Updates - October 2022

Version: ATT&CK v12
Start Date: October 25, 2022
End Date: April 24, 2023
Data: v12.0 on MITRE/CTI; v12.1 on MITRE/CTI
Changelogs: 11.3 - 12.0 Details (JSON); 12.0 - 12.1 Details (JSON)

The October 2022 (v12) ATT&CK release updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v12 are the addition of detections to ATT&CK for ICS, and the introduction of Campaigns.

Matching the model introduced to ATT&CK for Enterprise in ATT&CK v11, ATT&CK for ICS detections describe ways of detecting various ICS techniques, and each detection is tied to specific Data Sources and Data Components. This detection format was described in detail in our ATT&CK v11 release blog post. The new detections leverage both traditional host- and network-based collection and ICS-specific sources such as Asset and Operational Databases. Because the Enterprise and ICS ATT&CK domains overlap, some ICS detections include references to Enterprise techniques where the additional context may assist defenders.

This release introduces the Campaign data structure to ATT&CK and an initial, limited set of Campaigns. ATT&CK's Campaigns are defined as a grouping of intrusion activity conducted over a specific period of time with common targets and objectives. A key aspect of Campaigns is that the activity may or may not be linked to a specific threat actor. Campaigns are described in detail in the blog post Introducing Campaigns to MITRE ATT&CK. Specifics on how Campaigns are implemented in ATT&CK's Enterprise, ICS, and Mobile STIX representations are described in ATT&CK's STIX 2.0 Data Model and STIX 2.1 Data Model. Several existing Groups were identified as matching the Campaign definition more closely than the Group definition and were converted to Campaigns. The 7 impacted Groups were deprecated (noted below) and new Campaigns were created in their place.

In this release we have renamed the Enterprise Technique "Indicator Removal on Host" to Indicator Removal (T1070) and rescoped it to better account for adversary behavior in cloud environments.

This version of ATT&CK for Enterprise contains 14 Tactics, 193 Techniques, 401 Sub-techniques, 135 Groups, 14 Campaigns, and 718 Pieces of Software.

New Campaigns in ATT&CK

Techniques

Enterprise

New Techniques

Technique Changes

Minor Technique Changes

Technique Revocations

  • No changes

Technique Deprecations

  • No changes

Mobile

New Techniques

  • No changes

Technique Changes

  • No changes

Minor Technique Changes

Technique Revocations

  • No changes

Technique Deprecations

  • No changes

ICS

New Techniques

Technique Changes

Minor Technique Changes

Technique Revocations

  • No changes

Technique Deprecations

  • No changes

Software

Enterprise

New Software

Software Changes

Minor Software Changes

Software Revocations

  • No changes

Software Deprecations

  • No changes

Mobile

New Software

  • No changes

Software Changes

  • No changes

Minor Software Changes

  • No changes

Software Revocations

  • No changes

Software Deprecations

  • No changes

ICS

New Software

Software Changes

Minor Software Changes

Software Revocations

  • No changes

Software Deprecations

  • No changes

Groups

Enterprise

New Groups

Group Changes

Minor Group Changes

Group Revocations

  • No changes

Group Deprecations

Mobile

New Groups

Group Changes

  • No changes

Minor Group Changes

Group Revocations

  • No changes

Group Deprecations

  • No changes

ICS

New Groups

  • No changes

Group Changes

Minor Group Changes

Group Revocations

  • No changes

Group Deprecations

  • No changes

Mitigations

Enterprise

New Mitigations

  • No changes

Mitigation Changes

  • No changes

Minor Mitigation Changes

Mitigation Revocations

  • No changes

Mitigation Deprecations

  • No changes

Mobile

New Mitigations

  • No changes

Mitigation Changes

  • No changes

Minor Mitigation Changes

  • No changes

Mitigation Revocations

  • No changes

Mitigation Deprecations

  • No changes

ICS

New Mitigations

  • No changes

Mitigation Changes

  • No changes

Minor Mitigation Changes

  • No changes

Mitigation Revocations

  • No changes

Mitigation Deprecations

  • No changes

Data Sources and/or Components

Enterprise

New Data Sources and/or Components

  • No changes

Data Source and/or Component Changes

Minor Data Source and/or Component Changes

  • No changes

Data Source and/or Component Revocations

  • No changes

Data Source and/or Component Deprecations

Mobile

ATT&CK for Mobile does not support structured data sources.

ICS

New Data Sources and/or Components

Data Source and/or Component Changes

Minor Data Source and/or Component Changes

  • No changes

Data Source and/or Component Revocations

  • No changes

Data Source and/or Component Deprecations

  • No changes

Contributors to this release

  • Aagam Shah, @neutrinoguy, ABB
  • Andrea Serrano Urea, Telefónica Tech
  • Andrew Allen, @whitehat_zero
  • AppOmni
  • AttackIQ
  • Austin Clark, @c2defense
  • Awake Security
  • Blake Strom, Microsoft 365 Defender
  • Boominathan Sundaram
  • Brandon Dalton, @PartyD0lphin
  • Catherine Williams, BT Security
  • Chris Heald
  • Cian Heasley
  • Cisco
  • CrowdStrike
  • CrowdStrike Falcon OverWatch
  • Daniel Feichter, @VirtualAllocEx, Infosec Tirol
  • Daniyal Naeem, BT Security
  • Darin Smith, Cisco
  • David Hughes, BT Security
  • David Tayouri
  • Dragos Threat Intelligence
  • Dray Agha, @Purp1eW0lf, Huntress Labs
  • Edward Millington
  • Eran Ayalon, Cybereason
  • Erik Schamper, @Schamperr, Fox-IT
  • ExtraHop
  • Flavio Costa, Cisco
  • Francesco Bigarella
  • Goldstein Menachem
  • Hannah Simes, BT Security
  • Harry Hill, BT Security
  • Harshal Tupsamudre, Qualys
  • Hiroki Nagahama, NEC Corporation
  • Ian Davila, Tidal Cyber
  • Ian McKay
  • Ilan Sokol, Cybereason
  • Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
  • Joas Antonio dos Santos, @Cr4zyC0d3
  • Kyaw Pyiyt Htet, @KyawPyiytHtet
  • Lee Christensen, SpecterOps
  • Liran Ravich, CardinalOps
  • Lucas Heiligenstein
  • Maarten van Dantzig, @MaartenVDantzig, Fox-IT
  • Manikanran Srinivasan, NEC Corporation India
  • Matt Brenton, Zurich Insurance Group
  • Matt Burrough, @mattburrough, Microsoft
  • Menachem Goldstein
  • Mindaugas Gudzis, BT Security
  • Miriam Wiesner, @miriamxyra, Microsoft Security
  • Nick Cairns, @grotezinfosec
  • Oleg Kolesnikov, Securonix
  • Oren Ofer, Cybereason
  • Ozer Sarilar, @ozersarilar, STM
  • Phill Taylor, BT Security
  • Pooja Natarajan, NEC Corporation India
  • Praetorian
  • Raphaël Lheureux
  • SarathKumar Rajendran, Trimble Inc
  • Sebastian Showell-Westrip, BT Security
  • Sekhar Sarukkai, McAfee
  • Shailesh Tiwary (Indian Army)
  • Shanief Webb
  • Sittikorn Sangrattanapitak
  • Swasti Bhushan Deb, IBM India Pvt. Ltd.
  • Thirumalai Natarajan, Mandiant
  • Tim (Wadhwa-)Brown
  • Tristan Bennett, Seamless Intelligence
  • Uriel Kosayev
  • Vadim Khrykov
  • Varonis Threat Labs
  • Vijay Lalwani
  • Vinayak Wadhwa, Lucideus
  • Will Thomas, Equinix Threat Analysis Center (ETAC)
  • Yoshihiro Kori, NEC Corporation