Updates - October 2020
| Version | Start Date | End Date | Data |
|---|---|---|---|
| ATT&CK v8 | October 27, 2020 | This is the current version of ATT&CK | v8.2 on MITRE/CTI |
The October 2020 (v8) ATT&CK release updates Techniques, Groups, and Software for both Enterprise and Mobile. The biggest changes are the deprecation of the PRE-ATT&CK domain, the addition of two new Tactics to replace PRE-ATT&CK, and the addition of the Network platform to Enterprise ATT&CK.
This version of ATT&CK for Enterprise contains 14 Tactics, 177 Techniques, and 348 Sub-techniques.
Retirement of PRE-ATT&CK
This release deprecates and removes the PRE-ATT&CK domain from ATT&CK, replacing its scope with two new Tactics in Enterprise ATT&CK: Reconnaissance and Resource Development. A new platform, PRE, has also been added to ATT&CK to represent the environment in which these techniques occur. The previous contents of PRE-ATT&CK have been preserved here. See the accompanying blog post for more details.
New techniques in Reconnaissance:
- Active Scanning
- Gather Victim Host Information
- Gather Victim Identity Information
- Gather Victim Network Information
- Gather Victim Org Information
- Phishing for Information
- Search Closed Sources
- Search Open Technical Databases
- Search Open Websites/Domains
- Search Victim-Owned Websites
New techniques in Resource Development:
- Acquire Infrastructure
- Compromise Accounts
- Compromise Infrastructure
- Develop Capabilities
- Establish Accounts
- Obtain Capabilities
ATT&CK for Network Infrastructure Devices
13 techniques and 15 sub-techniques have been added or modified to cover adversary behavior against network infrastructure devices, such as switches and routers, that constitute the fabric of enterprise networks. These techniques are represented by a new platform in ATT&CK for Enterprise, Network.
New and updated techniques for Network:
- Exploit Public-Facing Application
- Command and Scripting Interpreter
- Pre-OS Boot
- Traffic Signaling
- Modify Authentication Process
- Modify System Image
- Network Boundary Bridging
- Weaken Encryption
- Data from Configuration Repository
- Input Capture
- Non-Application Layer Protocol
- Proxy
- Automated Exfiltration
Many of the new Network techniques and sub-techniques focus on embedded network devices running closed-source proprietary operating systems. This is largely driven by behaviors observed in reported in-the-wild intrusions. Many newer devices use commodity embedded operating systems such as Linux or BSD variants, but accounts of adversary activity against these have been sparser. However, network infrastructure devices running proprietary operating systems are still widely deployed on the Internet and within enterprises.
We will continue to build out additional Network techniques and sub-techniques as they become known. We welcome contributions and feedback from the community and look to improve this representation of behaviors in the network infrastructure devices space.
Techniques
Enterprise
Beyond the scope of the updates above, this ATT&CK release also adds 1 new technique and 7 sub-techniques to Enterprise:
- Boot or Logon Autostart Execution: Print Processors
- Cloud Infrastructure Discovery
- Hide Artifacts: VBA Stomping
- Impair Defenses: Disable Cloud Logs
- Man-in-the-Middle: ARP Cache Poisoning
- Scheduled Task/Job: Systemd Timers
- Signed Binary Proxy Execution: Verclsid
- Steal or Forge Kerberos Tickets: AS-REP Roasting
All Enterprise technique changes are documented below.
New Techniques:
- Acquire Infrastructure
- Active Scanning
- Automated Exfiltration: Traffic Duplication
- Boot or Logon Autostart Execution: Print Processors
- Cloud Infrastructure Discovery
- Command and Scripting Interpreter: Network Device CLI
- Compromise Accounts
- Compromise Infrastructure
- Data from Configuration Repository
- Develop Capabilities
- Establish Accounts
- Gather Victim Host Information
- Gather Victim Identity Information
- Gather Victim Network Information
- Gather Victim Org Information
- Hide Artifacts: VBA Stomping
- Impair Defenses: Disable Cloud Logs
- Man-in-the-Middle: ARP Cache Poisoning
- Modify Authentication Process: Network Device Authentication
- Modify System Image
- Network Boundary Bridging
- Obtain Capabilities
- Phishing for Information
- Pre-OS Boot: ROMMONkit
- Pre-OS Boot: TFTP Boot
- Scheduled Task/Job: Systemd Timers
- Search Closed Sources
- Search Open Technical Databases
- Search Open Websites/Domains
- Search Victim-Owned Websites
- Signed Binary Proxy Execution: Verclsid
- Steal or Forge Kerberos Tickets: AS-REP Roasting
- Weaken Encryption
Technique changes:
- Abuse Elevation Control Mechanism: Bypass User Account Control
- Account Discovery
- Account Manipulation: Additional Cloud Credentials
- Automated Exfiltration
- Boot or Logon Autostart Execution
- Boot or Logon Initialization Scripts
- Brute Force: Credential Stuffing
- Brute Force: Password Cracking
- Brute Force: Password Guessing
- Brute Force: Password Spraying
- Command and Scripting Interpreter
- Create or Modify System Process: Launch Daemon
- Create or Modify System Process: Systemd Service
- Create or Modify System Process: Windows Service
- Data from Information Repositories
- Endpoint Denial of Service: OS Exhaustion Flood
- Endpoint Denial of Service: Service Exhaustion Flood
- Event Triggered Execution
- Exploit Public-Facing Application
- File and Directory Discovery
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Hardware Additions
- Hijack Execution Flow: LD_PRELOAD
- Hijack Execution Flow: Path Interception by Unquoted Path
- Impair Defenses: Impair Command History Logging
- Indicator Removal on Host: Clear Command History
- Input Capture
- Man-in-the-Middle
- Modify Authentication Process
- Modify Registry
- Network Denial of Service: Direct Network Flood
- Network Denial of Service: Reflection Amplification
- Network Share Discovery
- Non-Application Layer Protocol
- Obfuscated Files or Information: Binary Padding
- Obfuscated Files or Information: Steganography
- Password Policy Discovery
- Permission Groups Discovery
- Phishing
- Pre-OS Boot
- Proxy
- Remote System Discovery
- Server Software Component: Web Shell
- Service Stop
- Signed Binary Proxy Execution: Control Panel
- Software Deployment Tools
- Software Discovery
- Steal or Forge Kerberos Tickets
- Traffic Signaling
- Unsecured Credentials
- Use Alternate Authentication Material: Application Access Token
- Use Alternate Authentication Material: Web Session Cookie
- Valid Accounts: Cloud Accounts
- Valid Accounts: Default Accounts
- Valid Accounts: Domain Accounts
Minor Technique changes:
- Abuse Elevation Control Mechanism
- Account Manipulation
- Application Layer Protocol
- Archive Collected Data
- Brute Force
- Create or Modify System Process
- Data Encrypted for Impact
- Data Staged
- Domain Trust Discovery
- Dynamic Resolution
- Email Collection: Email Forwarding Rule
- Endpoint Denial of Service
- File and Directory Permissions Modification
- Hide Artifacts
- Hijack Execution Flow
- Impair Defenses
- Indicator Removal on Host
- Internal Spearphishing
- Modify Authentication Process: Domain Controller Authentication
- Modify Cloud Compute Infrastructure
- Network Denial of Service
- Obfuscated Files or Information
- Scheduled Task/Job
- Server Software Component
- Signed Binary Proxy Execution
- Supply Chain Compromise
- Use Alternate Authentication Material
- Valid Accounts
Technique revocations: No changes
Technique deprecations: No changes
Mobile
New Techniques:
Technique changes:
Minor Technique changes: No changes
Technique revocations:
- URL Scheme Hijacking (revoked by URI Hijacking)
Technique deprecations: No changes
Software
Enterprise
New Software:
- Anchor
- Bonadan
- Carberp
- CookieMiner
- CrackMapExec
- Cryptoistic
- Dacls
- Drovorub
- FatDuke
- FrameworkPOS
- GoldenSpy
- Hancitor
- IcedID
- Kessel
- MCMD
- Ngrok
- Pillowmint
- PipeMon
- PolyglotDuke
- RDAT
- REvil
- RegDuke
- SYNful Knock
- SoreFang
- StrongPity
- WellMail
- WellMess
Software changes:
- BADNEWS
- Cobalt Strike
- Ebury
- Emotet
- InvisiMole
- KONNI
- LoudMiner
- Machete
- Maze
- Metamorfo
- MiniDuke
- NETWIRE
- OnionDuke
- SDelete
- TrickBot
- Trojan.Karagany
- Valak
- WEBC2
- gh0st RAT
- njRAT
Minor Software changes:
Software revocations: No changes
Software deprecations: No changes
Software deletions:
- Twitoor
Mobile
New Software:
Software changes:
Minor Software changes: No changes
Software revocations: No changes
Software deprecations: No changes
Groups
Enterprise
New Groups:
Group changes:
- APT1
- APT16
- APT17
- APT28
- APT29
- APT30
- APT37
- APT39
- Cleaver
- Dragonfly
- Dragonfly 2.0
- FIN6
- FIN7
- Gamaredon Group
- Lazarus Group
- Machete
- MuddyWater
- Night Dragon
- OilRig
- PROMETHIUM
- Patchwork
- TEMP.Veles
- Turla
- Winnti Group
- Wizard Spider
- menuPass
Minor Group changes:
Group revocations: No changes
Group deprecations: No changes
Mobile
New Groups: No changes
Group changes:
Minor Group changes: No changes
Group revocations: No changes
Group deprecations: No changes
Mitigations
Enterprise
New Mitigations:
Mitigation changes:
Minor Mitigation changes: No changes
Mitigation revocations: No changes
Mitigation deprecations: No changes
Mobile
New Mitigations: No changes
Mitigation changes: No changes
Minor Mitigation changes: No changes
Mitigation revocations: No changes
Mitigation deprecations: No changes