Updates - October 2019

The October 2019 ATT&CK release updates techniques, Groups, and Software for both Enterprise and Mobile. The biggest change is the addition of cloud-focused techniques.

ATT&CK for Cloud

36 techniques have been added or updated to cover adversary behavior against cloud-based platforms. We’ve added three infrastructure as a service (IaaS) platforms, Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP). The Software as a service (SaaS) platform will cover techniques against general cloud-based software platforms. Separately from IaaS and SaaS, we've also added two cloud software platforms, Azure Active Directory (Azure AD) and Office 365, to cover techniques against those specific platforms.

New techniques and updates for cloud:

• Application Access Token
• Cloud Instance Metadata API
• Cloud Service Dashboard
• Cloud Service Discovery
• Data from Cloud Storage Object
• Implant Container Image
• Internal Spearphishing
• Revert Cloud Instance
• Steal Application Access Token
• Steal Web Session Cookie
• Transfer Data to Cloud Account
• Unused Cloud Regions
• Web Session Cookie
• Account Discovery
• Account Manipulation
• Brute Force
• Create Account
• Credentials in Files
• Data from Information Repositories
• Data from Local System
• Data Staged
• Drive-by Compromise
• Email Collection
• Exploit Public-Facing Application
• Network Service Scanning
• Network Share Discovery
• Office Application Startup
• Permission Groups Discovery
• Redundant Access
• Remote System Discovery
• Resource Hijacking
• Spearphishing Link
• System Information Discovery
• System Network Connections Discovery
• Trusted Relationship
• Valid Accounts

The majority of the people and organizations we talked to while defining what ATT&CK means in a cloud environment said that they consider it an extension of an enterprise network, so we made it part of ATT&CK for Enterprise instead of creating a separate model. The ATT&CK for Cloud matrix along with the individual platforms can still be viewed separately from the rest of the Enterprise matrix. Due to web applications being thought of as the new perimeter with cloud, we've had to expand the definition of Lateral Movement a bit to cover access and interaction with cloud-based systems and services. Common credentialing material such as web browser cookies and application access tokens like OAuth are commonplace and are targeted for access to cloud-based software.

The current list of cloud platforms was selected based on input from contributors and what has been reported in incidents. We plan on re-evaluating them as needed to expand or refine them based on the threat landscape.

We shifted priorities a bit this year to this effort because of the overwhelming demand for cloud coverage in ATT&CK. The lack of public incident reporting made it difficult to do, but we were able to use a lot of the community's expertise and knowledge in building it. ATT&CK for Cloud is the first new technology domain that has been created based on almost 100% community contributions for technique ideas! Cloud is by no means finished. We will continue to build out additional cloud-based techniques for another release next year.

Techniques

Enterprise

View enterprise technique updates in the ATT&CK Navigator here.

New Techniques:

• Account Access Removal
• Application Access Token
• Cloud Instance Metadata API
• Cloud Service Dashboard
• Cloud Service Discovery
• Credentials from Web Browsers
• Data from Cloud Storage Object
• Elevated Execution with Prompt
• Emond
• Implant Container Image
• Internal Spearphishing
• Parent PID Spoofing
• PowerShell Profile
• Revert Cloud Instance
• Server Software Component
• Software Discovery
• Steal Application Access Token
• Steal Web Session Cookie
• System Shutdown/Reboot
• Transfer Data to Cloud Account
• Unused/Unsupported Cloud Regions
• Web Session Cookie

Technique deletions: No changes

Technique changes:

• .bash_profile and .bashrc
• Account Discovery
• Account Manipulation
• Binary Padding
• Brute Force
• Component Object Model and Distributed COM
• Connection Proxy
• Create Account
• Credential Dumping
• Credentials in Files
• Data Staged
• Data from Information Repositories
• Data from Local System
• Drive-by Compromise
• Email Collection
• Exfiltration Over Alternative Protocol
• Exploit Public-Facing Application
• Exploitation for Privilege Escalation
• File and Directory Discovery
• File and Directory Permissions Modification
• Forced Authentication
• Gatekeeper Bypass
• Hidden Window
• Indicator Blocking
• InstallUtil
• Masquerading
• Mshta
• Network Service Scanning
• Network Share Discovery
• Office Application Startup
• Peripheral Device Discovery
• Permission Groups Discovery
• Port Knocking
• Process Discovery
• Query Registry
• Re-opened Applications
• Redundant Access
• Regsvcs/Regasm
• Regsvr32
• Remote System Discovery
• Resource Hijacking
• Scheduled Task
• Security Software Discovery
• Service Registry Permissions Weakness
• Software Packing
• Source
• Spearphishing Link
• System Information Discovery
• System Network Configuration Discovery
• System Network Connections Discovery
• System Owner/User Discovery
• System Service Discovery
• Taint Shared Content
• Third-party Software
• Timestomp
• Trap
• Trusted Developer Utilities
• Trusted Relationship
• User Execution
• Valid Accounts
• Virtualization/Sandbox Evasion
• Windows Admin Shares
• Windows Management Instrumentation Event Subscription
• Windows Remote Management
• XSL Script Processing

Technique revocations: No changes

Technique deprecations: No changes

Minor Technique changes:

• Access Token Manipulation
• Accessibility Features
• AppCert DLLs
• AppInit DLLs
• AppleScript
• Application Deployment Software
• Application Shimming
• Audio Capture
• Authentication Package
• Automated Collection
• BITS Jobs
• Bash History
• Bootkit
• Browser Extensions
• Bypass User Account Control
• CMSTP
• Clear Command History
• Clipboard Data
• Command-Line Interface
• Commonly Used Port
• Communication Through Removable Media
• Compiled HTML File
• Component Firmware
• Control Panel Items
• Credentials in Registry
• Custom Command and Control Protocol
• Custom Cryptographic Protocol
• DLL Search Order Hijacking
• DLL Side-Loading
• Data Compressed
• Data Destruction
• Data Encoding
• Data Encrypted for Impact
• Data Obfuscation
• Data Transfer Size Limits
• Defacement
• Disabling Security Tools
• Disk Content Wipe
• Disk Structure Wipe
• Domain Fronting
• Domain Generation Algorithms
• Domain Trust Discovery
• Dylib Hijacking
• Dynamic Data Exchange
• Endpoint Denial of Service
• Execution Guardrails
• Execution through API
• Execution through Module Load
• Exfiltration Over Command and Control Channel
• Exfiltration Over Other Network Medium
• Exfiltration Over Physical Medium
• Exploitation for Client Execution
• Exploitation for Credential Access
• Exploitation for Defense Evasion
• Exploitation of Remote Services
• External Remote Services
• Fallback Channels
• File Deletion
• File System Permissions Weakness
• Firmware Corruption
• Graphical User Interface
• Group Policy Modification
• HISTCONTROL
• Hardware Additions
• Hidden Users
• Indicator Removal on Host
• Inhibit System Recovery
• Input Capture
• Input Prompt
• Install Root Certificate
• Kerberoasting
• Kernel Modules and Extensions
• Keychain
• LC_LOAD_DYLIB Addition
• LC_MAIN Hijacking
• LLMNR/NBT-NS Poisoning and Relay
• LSASS Driver
• Launch Agent
• Launch Daemon
• Launchctl
• Local Job Scheduling
• Login Item
• Logon Scripts
• Man in the Browser
• Modify Existing Service
• Modify Registry
• Multi-Stage Channels
• Multi-hop Proxy
• Multiband Communication
• Multilayer Encryption
• NTFS File Attributes
• Network Denial of Service
• Network Sniffing
• New Service
• Obfuscated Files or Information
• Pass the Hash
• Pass the Ticket
• Password Filter DLL
• Password Policy Discovery
• Path Interception
• Plist Modification
• PowerShell
• Private Keys
• Process Doppelgänging
• Process Injection
• Rc.common
• Registry Run Keys / Startup Folder
• Remote Access Tools
• Remote Desktop Protocol
• Remote File Copy
• Remote Services
• Replication Through Removable Media
• Rootkit
• Rundll32
• Runtime Data Manipulation
• SID-History Injection
• SIP and Trust Provider Hijacking
• SSH Hijacking
• Scheduled Transfer
• Screen Capture
• Screensaver
• Scripting
• Security Support Provider
• Service Execution
• Service Stop
• Setuid and Setgid
• Shared Webroot
• Shortcut Modification
• Signed Binary Proxy Execution
• Signed Script Proxy Execution
• Space after Filename
• Spearphishing Attachment
• Spearphishing via Service
• Standard Application Layer Protocol
• Standard Cryptographic Protocol
• Standard Non-Application Layer Protocol
• Startup Items
• Stored Data Manipulation
• Sudo Caching
• Sudo
• Supply Chain Compromise
• System Firmware
• System Time Discovery
• Systemd Service
• Template Injection
• Time Providers
• Transmitted Data Manipulation
• Two-Factor Authentication Interception
• Uncommonly Used Port
• Video Capture
• Web Service
• Web Shell
• Windows Management Instrumentation
• Winlogon Helper DLL

PRE-ATT&CK

New Techniques: No changes

Technique deletions: No changes

Technique changes: No changes

Technique revocations: No changes

Technique deprecations: No changes

Minor Technique changes: No changes

Mobile

View mobile technique updates in the ATT&CK Navigator here.

New Techniques:

• Access Notifications
• Capture Camera
• Clipboard Modification
• Data Encrypted
• Data from Local System
• Domain Generation Algorithms
• Evade Analysis Environment
• Input Injection
• Network Information Discovery
• Screen Capture
• Standard Cryptographic Protocol
• Suppress Application Icon
• Uncommonly Used Port

Technique deletions: No changes

Technique changes:

• Access Call Log
• Access Stored Application Data
• Capture Audio
• Capture Clipboard Data
• Capture SMS Messages
• Data Encrypted for Impact
• Delete Device Data
• Deliver Malicious App via Authorized App Store
• Deliver Malicious App via Other Means
• Device Lockout
• Download New Code at Runtime
• Input Capture
• Input Prompt
• Masquerade as Legitimate Application
• Modify Cached Executable Code
• Modify System Partition

Technique revocations:

• Device Type Discovery (revoked by System Information Discovery)

Technique deprecations:

• Abuse Accessibility Features

Minor Technique changes:

• App Auto-Start at Device Boot
• Commonly Used Port
• Generate Fraudulent Advertising Revenue
• Location Tracking
• Manipulate App Store Rankings or Ratings
• Obfuscated Files or Information
• Premium SMS Toll Fraud
• System Information Discovery

Software

Enterprise

Exaramel changed to Exaramel for Windows, and Exaramel for Linux was added separately.

New Software:

• BOOSTWRITE
• BabyShark
• Exaramel for Linux
• Fysbis
• GRIFFON
• Machete
• MailSniper
• OSX/Shlayer
• RDFSNIFFER
• RobbinHood
• ZxShell
• esentutl

Software deletions: No changes

Software changes:

• Astaroth
• BITSAdmin
• BONDUPDATER
• Downdelph
• Exaramel for Windows
• HAMMERTOSS
• KeyBoy
• LockerGoga
• More_eggs
• NotPetya
• OSX_OCEANLOTUS.D
• Olympic Destroyer
• Orz
• PoshC2
• Ursnif
• certutil

Software revocations: No changes

Software deprecations: No changes

Minor Software changes:

• Derusbi
• FinFisher
• HyperBro
• Revenge RAT
• UBoatRAT
• Volgmer

PRE-ATT&CK

New Software: No changes

Software deletions: No changes

Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Minor Software changes: No changes

Mobile

New Software:

• Exodus
• FlexiSpy
• Gustuff
• Monokle
• Riltok
• Rotexy

Software deletions:

• Android Overlay Malware (removed due to the determination that the name did not identify a specific malware family)

Software changes:

• ANDROIDOS_ANSERVER.A
• Android/Chuli.A
• Dendroid
• DroidJack
• Gooligan
• Pallas
• Pegasus for Android
• RCSAndroid
• RedDrop
• Skygofree
• SpyDealer
• SpyNote RAT
• Stealth Mango
• Tangelo

Software revocations: No changes

Software deprecations: No changes

Minor Software changes:

• Charger
• FinFisher

Groups

Enterprise

New Groups:

• APT41
• Kimsuky
• Machete

Group deletions: No changes

Group changes:

• APT19
• APT28
• APT32
• APT37
• APT38
• APT3
• Axiom
• CopyKittens
• DarkHydrus
• Deep Panda
• FIN6
• FIN7
• Gorgon Group
• Lazarus Group
• Leafminer
• Magic Hound
• OilRig
• Threat Group-3390
• Tropic Trooper
• admin@338
• menuPass

Group revocations: No changes

Group deprecations: No changes

Minor Group changes:

• APT1
• FIN8
• Leviathan

PRE-ATT&CK

New Groups: No changes

Group deletions: No changes

Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Minor Group changes: No changes

Mobile

New Groups: No changes

Group deletions: No changes

Group changes:

• APT28

Group revocations: No changes

Group deprecations: No changes

Minor Group changes: No changes

Mitigations

Enterprise

New Mitigations:

• Application Developer Guidance

Mitigation deletions: No changes

Mitigation changes:

• Filter Network Traffic

Mitigation revocations: No changes

Mitigation deprecations: No changes

Minor Mitigation changes: No changes

PRE-ATT&CK

New Mitigations: No changes

Mitigation deletions: No changes

Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Minor Mitigation changes: No changes

Mobile

New Mitigations: No changes

Mitigation deletions:

• Use Device-Provided Credential Storage (this removal is temporary; the mitigation will be re-added in a future update)

Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Minor Mitigation changes:

• Application Vetting
• Attestation
• Security Updates
• User Guidance