Updates - October 2024

The October 2024 (v16) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise.

The biggest changes in ATT&CK v16 are a refactoring of Cloud platforms to better reflect real-world adversary activity along with improvements to platform descriptions, a dramatic expansion in the number of techniques with detection notes and analytics, and continued improvements to coverage of criminal threat actors. As a result of Cloud platform refactoring, the Azure AD, Office 365, and Google Workspace platforms have been removed from Enterprise ATT&CK and the Identity Provider and Office Suite platforms have been added in their place. An accompanying blog post describes these changes as well as additional improvements across Enterprise ATT&CK's various platforms.

This release also includes a human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a machine-readable JSON changelog, whose format is described in ATT&CK's Github.

This version of ATT&CK contains 844 Pieces of Software, 186 Groups, and 42 Campaigns
Broken out by domain:

• Enterprise: 14 Tactics, 203 Techniques, 453 Sub-Techniques, 159 Groups, 710 Pieces of Software, 34 Campaigns, 44 Mitigations, and 37 Data Sources
• Mobile: 12 Tactics, 73 Techniques, 46 Sub-Techniques, 13 Groups, 112 Pieces of Software, 2 Campaigns, 13 Mitigations, and 6 Data Sources
• ICS: 12 Tactics, 83 Techniques, 0 Sub-Techniques, 14 Groups, 22 Pieces of Software, 6 Campaigns, 52 Mitigations, 14 Assets, and 17 Data Sources

Release Notes Terminology

• New: ATT&CK objects which are only present in the new release.
• Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
• Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
• Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
• Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something immaterial like a typo, a URL, or some metadata was fixed)
• Revocations: ATT&CK objects which are revoked by a different object.
• Deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
• Deletions: ATT&CK objects which are no longer found in the STIX data.

Table of Contents

Techniques

Enterprise

New Techniques

• Account Manipulation: Additional Local or Domain Groups (v1.0)
• Adversary-in-the-Middle: Evil Twin (v1.0)
• Application Layer Protocol: Publish/Subscribe Protocols (v1.0)
• Command and Scripting Interpreter: Lua (v1.0)
• Data Destruction: Lifecycle-Triggered Deletion (v1.0)
• Data from Information Repositories: Customer Relationship Management Software (v1.0)
• Data from Information Repositories: Messaging Applications (v1.0)
• Event Triggered Execution: Udev Rules (v1.0)
• Execution Guardrails: Mutual Exclusion (v1.0)
• Indicator Removal: Relocate Malware (v1.0)
• Masquerading: Masquerade Account Name (v1.0)
• Modify Cloud Resource Hierarchy (v1.0)
• Obfuscated Files or Information: Polymorphic Code (v1.0)
• Resource Hijacking: Bandwidth Hijacking (v1.0)
• Resource Hijacking: Cloud Service Hijacking (v1.0)
• Resource Hijacking: Compute Hijacking (v1.0)
• Resource Hijacking: SMS Pumping (v1.0)
• Steal or Forge Kerberos Tickets: Ccache Files (v1.0)
• Trusted Developer Utilities Proxy Execution: ClickOnce (v1.0)

Major Version Changes

• Data Obfuscation: Protocol or Service Impersonation (v1.0→v2.0)
• Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations (v1.0→v2.0)
• Obfuscated Files or Information: Fileless Storage (v1.0→v2.0)
• Resource Hijacking (v1.5→v2.0)

Minor Version Changes

• Abuse Elevation Control Mechanism (v1.3→v1.4)
  • TCC Manipulation (v1.0→v1.1)
  • Temporary Elevated Cloud Access (v1.1→v1.2)
• Account Access Removal (v1.2→v1.3)
• Account Discovery (v2.4→v2.5)
  • Cloud Account (v1.2→v1.3)
  • Email Account (v1.1→v1.2)
• Account Manipulation (v2.6→v2.7)
  • Additional Cloud Credentials (v2.7→v2.8)
  • Additional Cloud Roles (v2.4→v2.5)
  • Additional Email Delegate Permissions (v2.1→v2.2)
  • Device Registration (v1.2→v1.3)
• Acquire Infrastructure: Domains (v1.3→v1.4)
• Acquire Infrastructure: Serverless (v1.0→v1.1)
• Active Scanning: Scanning IP Blocks (v1.0→v1.1)
• Application Layer Protocol (v2.2→v2.3)
• Automated Collection (v1.2→v1.3)
• Automated Exfiltration: Traffic Duplication (v1.2→v1.3)
• Brute Force (v2.5→v2.6)
  • Credential Stuffing (v1.5→v1.6)
  • Password Cracking (v1.2→v1.3)
  • Password Guessing (v1.5→v1.6)
  • Password Spraying (v1.5→v1.6)
• Cloud Service Dashboard (v1.3→v1.4)
• Cloud Service Discovery (v1.3→v1.4)
• Command and Scripting Interpreter (v2.4→v2.5)
  • Cloud API (v1.0→v1.1)
  • JavaScript (v2.1→v2.2)
• Compromise Accounts: Cloud Accounts (v1.0→v1.1)
• Compromise Host Software Binary (v2.0→v2.1)
• Compromise Infrastructure: Domains (v1.3→v1.4)
• Compromise Infrastructure: Serverless (v1.0→v1.1)
• Create Account (v2.4→v2.5)
  • Cloud Account (v1.5→v1.6)
• Credentials from Password Stores: Credentials from Web Browsers (v1.1→v1.2)
• Credentials from Password Stores: Password Managers (v1.0→v1.1)
• Data Destruction (v1.2→v1.3)
• Data Manipulation: Runtime Data Manipulation (v1.1→v1.2)
• Data from Cloud Storage (v2.1→v2.2)
• Data from Information Repositories (v3.3→v3.4)
  • Code Repositories (v1.1→v1.2)
  • Confluence (v1.0→v1.1)
  • Sharepoint (v1.0→v1.1)
• Domain or Tenant Policy Modification (v3.0→v3.1)
  • Trust Modification (v2.0→v2.1)
• Drive-by Compromise (v1.5→v1.6)
• Dynamic Resolution: Domain Generation Algorithms (v1.0→v1.1)
• Email Collection (v2.5→v2.6)
  • Email Forwarding Rule (v1.3→v1.4)
  • Remote Email Collection (v1.2→v1.3)
• Endpoint Denial of Service (v1.1→v1.2)
  • Application Exhaustion Flood (v1.2→v1.3)
  • Application or System Exploitation (v1.2→v1.3)
  • Service Exhaustion Flood (v1.3→v1.4)
• Event Triggered Execution (v1.3→v1.4)
• Execution Guardrails (v1.1→v1.2)
• Exfiltration Over Alternative Protocol (v1.4→v1.5)
• Exfiltration Over Web Service (v1.3→v1.4)
  • Exfiltration Over Webhook (v1.0→v1.1)
• Exploit Public-Facing Application (v2.5→v2.6)
• Exploitation for Credential Access (v1.5→v1.6)
• Financial Theft (v1.1→v1.2)
• Forge Web Credentials (v1.4→v1.5)
  • SAML Tokens (v1.3→v1.4)
• Gather Victim Host Information (v1.1→v1.2)
• Gather Victim Identity Information: Credentials (v1.1→v1.2)
• Gather Victim Network Information: DNS (v1.1→v1.2)
• Hide Artifacts (v1.2→v1.3)
  • Email Hiding Rules (v1.3→v1.4)
• Hijack Execution Flow: DLL Search Order Hijacking (v1.2→v1.3)
• Impair Defenses (v1.5→v1.6)
  • Disable or Modify Cloud Firewall (v1.2→v1.3)
  • Disable or Modify Cloud Logs (v2.0→v2.1)
• Impersonation (v1.0→v1.1)
• Indicator Removal (v2.1→v2.2)
  • Clear Mailbox Data (v1.1→v1.2)
  • Timestomp (v1.0→v1.1)
• Indirect Command Execution (v1.1→v1.2)
• Inhibit System Recovery (v1.4→v1.5)
• Input Capture (v1.2→v1.3)
  • Credential API Hooking (v1.0→v1.1)
• Inter-Process Communication (v1.2→v1.3)
• Internal Spearphishing (v1.3→v1.4)
• Log Enumeration (v1.0→v1.1)
• Modify Authentication Process (v2.4→v2.5)
  • Conditional Access Policies (v1.0→v1.1)
  • Domain Controller Authentication (v2.0→v2.1)
  • Hybrid Identity (v1.0→v1.1)
  • Multi-Factor Authentication (v1.2→v1.3)
  • Password Filter DLL (v2.0→v2.1)
  • Pluggable Authentication Modules (v2.0→v2.1)
  • Reversible Encryption (v1.0→v1.1)
• Modify Cloud Compute Infrastructure: Create Cloud Instance (v1.1→v1.2)
• Modify Cloud Compute Infrastructure: Create Snapshot (v1.1→v1.2)
• Modify Cloud Compute Infrastructure: Delete Cloud Instance (v1.1→v1.2)
• Multi-Factor Authentication Request Generation (v1.1→v1.2)
• Network Denial of Service (v1.1→v1.2)
  • Direct Network Flood (v1.3→v1.4)
  • Reflection Amplification (v1.3→v1.4)
• OS Credential Dumping: /etc/passwd and /etc/shadow (v1.0→v1.1)
• OS Credential Dumping: DCSync (v1.0→v1.1)
• OS Credential Dumping: LSA Secrets (v1.0→v1.1)
• OS Credential Dumping: LSASS Memory (v1.4→v1.5)
• Obfuscated Files or Information: Compile After Delivery (v1.0→v1.1)
• Office Application Startup (v1.3→v1.4)
  • Add-ins (v1.1→v1.2)
  • Office Template Macros (v1.1→v1.2)
  • Office Test (v1.2→v1.3)
  • Outlook Forms (v1.1→v1.2)
  • Outlook Home Page (v1.1→v1.2)
  • Outlook Rules (v1.1→v1.2)
• Password Policy Discovery (v1.5→v1.6)
• Permission Groups Discovery (v2.5→v2.6)
  • Cloud Groups (v1.4→v1.5)
• Phishing (v2.5→v2.6)
  • Spearphishing Link (v2.6→v2.7)
  • Spearphishing Voice (v1.0→v1.1)
• Process Injection: ListPlanting (v1.0→v1.1)
• Proxy: Multi-hop Proxy (v2.1→v2.2)
• Remote Services: Cloud Services (v1.0→v1.1)
• Scheduled Task/Job: At (v2.2→v2.3)
• Scheduled Task/Job: Cron (v1.1→v1.2)
• Scheduled Task/Job: Scheduled Task (v1.5→v1.6)
• Search Closed Sources (v1.0→v1.1)
• Search Victim-Owned Websites (v1.0→v1.1)
• Server Software Component: SQL Stored Procedures (v1.0→v1.1)
• Serverless Execution (v1.0→v1.1)
• Software Deployment Tools (v3.0→v3.1)
• Stage Capabilities: SEO Poisoning (v1.0→v1.1)
• Steal Application Access Token (v1.3→v1.4)
• Steal Web Session Cookie (v1.3→v1.4)
• Steal or Forge Authentication Certificates (v1.1→v1.2)
• Steal or Forge Kerberos Tickets (v1.5→v1.6)
  • AS-REP Roasting (v1.0→v1.1)
• System Binary Proxy Execution: Rundll32 (v2.2→v2.3)
• System Location Discovery (v1.0→v1.1)
• System Services (v1.2→v1.3)
  • Launchctl (v1.1→v1.2)
• Taint Shared Content (v1.4→v1.5)
• Transfer Data to Cloud Account (v1.4→v1.5)
• Trusted Relationship (v2.3→v2.4)
• Unsecured Credentials (v1.3→v1.4)
  • Bash History (v1.1→v1.2)
  • Chat Messages (v1.0→v1.1)
  • Group Policy Preferences (v1.0→v1.1)
  • Private Keys (v1.1→v1.2)
• Use Alternate Authentication Material (v1.3→v1.4)
  • Application Access Token (v1.6→v1.7)
  • Web Session Cookie (v1.3→v1.4)
• User Execution (v1.6→v1.7)
  • Malicious File (v1.3→v1.4)
  • Malicious Link (v1.0→v1.1)
• Valid Accounts (v2.6→v2.7)
  • Cloud Accounts (v1.7→v1.8)
  • Default Accounts (v1.3→v1.4)
• Web Service (v1.1→v1.2)

Patches

• Account Discovery: Domain Account (v1.2)
• Acquire Infrastructure (v1.4)
  • Malvertising (v1.0)
  • Virtual Private Server (v1.1)
• Active Scanning: Vulnerability Scanning (v1.0)
• Adversary-in-the-Middle: DHCP Spoofing (v1.1)
• Application Window Discovery (v1.3)
• Audio Capture (v1.0)
• Boot or Logon Autostart Execution (v1.2)
  • Kernel Modules and Extensions (v1.3)
  • Port Monitors (v1.2)
  • Registry Run Keys / Startup Folder (v2.0)
  • Shortcut Modification (v1.2)
• Browser Extensions (v1.3)
• Cloud Administration Command (v2.0)
• Cloud Infrastructure Discovery (v1.3)
• Command and Scripting Interpreter: AppleScript (v1.2)
• Command and Scripting Interpreter: PowerShell (v1.4)
• Command and Scripting Interpreter: Unix Shell (v1.2)
• Command and Scripting Interpreter: Visual Basic (v1.4)
• Command and Scripting Interpreter: Windows Command Shell (v1.4)
• Compromise Infrastructure (v1.5)
  • Network Devices (v1.0)
  • Web Services (v1.2)
• Container Administration Command (v1.2)
• Credentials from Password Stores (v1.2)
  • Cloud Secrets Management Stores (v1.0)
  • Keychain (v1.1)
  • Securityd Memory (v1.2)
  • Windows Credential Manager (v1.1)
• Data Manipulation: Stored Data Manipulation (v1.1)
• Data Manipulation: Transmitted Data Manipulation (v1.1)
• Data Obfuscation (v1.1)
• Data Staged (v1.4)
  • Local Data Staging (v1.1)
  • Remote Data Staging (v1.1)
• Data from Removable Media (v1.2)
• Deploy Container (v1.3)
• Develop Capabilities (v1.1)
• Disk Wipe: Disk Structure Wipe (v1.1)
• Domain or Tenant Policy Modification: Group Policy Modification (v1.0)
• Event Triggered Execution: Change Default File Association (v1.0)
• Event Triggered Execution: Unix Shell Configuration Modification (v2.1)
• Exploitation for Client Execution (v1.4)
• Forced Authentication (v1.3)
• Gather Victim Identity Information (v1.3)
  • Employee Names (v1.0)
• Hide Artifacts: NTFS File Attributes (v1.1)
• Hijack Execution Flow: Path Interception by Search Order Hijacking (v1.0)
• Hijack Execution Flow: Services Registry Permissions Weakness (v1.1)
• Impair Defenses: Disable or Modify System Firewall (v1.2)
• Impair Defenses: Spoof Security Alerting (v1.0)
• Indicator Removal: File Deletion (v1.1)
• Input Capture: Web Portal Capture (v1.0)
• Inter-Process Communication: XPC Services (v1.0)
• Masquerading (v1.7)
  • Match Legitimate Name or Location (v1.2)
  • Rename System Utilities (v1.1)
• Modify Cloud Compute Infrastructure (v1.2)
• Multi-Factor Authentication Interception (v2.1)
• Native API (v2.2)
• Network Sniffing (v1.6)
• Non-Standard Port (v1.1)
• OS Credential Dumping (v2.2)
  • Cached Domain Credentials (v1.1)
  • Proc Filesystem (v1.2)
  • Security Account Manager (v1.1)
• Obfuscated Files or Information: Command Obfuscation (v1.0)
• Obfuscated Files or Information: Encrypted/Encoded File (v1.0)
• Obfuscated Files or Information: HTML Smuggling (v1.1)
• Obtain Capabilities (v1.1)
  • Artificial Intelligence (v1.0)
  • Digital Certificates (v1.2)
  • Tool (v1.1)
• Phishing: Spearphishing Attachment (v2.2)
• Phishing: Spearphishing via Service (v2.0)
• Phishing for Information (v1.3)
  • Spearphishing Attachment (v1.1)
  • Spearphishing Link (v1.6)
• Power Settings (v1.0)
• Process Injection: Process Hollowing (v1.3)
• Protocol Tunneling (v1.0)
• Remote Services: VNC (v1.1)
• Remote Services: Windows Remote Management (v1.2)
• Scheduled Task/Job (v2.3)
  • Container Orchestration Job (v1.3)
  • Systemd Timers (v1.2)
• Search Open Websites/Domains (v1.1)
  • Search Engines (v1.0)
• Server Software Component: Terminal Services DLL (v1.0)
• Service Stop (v1.2)
• Stage Capabilities: Link Target (v1.4)
• Stage Capabilities: Upload Malware (v1.2)
• Steal or Forge Kerberos Tickets: Kerberoasting (v1.2)
• Supply Chain Compromise (v1.6)
• System Binary Proxy Execution: CMSTP (v2.1)
• System Information Discovery (v2.5)
• System Script Proxy Execution: SyncAppvPublishingServer (v1.0)
• System Services: Service Execution (v1.2)
• Unsecured Credentials: Cloud Instance Metadata API (v1.4)
• Unsecured Credentials: Container API (v1.2)
• Unsecured Credentials: Credentials In Files (v1.2)
• Unsecured Credentials: Credentials in Registry (v1.1)
• Use Alternate Authentication Material: Pass the Ticket (v1.1)
• Valid Accounts: Local Accounts (v1.4)
• Virtualization/Sandbox Evasion (v1.3)
  • System Checks (v2.2)
  • Time Based Evasion (v1.2)
  • User Activity Based Checks (v1.1)
• Windows Management Instrumentation (v1.5)
• XSL Script Processing (v1.2)

Mobile

Patches

• Clipboard Data (v3.1)
• Hide Artifacts: Suppress Application Icon (v1.1)
• Input Capture: GUI Input Capture (v1.1)

ICS

Patches

• Denial of Service (v1.1)

Software

Enterprise

New Software

• Apostle (v1.0)
• BFG Agonizer (v1.0)
• BPFDoor (v1.0)
• CHIMNEYSWEEP (v1.0)
• Covenant (v1.0)
• Cuckoo Stealer (v1.0)
• DEADWOOD (v1.0)
• DUSTPAN (v1.0)
• DUSTTRAP (v1.0)
• FRP (v1.0)
• Gootloader (v1.0)
• IMAPLoader (v1.0)
• INC Ransomware (v1.0)
• IPsec Helper (v1.0)
• Latrodectus (v1.0)
• LunarLoader (v1.0)
• LunarMail (v1.0)
• LunarWeb (v1.0)
• Manjusaka (v1.0)
• MgBot (v1.0)
• Moneybird (v1.0)
• MultiLayer Wiper (v1.0)
• NPPSPY (v1.0)
• Nightdoor (v1.0)
• Pikabot (v1.0)
• Playcrypt (v1.0)
• ROADSWEEP (v1.0)
• Raccoon Stealer (v1.0)
• Raspberry Robin (v1.0)
• Spica (v1.0)
• VPNFilter (v2.0)
• VersaMem (v1.0)
• ZeroCleare (v1.0)

Major Version Changes

• BabyShark (v1.2→v2.0)
• Ebury (v1.3→v2.0)
• MacMa (v1.0→v2.0)
• OutSteel (v1.0→v2.0)
• Saint Bot (v1.0→v2.0)

Minor Version Changes

• ASPXSpy (v1.2→v1.3)
• AdFind (v1.4→v1.5)
• Amadey (v1.0→v1.1)
• BloodHound (v1.5→v1.6)
• Brute Ratel C4 (v1.0→v1.1)
• Bumblebee (v1.0→v1.1)
• Cobalt Strike (v1.12→v1.13)
• Cyclops Blink (v1.0→v1.1)
• Emotet (v1.5→v1.6)
• Empire (v1.7→v1.8)
• EvilBunny (v1.2→v1.3)
• GLOOXMAIL (v1.1→v1.2)
• Gold Dragon (v1.2→v1.3)
• IcedID (v1.1→v1.2)
• Impacket (v1.6→v1.7)
• Nltest (v1.2→v1.3)
• PoetRAT (v2.2→v2.3)
• PsExec (v1.6→v1.7)
• QakBot (v1.2→v1.3)
• QuasarRAT (v2.0→v2.1)
• RawDisk (v1.0→v1.1)
• Remsec (v1.3→v1.4)
• SILENTTRINITY (v1.0→v1.1)
• Wevtutil (v1.1→v1.2)
• ftp (v2.0→v2.1)
• gh0st RAT (v3.2→v3.3)

Patches

• AADInternals (v1.2)
• Astaroth (v2.3)
• BLACKCOFFEE (v1.1)
• ChChes (v1.1)
• CreepyDrive (v1.0)
• DDKONG (v1.0)
• DarkGate (v1.0)
• DarkWatchman (v1.2)
• FinFisher (v1.4)
• Flagpro (v1.0)
• GrimAgent (v1.1)
• HAPPYWORK (v1.0)
• Janicab (v1.1)
• Koadic (v2.0)
• MailSniper (v1.1)
• Micropsia (v1.2)
• Mimikatz (v1.9)
• Miner-C (v1.0)
• NanoCore (v1.1)
• PoisonIvy (v2.2)
• ROADTools (v1.0)
• RedLeaves (v1.2)
• Ruler (v1.1)
• SHUTTERSPEED (v1.0)
• SLOTHFULMEDIA (v1.0)
• Ursnif (v1.5)
• WINERACK (v1.0)
• Windows Credential Editor (v1.1)
• Winexe (v1.0)

Mobile

Patches

• Anubis (v1.3)
• Exobot (v1.0)
• FinFisher (v1.4)

Deprecations

• Marcher (v1.0)

ICS

New Software

• Fuxnet (v1.0)

Major Version Changes

• VPNFilter (v1.1→v2.0)

Groups

Enterprise

New Groups

• Agrius (v1.0)
• Daggerfly (v1.0)
• INC Ransom (v1.0)
• Moonstone Sleet (v1.0)
• Play (v1.0)
• RedCurl (v1.0)
• Saint Bear (v1.0)
• Star Blizzard (v1.0)
• TA577 (v1.0)
• TA578 (v1.0)
• Winter Vivern (v1.0)

Major Version Changes

• Aquatic Panda (v1.1→v2.0)
• CURIUM (v2.0→v3.0)
• Ember Bear (v1.1→v2.0)
• Kimsuky (v4.0→v5.0)
• Volt Typhoon (v1.1→v2.0)

Minor Version Changes

• APT28 (v5.0→v5.1)
• APT29 (v6.0→v6.1)
• APT41 (v4.0→v4.1)
• Blue Mockingbird (v1.2→v1.3)
• Gamaredon Group (v3.0→v3.1)
• HEXANE (v2.2→v2.3)
• Indrik Spider (v4.0→v4.1)
• Magic Hound (v6.0→v6.1)
• MuddyWater (v5.0→v5.1)
• OilRig (v4.0→v4.1)
• Sandworm Team (v4.0→v4.1)
• Turla (v5.0→v5.1)
• ZIRCONIUM (v2.0→v2.1)

Patches

• APT17 (v1.1)
• APT3 (v1.4)
• APT38 (v3.0)
• Akira (v1.0)
• Andariel (v2.0)
• Chimera (v2.2)
• Earth Lusca (v2.0)
• TeamTNT (v1.3)
• menuPass (v3.0)

Mobile

Minor Version Changes

• APT28 (v5.0→v5.1)
• Sandworm Team (v4.0→v4.1)

Patches

• Earth Lusca (v2.0)

ICS

Minor Version Changes

• HEXANE (v2.2→v2.3)
• OilRig (v4.0→v4.1)
• Sandworm Team (v4.0→v4.1)

Patches

• APT38 (v3.0)

Campaigns

Enterprise

New Campaigns

• APT41 DUST (v1.0)
• HomeLand Justice (v1.0)
• KV Botnet Activity (v1.0)
• Pikabot Distribution February 2024 (v1.0)
• Versa Director Zero Day Exploitation (v1.0)
• Water Curupira Pikabot Distribution (v1.0)

Minor Version Changes

• SolarWinds Compromise (v1.0→v1.1)

Mitigations

Enterprise

New Mitigations

• Out-of-Band Communications Channel (v1.0)

Minor Version Changes

• Active Directory Configuration (v1.1→v1.2)

Patches

• Audit (v1.2)
• Credential Access Protection (v1.1)
• Execution Prevention (v1.2)
• Filter Network Traffic (v1.1)
• Limit Software Installation (v1.0)
• Network Intrusion Prevention (v1.0)
• Privileged Account Management (v1.1)
• User Training (v1.2)

Minor Version Changes

• Software Process and Device Authentication (v1.0→v1.1)

Data Sources

Enterprise

Patches

• Active Directory (v1.0)
• Application Log (v1.0)
• Cloud Service (v1.0)
• Firewall (v1.0)
• Group (v1.0)
• Logon Session (v1.1)
• User Account (v1.1)
• Web Credential (v1.0)

ICS

Patches

• Application Log (v1.0)
• Logon Session (v1.1)
• User Account (v1.1)

Contributors to this release

• @grahamhelton3
• Ale Houspanossian
• Arun Seelagan, CISA
• Asritha Narina
• Aung Kyaw Min Naing, @Nolan
• Barbara Louis-Sidney (OWN-CERT)
• Catherine Williams, BT Security
• Centre for Cybersecurity Belgium (CCB)
• Cris Tomboc, Truswave SpiderLabs
• Csaba Fitzl @theevilbit of Kandji
• Daniel Acevedo, Blackbot
• DeFord L. Smith
• Denise Tan
• Diego Sappa, Securonix
• Domenico Mazzaferro Palmeri
• Dray Agha, Huntress Labs
• Eder Pérez Ignacio, @ch4ik0
• Eduardo González Hernández (@codexlynx)
• Fernando Bacchin
• Furkan Celik, PURE7
• Hakan KARABACAK
• Harikrishnan Muthu, Cyble
• Harry Hill, BT Security
• Inna Danilevich
• Jai Minton, CrowdStrike
• James Emery-Callcott, Emerging Threats Team, Proofpoint
• James P Callahan, Professional Paranoid
• Jamie Williams (U ω U), PANW Unit 42
• Jennifer Kim Roman, CrowdStrike
• Joe Gumke, U.S. Bank
• Jorge Orchilles
• Liran Ravich, CardinalOps
• Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
• Manikantan Srinivasan, NEC Corporation India
• Marco Pedrinazzi, @pedrinazziM
• Massimo Giaimo, Würth Group Cyber Defence Center
• Matt Anderson, @‌nosecurething, Huntress
• Matt Brenton
• Menachem Goldstein
• Michael Forret, Quorum Cyber
• Mike Hartley @mikehartley10
• Nagahama Hiroki – NEC Corporation Japan
• Naveen Vijayaraghavan
• Nilesh Dherange (Gurucul)
• Obsidian Security
• Onur Atali
• OWN
• Phyo Paing Htun (ChiLai)
• Pooja Natarajan, NEC Corporation India
• ReliaQuest
• Riku Katsuse, NEC Corporation
• Ruben Groenewoud, Elastic
• Sam Seabrook, Duke Energy
• Sarathkumar Rajendran, Microsoft Defender365
• Sareena Karapoola, NEC Corporation India
• Sharon Brizinov, Claroty Team82 Research
• Sofia Sanchez Margolles
• Subhash Thapa
• Swachchhanda Shrawan Poudel
• Takemasa Kamatani, NEC Corporation
• TruKno
• Vito Alfano, Group-IB
• Wirapong Petshagun
• Wojciech Reguła @_r3ggi
• Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
• Yoshihiro Kori, NEC Corporation
• Zaw Min Htun, @z3tae