Updates - July 2020
| Version | Start Date | End Date | Data |
|---|---|---|---|
| ATT&CK v7 | July 8, 2020 | October 26, 2020 | v7.0 on MITRE/CTI |
The July 2020 (v7) ATT&CK release updates Techniques, Groups, and Software for both Enterprise and Mobile. This is the first non-beta release of Enterprise ATT&CK represented with sub-techniques. The pre-sub-technique version of ATT&CK has been preserved here. Most of this content was released as a beta in March 2020, and changes between the beta release and this release are documented separately.
In total, the sub-technique version of ATT&CK for Enterprise contains 156 techniques (reduced from 266) and 272 sub-techniques.
See the accompanying blog post for more details.
In this same release we have deprecated white/blacklist language in ATT&CK. Techniques and mitigations previously containing this language have either been reworded or the language has been replaced with allow/denylist. In line with industry terminology changes, application whitelisting and process whitelisting have both been replaced with application control.
Techniques
Enterprise
View enterprise technique updates in the ATT&CK Navigator here.
New Techniques:
- Abuse Elevation Control Mechanism - Created to consolidate similar behaviors that take advantage of elevation control
  - Bypass User Access Control - Existing technique that became a sub-technique
  - Elevated Execution with Prompt - Existing technique that became a sub-technique
  - Setuid and Setgid - Existing technique that became a sub-technique
  - Sudo and Sudo Caching - Existing technique that became a sub-technique
- Access Token Manipulation: Create Process with Token - Broken out from pre-defined behavior within Access Token Manipulation
- Access Token Manipulation: Make and Impersonate Token - Broken out from pre-defined behavior within Access Token Manipulation
- Access Token Manipulation: Parent PID Spoofing - Added due to manipulation of tokens
- Access Token Manipulation: SID-History Injection - Added due to manipulation of token information
- Access Token Manipulation: Token Impersonation/Theft - Broken out from pre-defined behavior within Access Token Manipulation
- Account Discovery: Cloud Account - Added for parity with Create Account
- Account Discovery: Domain Account - Added for parity with Create Account
- Account Discovery: Email Account - Broken out from pre-defined behavior within Account Discovery
- Account Discovery: Local Account - Added for parity with Create Account
- Account Manipulation: Add Office 365 Global Administrator Role - Broken out from pre-defined behavior within Account Manipulation
- Account Manipulation: Additional Azure Service Principal Credentials - Broken out from pre-defined behavior within Account Manipulation
- Account Manipulation: Exchange Email Delegate Permissions - Broken out from pre-defined behavior within Account Manipulation
- Account Manipulation: SSH Authorized Keys - Created as distinct behavior within Account Manipulation
- Application Layer Protocol: DNS - Created as distinct behavior due to how Application Layer Protocols are used for C2
- Application Layer Protocol: File Transfer Protocols - Created as distinct behavior due to how Application Layer Protocols are used for C2
- Application Layer Protocol: Mail Protocols - Created as distinct behavior due to how Application Layer Protocols are used for C2
- Application Layer Protocol: Web Protocols - Created as distinct behavior due to how Application Layer Protocols are used for C2
- Archive Collected Data - Created to consolidate behavior around encrypting and compressing collected data
  - Archive via Custom Method - Broken out from pre-defined behavior within Archive Collected Data
  - Archive via Library - Broken out from pre-defined behavior within Archive Collected Data
  - Archive via Utility - Broken out from pre-defined behavior within Archive Collected Data
- Boot or Logon Autostart Execution - Created to consolidate similar autostart execution locations
  - Authentication Package - Existing technique that became a sub-technique
  - Kernel Modules and Extensions - Existing technique that became a sub-technique
  - LSASS Driver - Existing technique that became a sub-technique
  - Plist Modification - Existing technique that became a sub-technique
  - Port Monitors - Existing technique that became a sub-technique
  - Re-opened Applications - Existing technique that became a sub-technique
  - Registry Run Keys / Startup Folder - Existing technique that became a sub-technique
  - Security Support Provider - Existing technique that became a sub-technique
  - Shortcut Modification - Existing technique that became a sub-technique
  - Time Providers - Existing technique that became a sub-technique
  - Winlogon Helper DLL - Existing technique that became a sub-technique
- Boot or Logon Initialization Scripts: Logon Script (Mac) - Existing technique that became a sub-technique
- Boot or Logon Initialization Scripts: Logon Script (Windows) - Existing technique that became a sub-technique
- Boot or Logon Initialization Scripts: Network Logon Script - Existing technique that became a sub-technique
- Boot or Logon Initialization Scripts: Rc.common - Existing technique that became a sub-technique
- Boot or Logon Initialization Scripts: Startup Items - Existing technique that became a sub-technique
- Brute Force: Credential Stuffing - Created as distinct behavior variation of Brute Force
- Brute Force: Password Cracking - Broken out from pre-defined behavior within Brute Force
- Brute Force: Password Guessing - Broken out from pre-defined behavior within Brute Force
- Brute Force: Password Spraying - Broken out from pre-defined behavior within Brute Force
- Command and Scripting Interpreter: AppleScript - Existing technique that became a sub-technique
- Command and Scripting Interpreter: JavaScript/JScript - Created as distinct behavior within Command and Scripting Interpreter
- Command and Scripting Interpreter: PowerShell - Existing technique that became a sub-technique
- Command and Scripting Interpreter: Python - Created as distinct behavior within Command and Scripting Interpreter
- Command and Scripting Interpreter: Unix Shell - Existing technique that became a sub-technique
- Command and Scripting Interpreter: Visual Basic - Created as distinct behavior within Command and Scripting Interpreter
- Command and Scripting Interpreter: Windows Command Shell - Existing technique that became a sub-technique
- Compromise Client Software Binary - New technique based on contribution
- Create Account: Cloud Account - Broken out from pre-defined behavior within Create Account
- Create Account: Domain Account - Broken out from pre-defined behavior within Create Account
- Create Account: Local Account - Broken out from pre-defined behavior within Create Account
- Create or Modify System Process - Created to consolidate behavior around system-level processes
  - Launch Agent - Existing technique that became a sub-technique
  - Launch Daemon - Existing technique that became a sub-technique
  - Systemd Service - Existing technique that became a sub-technique
  - Windows Service - Existing technique that became a sub-technique. Consolidates Modify Existing Service and New Service techniques into one sub-technique
- Credentials from Password Stores - Created to consolidate locations where passwords are stored
  - Credentials from Web Browsers - Existing technique that became a sub-technique
  - Keychain - Existing technique that became a sub-technique
  - Securityd Memory - Existing technique that became a sub-technique
- Data Encoding: Non-Standard Encoding - Broken out from pre-defined behavior within Data Encoding
- Data Encoding: Standard Encoding - Broken out from pre-defined behavior within Data Encoding
- Data Manipulation - Created to consolidate existing behaviors around data manipulation
  - Runtime Data Manipulation - Existing technique that became a sub-technique
  - Stored Data Manipulation - Existing technique that became a sub-technique
  - Transmitted Data Manipulation - Existing technique that became a sub-technique
- Data Obfuscation: Junk Data - Broken out from pre-defined behavior within Data Obfuscation
- Data Obfuscation: Protocol Impersonation - Broken out from pre-defined behavior within Data Obfuscation
- Data Obfuscation: Steganography - Broken out from pre-defined behavior within Data Obfuscation
- Data Staged: Local Data Staging - Broken out from pre-defined behavior within Data Staged
- Data Staged: Remote Data Staging - Broken out from pre-defined behavior within Data Staged
- Data from Information Repositories: Confluence - Broken out from pre-defined behavior within Data from Information Repositories
- Data from Information Repositories: Sharepoint - Broken out from pre-defined behavior within Data from Information Repositories
- Defacement: External Defacement - Broken out from pre-defined behavior within Defacement
- Defacement: Internal Defacement - Broken out from pre-defined behavior within Defacement
- Disk Wipe - Created to consolidate behavior around disk wiping
  - Disk Content Wipe - Existing technique that became a sub-technique
  - Disk Structure Wipe - Existing technique that became a sub-technique
- Dynamic Resolution - Created to consolidate behavior around dynamic C2 behavior
  - DNS Calculation - Existing PRE-ATT&CK technique that became a sub-technique in Enterprise
  - Domain Generation Algorithms - Existing technique that became a sub-technique
  - Fast Flux DNS - Existing PRE-ATT&CK technique that became a sub-technique in Enterprise
- Email Collection: Email Forwarding Rule - Broken out from pre-defined behavior within Email Collection
- Email Collection: Local Email Collection - Broken out from pre-defined behavior within Email Collection
- Email Collection: Remote Email Collection - Broken out from pre-defined behavior within Email Collection
- Encrypted Channel - Created to consolidate behavior around encrypted C2
  - Asymmetric Cryptography - Broken out from pre-defined behavior within Encrypted Channel
  - Symmetric Cryptography - Broken out from pre-defined behavior within Encrypted Channel
- Endpoint Denial of Service: Application Exhaustion Flood - Broken out from pre-defined behavior within Endpoint Denial of Service
- Endpoint Denial of Service: Application or System Exploitation - Broken out from pre-defined behavior within Endpoint Denial of Service
- Endpoint Denial of Service: OS Exhaustion Flood - Broken out from pre-defined behavior within Endpoint Denial of Service
- Endpoint Denial of Service: Service Exhaustion Flood - Broken out from pre-defined behavior within Endpoint Denial of Service
- Event Triggered Execution - Created to consolidate persistence behavior due to adversary or user initiated actions
  - .bash_profile and .bashrc - Existing technique that became a sub-technique
  - Accessibility Features - Existing technique that became a sub-technique
  - AppCert DLLs - Existing technique that became a sub-technique
  - AppInit DLLs - Existing technique that became a sub-technique
  - Application Shimming - Existing technique that became a sub-technique
  - Change Default File Association - Existing technique that became a sub-technique
  - Component Object Model Hijacking - Existing technique that became a sub-technique
  - Emond - Existing technique that became a sub-technique
  - Image File Execution Options Injection - Existing technique that became a sub-technique
  - LC_LOAD_DYLIB Addition - Existing technique that became a sub-technique
  - Netsh Helper DLL - Existing technique that became a sub-technique
  - PowerShell Profile - Existing technique that became a sub-technique
  - Screensaver - Existing technique that became a sub-technique
  - Trap - Existing technique that became a sub-technique
  - Windows Management Instrumentation Event Subscription - Existing technique that became a sub-technique
- Execution Guardrails: Environmental Keying - Broken out from pre-defined behavior within Execution Guardrails
- Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
- Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
- Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth - Broken out from pre-defined behavior within Exfiltration Over Other Network Medium
- Exfiltration Over Physical Medium: Exfiltration over USB - Broken out from pre-defined behavior within Exfiltration Over Physical Medium
- Exfiltration Over Web Service - Created to consolidate behaviors around exfiltration to legitimate web services
  - Exfiltration to Cloud Storage - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
  - Exfiltration to Code Repository - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
- File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification - Broken out from pre-defined behavior within File and Directory Permissions Modification
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification - Broken out from pre-defined behavior within File and Directory Permissions Modification
- Hide Artifacts - Created to consolidate behaviors around defense evasion through creating hidden objects that may be difficult to see
  - Hidden File System - Created as distinct behavior within Hide Artifacts
  - Hidden Files and Directories - Existing technique that became a sub-technique
  - Hidden Users - Existing technique that became a sub-technique
  - Hidden Window - Existing technique that became a sub-technique
  - NTFS File Attributes - Existing technique that became a sub-technique
  - Run Virtual Instance - Created as distinct behavior within Hide Artifacts
- Hijack Execution Flow - Created to consolidate behaviors around running executable code by placing it where it would be executed by a legitimate process
  - COR_PROFILER - Created as distinct behavior within Hijack Execution Flow
  - DLL Search Order Hijacking - Existing technique that became a sub-technique
  - DLL Side-Loading - Existing technique that became a sub-technique
  - Dylib Hijacking - Existing technique that became a sub-technique
  - Executable Installer File Permissions Weakness - Existing technique that became a sub-technique
  - LD_PRELOAD - Existing technique that became a sub-technique
  - Path Interception by PATH Environment Variable - Broken out from pre-defined behavior within the prior Path Interception technique
  - Path Interception by Search Order Hijacking - Broken out from pre-defined behavior within the prior Path Interception technique
  - Path Interception by Unquoted Path - Broken out from pre-defined behavior within the prior Path Interception technique
  - Services File Permissions Weakness - Existing technique that became a sub-technique
  - Services Registry Permissions Weakness - Existing technique that became a sub-technique
- Impair Defenses - Created to consolidate behaviors that prevent a defense from working as intended
  - Disable Windows Event Logging - Existing technique that became a sub-technique
  - Disable or Modify Cloud Firewall - Created as distinct behavior within Impair Defenses
  - Disable or Modify System Firewall - Existing technique that became a sub-technique
  - Disable or Modify Tools - Existing technique that became a sub-technique
  - HISTCONTROL - Existing technique that became a sub-technique
  - Indicator Blocking - Existing technique that became a sub-technique
- Indicator Removal on Host: Clear Command History - Existing technique that became a sub-technique
- Indicator Removal on Host: Clear Linux or Mac System Logs - Broken out from pre-defined behavior within Indicator Removal on Host
- Indicator Removal on Host: Clear Windows Event Logs - Broken out from pre-defined behavior within Indicator Removal on Host
- Indicator Removal on Host: File Deletion - Existing technique that became a sub-technique
- Indicator Removal on Host: Network Share Connection Removal - Existing technique that became a sub-technique
- Indicator Removal on Host: Timestomp - Existing technique that became a sub-technique
- Input Capture: Credential API Hooking - Existing technique that became a sub-technique and was renamed from API Hooking. Scope change to only credential access for API hooking was based on available procedure examples
- Input Capture: GUI Input Capture - Broken out from pre-defined behavior within Input Capture
- Input Capture: Keylogging - Broken out from pre-defined behavior within Input Capture
- Input Capture: Web Portal Capture - Broken out from pre-defined behavior within Input Capture
- Inter-Process Communication - Created to consolidate behavior related to using IPC for local system execution
  - Component Object Model - Broken out from pre-defined behavior within the prior Component Object Model and Distributed COM technique
  - Dynamic Data Exchange - Existing technique that became a sub-technique
- Lateral Tool Transfer - Broken out from pre-defined behavior within the prior Remote File Copy technique to focus on file transfer within a network
- Man-in-the-Middle - Created to consolidate behavior related to setting up man-in-the-middle condition within a network
  - LLMNR/NBT-NS Poisoning and SMB Relay - Existing technique that became a sub-technique
- Masquerading: Invalid Code Signature - Created based on procedure examples within Code Signing as a distinct behavior using invalid digital signatures
- Masquerading: Masquerade Task or Service - Broken out from pre-defined behavior within Masquerading
- Masquerading: Match Legitimate Name or Location - Broken out from pre-defined behavior within Masquerading
- Masquerading: Rename System Utilities - Broken out from pre-defined behavior within Masquerading
- Masquerading: Right-to-Left Override - Broken out from pre-defined behavior within Masquerading
- Masquerading: Space after Filename - Existing technique that became a sub-technique
- Modify Authentication Process - Created to consolidate behavior related to changing the authentication process previously under Account Manipulation
  - Domain Controller Authentication - Broken out from pre-defined behavior within Account Manipulation
  - Password Filter DLL - Existing technique that became a sub-technique
  - Pluggable Authentication Modules - Created as distinct behavior within Modify Authentication Process
- Modify Cloud Compute Infrastructure - Created to consolidate behaviors around defense evasion through the cloud compute service
  - Create Cloud Instance - Created as distinct behavior within Modify Cloud Compute Infrastructure
  - Create Snapshot - Created as distinct behavior within Modify Cloud Compute Infrastructure
  - Delete Cloud Instance - Created as distinct behavior within Modify Cloud Compute Infrastructure
  - Revert Cloud Instance - Existing technique that became a sub-technique
- Network Denial of Service: Direct Network Flood - Broken out from pre-defined behavior within Network Denial of Service
- Network Denial of Service: Reflection Amplification - Broken out from pre-defined behavior within Network Denial of Service
- Non-Standard Port - Created to refine the idea behind Common and Uncommonly Used Port to focus the behavior on use of a non-standard port for C2 based on the protocol used
- OS Credential Dumping: /etc/passwd and /etc/shadow - Broken out from pre-defined behavior within OS Credential Dumping
- OS Credential Dumping: Cached Domain Credentials - Broken out from pre-defined behavior within OS Credential Dumping
- OS Credential Dumping: DCSync - Broken out from pre-defined behavior within OS Credential Dumping
- OS Credential Dumping: LSA Secrets - Broken out from pre-defined behavior within OS Credential Dumping
- OS Credential Dumping: LSASS Memory - Broken out from pre-defined behavior within OS Credential Dumping
- OS Credential Dumping: NTDS - Broken out from pre-defined behavior within OS Credential Dumping
- OS Credential Dumping: Proc Filesystem - Broken out from pre-defined behavior within OS Credential Dumping
- OS Credential Dumping: Security Account Manager - Broken out from pre-defined behavior within OS Credential Dumping
- Obfuscated Files or Information: Binary Padding - Existing technique that became a sub-technique
- Obfuscated Files or Information: Compile After Delivery - Existing technique that became a sub-technique
- Obfuscated Files or Information: Indicator Removal from Tools - Existing technique that became a sub-technique
- Obfuscated Files or Information: Software Packing - Existing technique that became a sub-technique
- Obfuscated Files or Information: Steganography - Broken out from pre-defined behavior within Obfuscated Files or Information
- Office Application Startup: Add-ins - Broken out from pre-defined behavior within Office Application Startup
- Office Application Startup: Office Template Macros - Broken out from pre-defined behavior within Office Application Startup
- Office Application Startup: Office Test - Broken out from pre-defined behavior within Office Application Startup
- Office Application Startup: Outlook Forms - Broken out from pre-defined behavior within Office Application Startup
- Office Application Startup: Outlook Home Page - Broken out from pre-defined behavior within Office Application Startup
- Office Application Startup: Outlook Rules - Broken out from pre-defined behavior within Office Application Startup
- Permission Groups Discovery: Cloud Groups - Broken out from pre-defined behavior within Permission Groups Discovery in a way that has parity with Account Discovery
- Permission Groups Discovery: Domain Groups - Broken out from pre-defined behavior within Permission Groups Discovery in a way that has parity with Account Discovery
- Permission Groups Discovery: Local Groups - Broken out from pre-defined behavior within Permission Groups Discovery in a way that has parity with Account Discovery
- Phishing - Created to consolidate behavior around phishing and spearphishing
  - Spearphishing Attachment - Existing technique that became a sub-technique
  - Spearphishing Link - Existing technique that became a sub-technique
  - Spearphishing via Service - Existing technique that became a sub-technique
- Pre-OS Boot - Created to consolidate behavior around persistence that loads before the OS boots
  - Bootkit - Existing technique that became a sub-technique
  - Component Firmware - Existing technique that became a sub-technique
  - System Firmware - Existing technique that became a sub-technique
- Process Injection: Asynchronous Procedure Call - Existing technique that became a sub-technique
- Process Injection: Dynamic-link Library Injection - Broken out from pre-defined behavior within Process Injection
- Process Injection: Extra Window Memory Injection - Broken out from pre-defined behavior within Process Injection
- Process Injection: Portable Executable Injection - Broken out from pre-defined behavior within Process Injection
- Process Injection: Proc Memory - Broken out from pre-defined behavior within Process Injection
- Process Injection: Process Doppelgänging - Existing technique that became a sub-technique
- Process Injection: Process Hollowing - Existing technique that became a sub-technique
- Process Injection: Ptrace System Calls - Broken out from pre-defined behavior within Process Injection
- Process Injection: Thread Execution Hijacking - Broken out from pre-defined behavior within Process Injection
- Process Injection: Thread Local Storage - Broken out from pre-defined behavior within Process Injection
- Process Injection: VDSO Hijacking - Broken out from pre-defined behavior within Process Injection
- Protocol Tunneling - Created to define behavior broken out from the prior Standard Application and Standard Cryptographic Protocol techniques
- Proxy: Domain Fronting - Existing technique that became a sub-technique
- Proxy: External Proxy - Broken out from pre-defined behavior within Connection Proxy
- Proxy: Internal Proxy - Broken out from pre-defined behavior within Connection Proxy
- Proxy: Multi-hop Proxy - Existing technique that became a sub-technique
- Remote Service Session Hijacking - Created to consolidate behavior related to hijacking existing remote connection sessions
  - RDP Hijacking - Broken out from pre-defined behavior within Remote Desktop Protocol
  - SSH Hijacking - Existing technique that became a sub-technique
- Remote Services: Distributed Component Object Model - Broken out from pre-defined behavior within Component Object Model and Distributed COM technique
- Remote Services: Remote Desktop Protocol - Existing technique that became a sub-technique
- Remote Services: SMB/Windows Admin Shares - Existing technique that became a sub-technique and was renamed from Windows Admin Shares
- Remote Services: SSH - Broken out from pre-defined behavior within Remote Services technique
- Remote Services: VNC - Broken out from pre-defined behavior within Remote Services technique
- Remote Services: Windows Remote Management - Existing technique that became a sub-technique
- Scheduled Task/Job: At (Linux) - Broken out from pre-defined behavior within prior Local Job Scheduling technique
- Scheduled Task/Job: At (Windows) - Broken out from pre-defined behavior within prior Scheduled Task technique
- Scheduled Task/Job: Cron - Broken out from pre-defined behavior within prior Local Job Scheduling technique
- Scheduled Task/Job: Launchd - Existing technique that became a sub-technique
- Scheduled Task/Job: Scheduled Task - Existing technique that became a sub-technique
- Server Software Component: SQL Stored Procedures - Broken out from pre-defined behavior within Server Software Component technique
- Server Software Component: Transport Agent - Broken out from pre-defined behavior within Server Software Component technique
- Server Software Component: Web Shell - Existing technique that became a sub-technique
- Signed Binary Proxy Execution: CMSTP - Existing technique that became a sub-technique
- Signed Binary Proxy Execution: Compiled HTML File - Existing technique that became a sub-technique
- Signed Binary Proxy Execution: Control Panel - Existing technique that became a sub-technique
- Signed Binary Proxy Execution: InstallUtil - Existing technique that became a sub-technique
- Signed Binary Proxy Execution: Mshta - Existing technique that became a sub-technique
- Signed Binary Proxy Execution: Msiexec - Broken out from pre-defined behavior within Signed Binary Proxy Execution technique
- Signed Binary Proxy Execution: Odbcconf - Broken out from pre-defined behavior within Signed Binary Proxy Execution technique
- Signed Binary Proxy Execution: Regsvcs/Regasm - Existing technique that became a sub-technique
- Signed Binary Proxy Execution: Regsvr32 - Existing technique that became a sub-technique
- Signed Binary Proxy Execution: Rundll32 - Existing technique that became a sub-technique
- Signed Script Proxy Execution: PubPrn - Existing technique that became a sub-technique
- Software Discovery: Security Software Discovery - Existing technique that became a sub-technique
- Steal or Forge Kerberos Tickets - Created to consolidate behavior related to Kerberos tickets
  - Golden Ticket - Broken out from pre-defined behavior within Pass the Ticket technique
  - Kerberoasting - Existing technique that became a sub-technique
  - Silver Ticket - Broken out from pre-defined behavior within Pass the Ticket technique
- Subvert Trust Controls - Created to consolidate behavior related to getting around trust controls
  - Code Signing - Existing technique that became a sub-technique
  - Gatekeeper Bypass - Existing technique that became a sub-technique
  - Install Root Certificate - Existing technique that became a sub-technique
  - SIP and Trust Provider Hijacking - Existing technique that became a sub-technique
- Supply Chain Compromise: Compromise Hardware Supply Chain - Broken out from pre-defined behavior within Supply Chain Compromise
- Supply Chain Compromise: Compromise Software Dependencies and Development Tools - Broken out from pre-defined behavior within Supply Chain Compromise
- Supply Chain Compromise: Compromise Software Supply Chain - Broken out from pre-defined behavior within Supply Chain Compromise
- System Services - Created to consolidate behaviors related to execution of binaries through system services
  - Launchctl - Existing technique that became a sub-technique
  - Service Execution - Existing technique that became a sub-technique
- Traffic Signaling: Port Knocking - Broken out from pre-defined behavior within Traffic Signaling
- Trusted Developer Utilities Proxy Execution: MSBuild - Broken out from pre-defined behavior within Trusted Developer Utilities Proxy Execution
- Unsecured Credentials - Created to consolidate places where unsecured credentials may be kept
  - Bash History - Existing technique that became a sub-technique
  - Cloud Instance Metadata API - Existing technique that became a sub-technique
  - Credentials In Files - Existing technique that became a sub-technique
  - Credentials in Registry - Existing technique that became a sub-technique
  - Group Policy Preferences - Existing technique that became a sub-technique
  - Private Keys - Existing technique that became a sub-technique
- Use Alternate Authentication Material - Created to consolidate behavior related to use of non-password based credential material
  - Application Access Token - Existing technique that became a sub-technique
  - Pass the Hash - Existing technique that became a sub-technique
  - Pass the Ticket - Existing technique that became a sub-technique
  - Web Session Cookie - Existing technique that became a sub-technique
- User Execution: Malicious File - Broken out from pre-defined behavior within User Execution
- User Execution: Malicious Link - Broken out from pre-defined behavior within User Execution
- Valid Accounts: Cloud Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
- Valid Accounts: Default Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
- Valid Accounts: Domain Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
- Valid Accounts: Local Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
- Virtualization/Sandbox Evasion: System Checks - Broken out from pre-defined behavior within Virtualization/Sandbox Evasion
- Virtualization/Sandbox Evasion: Time Based Evasion - Broken out from pre-defined behavior within Virtualization/Sandbox Evasion
- Virtualization/Sandbox Evasion: User Activity Based Checks - Broken out from pre-defined behavior within Virtualization/Sandbox Evasion
- Web Service: Bidirectional Communication - Broken out from pre-defined behavior within Web Service
- Web Service: Dead Drop Resolver - Broken out from pre-defined behavior within Web Service
- Web Service: One-Way Communication - Broken out from pre-defined behavior within Web Service
Technique changes:
Technique changes are largely due to new sub-techniques being added, name changes, or both.
- Access Token Manipulation - New sub-techniques added
- Account Discovery - New sub-techniques added
- Account Manipulation - New sub-techniques added
- Application Layer Protocol - Name change from Standard Application Layer Protocol and new sub-techniques added
- Application Window Discovery - Fixed technique reference in description
- Automated Exfiltration - Fixed technique reference in description
- BITS Jobs - Fixed technique reference in description and minor description update
- Boot or Logon Initialization Scripts - Name change from Logon Scripts and new sub-techniques added
- Browser Extensions - Data sources changed and minor description update
- Brute Force - New sub-techniques added
- Clipboard Data - Minor description update
- Cloud Service Discovery - Minor description update
- Command and Scripting Interpreter - Name change from Command-Line Interface and new sub-techniques added
- Create Account - New sub-techniques added
- Data Encoding - New sub-techniques added
- Data Obfuscation - New sub-techniques added
- Data Staged - New sub-techniques added
- Data from Information Repositories - New sub-techniques added
- Data from Local System - Fixed technique reference in description and minor description update
- Data from Network Shared Drive - Fixed technique reference in description and minor description update
- Data from Removable Media - Fixed technique reference in description and minor description update
- Direct Volume Access - Name change from File System Logical Offsets
- Domain Trust Discovery - Fixed technique reference in description and minor description update
- Drive-by Compromise - Fixed technique reference in description and minor description update
- Email Collection - New sub-techniques added
- Execution Guardrails - New sub-technique added
- Exfiltration Over Alternative Protocol - New sub-techniques added
- Exfiltration Over C2 Channel - Name change from Exfiltration over Command and Control Channel and added data sources
- Exfiltration Over Other Network Medium - New sub-techniques added
- Exfiltration Over Physical Medium - New sub-techniques added
- Exploit Public-Facing Application - Minor description update
- Exploitation for Client Execution - Minor description update
- Exploitation for Credential Access - Minor description update
- Exploitation for Defense Evasion - Minor description update
- Exploitation for Privilege Escalation - Minor description update
- Exploitation of Remote Services - Minor description update
- External Remote Services - Minor description update
- File and Directory Discovery - Fixed technique reference in description and minor description update
- File and Directory Permissions Modification - New sub-techniques added
- Forced Authentication - Minor description update
- Group Policy Modification - Minor description update
- Indicator Removal on Host - New sub-techniques added
- Indirect Command Execution - Minor description update
- Ingress Tool Transfer - Name change from Remote File Copy
- Input Capture - New sub-techniques added
- Masquerading - New sub-techniques added
- Native API - Name change from Execution through API
- Network Service Scanning - Minor description update
- Network Share Discovery - Fixed technique reference in description, added Linux, and minor description update
- Network Sniffing - Minor description update
- Non-Application Layer Protocol - Name change from Standard Non-Application Layer Protocol
- OS Credential Dumping - Name change from Credential Dumping and new sub-techniques added
- Obfuscated Files or Information - Minor description update
- Password Policy Discovery - Fixed technique reference in description and minor description update
- Peripheral Device Discovery - Fixed technique reference in description and minor description update
- Permission Groups Discovery - New sub-techniques added
- Process Discovery - Fixed technique reference in description and minor description update
- Process Injection - New sub-techniques added
- Proxy - Name change from Connection Proxy and new sub-techniques added
- Query Registry - Fixed technique reference in description and minor description update
- Remote Access Software - Name change from Remote Access Tools and fixed technique reference in description
- Remote Services - New sub-techniques added
- Remote System Discovery - Fixed technique reference in description and minor description update
- Rogue Domain Controller - Name change from DCShadow
- Rootkit - Minor description update
- Scheduled Task/Job - New sub-techniques added
- Scheduled Transfer - Minor description update
- Screen Capture - Minor description update
- Server Software Component - New sub-techniques added
- Shared Modules - Name change from Execution through Module Load
- Signed Binary Proxy Execution - New sub-techniques added
- Signed Script Proxy Execution - New sub-techniques added
- Software Deployment Tools - Minor description update and data source added
- Software Discovery - New sub-techniques added
- Supply Chain Compromise - New sub-techniques added
- System Information Discovery - Fixed technique reference in description and minor description update
- System Network Configuration Discovery - Fixed technique reference in description and minor description update
- System Network Connections Discovery - Fixed technique reference in description and minor description update
- System Owner/User Discovery - Fixed technique reference in description and minor description update
- System Time Discovery - Minor description update
- Taint Shared Content - Minor description update
- Template Injection - Minor description update
- Traffic Signaling - Technique renamed and sub-technique added
- Trusted Developer Utilities Proxy Execution - Minor description update and sub-technique added
- Two-Factor Authentication Interception - Minor description update
- User Execution - New sub-techniques added
- Valid Accounts - New sub-techniques added
- Virtualization/Sandbox Evasion - New sub-techniques added
- Web Service - New sub-techniques added
- Windows Management Instrumentation - Minor description update
- XSL Script Processing - Minor description update
Minor Technique changes:
- Automated Collection
- Browser Bookmark Discovery
- Data Destruction
- Data Encrypted for Impact
- Endpoint Denial of Service
- Implant Container Image
- Internal Spearphishing
- Network Denial of Service
- Office Application Startup
- Steal Application Access Token
- Steal Web Session Cookie
- System Service Discovery
- System Shutdown/Reboot
- Transfer Data to Cloud Account
Technique revocations:
- .bash_profile and .bashrc (revoked by Event Triggered Execution: .bash_profile and .bashrc)
- Accessibility Features (revoked by Event Triggered Execution: Accessibility Features)
- AppCert DLLs (revoked by Event Triggered Execution: AppCert DLLs)
- AppInit DLLs (revoked by Event Triggered Execution: AppInit DLLs)
- AppleScript (revoked by Command and Scripting Interpreter: AppleScript)
- Application Access Token (revoked by Use Alternate Authentication Material: Application Access Token)
- Application Deployment Software (revoked by Software Deployment Tools)
- Application Shimming (revoked by Event Triggered Execution: Application Shimming)
- Authentication Package (revoked by Boot or Logon Autostart Execution: Authentication Package)
- Bash History (revoked by Unsecured Credentials: Bash History)
- Binary Padding (revoked by Obfuscated Files or Information: Binary Padding)
- Bootkit (revoked by Pre-OS Boot: Bootkit)
- Bypass User Account Control (revoked by Abuse Elevation Control Mechanism: Bypass User Access Control)
- CMSTP (revoked by Signed Binary Proxy Execution: CMSTP)
- Change Default File Association (revoked by Event Triggered Execution: Change Default File Association)
- Clear Command History (revoked by Indicator Removal on Host: Clear Command History)
- Cloud Instance Metadata API (revoked by Unsecured Credentials: Cloud Instance Metadata API)
- Code Signing (revoked by Subvert Trust Controls: Code Signing)
- Compile After Delivery (revoked by Obfuscated Files or Information: Compile After Delivery)
- Compiled HTML File (revoked by Signed Binary Proxy Execution: Compiled HTML File)
- Component Firmware (revoked by Pre-OS Boot: Component Firmware)
- Component Object Model Hijacking (revoked by Event Triggered Execution: Component Object Model Hijacking)
- Control Panel Items (revoked by Signed Binary Proxy Execution: Control Panel)
- Credentials from Web Browsers (revoked by Credentials from Password Stores: Credentials from Web Browsers)
- Credentials in Files (revoked by Unsecured Credentials: Credentials In Files)
- Credentials in Registry (revoked by Unsecured Credentials: Credentials in Registry)
- Custom Command and Control Protocol (revoked by Non-Application Layer Protocol)
- Custom Cryptographic Protocol (revoked by Encrypted Channel)
- DLL Search Order Hijacking (revoked by Hijack Execution Flow: DLL Search Order Hijacking)
- DLL Side-Loading (revoked by Hijack Execution Flow: DLL Side-Loading)
- Data Compressed (revoked by Archive Collected Data)
- Data Encrypted (revoked by Archive Collected Data)
- Disabling Security Tools (revoked by Impair Defenses: Disable or Modify Tools)
- Disk Content Wipe (revoked by Disk Wipe: Disk Content Wipe)
- Disk Structure Wipe (revoked by Disk Wipe: Disk Structure Wipe)
- Domain Fronting (revoked by Proxy: Domain Fronting)
- Domain Generation Algorithms (revoked by Dynamic Resolution: Domain Generation Algorithms)
- Dylib Hijacking (revoked by Hijack Execution Flow: Dylib Hijacking)
- Dynamic Data Exchange (revoked by Inter-Process Communication: Dynamic Data Exchange)
- Elevated Execution with Prompt (revoked by Abuse Elevation Control Mechanism: Elevated Execution with Prompt)
- Emond (revoked by Event Triggered Execution: Emond)
- Extra Window Memory Injection (revoked by Process Injection: Extra Window Memory Injection)
- File Deletion (revoked by Indicator Removal on Host: File Deletion)
- File System Permissions Weakness (revoked by Hijack Execution Flow: Services File Permissions Weakness)
- Gatekeeper Bypass (revoked by Subvert Trust Controls: Gatekeeper Bypass)
- HISTCONTROL (revoked by Impair Defenses: HISTCONTROL)
- Hidden Files and Directories (revoked by Hide Artifacts: Hidden Files and Directories)
- Hidden Users (revoked by Hide Artifacts: Hidden Users)
- Hidden Window (revoked by Hide Artifacts: Hidden Window)
- Hooking (revoked by Input Capture: Credential API Hooking)
- Image File Execution Options Injection (revoked by Event Triggered Execution: Image File Execution Options Injection)
- Indicator Blocking (revoked by Impair Defenses: Indicator Blocking)
- Indicator Removal from Tools (revoked by Obfuscated Files or Information: Indicator Removal from Tools)
- Input Prompt (revoked by Input Capture: GUI Input Capture)
- Install Root Certificate (revoked by Subvert Trust Controls: Install Root Certificate)
- InstallUtil (revoked by Signed Binary Proxy Execution: InstallUtil)
- Kerberoasting (revoked by Steal or Forge Kerberos Tickets: Kerberoasting)
- Kernel Modules and Extensions (revoked by Boot or Logon Autostart Execution: Kernel Modules and Extensions)
- Keychain (revoked by Credentials from Password Stores: Keychain)
- LC_LOAD_DYLIB Addition (revoked by Event Triggered Execution: LC_LOAD_DYLIB Addition)
- LLMNR/NBT-NS Poisoning and Relay (revoked by Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay)
- LSASS Driver (revoked by Boot or Logon Autostart Execution: LSASS Driver)
- Launch Agent (revoked by Create or Modify System Process: Launch Agent)
- Launch Daemon (revoked by Create or Modify System Process: Launch Daemon)
- Launchctl (revoked by System Services: Launchctl)
- Local Job Scheduling (revoked by Scheduled Task/Job)
- Login Item (revoked by Boot or Logon Autostart Execution: Plist Modification)
- Modify Existing Service (revoked by Create or Modify System Process: Windows Service)
- Mshta (revoked by Signed Binary Proxy Execution: Mshta)
- Multi-hop Proxy (revoked by Proxy: Multi-hop Proxy)
- Multilayer Encryption (revoked by Encrypted Channel)
- NTFS File Attributes (revoked by Hide Artifacts: NTFS File Attributes)
- Netsh Helper DLL (revoked by Event Triggered Execution: Netsh Helper DLL)
- Network Share Connection Removal (revoked by Indicator Removal on Host: Network Share Connection Removal)
- New Service (revoked by Create or Modify System Process: Windows Service)
- Parent PID Spoofing (revoked by Access Token Manipulation: Parent PID Spoofing)
- Pass the Hash (revoked by Use Alternate Authentication Material: Pass the Hash)
- Pass the Ticket (revoked by Use Alternate Authentication Material: Pass the Ticket)
- Password Filter DLL (revoked by Modify Authentication Process: Password Filter DLL)
- Plist Modification (revoked by Boot or Logon Autostart Execution: Plist Modification)
- Port Monitors (revoked by Boot or Logon Autostart Execution: Port Monitors)
- PowerShell (revoked by Command and Scripting Interpreter: PowerShell)
- PowerShell Profile (revoked by Event Triggered Execution: PowerShell Profile)
- Private Keys (revoked by Unsecured Credentials: Private Keys)
- Process Doppelgänging (revoked by Process Injection: Process Doppelgänging)
- Process Hollowing (revoked by Process Injection: Process Hollowing)
- Rc.common (revoked by Boot or Logon Initialization Scripts: Rc.common)
- Re-opened Applications (revoked by Boot or Logon Autostart Execution: Re-opened Applications)
- Registry Run Keys / Startup Folder (revoked by Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
- Regsvcs/Regasm (revoked by Signed Binary Proxy Execution: Regsvcs/Regasm)
- Regsvr32 (revoked by Signed Binary Proxy Execution: Regsvr32)
- Remote Desktop Protocol (revoked by Remote Services: Remote Desktop Protocol)
- Revert Cloud Instance (revoked by Modify Cloud Compute Infrastructure: Revert Cloud Instance)
- Rundll32 (revoked by Signed Binary Proxy Execution: Rundll32)
- Runtime Data Manipulation (revoked by Data Manipulation: Runtime Data Manipulation)
- SID-History Injection (revoked by Access Token Manipulation: SID-History Injection)
- SIP and Trust Provider Hijacking (revoked by Subvert Trust Controls: SIP and Trust Provider Hijacking)
- SSH Hijacking (revoked by Remote Service Session Hijacking: SSH Hijacking)
- Screensaver (revoked by Event Triggered Execution: Screensaver)
- Security Software Discovery (revoked by Software Discovery: Security Software Discovery)
- Security Support Provider (revoked by Boot or Logon Autostart Execution: Security Support Provider)
- Securityd Memory (revoked by Credentials from Password Stores: Securityd Memory)
- Service Execution (revoked by System Services: Service Execution)
- Service Registry Permissions Weakness (revoked by Hijack Execution Flow: Services Registry Permissions Weakness)
- Setuid and Setgid (revoked by Abuse Elevation Control Mechanism: Setuid and Setgid)
- Shortcut Modification (revoked by Boot or Logon Autostart Execution: Shortcut Modification)
- Software Packing (revoked by Obfuscated Files or Information: Software Packing)
- Space after Filename (revoked by Masquerading: Space after Filename)
- Spearphishing Attachment (revoked by Phishing: Spearphishing Attachment)
- Spearphishing Link (revoked by Phishing: Spearphishing Link)
- Spearphishing via Service (revoked by Phishing: Spearphishing via Service)
- Standard Cryptographic Protocol (revoked by Encrypted Channel)
- Startup Items (revoked by Boot or Logon Initialization Scripts: Startup Items)
- Stored Data Manipulation (revoked by Data Manipulation: Stored Data Manipulation)
- Sudo (revoked by Abuse Elevation Control Mechanism: Sudo and Sudo Caching)
- Sudo Caching (revoked by Abuse Elevation Control Mechanism: Sudo and Sudo Caching)
- System Firmware (revoked by Pre-OS Boot: System Firmware)
- Systemd Service (revoked by Create or Modify System Process: Systemd Service)
- Time Providers (revoked by Boot or Logon Autostart Execution: Time Providers)
- Timestomp (revoked by Indicator Removal on Host: Timestomp)
- Transmitted Data Manipulation (revoked by Data Manipulation: Transmitted Data Manipulation)
- Trap (revoked by Event Triggered Execution: Trap)
- Uncommonly Used Port (revoked by Non-Standard Port)
- Web Session Cookie (revoked by Use Alternate Authentication Material: Web Session Cookie)
- Web Shell (revoked by Server Software Component: Web Shell)
- Windows Admin Shares (revoked by Remote Services: SMB/Windows Admin Shares)
- Windows Management Instrumentation Event Subscription (revoked by Event Triggered Execution: Windows Management Instrumentation Event Subscription)
- Windows Remote Management (revoked by Remote Services: Windows Remote Management)
- Winlogon Helper DLL (revoked by Boot or Logon Autostart Execution: Winlogon Helper DLL)
Technique deprecations:
- Commonly Used Port - Deprecated from ATT&CK because the behavior is redundant and describes most benign network communications.
- Component Object Model and Distributed COM - Deprecated and split into separate Component Object Model and Distributed Component Object Model sub-techniques. Existing Group/Software procedure examples were remapped appropriately
- Graphical User Interface - Deprecated from ATT&CK because the behavior is redundant and implied by use of remote desktop tools like Remote Desktop Protocol. Existing Group/Software procedure examples were remapped appropriately
- Hypervisor - Deprecated from ATT&CK due to lack of in-the-wild use
- LC_MAIN Hijacking - Deprecated from ATT&CK due to lack of in-the-wild use
- Multiband Communication - Deprecated from ATT&CK due to lack of in-the-wild use. Existing Group/Software procedure examples did not fit the core idea behind the technique
- Path Interception - Deprecated and split into separate Unquoted Path, PATH Environment Variable, and Search Order Hijacking sub-techniques. Existing Group/Software procedure examples were remapped appropriately
- Redundant Access - Deprecated from ATT&CK because the behavior is too high level and is sufficiently covered by Valid Accounts and External Remote Services. Existing Group/Software procedure examples were remapped appropriately
- Scripting - Deprecated and split into separate Unix Shell, Visual Basic, JavaScript/Jscript, and Python sub-techniques of Command and Scripting Interpreter. Existing Group/Software procedure examples were remapped appropriately
- Shared Webroot - Deprecated from ATT&CK due to lack of in-the-wild use
- Source - Deprecated from ATT&CK due to lack of in-the-wild use
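The revocation and deprecation lists above matter in practice because detection rules, Navigator layers, and coverage spreadsheets tagged with pre-v7 technique IDs silently go stale. The following is an added example, not part of the changelog or of MITRE's own tooling: it resolves old IDs against a STIX 2.0 bundle in the shape MITRE/CTI publishes (attack-pattern objects whose `external_references` entry with `source_name` "mitre-attack" carries the Txxxx ID, revoked objects flagged `revoked: true` and linked to their successor by a `revoked-by` relationship, deprecated objects flagged `x_mitre_deprecated: true`). The bundle in the block is constructed for the example; the ATT&CK IDs T1205, T1205.001 and T1571 come from this page's errata, T1043 and T1065 are the pre-v7 IDs of Commonly Used Port and Uncommonly Used Port, and the STIX object ids are made up.

```python
"""Resolve pre-v7 ATT&CK technique IDs to their v7 replacement (added example)."""
from __future__ import annotations


def attack_id(obj: dict) -> str | None:
    """Return the ATT&CK ID (e.g. T1205) of an attack-pattern object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_migration_map(bundle: dict) -> dict[str, dict]:
    """Map each attack-pattern's ATT&CK ID to its status and successor.

    Values look like {"status": "current"|"revoked"|"deprecated",
    "name": ..., "replaced_by": "Txxxx" or None}. Revocation chains are
    followed until a non-revoked object is reached.
    """
    objects = bundle.get("objects", [])
    patterns = {o["id"]: o for o in objects if o.get("type") == "attack-pattern"}
    revoked_by = {
        r["source_ref"]: r["target_ref"]
        for r in objects
        if r.get("type") == "relationship" and r.get("relationship_type") == "revoked-by"
    }

    def successor(stix_id: str) -> str:
        seen = {stix_id}
        while stix_id in revoked_by:
            stix_id = revoked_by[stix_id]
            if stix_id in seen:  # defensive: stop on malformed cyclic data
                break
            seen.add(stix_id)
        return stix_id

    result: dict[str, dict] = {}
    for stix_id, obj in patterns.items():
        tid = attack_id(obj)
        if tid is None:
            continue
        if obj.get("revoked"):
            new = patterns.get(successor(stix_id))
            status, replaced_by = "revoked", (attack_id(new) if new else None)
        elif obj.get("x_mitre_deprecated"):
            status, replaced_by = "deprecated", None
        else:
            status, replaced_by = "current", None
        result[tid] = {"status": status, "name": obj["name"], "replaced_by": replaced_by}
    return result


def migrate_ids(ids: list[str], migration: dict[str, dict]) -> tuple[list[str], list[str]]:
    """Rewrite a list of technique IDs (e.g. from a Navigator layer).

    Returns (new_ids, dropped): revoked IDs are replaced by their successor,
    deprecated IDs (no replacement) are returned in `dropped` for manual review.
    """
    new_ids, dropped = [], []
    for tid in ids:
        entry = migration.get(tid)
        if entry is None or entry["status"] == "current":
            new_ids.append(tid)
        elif entry["status"] == "revoked" and entry["replaced_by"]:
            new_ids.append(entry["replaced_by"])
        else:
            dropped.append(tid)
    return new_ids, dropped


def _ap(stix_id: str, name: str, tid: str, **flags) -> dict:
    """Helper to build a minimal constructed attack-pattern object."""
    return {"type": "attack-pattern", "id": stix_id, "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            **flags}


# Constructed sample bundle (STIX ids are made up; shape follows MITRE/CTI).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        _ap("attack-pattern--aaaa", "Uncommonly Used Port", "T1065", revoked=True),
        _ap("attack-pattern--bbbb", "Non-Standard Port", "T1571"),
        _ap("attack-pattern--cccc", "Commonly Used Port", "T1043", x_mitre_deprecated=True),
        _ap("attack-pattern--dddd", "Traffic Signaling", "T1205"),
        _ap("attack-pattern--eeee", "Port Knocking", "T1205.001"),
        {"type": "relationship", "id": "relationship--0001", "relationship_type": "revoked-by",
         "source_ref": "attack-pattern--aaaa", "target_ref": "attack-pattern--bbbb"},
    ],
}

if __name__ == "__main__":
    migration = build_migration_map(SAMPLE_BUNDLE)
    print(migrate_ids(["T1065", "T1043", "T1205.001"], migration))
```

Against the real v7.0 bundle, load `enterprise-attack.json` from the MITRE/CTI repository with `json.load` and pass it as `bundle`; anything returned in `dropped` (deprecated techniques such as Commonly Used Port) has no automatic mapping and needs a human decision.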
PRE-ATT&CK
New Techniques: No changes
Technique changes: No changes
Minor Technique changes: No changes
Technique revocations: No changes
Technique deprecations:
- DNSCalc
- Fast Flux DNS
Mobile
View mobile technique updates in the ATT&CK Navigator here.
New Techniques:
- Code Injection
- Compromise Application Executable
- Foreground Persistence
- Keychain
- Native Code
- Remote File Copy
- Uninstall Malicious Application
Technique changes:
- Broadcast Receivers
- Carrier Billing Fraud
- Input Capture
- Input Injection
- Input Prompt
- Masquerade as Legitimate Application
- Screen Capture
- Suppress Application Icon
- System Network Configuration Discovery
Minor Technique changes:
- Access Notifications
- Clipboard Modification
- Deliver Malicious App via Other Means
- System Information Discovery
Technique revocations: No changes
Technique deprecations: No changes
Software
Enterprise
New Software:
- ABK
- Aria-body
- Attor
- Avenger
- BBK
- BackConfig
- Bundlore
- CARROTBALL
- CARROTBAT
- Cadelspy
- Get2
- Goopy
- HotCroissant
- Imminent Monitor
- Kivars
- Lokibot
- LoudMiner
- MAZE
- MESSAGETAP
- MechaFlounder
- Metamorfo
- Netwalker
- Okrum
- PLEAD
- PoetRAT
- Pony
- PowerShower
- Ragnar Locker
- Ramsay
- Rifdoor
- Rising Sun
- Ryuk
- SDBot
- SHARPSTATS
- SYSCON
- ShimRat
- ShimRatReporter
- Skidmap
- TSCookie
- TajMahal
- USBferry
- VBShower
- Valak
- WindTail
- Winnti for Linux
- build_downer
- down_new
Software changes:
- 3PARA RAT
- 4H RAT
- ADVSTORESHELL
- ASPXSpy
- Agent Tesla
- Agent.btz
- Astaroth
- AuditCred
- AutoIt backdoor
- Azorult
- BACKSPACE
- BADCALL
- BADNEWS
- BBSRAT
- BISCUIT
- BITSAdmin
- BLACKCOFFEE
- BONDUPDATER
- BOOTRASH
- BS2005
- BUBBLEWRAP
- BabyShark
- Backdoor.Oldrea
- BadPatch
- Bandook
- Bankshot
- Bisonal
- BlackEnergy
- Brave Prince
- CALENDAR
- CCBkdr
- CHOPSTICK
- CORALDECK
- CORESHELL
- Cachedump
- Calisto
- CallMe
- Cannon
- Carbanak
- Carbon
- Cardinal RAT
- Catchamas
- ChChes
- Chaos
- Cherry Picker
- China Chopper
- CloudDuke
- Cobalt Strike
- Cobian RAT
- CoinTicker
- ComRAT
- Comnie
- CosmicDuke
- CozyCar
- Crimson
- CrossRAT
- DOGCALL
- DarkComet
- Daserf
- DealersChoice
- Denis
- Derusbi
- Dipsind
- Dok
- DownPaper
- Downdelph
- Dridex
- Duqu
- DustySky
- Dyre
- ELMER
- Ebury
- Elise
- Emissary
- Emotet
- Empire
- Epic
- EvilBunny
- EvilGrab
- Exaramel for Linux
- Exaramel for Windows
- Expand
- FALLCHILL
- FELIXROOT
- FLASHFLOOD
- FLIPSIDE
- FTP
- FakeM
- Felismus
- Fgdump
- FinFisher
- Final1stspy
- Flame
- FlawedAmmyy
- FruitFly
- Fysbis
- GLOOXMAIL
- GRIFFON
- Gazer
- GeminiDuke
- Gold Dragon
- GravityRAT
- GreyEnergy
- H1N1
- HAMMERTOSS
- HARDRAIN
- HAWKBALL
- HIDEDRV
- HOMEFRY
- HOPLIGHT
- HTTPBrowser
- Hacking Team UEFI Rootkit
- Helminth
- Hi-Zor
- HiddenWasp
- Hikit
- Hydraq
- HyperBro
- ISMInjector
- Impacket
- InnaputRAT
- InvisiMole
- Ixeshe
- JCry
- JHUHUGIT
- JPIN
- Janicab
- KARAE
- KEYMARBLE
- KOMPROGO
- KONNI
- Kasidet
- Kazuar
- KeyBoy
- Keydnap
- Koadic
- Komplex
- Kwampirs
- LOWBALL
- LaZagne
- LightNeuron
- Linfo
- Linux Rabbit
- LoJax
- LockerGoga
- Lslsass
- Lurid
- MURKYTOP
- MacSpy
- Machete
- MailSniper
- Matroyshka
- Micropsia
- MimiPenguin
- Mimikatz
- MiniDuke
- MirageFox
- Mis-Type
- Misdat
- Mivast
- MoonWind
- More_eggs
- Mosquito
- NDiskMonitor
- NETEAGLE
- NETWIRE
- NOKKI
- NanHaiShu
- NanoCore
- NavRAT
- Net
- Net Crawler
- NetTraveler
- Nidiran
- NotPetya
- OLDBAIT
- OSInfo
- OSX/Shlayer
- OSX_OCEANLOTUS.D
- OceanSalt
- Octopus
- Olympic Destroyer
- OnionDuke
- OopsIE
- Orz
- OwaAuth
- P2P ZeuS
- PHOREAL
- PLAINTEE
- POORAIM
- POSHSPY
- POWERSOURCE
- POWERSTATS
- POWERTON
- POWRUNER
- PUNCHBUGGY
- PUNCHTRACK
- Pasam
- PinchDuke
- Pisloader
- PlugX
- PoisonIvy
- PoshC2
- PowerDuke
- PowerSploit
- PowerStallion
- Prikormka
- Proton
- Proxysvc
- PsExec
- Psylo
- Pteranodon
- Pupy
- QUADAGENT
- QuasarRAT
- RARSTONE
- RATANKBA
- RGDoor
- RIPTIDE
- ROCKBOOT
- ROKRAT
- RTM
- RawPOS
- Reaver
- RedLeaves
- Regin
- Remcos
- Remexi
- RemoteCMD
- Remsec
- Revenge RAT
- RobbinHood
- RogueRobin
- Rover
- Ruler
- RunningRAT
- S-Type
- SEASHARPEE
- SHOTPUT
- SLOWDRIFT
- SNUGRIDE
- SOUNDBITE
- SPACESHIP
- SQLRat
- Sakula
- SeaDuke
- Seasalt
- ServHelper
- Shamoon
- Skeleton Key
- Smoke Loader
- Socksbot
- SpeakUp
- SslMM
- Starloader
- StoneDrill
- StreamEx
- Sykipot
- SynAck
- Sys10
- T9000
- TDTESS
- TEXTMATE
- TURNEDUP
- TYPEFRAME
- Taidoor
- TinyZBot
- Tor
- TrickBot
- Trojan.Karagany
- Trojan.Mebromi
- Truvasys
- Twitoor
- UBoatRAT
- UPPERCUT
- USBStealer
- Umbreon
- Unknown Logger
- Ursnif
- VERMIN
- Vasport
- Volgmer
- WEBC2
- WannaCry
- Wiarp
- WinMM
- Windows Credential Editor
- Wingbird
- Winnti for Windows
- XAgentOSX
- XTunnel
- Xbash
- YAHOYAH
- ZLib
- Zebrocy
- ZeroT
- Zeus Panda
- ZxShell
- adbupd
- at
- cmd
- dsquery
- esentutl
- gh0st RAT
- gsecdump
- hcdLoader
- httpclient
- iKitten
- jRAT
- netsh
- njRAT
- pngdowner
- pwdump
- schtasks
- spwebmember
- yty
- zwShell
Minor Software changes: No changes
Software revocations: No changes
Software deprecations: No changes
PRE-ATT&CK
New Software: No changes
Software changes: No changes
Minor Software changes: No changes
Software revocations: No changes
Software deprecations: No changes
Mobile
New Software:
- Agent Smith
- Anubis
- Bread
- Cerberus
- Concipit1248
- Corona Updates
- DEFENSOR ID
- Dvmap
- EventBot
- Ginp
- GolfSpy
- INSOMNIA
- SimBad
- Triada
- TrickMo
- ViceLeaker
Software changes:
Minor Software changes:
Software revocations: No changes
Software deprecations: No changes
Groups
Enterprise
New Groups:
- APT-C-36
- BlackTech
- Blue Mockingbird
- Bouncing Golf
- Charming Kitten
- DarkVishnya
- Frankenstein
- Inception
- Mofang
- Rocke
- Sharpshooter
- Whitefly
- Windshift
- Wizard Spider
Group changes:
- APT1
- APT12
- APT18
- APT19
- APT28
- APT29
- APT3
- APT32
- APT33
- APT37
- APT38
- APT39
- APT41
- Axiom
- BRONZE BUTLER
- Carbanak
- Cleaver
- Cobalt Group
- CopyKittens
- Dark Caracal
- DarkHydrus
- Darkhotel
- Deep Panda
- Dragonfly 2.0
- Elderwood
- Equation
- FIN10
- FIN4
- FIN5
- FIN6
- FIN7
- FIN8
- GCMAN
- Gallmaker
- Gamaredon Group
- Gorgon Group
- Group5
- Honeybee
- Ke3chang
- Kimsuky
- Lazarus Group
- Leafminer
- Leviathan
- Machete
- Magic Hound
- Moafee
- Molerats
- MuddyWater
- Naikon
- Night Dragon
- OilRig
- Orangeworm
- PLATINUM
- Patchwork
- PittyTiger
- Poseidon Group
- Putter Panda
- RTM
- Rancor
- Scarlet Mimic
- Silence
- SilverTerrier
- Soft Cell
- Sowbug
- Stealth Falcon
- Stolen Pencil
- Strider
- Suckfly
- TA459
- TA505
- TEMP.Veles
- The White Company
- Threat Group-1314
- Threat Group-3390
- Thrip
- Tropic Trooper
- Turla
- WIRTE
- admin@338
- menuPass
Minor Group changes:
Group revocations: No changes
Group deprecations: No changes
Group deletions:
- Charming Kitten
PRE-ATT&CK
New Groups: No changes
Group changes:
Minor Group changes: No changes
Group revocations: No changes
Group deprecations: No changes
Mobile
New Groups:
Group changes:
Minor Group changes: No changes
Group revocations: No changes
Group deprecations: No changes
Mitigations
Enterprise
New Mitigations: No changes
Mitigation changes:
- Active Directory Configuration - Sub or technique relationships updated
- Antivirus/Antimalware - Sub or technique relationships updated
- Application Isolation and Sandboxing - Sub or technique relationships updated
- Audit - Sub or technique relationships updated
- Code Signing - Sub or technique relationships updated
- Credential Access Protection - Sub or technique relationships updated
- Data Backup - Sub or technique relationships updated
- Disable or Remove Feature or Program - Sub or technique relationships updated
- Execution Prevention - Sub or technique relationships updated
- Exploit Protection - Sub or technique relationships updated
- Network Segmentation - Sub or technique relationships updated
- Operating System Configuration - Sub or technique relationships updated
- Privileged Account Management - Sub or technique relationships updated
- Privileged Process Integrity - Sub or technique relationships updated
- Restrict File and Directory Permissions - Sub or technique relationships updated
- Software Configuration - Sub or technique relationships updated
- User Account Control - Sub or technique relationships updated
- User Account Management - Sub or technique relationships updated
- User Training - Sub or technique relationships updated
- Vulnerability Scanning - Sub or technique relationships updated
Minor Mitigation changes:
- Boot Integrity
- Filter Network Traffic
- Limit Access to Resource Over Network
- Limit Hardware Installation
Mitigation revocations: No changes
Mitigation deprecations: No changes
Mitigation deletions:
These are old mitigations that are no longer in use.
- Account Manipulation Mitigation
- Command-Line Interface Mitigation
- Connection Proxy Mitigation
- Execution through API Mitigation
- Exfiltration Over Alternative Protocol Mitigation
- File Permissions Modification Mitigation
- Input Capture Mitigation
- Obfuscated Files or Information Mitigation
- Office Application Startup Mitigation
- Process Injection Mitigation
- Remote Services Mitigation
- Signed Binary Proxy Execution Mitigation
- Standard Application Layer Protocol Mitigation
- Trusted Developer Utilities Mitigation
- Virtualization/Sandbox Evasion Mitigation
- Windows Management Instrumentation Mitigation
PRE-ATT&CK
New Mitigations: No changes
Mitigation changes: No changes
Minor Mitigation changes: No changes
Mitigation revocations: No changes
Mitigation deprecations: No changes
Mobile
New Mitigations: No changes
Mitigation changes: No changes
Minor Mitigation changes:
Mitigation revocations: No changes
Mitigation deprecations: No changes
The July 2020 (v7) ATT&CK release updates Techniques, Groups, and Software for both Enterprise and Mobile. ATT&CK with sub-techniques was released as a beta in March 2020 (v7-beta); this changelog covers the updates made between the beta and the final release.
Major errata fixed from the v7 (March 2020) Beta
- Traffic Signaling - Was incorrectly re-IDed to T1545 in the beta; restored to T1205, and its sub-technique was changed to T1205.001
- Indicator Removal on Host - Was incorrectly re-IDed to T1551 in the beta; restored to T1070, and its sub-techniques were changed to T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, and T1070.006
- Commonly Used Port - Was revoked by T1571 in the beta; corrected to be deprecated instead
Techniques
Enterprise
View enterprise technique updates in the ATT&CK Navigator here.
New Techniques:
- Account Manipulation: SSH Authorized Keys - Created as distinct behavior within Account Manipulation
- Command and Scripting Interpreter: JavaScript/JScript - Created as distinct behavior within Command and Scripting Interpreter
- Execution Guardrails: Environmental Keying - Broken out from pre-defined behavior within Execution Guardrails
- Hide Artifacts: Hidden File System - Created as distinct behavior within Hide Artifacts
- Hide Artifacts: Run Virtual Instance - Created as distinct behavior within Hide Artifacts
- Hijack Execution Flow: COR_PROFILER - Created as distinct behavior within Hijack Execution Flow
- Impair Defenses: Disable or Modify Cloud Firewall - Created as distinct behavior within Impair Defenses
- Modify Authentication Process: Pluggable Authentication Modules - Created as distinct behavior within Modify Authentication Process
- Modify Cloud Compute Infrastructure - Created to consolidate behaviors around defense evasion through the cloud compute service
- Create Cloud Instance - Created as distinct behavior within Modify Cloud Compute Infrastructure
- Create Snapshot - Created as distinct behavior within Modify Cloud Compute Infrastructure
- Delete Cloud Instance - Created as distinct behavior within Modify Cloud Compute Infrastructure
- Revert Cloud Instance - Existing technique that became a sub-technique
Technique changes:
- Account Manipulation - New sub-technique added
- Cloud Service Discovery - Minor description update
- Command and Scripting Interpreter - New sub-techniques added
- Unix Shell - Sub-technique renamed
- Execution Guardrails - New sub-technique added
- Hide Artifacts - New sub-techniques added
- Hijack Execution Flow - New sub-technique added
- Impair Defenses - New sub-technique added
- Indicator Removal on Host - Technique renumbered
- Clear Command History - Sub-technique renumbered
- Clear Linux or Mac System Logs - Sub-technique renumbered
- Clear Windows Event Logs - Sub-technique renumbered
- File Deletion - Sub-technique renumbered
- Network Share Connection Removal - Sub-technique renumbered
- Timestomp - Sub-technique renumbered
- Modify Authentication Process - New sub-technique added
- Process Injection: Ptrace System Calls - Platform removed
- Process Injection: VDSO Hijacking - Platform removed
- Process Injection: Proc Memory - Platform removed
- Traffic Signaling - Technique renumbered and scope broadened
- Port Knocking - Sub-technique renumbered
Minor Technique changes:
- Abuse Elevation Control Mechanism
- Access Token Manipulation
- Account Manipulation: Additional Azure Service Principal Credentials
- Account Manipulation: Exchange Email Delegate Permissions
- Automated Collection
- Boot or Logon Autostart Execution
- Clipboard Data
- Command and Scripting Interpreter: AppleScript
- Command and Scripting Interpreter: PowerShell
- Command and Scripting Interpreter: Python
- Command and Scripting Interpreter: Visual Basic
- Data Staged
- Data from Information Repositories
- Data from Local System
- Defacement
- Event Triggered Execution
- External Remote Services
- Forced Authentication
- Hijack Execution Flow: DLL Side-Loading
- Hijack Execution Flow: Dylib Hijacking
- Hijack Execution Flow: LD_PRELOAD
- Hijack Execution Flow: Path Interception by PATH Environment Variable
- Hijack Execution Flow: Services Registry Permissions Weakness
- Indirect Command Execution
- Internal Spearphishing
- Masquerading
- Native API
- OS Credential Dumping
- Obfuscated Files or Information
- Office Application Startup
- Pre-OS Boot
- Process Injection
- Proxy
- Remote Access Software
- Remote System Discovery
- Rootkit
- Server Software Component
- Signed Binary Proxy Execution
- Signed Script Proxy Execution
- Software Discovery
- Steal Web Session Cookie
- Subvert Trust Controls
- System Services
- Taint Shared Content
- Template Injection
- Trusted Developer Utilities Proxy Execution
- Unsecured Credentials
- Valid Accounts
- Virtualization/Sandbox Evasion
- Windows Management Instrumentation
- XSL Script Processing
Technique revocations:
- Revert Cloud Instance (revoked by Modify Cloud Compute Infrastructure: Revert Cloud Instance)
Technique deprecations:
- Commonly Used Port - Was incorrectly revoked in the beta release and is now deprecated
Technique deletions:
PRE-ATT&CK
New Techniques: No changes
Technique changes: No changes
Minor Technique changes: No changes
Technique revocations: No changes
Technique deprecations: No changes
Mobile
View mobile technique updates in the ATT&CK Navigator here.
New Techniques:
Technique changes:
- Input Capture
- Input Injection
- Input Prompt
- Masquerade as Legitimate Application
- Screen Capture
- System Network Configuration Discovery
Minor Technique changes:
Technique revocations: No changes
Technique deprecations: No changes
Software
Enterprise
New Software:
- ABK
- Aria-body
- Attor
- Avenger
- BBK
- BackConfig
- Bundlore
- CARROTBALL
- CARROTBAT
- Cadelspy
- Get2
- Goopy
- HotCroissant
- Imminent Monitor
- Kivars
- Lokibot
- LoudMiner
- MAZE
- MESSAGETAP
- MechaFlounder
- Metamorfo
- Netwalker
- Okrum
- PLEAD
- PoetRAT
- Pony
- PowerShower
- Ragnar Locker
- Ramsay
- Rifdoor
- Rising Sun
- Ryuk
- SDBot
- SHARPSTATS
- SYSCON
- ShimRat
- ShimRatReporter
- Skidmap
- TSCookie
- TajMahal
- USBferry
- VBShower
- Valak
- WindTail
- Winnti for Linux
- build_downer
- down_new
Software changes:
Minor Software changes:
- Agent Tesla
- Astaroth
- BOOTRASH
- BlackEnergy
- Brave Prince
- Chaos
- Cobalt Strike
- ComRAT
- Denis
- DustySky
- Dyre
- Emotet
- Exaramel for Windows
- GRIFFON
- Gold Dragon
- Hi-Zor
- Hikit
- HyperBro
- Impacket
- NanHaiShu
- NotPetya
- OSX_OCEANLOTUS.D
- POWERSTATS
- PUNCHBUGGY
- PlugX
- Proton
- Pteranodon
- Pupy
- ROKRAT
- RTM
- Regin
- Ruler
- RunningRAT
- ServHelper
- Shamoon
- Sykipot
- TYPEFRAME
- Tor
- Umbreon
- Ursnif
- WannaCry
- Xbash
- YAHOYAH
- jRAT
Software revocations: No changes
Software deprecations: No changes
PRE-ATT&CK
New Software: No changes
Software changes: No changes
Minor Software changes: No changes
Software revocations: No changes
Software deprecations: No changes
Mobile
New Software:
- Agent Smith
- Anubis
- Bread
- Cerberus
- Concipit1248
- Corona Updates
- DEFENSOR ID
- EventBot
- Ginp
- INSOMNIA
- Triada
- TrickMo
Software changes: No changes
Minor Software changes: No changes
Software revocations: No changes
Software deprecations: No changes
Groups
Enterprise
New Groups:
- APT-C-36
- BlackTech
- Blue Mockingbird
- Charming Kitten
- DarkVishnya
- Frankenstein
- Inception
- Mofang
- Rocke
- Sharpshooter
- Whitefly
- Windshift
- Wizard Spider
Group changes:
Minor Group changes:
- APT19
- APT33
- APT37
- APT39
- APT41
- BRONZE BUTLER
- Cobalt Group
- Dark Caracal
- DarkHydrus
- Deep Panda
- Equation
- FIN4
- FIN6
- FIN7
- Gamaredon Group
- Honeybee
- Lazarus Group
- Leafminer
- Molerats
- MuddyWater
- OilRig
- Patchwork
- RTM
- Sandworm Team
- Silence
- SilverTerrier
- Strider
- TA505
- Tropic Trooper
- Turla
- Winnti Group
Group revocations: No changes
Group deprecations: No changes
Group deletions:
- Charming Kitten
PRE-ATT&CK
New Groups: No changes
Group changes: No changes
Minor Group changes: No changes
Group revocations: No changes
Group deprecations: No changes
Mobile
New Groups: No changes
Group changes: No changes
Minor Group changes:
Group revocations: No changes
Group deprecations: No changes
Mitigations
Enterprise
New Mitigations: No changes
Mitigation changes:
Minor Mitigation changes:
- Active Directory Configuration
- Boot Integrity
- Execution Prevention
- Exploit Protection
- Filter Network Traffic
- Limit Access to Resource Over Network
- Limit Hardware Installation
- Network Segmentation
- Operating System Configuration
- Privileged Process Integrity
- Restrict File and Directory Permissions
- User Account Management
Mitigation revocations: No changes
Mitigation deprecations: No changes
PRE-ATT&CK
New Mitigations: No changes
Mitigation changes: No changes
Minor Mitigation changes: No changes
Mitigation revocations: No changes
Mitigation deprecations: No changes
Mobile
New Mitigations: No changes
Mitigation changes: No changes
Minor Mitigation changes:
Mitigation revocations: No changes
Mitigation deprecations: No changes