Updates - March 2020

Version: ATT&CK v7-beta
Start Date: March 31, 2020
End Date: July 7, 2020
Data: v7.0-beta on MITRE/CTI

The March 2020 update for ATT&CK contains the beta release of sub-techniques for the Enterprise ATT&CK content. The beta site will be separate from the main (and still official) ATT&CK content for a period of approximately 3 months to allow for feedback and for users to assess their transition plans to ATT&CK with sub-techniques.

In total, the sub-technique version of ATT&CK for Enterprise contains 156 techniques (reduced from 266) and 260 sub-techniques.

See the accompanying blog post for more details.

Techniques

Enterprise

View enterprise technique updates in the ATT&CK Navigator here.

New Techniques:

  • Abuse Elevation Control Mechanism - Created to consolidate similar behaviors that take advantage of elevation control
  • Access Token Manipulation: Create Process with Token - Broken out from pre-defined behavior within Access Token Manipulation
  • Access Token Manipulation: Make and Impersonate Token - Broken out from pre-defined behavior within Access Token Manipulation
  • Access Token Manipulation: Parent PID Spoofing - Added due to manipulation of tokens
  • Access Token Manipulation: SID-History Injection - Added due to manipulation of token information
  • Access Token Manipulation: Token Impersonation/Theft - Broken out from pre-defined behavior within Access Token Manipulation
  • Account Discovery: Cloud Account - Added for parity with Create Account
  • Account Discovery: Domain Account - Added for parity with Create Account
  • Account Discovery: Email Account - Broken out from pre-defined behavior within Account Discovery
  • Account Discovery: Local Account - Added for parity with Create Account
  • Account Manipulation: Add Office 365 Global Administrator Role - Broken out from pre-defined behavior within Account Manipulation
  • Account Manipulation: Additional Azure Service Principal Credentials - Broken out from pre-defined behavior within Account Manipulation
  • Account Manipulation: Exchange Email Delegate Permissions - Broken out from pre-defined behavior within Account Manipulation
  • Application Layer Protocol: DNS - Created as distinct behavior due to how Application Layer Protocols are used for C2
  • Application Layer Protocol: File Transfer Protocols - Created as distinct behavior due to how Application Layer Protocols are used for C2
  • Application Layer Protocol: Mail Protocols - Created as distinct behavior due to how Application Layer Protocols are used for C2
  • Application Layer Protocol: Web Protocols - Created as distinct behavior due to how Application Layer Protocols are used for C2
  • Archive Collected Data - Created to consolidate behavior around encrypting and compressing collected data
  • Boot or Logon Autostart Execution - Created to consolidate similar autostart execution locations
  • Boot or Logon Initialization Scripts: Logon Script (Mac) - Existing technique that became a sub-technique
  • Boot or Logon Initialization Scripts: Logon Script (Windows) - Existing technique that became a sub-technique
  • Boot or Logon Initialization Scripts: Network Logon Script - Existing technique that became a sub-technique
  • Boot or Logon Initialization Scripts: Rc.common - Existing technique that became a sub-technique
  • Boot or Logon Initialization Scripts: Startup Items - Existing technique that became a sub-technique
  • Brute Force: Credential Stuffing - Created as distinct behavior variation of Brute Force
  • Brute Force: Password Cracking - Broken out from pre-defined behavior within Brute Force
  • Brute Force: Password Guessing - Broken out from pre-defined behavior within Brute Force
  • Brute Force: Password Spraying - Broken out from pre-defined behavior within Brute Force
  • Command and Scripting Interpreter: AppleScript - Existing technique that became a sub-technique
  • Command and Scripting Interpreter: Bash - Existing technique that became a sub-technique
  • Command and Scripting Interpreter: PowerShell - Existing technique that became a sub-technique
  • Command and Scripting Interpreter: Python - Created as distinct behavior within Command and Scripting Interpreter
  • Command and Scripting Interpreter: VBScript - Created as distinct behavior within Command and Scripting Interpreter
  • Command and Scripting Interpreter: Windows Command Shell - Existing technique that became a sub-technique
  • Compromise Client Software Binary - New technique based on contribution
  • Create Account: Cloud Account - Broken out from pre-defined behavior within Create Account
  • Create Account: Domain Account - Broken out from pre-defined behavior within Create Account
  • Create Account: Local Account - Broken out from pre-defined behavior within Create Account
  • Create or Modify System Process - Created to consolidate behavior around system-level processes
    • Launch Agent - Existing technique that became a sub-technique
    • Launch Daemon - Existing technique that became a sub-technique
    • Systemd Service - Existing technique that became a sub-technique
    • Windows Service - Existing technique that became a sub-technique. Consolidates Modify Existing Service and New Service techniques into one sub-technique
  • Credentials from Password Stores - Created to consolidate locations where passwords are stored
  • Data Encoding: Non-Standard Encoding - Broken out from pre-defined behavior within Data Encoding
  • Data Encoding: Standard Encoding - Broken out from pre-defined behavior within Data Encoding
  • Data Obfuscation: Junk Data - Broken out from pre-defined behavior within Data Obfuscation
  • Data Obfuscation: Protocol Impersonation - Broken out from pre-defined behavior within Data Obfuscation
  • Data Obfuscation: Steganography - Broken out from pre-defined behavior within Data Obfuscation
  • Data Staged: Local Data Staging - Broken out from pre-defined behavior within Data Staged
  • Data Staged: Remote Data Staging - Broken out from pre-defined behavior within Data Staged
  • Data from Information Repositories: Confluence - Broken out from pre-defined behavior within Data from Information Repositories
  • Data from Information Repositories: Sharepoint - Broken out from pre-defined behavior within Data from Information Repositories
  • Defacement: External Defacement - Broken out from pre-defined behavior within Defacement
  • Defacement: Internal Defacement - Broken out from pre-defined behavior within Defacement
  • Disk Wipe - Created to consolidate behavior around disk wiping
  • Dynamic Resolution - Created to consolidate behavior around dynamic C2 behavior
  • Email Collection: Email Forwarding Rule - Broken out from pre-defined behavior within Email Collection
  • Email Collection: Local Email Collection - Broken out from pre-defined behavior within Email Collection
  • Email Collection: Remote Email Collection - Broken out from pre-defined behavior within Email Collection
  • Encrypted Channel - Created to consolidate behavior around encrypted C2
  • Endpoint Denial of Service: Application Exhaustion Flood - Broken out from pre-defined behavior within Endpoint Denial of Service
  • Endpoint Denial of Service: Application or System Exploitation - Broken out from pre-defined behavior within Endpoint Denial of Service
  • Endpoint Denial of Service: OS Exhaustion Flood - Broken out from pre-defined behavior within Endpoint Denial of Service
  • Endpoint Denial of Service: Service Exhaustion Flood - Broken out from pre-defined behavior within Endpoint Denial of Service
  • Event Triggered Execution - Created to consolidate persistence behavior due to adversary or user initiated actions
  • Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
  • Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - Broken out from pre-defined behavior within Exfiltration Over Alternative Protocol
  • Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth - Broken out from pre-defined behavior within Exfiltration Over Other Network Medium
  • Exfiltration Over Physical Medium: Exfiltration over USB - Broken out from pre-defined behavior within Exfiltration Over Physical Medium
  • Exfiltration Over Web Service - Created to consolidate behaviors around exfiltration to legitimate web services
  • File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification - Broken out from pre-defined behavior within File and Directory Permissions Modification
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification - Broken out from pre-defined behavior within File and Directory Permissions Modification
  • Hide Artifacts - Created to consolidate behaviors around defense evasion through creating hidden objects that may be difficult to see
  • Hijack Execution Flow - Created to consolidate behaviors around running executable code by placing it where it would be executed by a legitimate process
  • Impair Defenses - Created to consolidate behaviors that prevent a defense from working as intended
  • Indicator Removal on Host: Clear Command History - Existing technique that became a sub-technique
  • Indicator Removal on Host: Clear Linux or Mac System Logs - Broken out from pre-defined behavior within Indicator Removal on Host
  • Indicator Removal on Host: Clear Windows Event Logs - Broken out from pre-defined behavior within Indicator Removal on Host
  • Indicator Removal on Host: File Deletion - Existing technique that became a sub-technique
  • Indicator Removal on Host: Network Share Connection Removal - Existing technique that became a sub-technique
  • Indicator Removal on Host: Timestomp - Existing technique that became a sub-technique
  • Input Capture: Credential API Hooking - Existing technique that became a sub-technique and was renamed from API Hooking. Scope change to only credential access for API hooking was based on available procedure examples
  • Input Capture: GUI Input Capture - Broken out from pre-defined behavior within Input Capture
  • Input Capture: Keylogging - Broken out from pre-defined behavior within Input Capture
  • Input Capture: Web Portal Capture - Broken out from pre-defined behavior within Input Capture
  • Inter-Process Communication - Created to consolidate behavior related to using IPC for local system execution
  • Lateral Tool Transfer - Broken out from pre-defined behavior within the prior Remote File Copy technique to focus on file transfer within a network
  • Man-in-the-Middle - Created to consolidate behavior related to setting up man-in-the-middle condition within a network
  • Masquerading: Invalid Code Signature - Created based on procedure examples within Code Signing as a distinct behavior using invalid digital signatures
  • Masquerading: Masquerade Task or Service - Broken out from pre-defined behavior within Masquerading
  • Masquerading: Match Legitimate Name or Location - Broken out from pre-defined behavior within Masquerading
  • Masquerading: Rename System Utilities - Broken out from pre-defined behavior within Masquerading
  • Masquerading: Right-to-Left Override - Broken out from pre-defined behavior within Masquerading
  • Masquerading: Space after Filename - Existing technique that became a sub-technique
  • Modify Authentication Process - Created to consolidate behavior related to changing the authentication process previously under Account Manipulation
  • Network Denial of Service: Direct Network Flood - Broken out from pre-defined behavior within Network Denial of Service
  • Network Denial of Service: Reflection Amplification - Broken out from pre-defined behavior within Network Denial of Service
  • Non-Standard Port - Created to refine the idea behind the prior Commonly Used Port and Uncommonly Used Port techniques, focusing the behavior on use of a port that is non-standard for the C2 protocol in use
  • OS Credential Dumping: /etc/passwd and /etc/shadow - Broken out from pre-defined behavior within OS Credential Dumping
  • OS Credential Dumping: Cached Domain Credentials - Broken out from pre-defined behavior within OS Credential Dumping
  • OS Credential Dumping: DCSync - Broken out from pre-defined behavior within OS Credential Dumping
  • OS Credential Dumping: LSA Secrets - Broken out from pre-defined behavior within OS Credential Dumping
  • OS Credential Dumping: LSASS Memory - Broken out from pre-defined behavior within OS Credential Dumping
  • OS Credential Dumping: NTDS - Broken out from pre-defined behavior within OS Credential Dumping
  • OS Credential Dumping: Proc Filesystem - Broken out from pre-defined behavior within OS Credential Dumping
  • OS Credential Dumping: Security Account Manager - Broken out from pre-defined behavior within OS Credential Dumping
  • Obfuscated Files or Information: Binary Padding - Existing technique that became a sub-technique
  • Obfuscated Files or Information: Compile After Delivery - Existing technique that became a sub-technique
  • Obfuscated Files or Information: Indicator Removal from Tools - Existing technique that became a sub-technique
  • Obfuscated Files or Information: Software Packing - Existing technique that became a sub-technique
  • Obfuscated Files or Information: Steganography - Broken out from pre-defined behavior within Obfuscated Files or Information
  • Office Application Startup: Add-ins - Broken out from pre-defined behavior within Office Application Startup
  • Office Application Startup: Office Template Macros - Broken out from pre-defined behavior within Office Application Startup
  • Office Application Startup: Office Test - Broken out from pre-defined behavior within Office Application Startup
  • Office Application Startup: Outlook Forms - Broken out from pre-defined behavior within Office Application Startup
  • Office Application Startup: Outlook Home Page - Broken out from pre-defined behavior within Office Application Startup
  • Office Application Startup: Outlook Rules - Broken out from pre-defined behavior within Office Application Startup
  • Permission Groups Discovery: Cloud Groups - Broken out from pre-defined behavior within Permission Groups Discovery in a way that has parity with Account Discovery
  • Permission Groups Discovery: Domain Groups - Broken out from pre-defined behavior within Permission Groups Discovery in a way that has parity with Account Discovery
  • Permission Groups Discovery: Local Groups - Broken out from pre-defined behavior within Permission Groups Discovery in a way that has parity with Account Discovery
  • Phishing - Created to consolidate behavior around phishing and spearphishing
  • Pre-OS Boot - Created to consolidate behavior around persistence that loads before the OS boots
  • Process Injection: Asynchronous Procedure Call - Existing technique that became a sub-technique
  • Process Injection: Dynamic-link Library Injection - Broken out from pre-defined behavior within Process Injection
  • Process Injection: Extra Window Memory Injection - Broken out from pre-defined behavior within Process Injection
  • Process Injection: Portable Executable Injection - Broken out from pre-defined behavior within Process Injection
  • Process Injection: Proc Memory - Broken out from pre-defined behavior within Process Injection
  • Process Injection: Process Doppelgänging - Existing technique that became a sub-technique
  • Process Injection: Process Hollowing - Existing technique that became a sub-technique
  • Process Injection: Ptrace System Calls - Broken out from pre-defined behavior within Process Injection
  • Process Injection: Thread Execution Hijacking - Broken out from pre-defined behavior within Process Injection
  • Process Injection: Thread Local Storage - Broken out from pre-defined behavior within Process Injection
  • Process Injection: VDSO Hijacking - Broken out from pre-defined behavior within Process Injection
  • Protocol Tunneling - Created to define behavior broken out from the prior Standard Application and Standard Cryptographic Protocol techniques
  • Proxy: Domain Fronting - Existing technique that became a sub-technique
  • Proxy: External Proxy - Broken out from pre-defined behavior within Connection Proxy
  • Proxy: Internal Proxy - Broken out from pre-defined behavior within Connection Proxy
  • Proxy: Multi-hop Proxy - Existing technique that became a sub-technique
  • Remote Service Session Hijacking - Created to consolidate behavior related to hijacking existing remote connection sessions
    • RDP Hijacking - Broken out from pre-defined behavior within Remote Desktop Protocol
    • SSH Hijacking - Existing technique that became a sub-technique
  • Remote Services: Distributed Component Object Model - Broken out from pre-defined behavior within the Component Object Model and Distributed COM technique
  • Remote Services: Remote Desktop Protocol - Existing technique that became a sub-technique
  • Remote Services: SMB/Windows Admin Shares - Existing technique that became a sub-technique and was renamed from Windows Admin Shares
  • Remote Services: SSH - Broken out from pre-defined behavior within the Remote Services technique
  • Remote Services: VNC - Broken out from pre-defined behavior within the Remote Services technique
  • Remote Services: Windows Remote Management - Existing technique that became a sub-technique
  • Scheduled Task/Job: At (Linux) - Broken out from pre-defined behavior within the prior Local Job Scheduling technique
  • Scheduled Task/Job: At (Windows) - Broken out from pre-defined behavior within the prior Scheduled Task technique
  • Scheduled Task/Job: Cron - Broken out from pre-defined behavior within the prior Local Job Scheduling technique
  • Scheduled Task/Job: Launchd - Existing technique that became a sub-technique
  • Scheduled Task/Job: Scheduled Task - Existing technique that became a sub-technique
  • Server Software Component: SQL Stored Procedures - Broken out from pre-defined behavior within the Server Software Component technique
  • Server Software Component: Transport Agent - Broken out from pre-defined behavior within the Server Software Component technique
  • Server Software Component: Web Shell - Existing technique that became a sub-technique
  • Signed Binary Proxy Execution: CMSTP - Existing technique that became a sub-technique
  • Signed Binary Proxy Execution: Compiled HTML File - Existing technique that became a sub-technique
  • Signed Binary Proxy Execution: Control Panel - Existing technique that became a sub-technique
  • Signed Binary Proxy Execution: InstallUtil - Existing technique that became a sub-technique
  • Signed Binary Proxy Execution: Mshta - Existing technique that became a sub-technique
  • Signed Binary Proxy Execution: Msiexec - Broken out from pre-defined behavior within the Signed Binary Proxy Execution technique
  • Signed Binary Proxy Execution: Odbcconf - Broken out from pre-defined behavior within the Signed Binary Proxy Execution technique
  • Signed Binary Proxy Execution: Regsvcs/Regasm - Existing technique that became a sub-technique
  • Signed Binary Proxy Execution: Regsvr32 - Existing technique that became a sub-technique
  • Signed Binary Proxy Execution: Rundll32 - Existing technique that became a sub-technique
  • Signed Script Proxy Execution: PubPrn - Existing technique that became a sub-technique
  • Software Discovery: Security Software Discovery - Existing technique that became a sub-technique
  • Steal or Forge Kerberos Tickets - Created to consolidate behavior related to Kerberos tickets
    • Golden Ticket - Broken out from pre-defined behavior within Pass the Ticket technique
    • Kerberoasting - Existing technique that became a sub-technique
    • Silver Ticket - Broken out from pre-defined behavior within Pass the Ticket technique
  • Subvert Trust Controls - Created to consolidate behavior related to getting around trust controls
  • Supply Chain Compromise: Compromise Hardware Supply Chain - Broken out from pre-defined behavior within Supply Chain Compromise
  • Supply Chain Compromise: Compromise Software Dependencies and Development Tools - Broken out from pre-defined behavior within Supply Chain Compromise
  • Supply Chain Compromise: Compromise Software Supply Chain - Broken out from pre-defined behavior within Supply Chain Compromise
  • System Services - Created to consolidate behaviors related to execution of binaries through system services
  • Traffic Signaling - Created to consolidate behaviors around specifically formed network traffic that is used as a trigger to take an action
    • Port Knocking - Existing technique that became a sub-technique
  • Trusted Developer Utilities Proxy Execution: MSBuild - Broken out from pre-defined behavior within Trusted Developer Utilities Proxy Execution
  • Unsecured Credentials - Created to consolidate places where unsecured credentials may be kept
  • Use Alternate Authentication Material - Created to consolidate behavior related to use of non-password based credential material
  • User Execution: Malicious File - Broken out from pre-defined behavior within User Execution
  • User Execution: Malicious Link - Broken out from pre-defined behavior within User Execution
  • Valid Accounts: Cloud Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
  • Valid Accounts: Default Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
  • Valid Accounts: Domain Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
  • Valid Accounts: Local Accounts - Broken out from pre-defined behavior within Valid Accounts in a way that has parity with Create Account
  • Virtualization/Sandbox Evasion: System Checks - Broken out from pre-defined behavior within Virtualization/Sandbox Evasion
  • Virtualization/Sandbox Evasion: Time Based Evasion - Broken out from pre-defined behavior within Virtualization/Sandbox Evasion
  • Virtualization/Sandbox Evasion: User Activity Based Checks - Broken out from pre-defined behavior within Virtualization/Sandbox Evasion
  • Web Service: Bidirectional Communication - Broken out from pre-defined behavior within Web Service
  • Web Service: Dead Drop Resolver - Broken out from pre-defined behavior within Web Service
  • Web Service: One-Way Communication - Broken out from pre-defined behavior within Web Service

Technique changes:

Technique changes are largely due to new sub-techniques being added, name changes, or both.

Minor Technique changes:

Technique revocations:

Technique deprecations:

  • Component Object Model and Distributed COM - Deprecated and split into separate Component Object Model and Distributed Component Object Model sub-techniques. Existing Group/Software procedure examples were remapped appropriately
  • Graphical User Interface - Deprecated from ATT&CK because the behavior is redundant and implied by use of remote desktop tools like Remote Desktop Protocol. Existing Group/Software procedure examples were remapped appropriately
  • Hypervisor - Deprecated from ATT&CK due to lack of in-the-wild use
  • LC_MAIN Hijacking - Deprecated from ATT&CK due to lack of in-the-wild use
  • Multiband Communication - Deprecated from ATT&CK due to lack of in-the-wild use. Existing Group/Software procedure examples did not fit the core idea behind the technique
  • Path Interception - Deprecated and split into separate Unquoted Path, PATH Environment Variable, and Search Order Hijacking sub-techniques. Existing Group/Software procedure examples were remapped appropriately
  • Redundant Access - Deprecated from ATT&CK because the behavior is too high level and is sufficiently covered by Valid Accounts and External Remote Services. Existing Group/Software procedure examples were remapped appropriately
  • Scripting - Deprecated and split into separate Bash, VBScript, and Python sub-techniques of Command and Scripting Interpreter. Existing Group/Software procedure examples were remapped appropriately
  • Shared Webroot - Deprecated from ATT&CK due to lack of in-the-wild use
  • Source - Deprecated from ATT&CK due to lack of in-the-wild use

PRE-ATT&CK

New Techniques: No changes

Technique changes: No changes

Minor Technique changes: No changes

Technique revocations: No changes

Technique deprecations:

Mobile

View mobile technique updates in the ATT&CK Navigator here.

New Techniques:

Technique changes:

Minor Technique changes:

Technique revocations: No changes

Technique deprecations: No changes

Software

Enterprise

New Software: No changes

Software changes:

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

PRE-ATT&CK

New Software: No changes

Software changes: No changes

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Mobile

New Software:

Software changes:

Minor Software changes:

Software revocations: No changes

Software deprecations: No changes

Groups

Enterprise

New Groups:

Group changes:

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

PRE-ATT&CK

New Groups: No changes

Group changes:

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mobile

New Groups:

Group changes:

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mitigations

Enterprise

New Mitigations: No changes

Mitigation changes:

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mitigation deletions:

These are old mitigations that are no longer in use.

  • Account Manipulation Mitigation
  • Command-Line Interface Mitigation
  • Connection Proxy Mitigation
  • Execution through API Mitigation
  • Exfiltration Over Alternative Protocol Mitigation
  • File Permissions Modification Mitigation
  • Input Capture Mitigation
  • Obfuscated Files or Information Mitigation
  • Office Application Startup Mitigation
  • Process Injection Mitigation
  • Remote Services Mitigation
  • Signed Binary Proxy Execution Mitigation
  • Standard Application Layer Protocol Mitigation
  • Trusted Developer Utilities Mitigation
  • Virtualization/Sandbox Evasion Mitigation
  • Windows Management Instrumentation Mitigation

PRE-ATT&CK

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mobile

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes