Updates - October 2020

The October 2020 (v8) ATT&CK release updates Techniques, Groups, and Software for both Enterprise and Mobile. The biggest changes are the deprecation of the PRE-ATT&CK domain, the addition of two new Tactics to replace PRE-ATT&CK, and the addition of the Network platform to Enterprise ATT&CK.

This version of ATT&CK for Enterprise contains 14 Tactics, 177 Techniques, and 348 Sub-techniques.

Retirement of PRE-ATT&CK

This release deprecates and removes the PRE-ATT&CK domain from ATT&CK, replacing its scope with two new Tactics in Enterprise ATT&CK Reconnaissance and Resource Development. A new platform has also been added to ATT&CK to represent the environment these techniques occur in, PRE. The previous contents of PRE-ATT&CK have been preserved here. See the accompanying blog post for more details.

New techniques in Reconnaissance:

• Active Scanning
  • Scanning IP Blocks
  • Vulnerability Scanning
• Gather Victim Host Information
  • Client Configurations
  • Firmware
  • Hardware
  • Software
• Gather Victim Identity Information
  • Credentials
  • Email Addresses
  • Employee Names
• Gather Victim Network Information
  • DNS
  • Domain Properties
  • IP Addresses
  • Network Security Appliances
  • Network Topology
  • Network Trust Dependencies
• Gather Victim Org Information
  • Business Relationships
  • Determine Physical Locations
  • Identify Business Tempo
  • Identify Roles
• Phishing for Information
  • Spearphishing Attachment
  • Spearphishing Link
  • Spearphishing Service
• Search Closed Sources
  • Purchase Technical Data
  • Threat Intel Vendors
• Search Open Technical Databases
  • CDNs
  • DNS/Passive DNS
  • Digital Certificates
  • Scan Databases
  • WHOIS
• Search Open Websites/Domains
  • Search Engines
  • Social Media
• Search Victim-Owned Websites

New techniques in Resource Development:

• Acquire Infrastructure
  • Botnet
  • DNS Server
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Compromise Accounts
  • Email Accounts
  • Social Media Accounts
• Compromise Infrastructure
  • Botnet
  • DNS Server
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Develop Capabilities
  • Code Signing Certificates
  • Digital Certificates
  • Exploits
  • Malware
• Establish Accounts
  • Email Accounts
  • Social Media Accounts
• Obtain Capabilities
  • Code Signing Certificates
  • Digital Certificates
  • Exploits
  • Malware
  • Tool
  • Vulnerabilities

ATT&CK for Network Infrastructure Devices

13 techniques and 15 sub-techniques have been added or modified to cover adversary behavior against network infrastructure devices that constitute the fabric of enterprises' networks such as switches and routers. These techniques are represented by a new platform in ATT&CK for Enterprise, Network.

New and updated techniques for Network:

• Exploit Public-Facing Application
• Command and Scripting Interpreter
  • Network Device CLI
• Pre-OS Boot
  • ROMMONkit
  • TFTP Boot
• Traffic Signaling
  • Port Knocking
• Modify Authentication Process
  • Network Device Authentication
• Modify System Image
  • Downgrade System Image
  • Patch System Image
• Network Boundary Bridging
  • Network Address Translation Traversal
• Weaken Encryption
  • Disable Crypto Hardware
  • Reduce Key Space
• Data from Configuration Repository
  • Network Device Configuration Dump
  • SNMP (MIB Dump)
• Input Capture
  • Keylogging
• Non-Application Layer Protocol
• Proxy
  • Multi-hop Proxy
• Automated Exfiltration
  • Traffic Duplication

Many of the new Network techniques and sub-techniques focus on embedded network devices running closed source proprietary operating systems. This is largely driven by behaviors present in reported in the wild intrusions. Many newer devices leverage commodity embedded operating systems such as Linux or BSD variants, but accounts of adversary activity against these have been more sparse. However, network infrastructure devices running proprietary operating systems are still widely deployed on the Internet and within enterprises.

We will continue to build out additional Network techniques and sub-techniques as they become known. We welcome contributions and feedback from the community and look to improve this representation of behaviors in the network infrastructure devices space.

Techniques

Enterprise

We also added 1 additional new technique and 7 sub-techniques to Enterprise in this ATT&CK release beyond the scope of the above updates:

• Boot or Logon Autostart Execution: Print Processors
• Cloud Infrastructure Discovery
• Hide Artifacts: VBA Stomping
• Impair Defenses: Disable Cloud Logs
• Man-in-the-Middle: ARP Cache Poisoning
• Scheduled Task/Job: Systemd Timers
• Signed Binary Proxy Execution: Verclsid
• Steal or Forge Kerberos Tickets: AS-REP Roasting

All Enterprise technique changes are documented below.

New Techniques:

• Acquire Infrastructure
  • Botnet
  • DNS Server
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Active Scanning
  • Scanning IP Blocks
  • Vulnerability Scanning
• Automated Exfiltration: Traffic Duplication
• Boot or Logon Autostart Execution: Print Processors
• Cloud Infrastructure Discovery
• Command and Scripting Interpreter: Network Device CLI
• Compromise Accounts
  • Email Accounts
  • Social Media Accounts
• Compromise Infrastructure
  • Botnet
  • DNS Server
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Data from Configuration Repository
  • Network Device Configuration Dump
  • SNMP (MIB Dump)
• Develop Capabilities
  • Code Signing Certificates
  • Digital Certificates
  • Exploits
  • Malware
• Establish Accounts
  • Email Accounts
  • Social Media Accounts
• Gather Victim Host Information
  • Client Configurations
  • Firmware
  • Hardware
  • Software
• Gather Victim Identity Information
  • Credentials
  • Email Addresses
  • Employee Names
• Gather Victim Network Information
  • DNS
  • Domain Properties
  • IP Addresses
  • Network Security Appliances
  • Network Topology
  • Network Trust Dependencies
• Gather Victim Org Information
  • Business Relationships
  • Determine Physical Locations
  • Identify Business Tempo
  • Identify Roles
• Hide Artifacts: VBA Stomping
• Impair Defenses: Disable Cloud Logs
• Man-in-the-Middle: ARP Cache Poisoning
• Modify Authentication Process: Network Device Authentication
• Modify System Image
  • Downgrade System Image
  • Patch System Image
• Network Boundary Bridging
  • Network Address Translation Traversal
• Obtain Capabilities
  • Code Signing Certificates
  • Digital Certificates
  • Exploits
  • Malware
  • Tool
  • Vulnerabilities
• Phishing for Information
  • Spearphishing Attachment
  • Spearphishing Link
  • Spearphishing Service
• Pre-OS Boot: ROMMONkit
• Pre-OS Boot: TFTP Boot
• Scheduled Task/Job: Systemd Timers
• Search Closed Sources
  • Purchase Technical Data
  • Threat Intel Vendors
• Search Open Technical Databases
  • CDNs
  • DNS/Passive DNS
  • Digital Certificates
  • Scan Databases
  • WHOIS
• Search Open Websites/Domains
  • Search Engines
  • Social Media
• Search Victim-Owned Websites
• Signed Binary Proxy Execution: Verclsid
• Steal or Forge Kerberos Tickets: AS-REP Roasting
• Weaken Encryption
  • Disable Crypto Hardware
  • Reduce Key Space

Technique changes:

• Abuse Elevation Control Mechanism: Bypass User Account Control
• Account Discovery
  • Cloud Account
• Account Manipulation: Additional Cloud Credentials
• Automated Exfiltration
• Boot or Logon Autostart Execution
  • Registry Run Keys / Startup Folder
• Boot or Logon Initialization Scripts
• Brute Force: Credential Stuffing
• Brute Force: Password Cracking
• Brute Force: Password Guessing
• Brute Force: Password Spraying
• Command and Scripting Interpreter
  • AppleScript
  • Visual Basic
• Create or Modify System Process: Launch Daemon
• Create or Modify System Process: Systemd Service
• Create or Modify System Process: Windows Service
• Data from Information Repositories
• Endpoint Denial of Service: OS Exhaustion Flood
• Endpoint Denial of Service: Service Exhaustion Flood
• Event Triggered Execution
  • Image File Execution Options Injection
• Exploit Public-Facing Application
• File and Directory Discovery
• File and Directory Permissions Modification: Windows File and Directory Permissions Modification
• Hardware Additions
• Hijack Execution Flow: LD_PRELOAD
• Hijack Execution Flow: Path Interception by Unquoted Path
• Impair Defenses: Impair Command History Logging
• Indicator Removal on Host: Clear Command History
• Input Capture
  • Keylogging
• Man-in-the-Middle
• Modify Authentication Process
• Modify Registry
• Network Denial of Service: Direct Network Flood
• Network Denial of Service: Reflection Amplification
• Network Share Discovery
• Non-Application Layer Protocol
• Obfuscated Files or Information: Binary Padding
• Obfuscated Files or Information: Steganography
• Password Policy Discovery
• Permission Groups Discovery
  • Cloud Groups
• Phishing
  • Spearphishing Attachment
  • Spearphishing Link
  • Spearphishing via Service
• Pre-OS Boot
  • Bootkit
• Proxy
  • Domain Fronting
  • Multi-hop Proxy
• Remote System Discovery
• Server Software Component: Web Shell
• Service Stop
• Signed Binary Proxy Execution: Control Panel
• Software Deployment Tools
• Software Discovery
  • Security Software Discovery
• Steal or Forge Kerberos Tickets
  • Kerberoasting
• Traffic Signaling
  • Port Knocking
• Unsecured Credentials
  • Cloud Instance Metadata API
• Use Alternate Authentication Material: Application Access Token
• Use Alternate Authentication Material: Web Session Cookie
• Valid Accounts: Cloud Accounts
• Valid Accounts: Default Accounts
• Valid Accounts: Domain Accounts

Minor Technique changes:

• Abuse Elevation Control Mechanism
• Account Manipulation
• Application Layer Protocol
  • DNS
  • File Transfer Protocols
  • Mail Protocols
• Archive Collected Data
• Brute Force
• Create or Modify System Process
• Data Encrypted for Impact
• Data Staged
  • Remote Data Staging
• Domain Trust Discovery
• Dynamic Resolution
  • Domain Generation Algorithms
• Email Collection: Email Forwarding Rule
• Endpoint Denial of Service
• File and Directory Permissions Modification
• Hide Artifacts
  • Hidden Users
• Hijack Execution Flow
  • DLL Side-Loading
  • Dylib Hijacking
  • Path Interception by PATH Environment Variable
  • Path Interception by Search Order Hijacking
  • Services File Permissions Weakness
  • Services Registry Permissions Weakness
• Impair Defenses
  • Disable or Modify Cloud Firewall
• Indicator Removal on Host
• Internal Spearphishing
• Modify Authentication Process: Domain Controller Authentication
• Modify Cloud Compute Infrastructure
  • Create Cloud Instance
  • Create Snapshot
  • Delete Cloud Instance
• Network Denial of Service
• Obfuscated Files or Information
• Scheduled Task/Job
• Server Software Component
• Signed Binary Proxy Execution
• Supply Chain Compromise
• Use Alternate Authentication Material
• Valid Accounts

Technique revocations: No changes

Technique deprecations: No changes

Mobile

New Techniques:

• Geofencing
• SMS Control

Technique changes:

• Delete Device Data
• Supply Chain Compromise
• URI Hijacking

Minor Technique changes: No changes

Technique revocations:

• URL Scheme Hijacking (revoked by URI Hijacking)

Technique deprecations: No changes

Software

Enterprise

New Software:

• Anchor
• Bonadan
• Carberp
• CookieMiner
• CrackMapExec
• Cryptoistic
• Dacls
• Drovorub
• FatDuke
• FrameworkPOS
• GoldenSpy
• Hancitor
• IcedID
• Kessel
• MCMD
• Ngrok
• Pillowmint
• PipeMon
• PolyglotDuke
• RDAT
• REvil
• RegDuke
• SYNful Knock
• SoreFang
• StrongPity
• WellMail
• WellMess

Software changes:

• BADNEWS
• Cobalt Strike
• Ebury
• Emotet
• InvisiMole
• KONNI
• LoudMiner
• Machete
• Maze
• Metamorfo
• MiniDuke
• NETWIRE
• OnionDuke
• SDelete
• TrickBot
• Trojan.Karagany
• Valak
• WEBC2
• gh0st RAT
• njRAT

Minor Software changes:

• HiddenWasp
• JPIN
• OSX/Shlayer
• RATANKBA
• pwdump

Software revocations: No changes

Software deprecations: No changes

Software deletions:

• Twitoor

Mobile

New Software:

• Desert Scorpion
• FakeSpy
• Mandrake
• Twitoor
• ViperRAT
• WolfRAT
• XLoader for iOS
• Zen
• eSurv

Software changes:

• Anubis
• Bread
• Cerberus
• Corona Updates
• Dendroid
• Ginp
• Rotexy
• Stealth Mango
• TrickMo
• XLoader for Android

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Groups

Enterprise

New Groups:

• Bouncing Golf
• Chimera
• GOLD SOUTHFIELD

Group changes:

• APT1
• APT16
• APT17
• APT28
• APT29
• APT30
• APT37
• APT39
• Cleaver
• Dragonfly
• Dragonfly 2.0
• FIN6
• FIN7
• Gamaredon Group
• Lazarus Group
• Machete
• MuddyWater
• Night Dragon
• OilRig
• PROMETHIUM
• Patchwork
• TEMP.Veles
• Turla
• Winnti Group
• Wizard Spider
• menuPass

Minor Group changes:

• APT-C-36
• Honeybee

Group revocations: No changes

Group deprecations: No changes

Mobile

New Groups: No changes

Group changes:

• APT28

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mitigations

Enterprise

New Mitigations:

• Pre-compromise

Mitigation changes:

• User Training

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mobile

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes