Updates - October 2021

The October 2021 (v10) ATT&CK release updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest change is the addition of a new set of Data Source and Data Component objects in Enterprise ATT&CK, complementing the ATT&CK Data Source name changes released in ATT&CK v9. An accompanying blog post describes these changes as well as improvements across ATT&CK's various domains and platforms.

In this release we have renamed T1185 and T1557 to be more inclusive, and deprecated T1053.004 to better reflect adversary behavior.

This version of ATT&CK for Enterprise contains 14 Tactics, 188 Techniques, 379 Sub-techniques, 129 Groups, and 637 Pieces of Software.

New Data Sources and/or Components in Enterprise ATT&CK:

• Active Directory
  • Active Directory Credential Request
  • Active Directory Object Access
  • Active Directory Object Creation
  • Active Directory Object Deletion
  • Active Directory Object Modification
• Application Log
  • Application Log Content
• Certificate
  • Certificate Registration
• Cloud Service
  • Cloud Service Disable
  • Cloud Service Enumeration
  • Cloud Service Metadata
  • Cloud Service Modification
• Cloud Storage
  • Cloud Storage Access
  • Cloud Storage Creation
  • Cloud Storage Deletion
  • Cloud Storage Enumeration
  • Cloud Storage Metadata
  • Cloud Storage Modification
• Cluster
  • Cluster Metadata
• Command
  • Command Execution
• Container
  • Container Creation
  • Container Enumeration
  • Container Metadata
  • Container Start
• Domain Name
  • Active DNS
  • Domain Registration
  • Passive DNS
• Drive
  • Drive Access
  • Drive Creation
  • Drive Modification
• Driver
  • Driver Load
  • Driver Metadata
• File
  • File Access
  • File Creation
  • File Deletion
  • File Metadata
  • File Modification
• Firewall
  • Firewall Disable
  • Firewall Enumeration
  • Firewall Metadata
  • Firewall Rule Modification
• Firmware
  • Firmware Modification
• Group
  • Group Enumeration
  • Group Metadata
  • Group Modification
• Image
  • Image Creation
  • Image Deletion
  • Image Metadata
  • Image Modification
• Instance
  • Instance Creation
  • Instance Deletion
  • Instance Enumeration
  • Instance Metadata
  • Instance Modification
  • Instance Start
  • Instance Stop
• Internet Scan
  • Response Content
  • Response Metadata
• Kernel
  • Kernel Module Load
• Logon Session
  • Logon Session Creation
  • Logon Session Metadata
• Malware Repository
  • Malware Content
  • Malware Metadata
• Module
  • Module Load
• Named Pipe
  • Named Pipe Metadata
• Network Share
  • Network Share Access
• Network Traffic
  • Network Connection Creation
  • Network Traffic Content
  • Network Traffic Flow
• Persona
  • Social Media
• Pod
  • Pod Creation
  • Pod Enumeration
  • Pod Metadata
  • Pod Modification
• Process
  • OS API Execution
  • Process Access
  • Process Creation
  • Process Metadata
  • Process Modification
  • Process Termination
• Scheduled Job
  • Scheduled Job Creation
  • Scheduled Job Metadata
  • Scheduled Job Modification
• Script
  • Script Execution
• Sensor Health
  • Host Status
• Service
  • Service Creation
  • Service Metadata
  • Service Modification
• Snapshot
  • Snapshot Creation
  • Snapshot Deletion
  • Snapshot Enumeration
  • Snapshot Metadata
  • Snapshot Modification
• User Account
  • User Account Authentication
  • User Account Creation
  • User Account Deletion
  • User Account Metadata
  • User Account Modification
• Volume
  • Volume Creation
  • Volume Deletion
  • Volume Enumeration
  • Volume Metadata
  • Volume Modification
• WMI
  • WMI Creation
• Web Credential
  • Web Credential Creation
  • Web Credential Usage
• Windows Registry
  • Windows Registry Key Access
  • Windows Registry Key Creation
  • Windows Registry Key Deletion
  • Windows Registry Key Modification

Techniques

Enterprise

New Techniques:

• Boot or Logon Autostart Execution: Login Items
• Cloud Storage Object Discovery
• Data from Information Repositories: Code Repositories
• Group Policy Discovery
• Hide Artifacts: Email Hiding Rules
• Hide Artifacts: Resource Forking
• Impair Defenses: Downgrade Attack
• Impair Defenses: Safe Mode Boot
• Masquerading: Double File Extension
• Obfuscated Files or Information: HTML Smuggling
• Reflective Code Loading
• Server Software Component: IIS Components
• Signed Binary Proxy Execution: MMC
• Signed Binary Proxy Execution: Mavinject
• System Location Discovery: System Language Discovery

Technique changes:

• Access Token Manipulation: Create Process with Token
• Account Discovery: Local Account
• Account Manipulation: Exchange Email Delegate Permissions
• Acquire Infrastructure
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Adversary-in-the-Middle
  • ARP Cache Poisoning
  • LLMNR/NBT-NS Poisoning and SMB Relay
• Automated Exfiltration: Traffic Duplication
• Boot or Logon Autostart Execution: Kernel Modules and Extensions
• Boot or Logon Autostart Execution: Plist Modification
• Browser Session Hijacking
• Brute Force
• Build Image on Host
• Cloud Infrastructure Discovery
• Command and Scripting Interpreter
  • JavaScript
  • Network Device CLI
  • PowerShell
  • Unix Shell
  • Visual Basic
  • Windows Command Shell
• Compromise Accounts
  • Social Media Accounts
• Compromise Infrastructure
  • DNS Server
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Create Account: Local Account
• Create or Modify System Process: Launch Agent
• Create or Modify System Process: Launch Daemon
• Data Encrypted for Impact
• Data from Information Repositories
• Data from Local System
• Data from Removable Media
• Develop Capabilities
  • Code Signing Certificates
  • Digital Certificates
  • Malware
• Drive-by Compromise
• Email Collection
  • Email Forwarding Rule
• Escape to Host
• Establish Accounts
  • Social Media Accounts
• Event Triggered Execution: Unix Shell Configuration Modification
• Event Triggered Execution: Windows Management Instrumentation Event Subscription
• Exfiltration Over Alternative Protocol
  • Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  • Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
• Exfiltration Over C2 Channel
• Exfiltration Over Physical Medium
  • Exfiltration over USB
• Exfiltration Over Web Service
• Exploitation for Client Execution
• External Remote Services
• File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
• Forge Web Credentials
  • SAML Tokens
  • Web Cookies
• Gather Victim Host Information
  • Client Configurations
  • Hardware
  • Software
• Gather Victim Org Information
  • Determine Physical Locations
• Hardware Additions
• Hide Artifacts
  • Hidden Users
  • Run Virtual Instance
  • VBA Stomping
• Hijack Execution Flow: Services Registry Permissions Weakness
• Impair Defenses
  • Disable Windows Event Logging
  • Disable or Modify Tools
• Input Capture: GUI Input Capture
• Inter-Process Communication
  • Component Object Model
  • Dynamic Data Exchange
• Lateral Tool Transfer
• Masquerading: Masquerade Task or Service
• Masquerading: Right-to-Left Override
• Native API
• Network Share Discovery
• OS Credential Dumping
  • LSASS Memory
• Obfuscated Files or Information
  • Binary Padding
  • Software Packing
  • Steganography
• Obtain Capabilities
  • Code Signing Certificates
  • Digital Certificates
  • Malware
  • Tool
• Office Application Startup
  • Add-ins
  • Office Template Macros
  • Office Test
  • Outlook Forms
  • Outlook Home Page
  • Outlook Rules
• Password Policy Discovery
• Permission Groups Discovery
  • Cloud Groups
• Phishing
  • Spearphishing Attachment
• Process Injection
  • Asynchronous Procedure Call
  • Dynamic-link Library Injection
  • Portable Executable Injection
  • Process Hollowing
  • Ptrace System Calls
  • Thread Execution Hijacking
  • Thread Local Storage
• Remote Services
  • Distributed Component Object Model
  • SSH
  • VNC
  • Windows Remote Management
• Remote System Discovery
• Replication Through Removable Media
• Scheduled Task/Job: At (Linux)
• Scheduled Task/Job: Container Orchestration Job
• Scheduled Task/Job: Cron
• Scheduled Task/Job: Systemd Timers
• Server Software Component
  • Web Shell
• Shared Modules
• Signed Binary Proxy Execution: Mshta
• Signed Binary Proxy Execution: Rundll32
• Signed Script Proxy Execution: PubPrn
• Stage Capabilities
  • Drive-by Target
  • Install Digital Certificate
  • Link Target
  • Upload Malware
  • Upload Tool
• Steal Web Session Cookie
• Steal or Forge Kerberos Tickets
• Subvert Trust Controls
  • Gatekeeper Bypass
  • Install Root Certificate
• System Information Discovery
• System Network Configuration Discovery
• System Owner/User Discovery
• System Service Discovery
• System Services
  • Launchctl
  • Service Execution
• Taint Shared Content
• Trusted Developer Utilities Proxy Execution: MSBuild
• Use Alternate Authentication Material
  • Web Session Cookie
• User Execution
  • Malicious File
  • Malicious Image
• Valid Accounts
  • Cloud Accounts
  • Domain Accounts
  • Local Accounts
• Virtualization/Sandbox Evasion
  • System Checks
  • Time Based Evasion
  • User Activity Based Checks
• Windows Management Instrumentation

Minor Technique changes:

• Access Token Manipulation
• Account Discovery
  • Domain Account
• Account Manipulation
• Automated Exfiltration
• Boot or Logon Autostart Execution
• Command and Scripting Interpreter: Python
• Compromise Client Software Binary
• Create Account
• Create or Modify System Process
• Credentials from Password Stores
  • Password Managers
• Data from Information Repositories: Confluence
• Data from Information Repositories: Sharepoint
• Event Triggered Execution
• Execution Guardrails
  • Environmental Keying
• Exploit Public-Facing Application
• File and Directory Discovery
• File and Directory Permissions Modification
• Hijack Execution Flow
  • COR_PROFILER
• Indicator Removal on Host
• Input Capture
• Masquerading
• Modify Authentication Process
  • Pluggable Authentication Modules
• Proxy
• Scheduled Task/Job
• Server Software Component: Transport Agent
• Signed Binary Proxy Execution
  • Msiexec
• Signed Script Proxy Execution
• Steal or Forge Kerberos Tickets: AS-REP Roasting
• System Location Discovery
• Trusted Developer Utilities Proxy Execution
• Use Alternate Authentication Material: Application Access Token
• Use Alternate Authentication Material: Pass the Hash
• Use Alternate Authentication Material: Pass the Ticket

Technique revocations: No changes

Technique deprecations:

• Scheduled Task/Job: Launchd

Mobile

New Techniques:

• Call Control
• Hooking
• User Evasion

Technique changes:

• Exploit SS7 to Redirect Phone Calls/SMS
• Manipulate Device Communication
• SIM Card Swap

Minor Technique changes: No changes

Technique revocations: No changes

Technique deprecations: No changes

Software

Enterprise

New Software:

• AppleSeed
• Avaddon
• BADFLICK
• BLUELIGHT
• Babuk
• Bad Rabbit
• BoomBox
• BoxCaon
• Chaes
• Clop
• Conficker
• CostaBricks
• Cuba
• DEATHRANSOM
• EKANS
• Ecipekac
• EnvyScout
• FIVEHANDS
• FYAnti
• GrimAgent
• HELLOKITTY
• Industroyer
• JSS Loader
• KillDisk
• Kobalos
• LiteDuke
• MarkiRAT
• NativeZone
• Nebulae
• ObliqueRAT
• P8RAT
• PS1
• Peppy
• ProLock
• QakBot
• RainyDay
• SMOKEDHAM
• Seth-Locker
• SideTwist
• Siloscape
• Sliver
• SodaMaster
• SombRAT
• SpicyOmelette
• Stuxnet
• Turian
• VaporRage
• WastedLocker
• Wevtutil
• XCSSET
• xCaon

Software changes:

• Aria-body
• Bandook
• Bazar
• Bisonal
• BloodHound
• Bundlore
• Carberp
• China Chopper
• Cobalt Strike
• Conti
• Crimson
• Dok
• Dridex
• DropBook
• Emissary
• Empire
• FatDuke
• GuLoader
• Hildegard
• Impacket
• Kerrdown
• Keydnap
• Kinsing
• LaZagne
• Lokibot
• LoudMiner
• Lucifer
• Maze
• Metamorfo
• MimiPenguin
• Mimikatz
• MiniDuke
• NETWIRE
• Net
• Nltest
• OSX/Shlayer
• OSX_OCEANLOTUS.D
• Octopus
• OwaAuth
• PoisonIvy
• PowerSploit
• PsExec
• QuasarRAT
• REvil
• RGDoor
• Ryuk
• SUNBURST
• SharpStage
• Spark
• SynAck
• Taidoor
• ThiefQuest
• TrickBot
• Zeus Panda
• certutil
• esentutl

Minor Software changes:

• BADNEWS
• BOOTRASH
• ECCENTRICBANDWAGON
• Egregor
• Hikit
• HyperBro
• Reg
• WindTail
• zwShell

Software revocations: No changes

Software deprecations: No changes

Mobile

New Software:

• BusyGasper

Software changes:

• Anubis
• CarbonSteal
• Monokle

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Groups

Enterprise

New Groups:

• Andariel
• BackdoorDiplomacy
• CostaRicto
• Ferocious Kitten
• IndigoZebra
• Nomadic Octopus
• TeamTNT
• Tonto Team
• Transparent Tribe

Group changes:

• APT-C-36
• APT1
• APT19
• APT28
• APT29
• APT3
• APT32
• APT33
• APT37
• APT38
• APT39
• APT41
• BRONZE BUTLER
• Blue Mockingbird
• Carbanak
• Chimera
• Cleaver
• Cobalt Group
• CopyKittens
• Dark Caracal
• DarkHydrus
• DarkVishnya
• Dragonfly
• Dragonfly 2.0
• FIN10
• FIN4
• FIN5
• FIN6
• FIN7
• FIN8
• Frankenstein
• Gorgon Group
• Inception
• Indrik Spider
• Ke3chang
• Kimsuky
• Lazarus Group
• Leafminer
• Leviathan
• Magic Hound
• Mustang Panda
• Naikon
• Night Dragon
• OilRig
• Patchwork
• PittyTiger
• Sandworm Team
• Silence
• TA505
• TA551
• TEMP.Veles
• Threat Group-3390
• Thrip
• Turla
• WIRTE
• Whitefly
• Wizard Spider
• menuPass

Minor Group changes:

• Machete

Group revocations:

• Stolen Pencil (revoked by Kimsuky)

Group deprecations:

• Taidoor

Mobile

New Groups: No changes

Group changes:

• APT28
• Dark Caracal
• Sandworm Team

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mitigations

Enterprise

New Mitigations:

• Data Loss Prevention

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mobile

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Contributors to this release

• @ionstorm
• Achute Sharma, Keysight
• Arnim Rupp, Deutsche Lufthansa AG
• Atul Nair, Qualys
• Austin Clark
• Ayan Saha, Keysight
• Center for Threat-Informed Defense (CTID)
• Christoffer Strömblad
• Christopher Glyer, Mandiant, @cglyer
• Cody Thomas, SpecterOps
• Dan Borges, @1njection
• Daniel Prizmant, Palo Alto Networks
• Daniyal Naeem, BT Security
• Dor Edry, Microsoft
• Edward Millington
• Eli Salem, @elisalem9
• ExtraHop
• Gaetan van Diemen, ThreatFabric
• Gareth Phillips, Seek Ltd.
• Gordon Long, Box, Inc., @ethicalhax
• Harshal Tupsamudre, Qualys
• Hiroki Nagahama, NEC Corporation
• Isif Ibrahima
• Itamar Mizrahi, Cymptom
• Ivan Sinyakov
• Jack Burns, HubSpot
• Janantha Marasinghe
• Jaron Bradley @jbradley89
• Jeff Felling, Red Canary
• Joas Antonio dos Santos, @C0d3Cr4zy
• Johann Rehberger
• Jon Sheedy
• Jon Sternstein, Stern Security
• Jonathan Boucher, @crash_wave, Bank of Canada
• Jonhnathan Ribeiro, 3CORESec, @_w0rk3r
• Jorell Magtibay, National Australia Bank Limited
• Jorge Orchilles, SCYTHE
• Jose Luis Sánchez Martinez
• Josh Liburdi, @jshlbrd
• João Paulo de A. Filho, @Hug1nN__
• Jörg Abraham, EclecticIQ
• Karim Hasanen, @_karimhasanen
• Kiyohito Yamamoto, RedLark, NTT Communications
• Kyaw Pyiyt Htet, @KyawPyiytHtet
• Kyoung-ju Kwak (S2W)
• Lior Ribak, SentinelOne
• Manikantan Srinivasan, NEC Corporation India
• Maril Vernon, @shewhohacks
• Matt Brenton, Zurich Global Information Security
• Microsoft Detection and Response Team (DART)
• Microsoft Security
• Mike Burns, Mandiant
• Mnemonic AS
• Nagahama Hiroki, NEC Corporation
• Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
• Nick Carr, Mandiant
• Omkar Gudhate
• Patrick Sungbahadoor
• Pooja Natarajan, NEC Corporation India
• Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team
• Regina Elwell
• Rex Guo, @Xiaofei_REX, Confluera
• Rick Cole, Mandiant
• Ruben Dodge, @shotgunner101
• Shlomi Salem, SentinelOne
• SOCCRATES
• Stan Hegt, Outflank
• Ted Samuels, Rapid7
• Tim (Wadhwa-)Brown
• Toby Kohlenberg
• Vadim Khrykov
• Viren Chaudhari, Qualys
• Wes Hurd
• Will Thomas, Cyjax
• William Cain
• Yoshihiro Kori, NEC Corporation
• Yossi Nisani, Cymptom
• Yusuke Kubo, RedLark, NTT Communications
• Yuval Avrahami, Palo Alto Networks
• Zaw Min Htun, @Z3TAE
• Ziv Kaspersky, Cymptom