Discovery in a way that has parity with Account Discovery
• Permission Groups Discovery: Domain Groups - Broken out from pre-defined behavior within Permission Groups Discovery in a way that has parity with Account Discovery
• Permission Groups Discovery: Local Groups - Broken out from pre-defined behavior within Permission Groups Discovery in a way that has parity with Account Discovery
• Phishing - Created to consolidate behavior around phishing and spearphishing
  • Spearphishing Attachment - Existing technique that became a sub-technique
  • Spearphishing Link - Existing technique that became a sub-technique
  • Spearphishing via Service - Existing technique that became a sub-technique
• Pre-OS Boot - Created to consolidate behavior around persistence that loads before the OS boots
  • Bootkit - Existing technique that became a sub-technique
  • Component Firmware - Existing technique that became a sub-technique
  • System Firmware - Existing technique that became a sub-technique
• Process Injection: Asynchronous Procedure Call - Existing technique that became a sub-technique
• Process Injection: Dynamic-link Library Injection - Broken out from pre-defined behavior within Process Injection
• Process Injection: Extra Window Memory Injection - Broken out from pre-defined behavior within Process Injection
• Process Injection: Portable Executable Injection - Broken out from pre-defined behavior within Process Injection
• Process Injection: Proc Memory - Broken out from pre-defined behavior within Process Injection
• Process Injection: Process DoppelgÀnging - Existing technique that became a sub-technique
• Process Injection: Process Hollowing - Existing technique that became a sub-technique
• Process Injection: Ptrace System Calls - Broken out from pre-defined behavior within Process Injection
• Process Injection: Thread Execution Hijacking - Broken out from pre-defined behavior within Process Injection
• Process Injection: Thread Local Storage - Broken out from pre-defined behavior within Process Injection
• Process Injection: VDSO Hijacking - Broken out from pre-defined behavior within Process Injection
• Protocol Tunneling - Created to define behavior broken out from the prior Standard Application and Standard Cryptographic Protocol techniques
• Proxy: Domain Fronting - Existing technique that became a sub-technique
• Proxy: External Proxy - Broken out from pre-defined behavior within Connection Proxy
• Proxy: Internal Proxy - Broken out from pre-defined behavior within Connection Proxy
• Proxy: Multi-hop Proxy - Existing technique that became a sub-technique
• Remote Service Session Hijacking - Created to consolidate behavior related to hijacking existing remote connection sessions
  • RDP Hijacking - Broken out from pre-defined behavior within Remote Desktop Protocol
  • SSH Hijacking - Existing technique that became a sub-technique
• Remote Services: Distributed Component Object Model - Broken out from pre-defined behavior within Component Object Model and Distributed COM technique
• Remote Services: Remote Desktop Protocol - Existing technique that became a sub-technique
• Remote Services: SMB/Windows Admin Shares - Existing technique that became a sub-technique and was renamed from Windows Admin Shares
• Remote Services: SSH - Broken out from pre-defined behavior within Remote Services technique
• Remote Services: VNC - Broken out from pre-defined behavior within Remote Services technique
• Remote Services: Windows Remote Management - Existing technique that became a sub-technique
• Scheduled Task/Job: At (Linux) - Broken out from pre-defined behavior within prior Local Job Scheduling technique
• Scheduled Task/Job: At (Windows) - Broken out from pre-defined behavior within prior Scheduled Task technique
• Scheduled Task/Job: Cron - Broken out from pre-defined behavior within prior Local Job Scheduling technique
• Scheduled Task/Job: Launchd - Existing technique that became a sub-technique
• Scheduled Task/Job: Scheduled Task - Existing technique that became a sub-technique
• Server Software Component: SQL Stored Procedures - Broken out from pre-defined behavior within Server Software Component technique
• Server Software Component: Transport Agent - Broken out from pre-defined behavior within Server Software Component technique
• Server Software Component: Web Shell - Existing technique that became a sub-technique
• Signed Binary Proxy Execution: CMSTP - Existing technique that became a sub-technique
• Signed Binary Proxy Execution: Compiled HTML File - Existing technique that became a sub-technique
• Signed Binary Proxy Execution: Control Panel - Existing technique that became a sub-technique
• Signed Binary Proxy Execution: InstallUtil - Existing technique that became a sub-technique
• Signed Binary Proxy Execution: Mshta - Existing technique that became a sub-technique
• Signed Binary Proxy Execution: Msiexec - Broken out from pre-defined behavior within Signed Binary Proxy Execution technique
• Signed Binary Proxy Execution: Odbcconf - Broken out from pre-defined behavior within Signed Binary Proxy Execution technique
• Signed Binary Proxy Execution: Regsvcs/Regasm - Existing technique that became a sub-technique
• Signed Binary Proxy Execution: Regsvr32 - Existing technique that became a sub-technique
• Signed Binary Proxy Execution: Rundll32 - Existing technique that became a sub-technique
• Signed Script Proxy Execution: PubPrn - Existing technique that became a sub-technique
• Software Discovery: Security Software Discovery - Existing technique that became a sub-technique
• Steal or Forge Kerberos Tickets - Created to consolidate behavior related to Kerberos tickets
  • Golden Ticket - Broken out from pre-defined behavior within Pass the Ticket technique
  • Kerberoasting - Existing technique that became a sub-technique
  • Silver Ticket - Broken out from pre-defined behavior within Pass the Ticket technique
• Subvert Trust Controls - Created to consolidate behavior related to getting around trust controls
  • Code Signing - Existing technique that became a sub-technique
  • Gatekeeper Bypass - Existing technique that became a sub-technique
  • Install Root Certificate - Existing technique that became a sub-technique
  • SIP and Trust Provider Hijacking - Existing technique that became a sub-technique
• Supply Chain Compromise: Compromise Hardware Supply Chain - Broken out from pre-defined behavior within Supply Chain Compromise
• Supply Chain Compromise: Compromise Software Dependencies and Development Tools - Broken out from pre-defined behavior within Supply Chain Compromise
• Supply Chain Compromise: Compromise Software Supply Chain - Broken out from pre-defined behavior within Supply Chain Compromise
• System Services - Created to consolidate behaviors related to execution of binaries through system services
  • Launchctl - Existing technique that became a sub-technique
  • Service Execution - Existing technique that became a sub-technique
• Traffic Signaling: Port Knocking - Broken out from pre-defined behavior within Traffic Signaling
• Trusted Developer Utilities Proxy Execution: MSBuild - Broken out from pre-defined behavior within Trusted Developer Utilities Proxy Execution
• Unsecured Credentials - Created to consolidate places where unsecured credentials may be kept
  • Bash History - Existing technique that became a sub-technique
  • Cloud Instance Metadata API - Existing technique that became a sub-technique
  • Credentials In Files - Existing technique that became a sub-technique
  • Credentials in Registry - Existing technique that became a sub-technique
  • Group Policy Preferences - Existing technique that became a sub-technique
  • Private Keys - Existing technique that became a sub-technique
• Use Alternate Authentication Material - Created to consolidate behavior related to use of non-password based credential material
  • Application Access Token - Existing technique that became a sub-technique
  • Pass the Hash - Existing technique that became a sub-technique
  • Pass the Ticket - Existing technique that became a sub-technique
  • Web Session Cookie - Existing technique that became a sub-technique
• User Execution: Malicious File - Broken out from pre-defined behavior within User Execution
• User Execution: Malicious Link - Broken out from pre-defined behavior within User Execution
• Valid Accounts: Cloud Accounts - Broken out from pre-defined behavior Valid Accounts in a way that has parity with Create Account
• Valid Accounts: Default Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
• Valid Accounts: Domain Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
• Valid Accounts: Local Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
• Virtualization/Sandbox Evasion: System Checks - Broken out from pre-defined behavior within Virtualization/Sandbox Evasion
• Virtualization/Sandbox Evasion: Time Based Evasion - Broken out from pre-defined behavior within Virtualization/Sandbox Evasion
• Virtualization/Sandbox Evasion: User Activity Based Checks - Broken out from pre-defined behavior within Virtualization/Sandbox Evasion
• Web Service: Bidirectional Communication - Broken out from pre-defined behavior within Web Service
• Web Service: Dead Drop Resolver - Broken out from pre-defined behavior within Web Service
• Web Service: One-Way Communication - Broken out from pre-defined behavior within Web Service

Technique changes:

Technique changes are largely due to new sub-techniques being added, name changes, or both.

• Access Token Manipulation - New sub-techniques added
• Account Discovery - New sub-techniques added
• Account Manipulation - New sub-techniques added
• Application Layer Protocol - Name change from Standard Application Layer Protocol and new sub-techniques added
• Application Window Discovery - Fixed technique reference in description
• Automated Exfiltration - Fixed technique reference in description
• BITS Jobs - Fixed technique reference in description and minor description update
• Boot or Logon Initialization Scripts - Name change from Logon Scripts and new sub-techniques added
• Browser Extensions - Data sources changed and minor description update
• Brute Force - New sub-techniques added
• Clipboard Data - Minor description update
• Cloud Service Discovery - Minor description update
• Command and Scripting Interpreter - Name change from Command-Line Interface and new sub-techniques added
• Create Account - New sub-techniques added
• Data Encoding - New sub-techniques added
• Data Obfuscation - New sub-techniques added
• Data Staged - New sub-techniques added
• Data from Information Repositories - New sub-techniques added
• Data from Local System - Fixed technique reference in description and minor description update
• Data from Network Shared Drive - Fixed technique reference in description and minor description update
• Data from Removable Media - Fixed technique reference in description and minor description update
• Direct Volume Access - Name change from File System Logical Offsets
• Domain Trust Discovery - Fixed technique reference in description and minor description update
• Drive-by Compromise - Fixed technique reference in description and minor description update
• Email Collection - New sub-techniques added
• Execution Guardrails - New sub-technique added
• Exfiltration Over Alternative Protocol - New sub-techniques added
• Exfiltration Over C2 Channel - Name change from Exfiltration over Command and Control Channel and added data sources
• Exfiltration Over Other Network Medium - New sub-techniques added
• Exfiltration Over Physical Medium - New sub-techniques added
• Exploit Public-Facing Application - Minor description update
• Exploitation for Client Execution - Minor description update
• Exploitation for Credential Access - Minor description update
• Exploitation for Defense Evasion - Minor description update
• Exploitation for Privilege Escalation - Minor description update
• Exploitation of Remote Services - Minor description update
• External Remote Services - Minor description update
• File and Directory Discovery - Fixed technique reference in description and minor description update
• File and Directory Permissions Modification - New sub-techniques added
• Forced Authentication - Minor description update
• Group Policy Modification - Minor description update
• Indicator Removal on Host - New sub-techniques added
• Indirect Command Execution - Minor description update
• Ingress Tool Transfer - Name change from Remote File Copy
• Input Capture - New sub-techniques added
• Masquerading - New sub-techniques added
• Native API - Name change from Execution through API
• Network Service Scanning - Minor description update
• Network Share Discovery - Fixed technique reference in description, added Linux, and minor description update
• Network Sniffing - Minor description update
• Non-Application Layer Protocol - Name change from Standard Non-Application Layer Protocol
• OS Credential Dumping - Name change from Credential Dumping and new sub-techniques added
• Obfuscated Files or Information - Minor description update
• Password Policy Discovery - Fixed technique reference in description and minor description update
• Peripheral Device Discovery - Fixed technique reference in description and minor description update
• Permission Groups Discovery - New sub-techniques added
• Process Discovery - Fixed technique reference in description and minor description update
• Process Injection - New sub-techniques added
• Proxy - Name change from Connection Proxy and new sub-techniques added
• Query Registry - Fixed technique reference in description and minor description update
• Remote Access Software - Name change from Remote Access Tools and fixed technique reference in description
• Remote Services - New sub-techniques added
• Remote System Discovery - Fixed technique reference in description and minor description update
• Rogue Domain Controller - Name change from DCShadow
• Rootkit - Minor description update
• Scheduled Task/Job - New sub-techniques added
• Scheduled Transfer - Minor description update
• Screen Capture - Minor description update
• Server Software Component - New sub-techniques added
• Shared Modules - Name change from Execution through Module Load
• Signed Binary Proxy Execution - New sub-techniques added
• Signed Script Proxy Execution - New sub-techniques added
• Software Deployment Tools - Minor description update and data source added
• Software Discovery - New sub-techniques added
• Supply Chain Compromise - New sub-techniques added
• System Information Discovery - Fixed technique reference in description and minor description update
• System Network Configuration Discovery - Fixed technique reference in description and minor description update
• System Network Connections Discovery - Fixed technique reference in description and minor description update
• System Owner/User Discovery - Fixed technique reference in description and minor description update
• System Time Discovery - Minor description update
• Taint Shared Content - Minor description update
• Template Injection - Minor description update
• Traffic Signaling - Technique renamed and sub-technique added
• Trusted Developer Utilities Proxy Execution - Minor description update, sub-technique added
• Two-Factor Authentication Interception - Minor description update
• User Execution - New sub-techniques added
• Valid Accounts - New sub-techniques added
• Virtualization/Sandbox Evasion - New sub-techniques added
• Web Service - New sub-techniques added
• Windows Management Instrumentation - Minor description update
• XSL Script Processing - Minor description update

Minor Technique changes:

• Automated Collection
• Browser Bookmark Discovery
• Data Destruction
• Data Encrypted for Impact
• Endpoint Denial of Service
• Implant Container Image
• Internal Spearphishing
• Network Denial of Service
• Office Application Startup
• Steal Application Access Token
• Steal Web Session Cookie
• System Service Discovery
• System Shutdown/Reboot
• Transfer Data to Cloud Account

Technique revocations:

• .bash_profile and .bashrc (revoked by Event Triggered Execution: .bash_profile and .bashrc)
• Accessibility Features (revoked by Event Triggered Execution: Accessibility Features)
• AppCert DLLs (revoked by Event Triggered Execution: AppCert DLLs)
• AppInit DLLs (revoked by Event Triggered Execution: AppInit DLLs)
• AppleScript (revoked by Command and Scripting Interpreter: AppleScript)
• Application Access Token (revoked by Use Alternate Authentication Material: Application Access Token)
• Application Deployment Software (revoked by Software Deployment Tools)
• Application Shimming (revoked by Event Triggered Execution: Application Shimming)
• Authentication Package (revoked by Boot or Logon Autostart Execution: Authentication Package)
• Bash History (revoked by Unsecured Credentials: Bash History)
• Binary Padding (revoked by Obfuscated Files or Information: Binary Padding)
• Bootkit (revoked by Pre-OS Boot: Bootkit)
• Bypass User Account Control (revoked by Abuse Elevation Control Mechanism: Bypass User Access Control)
• CMSTP (revoked by Signed Binary Proxy Execution: CMSTP)
• Change Default File Association (revoked by Event Triggered Execution: Change Default File Association)
• Clear Command History (revoked by Indicator Removal on Host: Clear Command History)
• Cloud Instance Metadata API (revoked by Unsecured Credentials: Cloud Instance Metadata API)
• Code Signing (revoked by Subvert Trust Controls: Code Signing)
• Compile After Delivery (revoked by Obfuscated Files or Information: Compile After Delivery)
• Compiled HTML File (revoked by Signed Binary Proxy Execution: Compiled HTML File)
• Component Firmware (revoked by Pre-OS Boot: Component Firmware)
• Component Object Model Hijacking (revoked by Event Triggered Execution: Component Object Model Hijacking)
• Control Panel Items (revoked by Signed Binary Proxy Execution: Control Panel)
• Credentials from Web Browsers (revoked by Credentials from Password Stores: Credentials from Web Browsers)
• Credentials in Files (revoked by Unsecured Credentials: Credentials In Files)
• Credentials in Registry (revoked by Unsecured Credentials: Credentials in Registry)
• Custom Command and Control Protocol (revoked by Non-Application Layer Protocol)
• Custom Cryptographic Protocol (revoked by Encrypted Channel)
• DLL Search Order Hijacking (revoked by Hijack Execution Flow: DLL Search Order Hijacking)
• DLL Side-Loading (revoked by Hijack Execution Flow: DLL Side-Loading)
• Data Compressed (revoked by Archive Collected Data)
• Data Encrypted (revoked by Archive Collected Data)
• Disabling Security Tools (revoked by Impair Defenses: Disable or Modify Tools)
• Disk Content Wipe (revoked by Disk Wipe: Disk Content Wipe)
• Disk Structure Wipe (revoked by Disk Wipe: Disk Structure Wipe)
• Domain Fronting (revoked by Proxy: Domain Fronting)
• Domain Generation Algorithms (revoked by Dynamic Resolution: Domain Generation Algorithms)
• Dylib Hijacking (revoked by Hijack Execution Flow: Dylib Hijacking)
• Dynamic Data Exchange (revoked by Inter-Process Communication: Dynamic Data Exchange)
• Elevated Execution with Prompt (revoked by Abuse Elevation Control Mechanism: Elevated Execution with Prompt)
• Emond (revoked by Event Triggered Execution: Emond)
• Extra Window Memory Injection (revoked by Process Injection: Extra Window Memory Injection)
• File Deletion (revoked by Indicator Removal on Host: File Deletion)
• File System Permissions Weakness (revoked by Hijack Execution Flow: Services File Permissions Weakness)
• Gatekeeper Bypass (revoked by Subvert Trust Controls: Gatekeeper Bypass)
• HISTCONTROL (revoked by Impair Defenses: HISTCONTROL)
• Hidden Files and Directories (revoked by Hide Artifacts: Hidden Files and Directories)
• Hidden Users (revoked by Hide Artifacts: Hidden Users)
• Hidden Window (revoked by Hide Artifacts: Hidden Window)
• Hooking (revoked by Input Capture: Credential API Hooking)
• Image File Execution Options Injection (revoked by Event Triggered Execution: Image File Execution Options Injection)
• Indicator Blocking (revoked by Impair Defenses: Indicator Blocking)
• Indicator Removal from Tools (revoked by Obfuscated Files or Information: Indicator Removal from Tools)
• Input Prompt (revoked by Input Capture: GUI Input Capture)
• Install Root Certificate (revoked by Subvert Trust Controls: Install Root Certificate)
• InstallUtil (revoked by Signed Binary Proxy Execution: InstallUtil)
• Kerberoasting (revoked by Steal or Forge Kerberos Tickets: Kerberoasting)
• Kernel Modules and Extensions (revoked by Boot or Logon Autostart Execution: Kernel Modules and Extensions)
• Keychain (revoked by Credentials from Password Stores: Keychain)
• LC_LOAD_DYLIB Addition (revoked by Event Triggered Execution: LC_LOAD_DYLIB Addition)
• LLMNR/NBT-NS Poisoning and Relay (revoked by Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay)
• LSASS Driver (revoked by Boot or Logon Autostart Execution: LSASS Driver)
• Launch Agent (revoked by Create or Modify System Process: Launch Agent)
• Launch Daemon (revoked by Create or Modify System Process: Launch Daemon)
• Launchctl (revoked by System Services: Launchctl)
• Local Job Scheduling (revoked by Scheduled Task/Job)
• Login Item (revoked by Boot or Logon Autostart Execution: Plist Modification)
• Modify Existing Service (revoked by Create or Modify System Process: Windows Service)
• Mshta (revoked by Signed Binary Proxy Execution: Mshta)
• Multi-hop Proxy (revoked by Proxy: Multi-hop Proxy)
• Multilayer Encryption (revoked by Encrypted Channel)
• NTFS File Attributes (revoked by Hide Artifacts: NTFS File Attributes)
• Netsh Helper DLL (revoked by Event Triggered Execution: Netsh Helper DLL)
• Network Share Connection Removal (revoked by Indicator Removal on Host: Network Share Connection Removal)
• New Service (revoked by Create or Modify System Process: Windows Service)
• Parent PID Spoofing (revoked by Access Token Manipulation: Parent PID Spoofing)
• Pass the Hash (revoked by Use Alternate Authentication Material: Pass the Hash)
• Pass the Ticket (revoked by Use Alternate Authentication Material: Pass the Ticket)
• Password Filter DLL (revoked by Modify Authentication Process: Password Filter DLL)
• Plist Modification (revoked by Boot or Logon Autostart Execution: Plist Modification)
• Port Monitors (revoked by Boot or Logon Autostart Execution: Port Monitors)
• PowerShell (revoked by Command and Scripting Interpreter: PowerShell)
• PowerShell Profile (revoked by Event Triggered Execution: PowerShell Profile)
• Private Keys (revoked by Unsecured Credentials: Private Keys)
• Process DoppelgÀnging (revoked by Process Injection: Process DoppelgÀnging)
• Process Hollowing (revoked by Process Injection: Process Hollowing)
• Rc.common (revoked by Boot or Logon Initialization Scripts: Rc.common)
• Re-opened Applications (revoked by Boot or Logon Autostart Execution: Re-opened Applications)
• Registry Run Keys / Startup Folder (revoked by Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
• Regsvcs/Regasm (revoked by Signed Binary Proxy Execution: Regsvcs/Regasm)
• Regsvr32 (revoked by Signed Binary Proxy Execution: Regsvr32)
• Remote Desktop Protocol (revoked by Remote Services: Remote Desktop Protocol)
• Revert Cloud Instance (revoked by Modify Cloud Compute Infrastructure: Revert Cloud Instance)
• Rundll32 (revoked by Signed Binary Proxy Execution: Rundll32)
• Runtime Data Manipulation (revoked by Data Manipulation: Runtime Data Manipulation)
• SID-History Injection (revoked by Access Token Manipulation: SID-History Injection)
• SIP and Trust Provider Hijacking (revoked by Subvert Trust Controls: SIP and Trust Provider Hijacking)
• SSH Hijacking (revoked by Remote Service Session Hijacking: SSH Hijacking)
• Screensaver (revoked by Event Triggered Execution: Screensaver)
• Security Software Discovery (revoked by Software Discovery: Security Software Discovery)
• Security Support Provider (revoked by Boot or Logon Autostart Execution: Security Support Provider)
• Securityd Memory (revoked by Credentials from Password Stores: Securityd Memory)
• Service Execution (revoked by System Services: Service Execution)
• Service Registry Permissions Weakness (revoked by Hijack Execution Flow: Services Registry Permissions Weakness)
• Setuid and Setgid (revoked by Abuse Elevation Control Mechanism: Setuid and Setgid)
• Shortcut Modification (revoked by Boot or Logon Autostart Execution: Shortcut Modification)
• Software Packing (revoked by Obfuscated Files or Information: Software Packing)
• Space after Filename (revoked by Masquerading: Space after Filename)
• Spearphishing Attachment (revoked by Phishing: Spearphishing Attachment)
• Spearphishing Link (revoked by Phishing: Spearphishing Link)
• Spearphishing via Service (revoked by Phishing: Spearphishing via Service)
• Standard Cryptographic Protocol (revoked by Encrypted Channel)
• Startup Items (revoked by Boot or Logon Initialization Scripts: Startup Items)
• Stored Data Manipulation (revoked by Data Manipulation: Stored Data Manipulation)
• Sudo (revoked by Abuse Elevation Control Mechanism: Sudo and Sudo Caching)
• Sudo Caching (revoked by Abuse Elevation Control Mechanism: Sudo and Sudo Caching)
• System Firmware (revoked by Pre-OS Boot: System Firmware)
• Systemd Service (revoked by Create or Modify System Process: Systemd Service)
• Time Providers (revoked by Boot or Logon Autostart Execution: Time Providers)
• Timestomp (revoked by Indicator Removal on Host: Timestomp)
• Transmitted Data Manipulation (revoked by Data Manipulation: Transmitted Data Manipulation)
• Trap (revoked by Event Triggered Execution: Trap)
• Uncommonly Used Port (revoked by Non-Standard Port)
• Web Session Cookie (revoked by Use Alternate Authentication Material: Web Session Cookie)
• Web Shell (revoked by Server Software Component: Web Shell)
• Windows Admin Shares (revoked by Remote Services: SMB/Windows Admin Shares)
• Windows Management Instrumentation Event Subscription (revoked by Event Triggered Execution: Windows Management Instrumentation Event Subscription)
• Windows Remote Management (revoked by Remote Services: Windows Remote Management)
• Winlogon Helper DLL (revoked by Boot or Logon Autostart Execution: Winlogon Helper DLL)

Technique deprecations:

• Commonly Used Port - Deprecated from ATT&CK because the behavior is redundant and describes most benign network communications.
• Component Object Model and Distributed COM - Deprecated and split into separate Component Object Model and Distributed Component Object Model sub-techniques. Existing Group/Software procedure examples were remapped appropriately
• Graphical User Interface - Deprecated from ATT&CK because the behavior is redundant and implied by use of remote desktop tools like Remote Desktop Protocol. Existing Group/Software procedure examples were remapped appropriately
• Hypervisor - Deprecated from ATT&CK due to lack of in the wild use
• LC_MAIN Hijacking - Deprecated from ATT&CK due to lack of in the wild use
• Multiband Communication - Deprecated from ATT&CK due to lack of in the wild use. Existing Group/Software procedure examples did not fit the core idea behind the technique
• Path Interception - Deprecated and split into separate Unquoted Path, PATH Environment Variable, and Search Order Hijacking sub-techniques. Existing Group/Software procedure examples were remapped appropriately
• Redundant Access - Deprecated from ATT&CK because the behavior is too high level and is sufficiently covered by Valid Accounts and External Remote Services. Existing Group/Software procedure examples were remapped appropriately
• Scripting - Deprecated and split into separate Unix Shell, Visual Basic, JavaScript/Jscript, and Python sub-techniques of Command and Scripting Interpreter. Existing Group/Software procedure examples were remapped appropriately
• Shared Webroot - Deprecated from ATT&CK due to lack of in the wild use
• Source - Deprecated from ATT&CK due to lack of in the wild use

PRE-ATT&CK

New Techniques: No changes

Technique changes: No changes

Minor Technique changes: No changes

Technique revocations: No changes

Technique deprecations:

• DNSCalc
• Fast Flux DNS

Mobile

View mobile technique updates in the ATT&CK Navigator here.

New Techniques:

• Code Injection
• Compromise Application Executable
• Foreground Persistence
• Keychain
• Native Code
• Remote File Copy
• Uninstall Malicious Application

Technique changes:

• Broadcast Receivers
• Carrier Billing Fraud
• Input Capture
• Input Injection
• Input Prompt
• Masquerade as Legitimate Application
• Screen Capture
• Suppress Application Icon
• System Network Configuration Discovery

Minor Technique changes:

• Access Notifications
• Clipboard Modification
• Deliver Malicious App via Other Means
• System Information Discovery

Technique revocations: No changes

Technique deprecations: No changes

Software

Enterprise

New Software:

• ABK
• Aria-body
• Attor
• Avenger
• BBK
• BackConfig
• Bundlore
• CARROTBALL
• CARROTBAT
• Cadelspy
• Get2
• Goopy
• HotCroissant
• Imminent Monitor
• Kivars
• Lokibot
• LoudMiner
• MAZE
• MESSAGETAP
• MechaFlounder
• Metamorfo
• Netwalker
• Okrum
• PLEAD
• PoetRAT
• Pony
• PowerShower
• Ragnar Locker
• Ramsay
• Rifdoor
• Rising Sun
• Ryuk
• SDBot
• SHARPSTATS
• SYSCON
• ShimRat
• ShimRatReporter
• Skidmap
• TSCookie
• TajMahal
• USBferry
• VBShower
• Valak
• WindTail
• Winnti for Linux
• build_downer
• down_new

Software changes:

• 3PARA RAT
• 4H RAT
• ADVSTORESHELL
• ASPXSpy
• Agent Tesla
• Agent.btz
• Astaroth
• AuditCred
• AutoIt backdoor
• Azorult
• BACKSPACE
• BADCALL
• BADNEWS
• BBSRAT
• BISCUIT
• BITSAdmin
• BLACKCOFFEE
• BONDUPDATER
• BOOTRASH
• BS2005
• BUBBLEWRAP
• BabyShark
• Backdoor.Oldrea
• BadPatch
• Bandook
• Bankshot
• Bisonal
• BlackEnergy
• Brave Prince
• CALENDAR
• CCBkdr
• CHOPSTICK
• CORALDECK
• CORESHELL
• Cachedump
• Calisto
• CallMe
• Cannon
• Carbanak
• Carbon
• Cardinal RAT
• Catchamas
• ChChes
• Chaos
• Cherry Picker
• China Chopper
• CloudDuke
• Cobalt Strike
• Cobian RAT
• CoinTicker
• ComRAT
• Comnie
• CosmicDuke
• CozyCar
• Crimson
• CrossRAT
• DOGCALL
• DarkComet
• Daserf
• DealersChoice
• Denis
• Derusbi
• Dipsind
• Dok
• DownPaper
• Downdelph
• Dridex
• Duqu
• DustySky
• Dyre
• ELMER
• Ebury
• Elise
• Emissary
• Emotet
• Empire
• Epic
• EvilBunny
• EvilGrab
• Exaramel for Linux
• Exaramel for Windows
• Expand
• FALLCHILL
• FELIXROOT
• FLASHFLOOD
• FLIPSIDE
• FTP
• FakeM
• Felismus
• Fgdump
• FinFisher
• Final1stspy
• Flame
• FlawedAmmyy
• FruitFly
• Fysbis
• GLOOXMAIL
• GRIFFON
• Gazer
• GeminiDuke
• Gold Dragon
• GravityRAT
• GreyEnergy
• H1N1
• HAMMERTOSS
• HARDRAIN
• HAWKBALL
• HIDEDRV
• HOMEFRY
• HOPLIGHT
• HTTPBrowser
• Hacking Team UEFI Rootkit
• Helminth
• Hi-Zor
• HiddenWasp
• Hikit
• Hydraq
• HyperBro
• ISMInjector
• Impacket
• InnaputRAT
• InvisiMole
• Ixeshe
• JCry
• JHUHUGIT
• JPIN
• Janicab
• KARAE
• KEYMARBLE
• KOMPROGO
• KONNI
• Kasidet
• Kazuar
• KeyBoy
• Keydnap
• Koadic
• Komplex
• Kwampirs
• LOWBALL
• LaZagne
• LightNeuron
• Linfo
• Linux Rabbit
• LoJax
• LockerGoga
• Lslsass
• Lurid
• MURKYTOP
• MacSpy
• Machete
• MailSniper
• Matroyshka
• Micropsia
• MimiPenguin
• Mimikatz
• MiniDuke
• MirageFox
• Mis-Type
• Misdat
• Mivast
• MoonWind
• More_eggs
• Mosquito
• NDiskMonitor
• NETEAGLE
• NETWIRE
• NOKKI
• NanHaiShu
• NanoCore
• NavRAT
• Net
• Net Crawler
• NetTraveler
• Nidiran
• NotPetya
• OLDBAIT
• OSInfo
• OSX/Shlayer
• OSX_OCEANLOTUS.D
• OceanSalt
• Octopus
• Olympic Destroyer
• OnionDuke
• OopsIE
• Orz
• OwaAuth
• P2P ZeuS
• PHOREAL
• PLAINTEE
• POORAIM
• POSHSPY
• POWERSOURCE
• POWERSTATS
• POWERTON
• POWRUNER
• PUNCHBUGGY
• PUNCHTRACK
• Pasam
• PinchDuke
• Pisloader
• PlugX
• PoisonIvy
• PoshC2
• PowerDuke
• PowerSploit
• PowerStallion
• Prikormka
• Proton
• Proxysvc
• PsExec
• Psylo
• Pteranodon
• Pupy
• QUADAGENT
• QuasarRAT
• RARSTONE
• RATANKBA
• RGDoor
• RIPTIDE
• ROCKBOOT
• ROKRAT
• RTM
• RawPOS
• Reaver
• RedLeaves
• Regin
• Remcos
• Remexi
• RemoteCMD
• Remsec
• Revenge RAT
• RobbinHood
• RogueRobin
• Rover
• Ruler
• RunningRAT
• S-Type
• SEASHARPEE
• SHOTPUT
• SLOWDRIFT
• SNUGRIDE
• SOUNDBITE
• SPACESHIP
• SQLRat
• Sakula
• SeaDuke
• Seasalt
• ServHelper
• Shamoon
• Skeleton Key
• Smoke Loader
• Socksbot
• SpeakUp
• SslMM
• Starloader
• StoneDrill
• StreamEx
• Sykipot
• SynAck
• Sys10
• T9000
• TDTESS
• TEXTMATE
• TURNEDUP
• TYPEFRAME
• Taidoor
• TinyZBot
• Tor
• TrickBot
• Trojan.Karagany
• Trojan.Mebromi
• Truvasys
• Twitoor
• UBoatRAT
• UPPERCUT
• USBStealer
• Umbreon
• Unknown Logger
• Ursnif
• VERMIN
• Vasport
• Volgmer
• WEBC2
• WannaCry
• Wiarp
• WinMM
• Windows Credential Editor
• Wingbird
• Winnti for Windows
• XAgentOSX
• XTunnel
• Xbash
• YAHOYAH
• ZLib
• Zebrocy
• ZeroT
• Zeus Panda
• ZxShell
• adbupd
• at
• cmd
• dsquery
• esentutl
• gh0st RAT
• gsecdump
• hcdLoader
• httpclient
• iKitten
• jRAT
• netsh
• njRAT
• pngdowner
• pwdump
• schtasks
• spwebmember
• yty
• zwShell

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

PRE-ATT&CK

New Software: No changes

Software changes: No changes

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Mobile

New Software:

• Agent Smith
• Anubis
• Bread
• Cerberus
• Concipit1248
• Corona Updates
• DEFENSOR ID
• Dvmap
• EventBot
• Ginp
• GolfSpy
• INSOMNIA
• SimBad
• Triada
• TrickMo
• ViceLeaker

Software changes:

• FinFisher
• Monokle

Minor Software changes:

• Pegasus for iOS

Software revocations: No changes

Software deprecations: No changes

Groups

Enterprise

New Groups:

• APT-C-36
• BlackTech
• Blue Mockingbird
• Bouncing Golf
• Charming Kitten
• DarkVishnya
• Frankenstein
• Inception
• Mofang
• Rocke
• Sharpshooter
• Whitefly
• Windshift
• Wizard Spider

Group changes:

• APT1
• APT12
• APT18
• APT19
• APT28
• APT29
• APT3
• APT32
• APT33
• APT37
• APT38
• APT39
• APT41
• Axiom
• BRONZE BUTLER
• Carbanak
• Cleaver
• Cobalt Group
• CopyKittens
• Dark Caracal
• DarkHydrus
• Darkhotel
• Deep Panda
• Dragonfly 2.0
• Elderwood
• Equation
• FIN10
• FIN4
• FIN5
• FIN6
• FIN7
• FIN8
• GCMAN
• Gallmaker
• Gamaredon Group
• Gorgon Group
• Group5
• Honeybee
• Ke3chang
• Kimsuky
• Lazarus Group
• Leafminer
• Leviathan
• Machete
• Magic Hound
• Moafee
• Molerats
• MuddyWater
• Naikon
• Night Dragon
• OilRig
• Orangeworm
• PLATINUM
• Patchwork
• PittyTiger
• Poseidon Group
• Putter Panda
• RTM
• Rancor
• Scarlet Mimic
• Silence
• SilverTerrier
• Soft Cell
• Sowbug
• Stealth Falcon
• Stolen Pencil
• Strider
• Suckfly
• TA459
• TA505
• TEMP.Veles
• The White Company
• Threat Group-1314
• Threat Group-3390
• Thrip
• Tropic Trooper
• Turla
• WIRTE
• admin@338
• menuPass

Minor Group changes:

• Sandworm Team
• Winnti Group

Group revocations: No changes

Group deprecations: No changes

Group deletions:

• Charming Kitten

PRE-ATT&CK

New Groups: No changes

Group changes:

• APT1
• APT28
• Cleaver
• Night Dragon
• TEMP.Veles

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mobile

New Groups:

• Bouncing Golf

Group changes:

• APT28
• Dark Caracal

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mitigations

Enterprise

New Mitigations: No changes

Mitigation changes:

• Active Directory Configuration - Sub or technique relationships updated
• Antivirus/Antimalware - Sub or technique relationships updated
• Application Isolation and Sandboxing - Sub or technique relationships updated
• Audit - Sub or technique relationships updated
• Code Signing - Sub or technique relationships updated
• Credential Access Protection - Sub or technique relationships updated
• Data Backup - Sub or technique relationships updated
• Disable or Remove Feature or Program - Sub or technique relationships updated
• Execution Prevention - Sub or technique relationships updated
• Exploit Protection - Sub or technique relationships updated
• Network Segmentation - Sub or technique relationships updated
• Operating System Configuration - Sub or technique relationships updated
• Privileged Account Management - Sub or technique relationships updated
• Privileged Process Integrity - Sub or technique relationships updated
• Restrict File and Directory Permissions - Sub or technique relationships updated
• Software Configuration - Sub or technique relationships updated
• User Account Control - Sub or technique relationships updated
• User Account Management - Sub or technique relationships updated
• User Training - Sub or technique relationships updated
• Vulnerability Scanning - Sub or technique relationships updated

Minor Mitigation changes:

• Boot Integrity
• Filter Network Traffic
• Limit Access to Resource Over Network
• Limit Hardware Installation

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mitigation deletions:

These are old mitigations that are no longer in use.

• Account Manipulation Mitigation
• Command-Line Interface Mitigation
• Connection Proxy Mitigation
• Execution through API Mitigation
• Exfiltration Over Alternative Protocol Mitigation
• File Permissions Modification Mitigation
• Input Capture Mitigation
• Obfuscated Files or Information Mitigation
• Office Application Startup Mitigation
• Process Injection Mitigation
• Remote Services Mitigation
• Signed Binary Proxy Execution Mitigation
• Standard Application Layer Protocol Mitigation
• Trusted Developer Utilities Mitigation
• Virtualization/Sandbox Evasion Mitigation
• Windows Management Instrumentation Mitigation

PRE-ATT&CK

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mobile

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes:

• Enterprise Policy

Mitigation revocations: No changes

Mitigation deprecations: No changes