
Updates - October 2019

The October 2019 ATT&CK release updates techniques, Groups, and Software for both Enterprise and Mobile. The biggest change is the addition of cloud-focused techniques.

ATT&CK for Cloud

36 techniques have been added or updated to cover adversary behavior against cloud-based platforms. We’ve added three infrastructure as a service (IaaS) platforms: Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP). The software as a service (SaaS) platform covers techniques against general cloud-based software platforms. Separately from IaaS and SaaS, we've also added two cloud software platforms, Azure Active Directory (Azure AD) and Office 365, to cover techniques against those specific platforms.

New techniques and updates for cloud:

The majority of the people and organizations we talked to while defining what ATT&CK means in a cloud environment said that they consider it an extension of an enterprise network, so we made it part of ATT&CK for Enterprise instead of creating a separate model. The ATT&CK for Cloud matrix, along with the individual platforms, can still be viewed separately from the rest of the Enterprise matrix. Because web applications are increasingly treated as the new perimeter in cloud environments, we've had to expand the definition of Lateral Movement a bit to cover access to and interaction with cloud-based systems and services. Credential material such as web browser cookies and application access tokens (for example, OAuth tokens) is commonplace and is targeted to gain access to cloud-based software.

The current list of cloud platforms was selected based on input from contributors and what has been reported in incidents. We plan on re-evaluating them as needed to expand or refine them based on the threat landscape.

We shifted priorities a bit this year to this effort because of the overwhelming demand for cloud coverage in ATT&CK. The lack of public incident reporting made it difficult to do, but we were able to use a lot of the community's expertise and knowledge in building it. ATT&CK for Cloud is the first new technology domain that has been created based on almost 100% community contributions for technique ideas! Cloud is by no means finished. We will continue to build out additional cloud-based techniques for another release next year.

Techniques

Enterprise

View enterprise technique updates in the ATT&CK Navigator here.

New Techniques:

Technique deletions: No changes

Technique changes:

Technique revocations: No changes

Technique deprecations: No changes

Minor Technique changes:

PRE-ATT&CK

New Techniques: No changes

Technique deletions: No changes

Technique changes: No changes

Technique revocations: No changes

Technique deprecations: No changes

Minor Technique changes: No changes

Mobile

View mobile technique updates in the ATT&CK Navigator here.

New Techniques:

Technique deletions: No changes

Technique changes:

Technique revocations:

Technique deprecations:

Minor Technique changes:

Software

Enterprise

Exaramel changed to Exaramel for Windows, and Exaramel for Linux was added separately.

New Software:

Software deletions: No changes

Software changes:

Software revocations: No changes

Software deprecations: No changes

Minor Software changes:

PRE-ATT&CK

New Software: No changes

Software deletions: No changes

Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Minor Software changes: No changes

Mobile

New Software:

Software deletions:

  • Android Overlay Malware (removed due to the determination that the name did not identify a specific malware family)

Software changes:

Software revocations: No changes

Software deprecations: No changes

Minor Software changes:

Groups

Enterprise

New Groups:

Group deletions: No changes

Group changes:

Group revocations: No changes

Group deprecations: No changes

Minor Group changes:

PRE-ATT&CK

New Groups: No changes

Group deletions: No changes

Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Minor Group changes: No changes

Mobile

New Groups: No changes

Group deletions: No changes

Group changes:

Group revocations: No changes

Group deprecations: No changes

Minor Group changes: No changes

Mitigations

Enterprise

New Mitigations:

Mitigation deletions: No changes

Mitigation changes:

Mitigation revocations: No changes

Mitigation deprecations: No changes

Minor Mitigation changes: No changes

PRE-ATT&CK

New Mitigations: No changes

Mitigation deletions: No changes

Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Minor Mitigation changes: No changes

Mobile

New Mitigations: No changes

Mitigation deletions:

  • Use Device-Provided Credential Storage (this removal is temporary; the mitigation will be re-added in a future update)

Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Minor Mitigation changes: