ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Updates - October 2025

Version	Start Date	End Date	Data	Changelogs
ATT&CK v18	October 28, 2025	Current version of ATT&CK	v18.0 on MITRE/CTI	17.1 - 18.0 Details (JSON)

The October 2025 (v18) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS.

The biggest changes in ATT&CK are related to the defensive portion of the framework. Detections in techniques have been replaced with Detection Strategies resulting in the addition of Detection Strategies and Analytics, major updates to Data Components, as well as the deprecation of Data Sources. ATT&CK's STIX representation, including these new objects, is described in detail in ATT&CK Data Model. A post describing the defensive changes to the ATT&CK website and the rationalle behind them was published to ATT&CK's Blog in July 2025, and an accompanying blog post describes changes across the release.

In this release the Mobile Technique Abuse Accessibility Features has been un-deprecated (last seen in ATT&CK v6).

This release also includes a human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a machine-readable JSON changelog, whose format is described in ATT&CK's Github.

Statistics

This version of ATT&CK contains 910 Software, 176 Groups, and 55 Campaigns.

Broken out by domain:

Enterprise: 14 Tactics, 216 Techniques, 475 Sub-Techniques, 172 Groups, 784 Software, 52 Campaigns, 44 Mitigations, 691 Detection Strategies, 1739 Analytics, and 106 Data Components
Mobile: 12 Tactics, 77 Techniques, 47 Sub-Techniques, 17 Groups, 122 Software, 3 Campaigns, 13 Mitigations, 124 Detection Strategies, 211 Analytics, and 17 Data Components
ICS: 12 Tactics, 83 Techniques, 14 Groups, 23 Software, 7 Campaigns, 52 Mitigations, 18 Assets, 83 Detection Strategies, 82 Analytics, and 36 Data Components

Release Notes Terminology

New objects: ATT&CK objects which are only present in the new release.
Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
Object revocations: ATT&CK objects which are revoked by a different object.
Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
Object deletions: ATT&CK objects which are no longer found in the STIX data.

Table of Contents

Statistics
Release Notes Terminology
Table of Contents
Techniques
Software
Groups
Campaigns
- Enterprise
Assets
- ICS
  - New Assets
  - Major Version Changes
Mitigations
- Enterprise
  - Minor Version Changes
  - Patches
Data Sources
- Enterprise
  - Deprecations
- Mobile
  - Deprecations
- ICS
  - Deprecations
Data Components
Detection Strategies
Analytics
Contributors to this release

Techniques

Enterprise

New Techniques

Command and Scripting Interpreter: Container CLI/API (v1.0)
Data from Information Repositories: Databases (v1.0)
Delay Execution (v1.0)
Event Triggered Execution: Python Startup Hooks (v1.0)
Impair Defenses: Disable or Modify Network Device Firewall (v1.0)
Local Storage Discovery (v1.0)
Masquerading: Browser Fingerprint (v1.0)
Poisoned Pipeline Execution (v1.0)
Search Threat Vendor Data (v1.0)
Selective Exclusion (v1.0)
Software Discovery: Backup Software Discovery (v1.0)
User Execution: Malicious Library (v1.0)

Major Version Changes

Search Closed Sources: Threat Intel Vendors (v1.0→v2.0)
System Information Discovery (v2.6→v3.0)
Unsecured Credentials: Shell History (v1.2→v2.0)
Virtualization/Sandbox Evasion: Time Based Checks (v1.3→v2.0)

Minor Version Changes

Account Access Removal (v1.4→v1.5)
Account Manipulation: Additional Local or Domain Groups (v1.0→v1.1)
Account Manipulation: Device Registration (v1.3→v1.4)
Acquire Infrastructure (v1.4→v1.5)
Botnet (v1.1→v1.2)
Application Layer Protocol: DNS (v1.3→v1.4)
Application Layer Protocol: File Transfer Protocols (v1.3→v1.4)
Application Layer Protocol: Web Protocols (v1.4→v1.5)
Brute Force (v2.7→v2.8)
Password Spraying (v1.7→v1.8)
Command and Scripting Interpreter: Unix Shell (v1.3→v1.4)
Compromise Infrastructure: DNS Server (v1.2→v1.3)
Compromise Infrastructure: Network Devices (v1.0→v1.1)
Create Account: Local Account (v1.4→v1.5)
Data from Local System (v1.7→v1.8)
Develop Capabilities: Malware (v1.2→v1.3)
Email Spoofing (v1.0→v1.1)
Event Triggered Execution: Component Object Model Hijacking (v1.2→v1.3)
Exploit Public-Facing Application (v2.7→v2.8)
External Remote Services (v2.4→v2.5)
Forced Authentication (v1.3→v1.4)
Gather Victim Host Information: Software (v1.1→v1.2)
Gather Victim Identity Information: Email Addresses (v1.2→v1.3)
Hide Artifacts: Hidden Files and Directories (v1.1→v1.2)
Hide Artifacts: Hidden Window (v1.3→v1.4)
Hide Artifacts: Run Virtual Instance (v1.2→v1.3)
Hide Infrastructure (v1.1→v1.2)
Hijack Execution Flow: DLL (v2.0→v2.1)
Hijack Execution Flow: Services Registry Permissions Weakness (v1.2→v1.3)
Impair Defenses: Disable or Modify Tools (v1.6→v1.7)
Indicator Removal (v2.3→v2.4)
Relocate Malware (v1.1→v1.2)
Ingress Tool Transfer (v2.5→v2.6)
Network Boundary Bridging: Network Address Translation Traversal (v1.1→v1.2)
Non-Standard Port (v1.2→v1.3)
Obfuscated Files or Information: Fileless Storage (v2.0→v2.1)
Obfuscated Files or Information: HTML Smuggling (v1.2→v1.3)
Obtain Capabilities: Tool (v1.1→v1.2)
Phishing: Spearphishing Link (v2.7→v2.8)
Phishing for Information: Spearphishing Link (v1.6→v1.7)
Proxy: External Proxy (v1.2→v1.3)
Proxy: Multi-hop Proxy (v2.3→v2.4)
Remote Services: Remote Desktop Protocol (v1.3→v1.4)
Rootkit (v1.2→v1.3)
Scheduled Task/Job: Scheduled Task (v1.7→v1.8)
Service Stop (v1.3→v1.4)
Software Extensions: Browser Extensions (v1.0→v1.1)
Stage Capabilities: Upload Malware (v1.2→v1.3)
Steal Web Session Cookie (v1.4→v1.5)
Supply Chain Compromise (v1.6→v1.7)
Compromise Software Dependencies and Development Tools (v1.2→v1.3)
System Binary Proxy Execution: Rundll32 (v2.4→v2.5)
System Network Configuration Discovery: Internet Connection Discovery (v1.1→v1.2)
System Network Configuration Discovery: Wi-Fi Discovery (v1.0→v1.1)
System Service Discovery (v1.5→v1.6)
System Shutdown/Reboot (v1.4→v1.5)
User Execution: Malicious Copy and Paste (v1.0→v1.1)
User Execution: Malicious File (v1.5→v1.6)

Patches

Abuse Elevation Control Mechanism (v1.5)
Bypass User Account Control (v2.2)
Elevated Execution with Prompt (v1.1)
Setuid and Setgid (v1.2)
Sudo and Sudo Caching (v1.1)
Access Token Manipulation (v2.1)
Create Process with Token (v1.3)
Make and Impersonate Token (v1.2)
Parent PID Spoofing (v1.1)
SID-History Injection (v1.1)
Token Impersonation/Theft (v1.3)
Account Discovery (v2.6)
Cloud Account (v1.3)
Domain Account (v1.2)
Email Account (v1.2)
Local Account (v1.5)
Account Manipulation (v2.8)
Additional Cloud Credentials (v2.8)
Additional Cloud Roles (v2.5)
Additional Email Delegate Permissions (v2.2)
SSH Authorized Keys (v1.4)
Acquire Access (v1.0)
Acquire Infrastructure: DNS Server (v1.0)
Acquire Infrastructure: Domains (v1.4)
Acquire Infrastructure: Server (v1.3)
Acquire Infrastructure: Virtual Private Server (v1.1)
Acquire Infrastructure: Web Services (v1.3)
Active Scanning (v1.0)
Scanning IP Blocks (v1.1)
Vulnerability Scanning (v1.0)
Wordlist Scanning (v1.0)
Adversary-in-the-Middle (v2.5)
ARP Cache Poisoning (v1.1)
DHCP Spoofing (v1.1)
LLMNR/NBT-NS Poisoning and SMB Relay (v1.4)
Application Layer Protocol (v2.4)
Mail Protocols (v1.2)
Application Window Discovery (v1.3)
Archive Collected Data (v1.0)
Archive via Custom Method (v1.0)
Archive via Library (v1.0)
Archive via Utility (v1.3)
Audio Capture (v1.0)
Automated Collection (v1.4)
Automated Exfiltration (v1.3)
Traffic Duplication (v1.4)
BITS Jobs (v1.5)
Boot or Logon Autostart Execution (v1.3)
Active Setup (v1.1)
Authentication Package (v1.1)
Kernel Modules and Extensions (v1.4)
LSASS Driver (v1.1)
Login Items (v1.1)
Port Monitors (v1.3)
Print Processors (v1.2)
Re-opened Applications (v1.2)
Registry Run Keys / Startup Folder (v2.1)
Security Support Provider (v1.1)
Shortcut Modification (v1.3)
Time Providers (v1.2)
Winlogon Helper DLL (v1.3)
XDG Autostart Entries (v1.2)
Boot or Logon Initialization Scripts (v2.4)
Login Hook (v2.0)
Logon Script (Windows) (v1.0)
Network Logon Script (v1.0)
RC Scripts (v2.2)
Startup Items (v1.1)
Browser Information Discovery (v2.0)
Browser Session Hijacking (v2.1)
Brute Force: Credential Stuffing (v1.7)
Brute Force: Password Cracking (v1.4)
Brute Force: Password Guessing (v1.7)
Build Image on Host (v1.3)
Clipboard Data (v1.2)
Cloud Infrastructure Discovery (v1.3)
Cloud Service Dashboard (v1.5)
Cloud Service Discovery (v1.4)
Cloud Storage Object Discovery (v1.0)
Command and Scripting Interpreter (v2.6)
AppleScript (v1.3)
JavaScript (v2.2)
Network Device CLI (v1.2)
PowerShell (v1.5)
Python (v1.1)
Visual Basic (v1.5)
Windows Command Shell (v1.5)
Communication Through Removable Media (v1.0)
Compromise Accounts (v1.2)
Cloud Accounts (v1.1)
Email Accounts (v1.1)
Social Media Accounts (v1.1)
Compromise Host Software Binary (v2.2)
Compromise Infrastructure (v1.6)
Botnet (v1.0)
Domains (v1.4)
Server (v1.2)
Virtual Private Server (v1.1)
Web Services (v1.2)
Container Administration Command (v1.3)
Container and Resource Discovery (v1.1)
Create Account (v2.6)
Cloud Account (v1.6)
Domain Account (v1.1)
Create or Modify System Process (v1.2)
Launch Agent (v1.5)
Launch Daemon (v1.3)
Systemd Service (v1.6)
Windows Service (v1.6)
Credentials from Password Stores (v1.2)
Credentials from Web Browsers (v1.2)
Keychain (v1.1)
Password Managers (v1.1)
Securityd Memory (v1.2)
Windows Credential Manager (v1.1)
Data Destruction (v1.4)
Data Encoding (v1.3)
Non-Standard Encoding (v1.1)
Standard Encoding (v1.1)
Data Encrypted for Impact (v1.5)
Data Manipulation (v1.1)
Runtime Data Manipulation (v1.2)
Stored Data Manipulation (v1.1)
Transmitted Data Manipulation (v1.1)
Data Obfuscation (v1.2)
Junk Data (v1.1)
Protocol or Service Impersonation (v2.1)
Steganography (v1.1)
Data Staged (v1.5)
Local Data Staging (v1.2)
Remote Data Staging (v1.2)
Data Transfer Size Limits (v1.1)
Data from Cloud Storage (v2.2)
Data from Configuration Repository (v1.1)
Network Device Configuration Dump (v1.1)
SNMP (MIB Dump) (v1.1)
Data from Information Repositories (v3.4)
Code Repositories (v1.2)
Confluence (v1.1)
Sharepoint (v1.1)
Data from Network Shared Drive (v1.5)
Data from Removable Media (v1.3)
Debugger Evasion (v1.1)
Defacement (v1.4)
External Defacement (v1.2)
Internal Defacement (v1.2)
Deobfuscate/Decode Files or Information (v1.4)
Deploy Container (v1.4)
Develop Capabilities (v1.1)
Code Signing Certificates (v1.1)
Digital Certificates (v1.2)
Exploits (v1.0)
Direct Volume Access (v2.3)
Disk Wipe (v1.2)
Disk Content Wipe (v1.2)
Disk Structure Wipe (v1.2)
Domain Trust Discovery (v1.2)
Domain or Tenant Policy Modification (v3.2)
Group Policy Modification (v1.1)
Trust Modification (v2.2)
Drive-by Compromise (v1.7)
Dynamic Resolution (v1.1)
DNS Calculation (v1.1)
Domain Generation Algorithms (v1.2)
Fast Flux DNS (v1.1)
Email Collection (v2.6)
Email Forwarding Rule (v1.4)
Local Email Collection (v1.1)
Remote Email Collection (v1.3)
Encrypted Channel (v1.2)
Asymmetric Cryptography (v1.2)
Symmetric Cryptography (v1.2)
Endpoint Denial of Service (v1.2)
Application Exhaustion Flood (v1.3)
Application or System Exploitation (v1.3)
OS Exhaustion Flood (v1.2)
Service Exhaustion Flood (v1.4)
Escape to Host (v1.6)
Establish Accounts (v1.3)
Cloud Accounts (v1.1)
Email Accounts (v1.1)
Social Media Accounts (v1.1)
Event Triggered Execution (v1.4)
Accessibility Features (v1.2)
AppCert DLLs (v1.1)
AppInit DLLs (v1.2)
Application Shimming (v1.1)
Change Default File Association (v1.1)
Emond (v1.1)
Image File Execution Options Injection (v1.2)
LC_LOAD_DYLIB Addition (v1.1)
Netsh Helper DLL (v1.1)
PowerShell Profile (v1.2)
Screensaver (v1.3)
Trap (v1.1)
Udev Rules (v1.0)
Unix Shell Configuration Modification (v2.2)
Windows Management Instrumentation Event Subscription (v1.5)
Execution Guardrails (v1.3)
Environmental Keying (v1.1)
Exfiltration Over Alternative Protocol (v1.6)
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (v1.2)
Exfiltration Over Symmetric Encrypted Non-C2 Protocol (v1.1)
Exfiltration Over Unencrypted Non-C2 Protocol (v2.2)
Exfiltration Over C2 Channel (v2.3)
Exfiltration Over Other Network Medium (v1.2)
Exfiltration Over Bluetooth (v1.2)
Exfiltration Over Physical Medium (v1.3)
Exfiltration over USB (v1.2)
Exfiltration Over Web Service (v1.5)
Exfiltration to Cloud Storage (v1.3)
Exfiltration to Code Repository (v1.2)
Exploitation for Client Execution (v1.5)
Exploitation for Credential Access (v1.6)
Exploitation for Defense Evasion (v1.5)
Exploitation for Privilege Escalation (v1.6)
Exploitation of Remote Services (v1.2)
Fallback Channels (v1.1)
File and Directory Discovery (v1.7)
File and Directory Permissions Modification (v2.3)
Linux and Mac File and Directory Permissions Modification (v1.2)
Windows File and Directory Permissions Modification (v1.2)
Firmware Corruption (v1.3)
Forge Web Credentials (v1.5)
SAML Tokens (v1.4)
Web Cookies (v1.1)
Gather Victim Host Information (v1.2)
Client Configurations (v1.1)
Firmware (v1.0)
Hardware (v1.1)
Gather Victim Identity Information (v1.3)
Credentials (v1.2)
Employee Names (v1.0)
Gather Victim Network Information (v1.0)
DNS (v1.2)
Domain Properties (v1.1)
IP Addresses (v1.0)
Network Security Appliances (v1.0)
Network Topology (v1.0)
Network Trust Dependencies (v1.0)
Gather Victim Org Information (v1.1)
Business Relationships (v1.0)
Determine Physical Locations (v1.1)
Identify Business Tempo (v1.0)
Identify Roles (v1.0)
Group Policy Discovery (v1.1)
Hardware Additions (v1.7)
Hide Artifacts (v1.4)
Email Hiding Rules (v1.4)
Extended Attributes (v1.0)
Hidden File System (v1.1)
Hidden Users (v1.2)
NTFS File Attributes (v1.2)
Process Argument Spoofing (v1.1)
Resource Forking (v1.1)
VBA Stomping (v1.2)
Hijack Execution Flow (v1.3)
COR_PROFILER (v1.1)
Dylib Hijacking (v2.1)
Dynamic Linker Hijacking (v2.1)
Executable Installer File Permissions Weakness (v1.1)
KernelCallbackTable (v1.0)
Path Interception by PATH Environment Variable (v1.2)
Path Interception by Search Order Hijacking (v1.1)
Path Interception by Unquoted Path (v1.1)
Services File Permissions Weakness (v1.1)
Impair Defenses (v1.7)
Disable Windows Event Logging (v1.4)
Disable or Modify Cloud Firewall (v1.3)
Disable or Modify Cloud Logs (v2.1)
Disable or Modify System Firewall (v1.3)
Downgrade Attack (v1.3)
Impair Command History Logging (v2.3)
Indicator Blocking (v1.5)
Safe Mode Boot (v1.1)
Implant Internal Image (v2.2)
Indicator Removal: Clear Command History (v1.6)
Indicator Removal: Clear Linux or Mac System Logs (v1.0)
Indicator Removal: Clear Windows Event Logs (v1.5)
Indicator Removal: File Deletion (v1.2)
Indicator Removal: Network Share Connection Removal (v1.2)
Indicator Removal: Timestomp (v1.2)
Indirect Command Execution (v1.3)
Inhibit System Recovery (v1.6)
Input Capture (v1.4)
Credential API Hooking (v1.2)
GUI Input Capture (v1.3)
Keylogging (v1.3)
Web Portal Capture (v1.1)
Inter-Process Communication (v1.4)
Component Object Model (v1.2)
Dynamic Data Exchange (v1.4)
Internal Spearphishing (v1.4)
Lateral Tool Transfer (v1.4)
Masquerading (v1.8)
Double File Extension (v1.0)
Invalid Code Signature (v1.0)
Masquerade File Type (v1.1)
Masquerade Task or Service (v1.2)
Match Legitimate Resource Name or Location (v2.0)
Rename Legitimate Utilities (v2.0)
Right-to-Left Override (v1.1)
Space after Filename (v1.1)
Modify Authentication Process (v2.6)
Domain Controller Authentication (v2.1)
Network Device Authentication (v2.1)
Password Filter DLL (v2.1)
Pluggable Authentication Modules (v2.1)
Reversible Encryption (v1.1)
Modify Cloud Compute Infrastructure (v1.2)
Create Cloud Instance (v1.2)
Create Snapshot (v1.2)
Delete Cloud Instance (v1.2)
Revert Cloud Instance (v1.2)
Modify Registry (v2.0)
Modify System Image (v1.1)
Downgrade System Image (v1.1)
Patch System Image (v1.1)
Multi-Factor Authentication Interception (v2.1)
Multi-Factor Authentication Request Generation (v1.2)
Multi-Stage Channels (v1.1)
Native API (v2.3)
Network Boundary Bridging (v1.2)
Network Denial of Service (v1.2)
Direct Network Flood (v1.4)
Reflection Amplification (v1.4)
Network Service Discovery (v3.2)
Network Share Discovery (v3.2)
Network Sniffing (v1.7)
Non-Application Layer Protocol (v2.4)
OS Credential Dumping (v2.2)
/etc/passwd and /etc/shadow (v1.2)
Cached Domain Credentials (v1.1)
DCSync (v1.1)
LSA Secrets (v1.1)
LSASS Memory (v1.5)
NTDS (v1.3)
Proc Filesystem (v1.2)
Security Account Manager (v1.1)
Obfuscated Files or Information (v1.7)
Binary Padding (v1.3)
Compile After Delivery (v1.2)
Indicator Removal from Tools (v1.2)
LNK Icon Smuggling (v1.0)
Software Packing (v1.3)
Steganography (v1.2)
Obtain Capabilities (v1.1)
Artificial Intelligence (v1.1)
Code Signing Certificates (v1.1)
Digital Certificates (v1.2)
Exploits (v1.0)
Malware (v1.1)
Vulnerabilities (v1.0)
Office Application Startup (v1.4)
Add-ins (v1.2)
Office Template Macros (v1.2)
Office Test (v1.3)
Outlook Forms (v1.2)
Outlook Home Page (v1.2)
Outlook Rules (v1.2)
Password Policy Discovery (v1.7)
Peripheral Device Discovery (v1.4)
Permission Groups Discovery (v2.6)
Cloud Groups (v1.5)
Domain Groups (v1.2)
Local Groups (v1.2)
Phishing (v2.7)
Spearphishing Attachment (v2.2)
Spearphishing Voice (v1.2)
Spearphishing via Service (v2.0)
Phishing for Information (v1.4)
Spearphishing Attachment (v1.2)
Spearphishing Service (v1.0)
Plist File Modification (v1.0)
Power Settings (v1.1)
Pre-OS Boot (v1.3)
Bootkit (v1.2)
Component Firmware (v1.2)
ROMMONkit (v1.1)
System Firmware (v1.2)
TFTP Boot (v1.1)
Process Discovery (v1.6)
Process Injection (v1.4)
Asynchronous Procedure Call (v1.2)
Dynamic-link Library Injection (v1.4)
Extra Window Memory Injection (v1.1)
ListPlanting (v1.2)
Portable Executable Injection (v1.2)
Proc Memory (v1.1)
Process Doppelgänging (v1.1)
Process Hollowing (v1.4)
Ptrace System Calls (v1.2)
Thread Execution Hijacking (v1.2)
Thread Local Storage (v1.2)
VDSO Hijacking (v1.2)
Protocol Tunneling (v1.1)
Proxy (v3.2)
Domain Fronting (v1.2)
Internal Proxy (v1.2)
Query Registry (v1.3)
Reflective Code Loading (v1.3)
Remote Access Tools (v3.0)
Remote Service Session Hijacking (v1.1)
RDP Hijacking (v1.1)
SSH Hijacking (v1.1)
Remote Services (v1.6)
Distributed Component Object Model (v1.3)
SMB/Windows Admin Shares (v1.3)
SSH (v1.3)
VNC (v1.2)
Windows Remote Management (v1.2)
Remote System Discovery (v3.6)
Replication Through Removable Media (v1.3)
Resource Hijacking (v2.0)
Rogue Domain Controller (v2.2)
Scheduled Task/Job (v2.4)
At (v2.4)
Container Orchestration Job (v1.4)
Cron (v1.3)
Systemd Timers (v1.3)
Scheduled Transfer (v1.1)
Screen Capture (v1.1)
Search Closed Sources (v1.1)
Purchase Technical Data (v1.0)
Search Open Technical Databases (v1.0)
CDNs (v1.0)
DNS/Passive DNS (v1.0)
Digital Certificates (v1.0)
Scan Databases (v1.0)
WHOIS (v1.0)
Search Open Websites/Domains (v1.1)
Code Repositories (v1.0)
Search Engines (v1.0)
Social Media (v1.0)
Search Victim-Owned Websites (v1.1)
Server Software Component (v1.5)
IIS Components (v1.1)
SQL Stored Procedures (v1.1)
Terminal Services DLL (v1.0)
Transport Agent (v1.1)
Web Shell (v1.5)
Shared Modules (v2.3)
Software Deployment Tools (v3.2)
Software Discovery (v1.5)
Security Software Discovery (v1.5)
Software Extensions (v2.0)
Stage Capabilities (v1.2)
Drive-by Target (v1.3)
Install Digital Certificate (v1.1)
Link Target (v1.4)
Upload Tool (v1.2)
Steal Application Access Token (v1.5)
Steal or Forge Kerberos Tickets (v1.7)
AS-REP Roasting (v1.2)
Golden Ticket (v1.2)
Kerberoasting (v1.3)
Silver Ticket (v1.1)
Subvert Trust Controls (v1.3)
Code Signing (v1.2)
Code Signing Policy Modification (v1.1)
Gatekeeper Bypass (v1.3)
Install Root Certificate (v1.3)
Mark-of-the-Web Bypass (v1.2)
SIP and Trust Provider Hijacking (v1.1)
Supply Chain Compromise: Compromise Hardware Supply Chain (v1.1)
Supply Chain Compromise: Compromise Software Supply Chain (v1.1)
System Binary Proxy Execution (v3.2)
CMSTP (v2.2)
Compiled HTML File (v2.2)
Control Panel (v2.1)
InstallUtil (v2.1)
MMC (v2.1)
Mavinject (v2.0)
Mshta (v2.1)
Msiexec (v2.1)
Odbcconf (v2.1)
Regsvcs/Regasm (v2.1)
Regsvr32 (v2.2)
Verclsid (v2.1)
System Location Discovery (v1.1)
System Language Discovery (v1.1)
System Network Configuration Discovery (v1.7)
System Network Connections Discovery (v2.5)
System Owner/User Discovery (v1.6)
System Script Proxy Execution (v2.1)
PubPrn (v2.1)
System Services (v1.4)
Launchctl (v1.3)
Service Execution (v1.3)
System Time Discovery (v1.5)
Taint Shared Content (v1.6)
Template Injection (v1.4)
Traffic Signaling (v2.5)
Port Knocking (v1.2)
Socket Filters (v1.0)
Transfer Data to Cloud Account (v1.5)
Trusted Developer Utilities Proxy Execution (v1.3)
MSBuild (v1.4)
Trusted Relationship (v2.4)
Unsecured Credentials (v1.5)
Cloud Instance Metadata API (v1.4)
Container API (v1.2)
Credentials In Files (v1.3)
Credentials in Registry (v1.2)
Group Policy Preferences (v1.1)
Private Keys (v1.3)
Unused/Unsupported Cloud Regions (v1.1)
Use Alternate Authentication Material (v1.5)
Application Access Token (v1.8)
Pass the Hash (v1.3)
Pass the Ticket (v1.2)
Web Session Cookie (v1.5)
User Execution (v1.8)
Malicious Image (v1.2)
Malicious Link (v1.2)
Valid Accounts (v2.8)
Cloud Accounts (v1.9)
Default Accounts (v1.5)
Domain Accounts (v1.5)
Local Accounts (v1.5)
Video Capture (v1.2)
Virtualization/Sandbox Evasion (v1.4)
System Checks (v2.3)
User Activity Based Checks (v1.2)
Weaken Encryption (v1.1)
Disable Crypto Hardware (v1.1)
Reduce Key Space (v1.1)
Web Service (v1.3)
Bidirectional Communication (v1.1)
Dead Drop Resolver (v1.1)
One-Way Communication (v1.1)
Windows Management Instrumentation (v1.6)
XSL Script Processing (v1.3)

Mobile

New Techniques

Linked Devices (v1.0)
Protected User Data: Accounts (v1.0)

Major Version Changes

Abuse Accessibility Features (v2.0→v3.0)

Minor Version Changes

Network Denial of Service (v1.3→v1.4)
Phishing (v1.0→v1.1)

Patches

Abuse Accessibility Features (v2.0)
Abuse Elevation Control Mechanism (v1.1)
Device Administrator Permissions (v1.1)
Access Notifications (v1.2)
Account Access Removal (v1.1)
Adversary-in-the-Middle (v2.2)
Application Layer Protocol (v1.2)
Web Protocols (v1.0)
Archive Collected Data (v2.0)
Audio Capture (v3.1)
Boot or Logon Initialization Scripts (v2.1)
Call Control (v1.2)
Clipboard Data (v3.1)
Command and Scripting Interpreter (v1.2)
Unix Shell (v1.2)
Compromise Application Executable (v1.0)
Compromise Client Software Binary (v1.1)
Credentials from Password Store (v1.1)
Keychain (v1.1)
Data Encrypted for Impact (v3.2)
Data Manipulation (v1.1)
Transmitted Data Manipulation (v1.1)
Data from Local System (v1.1)
Download New Code at Runtime (v1.5)
Drive-By Compromise (v2.2)
Dynamic Resolution (v1.1)
Domain Generation Algorithms (v1.1)
Encrypted Channel (v2.0)
Asymmetric Cryptography (v1.0)
Symmetric Cryptography (v1.0)
Endpoint Denial of Service (v1.1)
Event Triggered Execution (v1.1)
Broadcast Receivers (v1.1)
Execution Guardrails (v1.1)
Geofencing (v1.1)
Exfiltration Over Alternative Protocol (v1.1)
Exfiltration Over Unencrypted Non-C2 Protocol (v1.1)
Exfiltration Over C2 Channel (v1.1)
Exploitation for Privilege Escalation (v2.1)
Exploitation of Remote Services (v1.2)
File and Directory Discovery (v1.2)
Foreground Persistence (v2.1)
Generate Traffic from Victim (v1.1)
Hide Artifacts (v1.1)
Suppress Application Icon (v1.1)
User Evasion (v1.0)
Hijack Execution Flow (v1.1)
System Runtime API Hijacking (v1.1)
Hooking (v1.0)
Impair Defenses (v1.1)
Device Lockout (v1.1)
Disable or Modify Tools (v1.1)
Prevent Application Removal (v1.2)
Indicator Removal on Host (v1.1)
Disguise Root/Jailbreak Indicators (v1.1)
File Deletion (v1.1)
Uninstall Malicious Application (v1.1)
Ingress Tool Transfer (v2.2)
Input Capture (v2.3)
GUI Input Capture (v1.1)
Keylogging (v1.1)
Input Injection (v1.2)
Location Tracking (v1.2)
Impersonate SS7 Nodes (v1.1)
Remote Device Management Services (v1.1)
Lockscreen Bypass (v1.3)
Masquerading (v1.0)
Native API (v2.0)
Network Service Scanning (v1.1)
Non-Standard Port (v2.1)
Obfuscated Files or Information (v3.1)
Software Packing (v1.1)
Steganography (v1.0)
Out of Band Data (v2.1)
Process Discovery (v2.1)
Process Injection (v1.1)
Ptrace System Calls (v1.1)
Protected User Data (v1.1)
Calendar Entries (v1.1)
Call Log (v1.1)
Contact List (v1.1)
SMS Messages (v1.1)
Proxy Through Victim (v1.1)
SMS Control (v1.1)
Scheduled Task/Job (v1.0)
Screen Capture (v1.3)
Software Discovery (v2.1)
Security Software Discovery (v1.1)
Steal Application Access Token (v1.2)
URI Hijacking (v1.1)
Stored Application Data (v3.1)
Subvert Trust Controls (v1.1)
Code Signing Policy Modification (v1.1)
Supply Chain Compromise (v2.1)
Compromise Hardware Supply Chain (v1.1)
Compromise Software Dependencies and Development Tools (v1.1)
Compromise Software Supply Chain (v1.1)
System Information Discovery (v1.2)
System Network Configuration Discovery (v2.4)
System Network Connections Discovery (v2.1)
Video Capture (v2.1)
Virtualization/Sandbox Evasion (v1.1)
System Checks (v1.1)
Web Service (v1.3)
Bidirectional Communication (v1.2)
Dead Drop Resolver (v1.2)
One-Way Communication (v1.2)

ICS

Patches

Screen Capture (v1.0)
Theft of Operational Information (v1.0)

Software

Enterprise

New Software

BOOKWORM (v1.0)
BeaverTail (v1.0)
CANONSTAGER (v1.0)
CASTLETAP (v1.0)
CLAIMLOADER (v1.0)
CorKLOG (v1.0)
Embargo (v1.0)
HIUPAN (v1.0)
Havoc (v1.0)
HexEval Loader (v1.0)
InvisibleFerret (v1.0)
MEDUSA (v1.0)
MOPSLED (v1.0)
Medusa Ransomware (v1.0)
PAKLOG (v1.0)
PUBLOAD (v1.0)
Qilin (v1.0)
REPTILE (v1.0)
RIFLESPINE (v1.0)
RedLine Stealer (v1.0)
STATICPLUGIN (v1.0)
SplatCloak (v1.0)
SplatDropper (v1.0)
StarProxy (v1.0)
THINCRUST (v1.0)
TONESHELL (v1.0)
VIRTUALPIE (v1.0)
VIRTUALPITA (v1.0)
XORIndex Loader (v1.0)

Major Version Changes

Lizar (v1.0→v2.0)

Minor Version Changes

Patches

Empire (v1.8)
PlugX (v3.2)

Mobile

New Software

CherryBlos (v1.0)
DCHSpy (v1.0)
GodFather (v1.0)
RatMilad (v1.0)

Major Version Changes

Chameleon (v1.0→v2.0)

ICS

Minor Version Changes

REvil (v2.2→v2.3)

Groups

Enterprise

New Groups

AppleJeus (v1.0)
Contagious Interview (v1.0)
Medusa Group (v1.0)
Storm-0501 (v1.0)
UNC3886 (v1.0)
Water Galura (v1.0)

Major Version Changes

Lazarus Group (v4.1→v5.0)
MuddyWater (v5.1→v6.0)
Mustang Panda (v2.1→v3.0)
Scattered Spider (v2.0→v3.0)
Star Blizzard (v1.0→v2.0)
Threat Group-3390 (v2.2→v3.0)

Minor Version Changes

APT41 (v4.1→v4.2)
Earth Lusca (v2.0→v2.1)
FIN7 (v4.0→v4.1)
Gamaredon Group (v3.1→v3.2)
Higaisa (v1.1→v1.2)
Patchwork (v1.5→v1.6)
TeamTNT (v1.3→v1.4)
Tropic Trooper (v1.5→v1.6)
ZIRCONIUM (v2.2→v2.3)

Patches

Kimsuky (v5.1)

Mobile

New Groups

MuddyWater (v6.0)
Star Blizzard (v2.0)

Major Version Changes

Scattered Spider (v2.0→v3.0)

Minor Version Changes

APT41 (v4.1→v4.2)
Earth Lusca (v2.0→v2.1)

ICS

Major Version Changes

Lazarus Group (v4.1→v5.0)

Minor Version Changes

FIN7 (v4.0→v4.1)

Campaigns

Enterprise

New Campaigns

3CX Supply Chain Attack (v1.0)
Quad7 Activity (v1.0)
RedPenguin (v1.0)
Salesforce Data Exfiltration (v1.0)
SharePoint ToolShell Exploitation (v1.0)

Minor Version Changes

Operation Wocao (v1.1→v1.2)

Patches

SolarWinds Compromise (v1.1)

Assets

ICS

New Assets

Distributed Control System (DCS) Controller (v1.0)
Firewall (v1.0)
Programmable Automation Controller (PAC) (v1.0)
Switch (v1.0)

Major Version Changes

Application Server (v1.0→v2.0)
Control Server (v1.0→v2.0)
Data Gateway (v1.0→v2.0)
Data Historian (v1.0→v2.0)
Routers (v1.0→v2.0)
Workstation (v1.0→v2.0)

Mitigations

Enterprise

Minor Version Changes

Application Isolation and Sandboxing (v1.2→v1.3)

Patches

Multi-factor Authentication (v1.1)

Data Sources

Enterprise

Deprecations

Mobile

Deprecations

Application Vetting (v1.0)
Command (v1.2)
Network Traffic (v1.2)
Process (v1.2)
Sensor Health (v1.1)
User Interface (v1.0)

ICS

Deprecations

Application Log (v1.1)
Asset (v1.0)
Command (v1.2)
Drive (v1.0)
File (v1.1)
Firmware (v1.0)
Logon Session (v1.2)
Module (v1.0)
Network Share (v1.0)
Network Traffic (v1.2)
Operational Databases (v1.0)
Process (v1.2)
Scheduled Job (v1.1)
Script (v1.2)
Service (v1.1)
User Account (v1.2)
Windows Registry (v1.0)

Data Components

Enterprise

Major Version Changes

Active DNS (v1.1→v2.0)
Active Directory Credential Request (v1.1→v2.0)
Active Directory Object Access (v1.1→v2.0)
Active Directory Object Creation (v1.1→v2.0)
Active Directory Object Deletion (v1.1→v2.0)
Active Directory Object Modification (v1.1→v2.0)
Application Log Content (v1.1→v2.0)
Certificate Registration (v1.1→v2.0)
Cloud Service Disable (v1.1→v2.0)
Cloud Service Enumeration (v1.1→v2.0)
Cloud Service Metadata (v1.1→v2.0)
Cloud Service Modification (v1.1→v2.0)
Cloud Storage Access (v1.1→v2.0)
Cloud Storage Creation (v1.1→v2.0)
Cloud Storage Deletion (v1.1→v2.0)
Cloud Storage Enumeration (v1.1→v2.0)
Cloud Storage Metadata (v1.1→v2.0)
Cloud Storage Modification (v1.1→v2.0)
Command Execution (v1.2→v2.0)
Container Creation (v1.1→v2.0)
Container Enumeration (v1.1→v2.0)
Container Start (v1.1→v2.0)
Domain Registration (v1.1→v2.0)
Drive Access (v1.1→v2.0)
Drive Creation (v1.1→v2.0)
Drive Modification (v1.1→v2.0)
Driver Load (v1.1→v2.0)
Driver Metadata (v1.1→v2.0)
File Access (v1.1→v2.0)
File Creation (v1.1→v2.0)
File Deletion (v1.1→v2.0)
File Metadata (v1.1→v2.0)
File Modification (v1.1→v2.0)
Firewall Disable (v1.1→v2.0)
Firewall Enumeration (v1.1→v2.0)
Firewall Metadata (v1.1→v2.0)
Firewall Rule Modification (v1.1→v2.0)
Firmware Modification (v1.1→v2.0)
Group Enumeration (v1.1→v2.0)
Group Metadata (v1.1→v2.0)
Group Modification (v1.1→v2.0)
Host Status (v1.1→v2.0)
Image Creation (v1.1→v2.0)
Image Deletion (v1.1→v2.0)
Image Metadata (v1.1→v2.0)
Image Modification (v1.0→v2.0)
Instance Creation (v1.1→v2.0)
Instance Deletion (v1.1→v2.0)
Instance Enumeration (v1.1→v2.0)
Instance Metadata (v1.0→v2.0)
Instance Modification (v1.1→v2.0)
Instance Start (v1.1→v2.0)
Instance Stop (v1.1→v2.0)
Kernel Module Load (v1.1→v2.0)
Logon Session Creation (v1.2→v2.0)
Logon Session Metadata (v1.0→v2.0)
Malware Content (v1.2→v2.0)
Malware Metadata (v1.1→v2.0)
Module Load (v1.1→v2.0)
Named Pipe Metadata (v1.1→v2.0)
Network Connection Creation (v1.2→v2.0)
Network Share Access (v1.1→v2.0)
Network Traffic Content (v1.1→v2.0)
Network Traffic Flow (v1.1→v2.0)
OS API Execution (v1.1→v2.0)
Passive DNS (v1.1→v2.0)
Pod Creation (v1.1→v2.0)
Pod Enumeration (v1.1→v2.0)
Pod Modification (v1.1→v2.0)
Process Access (v1.1→v2.0)
Process Creation (v1.2→v2.0)
Process Metadata (v1.0→v2.0)
Process Modification (v1.1→v2.0)
Process Termination (v1.1→v2.0)
Response Content (v1.1→v2.0)
Response Metadata (v1.1→v2.0)
Scheduled Job Creation (v1.1→v2.0)
Scheduled Job Metadata (v1.0→v2.0)
Scheduled Job Modification (v1.0→v2.0)
Script Execution (v1.2→v2.0)
Service Creation (v1.1→v2.0)
Service Metadata (v1.0→v2.0)
Service Modification (v1.1→v2.0)
Snapshot Creation (v1.1→v2.0)
Snapshot Deletion (v1.1→v2.0)
Snapshot Enumeration (v1.1→v2.0)
Snapshot Metadata (v1.0→v2.0)
Snapshot Modification (v1.1→v2.0)
Social Media (v1.1→v2.0)
User Account Authentication (v1.2→v2.0)
User Account Creation (v1.1→v2.0)
User Account Deletion (v1.1→v2.0)
User Account Metadata (v1.0→v2.0)
User Account Modification (v1.1→v2.0)
Volume Creation (v1.1→v2.0)
Volume Deletion (v1.1→v2.0)
Volume Enumeration (v1.0→v2.0)
Volume Metadata (v1.0→v2.0)
Volume Modification (v1.0→v2.0)
WMI Creation (v1.1→v2.0)
Web Credential Creation (v1.0→v2.0)
Web Credential Usage (v1.0→v2.0)
Windows Registry Key Access (v1.1→v2.0)
Windows Registry Key Creation (v1.1→v2.0)
Windows Registry Key Deletion (v1.1→v2.0)
Windows Registry Key Modification (v1.1→v2.0)

Mobile

Major Version Changes

API Calls (v1.0→v2.0)
Application Assets (v1.0→v2.0)
Command Execution (v1.2→v2.0)
Host Status (v1.1→v2.0)
Network Communication (v1.0→v2.0)
Network Connection Creation (v1.2→v2.0)
Network Traffic Content (v1.1→v2.0)
Network Traffic Flow (v1.1→v2.0)
OS API Execution (v1.1→v2.0)
Permissions Request (v1.0→v2.0)
Permissions Requests (v1.0→v2.0)
Process Creation (v1.2→v2.0)
Process Metadata (v1.0→v2.0)
Process Termination (v1.1→v2.0)
Protected Configuration (v1.0→v2.0)
System Notifications (v1.0→v2.0)
System Settings (v1.0→v2.0)

ICS

Major Version Changes

Application Log Content (v1.1→v2.0)
Asset Inventory (v1.0→v2.0)
Command Execution (v1.2→v2.0)
Device Alarm (v1.0→v2.0)
Drive Creation (v1.1→v2.0)
Drive Modification (v1.1→v2.0)
File Access (v1.1→v2.0)
File Creation (v1.1→v2.0)
File Deletion (v1.1→v2.0)
File Metadata (v1.1→v2.0)
File Modification (v1.1→v2.0)
Firmware Modification (v1.1→v2.0)
Logon Session Creation (v1.2→v2.0)
Logon Session Metadata (v1.0→v2.0)
Module Load (v1.1→v2.0)
Network Connection Creation (v1.2→v2.0)
Network Share Access (v1.1→v2.0)
Network Traffic Content (v1.1→v2.0)
Network Traffic Flow (v1.1→v2.0)
OS API Execution (v1.1→v2.0)
Process Creation (v1.2→v2.0)
Process History/Live Data (v1.0→v2.0)
Process Metadata (v1.0→v2.0)
Process Termination (v1.1→v2.0)
Process/Event Alarm (v1.0→v2.0)
Scheduled Job Creation (v1.1→v2.0)
Scheduled Job Metadata (v1.0→v2.0)
Scheduled Job Modification (v1.0→v2.0)
Script Execution (v1.2→v2.0)
Service Creation (v1.1→v2.0)
Service Metadata (v1.0→v2.0)
Service Modification (v1.1→v2.0)
Software (v1.0→v2.0)
User Account Authentication (v1.2→v2.0)
Windows Registry Key Deletion (v1.1→v2.0)
Windows Registry Key Modification (v1.1→v2.0)

Detection Strategies

Enterprise

New Detection Strategies

Mobile

New Detection Strategies

Detection of Abuse Accessibility Features (v1.0)
Detection of Abuse Elevation Control Mechanism (v1.0)
Detection of Access Notifications (v1.0)
Detection of Account Access Removal (v1.0)
Detection of Accounts (v1.0)
Detection of Adversary-in-the-Middle (v1.0)
Detection of Application Layer Protocol (v1.0)
Detection of Application Versioning (v1.0)
Detection of Archive Collected Data (v1.0)
Detection of Asymmetric Cryptography (v1.0)
Detection of Audio Capture (v1.0)
Detection of Bidirectional Communication (v1.0)
Detection of Boot or Logon Initialization Scripts (v1.0)
Detection of Broadcast Receivers (v1.0)
Detection of Calendar Entries (v1.0)
Detection of Call Control (v1.0)
Detection of Call Log (v1.0)
Detection of Clipboard Data (v1.0)
Detection of Code Signing Policy Modification (v1.0)
Detection of Command and Scripting Interpreter (v1.0)
Detection of Compromise Application Executable (v1.0)
Detection of Compromise Client Software Binary (v1.0)
Detection of Compromise Hardware Supply Chain (v1.0)
Detection of Compromise Software Dependencies and Development Tools (v1.0)
Detection of Compromise Software Supply Chain (v1.0)
Detection of Conceal Multimedia Files (v1.0)
Detection of Contact List (v1.0)
Detection of Credentials from Password Store (v1.0)
Detection of Data Destruction (v1.0)
Detection of Data Encrypted for Impact (v1.0)
Detection of Data Manipulation (v1.0)
Detection of Data from Local System (v1.0)
Detection of Dead Drop Resolver (v1.0)
Detection of Device Administrator Permissions (v1.0)
Detection of Device Lockout (v1.0)
Detection of Disable or Modify Tools (v1.0)
Detection of Disguise Root/Jailbreak Indicators (v1.0)
Detection of Domain Generation Algorithms (v1.0)
Detection of Download New Code at Runtime (v1.0)
Detection of Drive-By Compromise (v1.0)
Detection of Dynamic Resolution (v1.0)
Detection of Encrypted Channel (v1.0)
Detection of Endpoint Denial of Service (v1.0)
Detection of Event Triggered Execution (v1.0)
Detection of Execution Guardrails (v1.0)
Detection of Exfiltration Over Alternative Protocol (v1.0)
Detection of Exfiltration Over C2 Channel (v1.0)
Detection of Exfiltration Over Unencrypted Non-C2 Protocol (v1.0)
Detection of Exploitation for Client Execution (v1.0)
Detection of Exploitation for Initial Access (v1.0)
Detection of Exploitation for Privilege Escalation (v1.0)
Detection of Exploitation of Remote Services (v1.0)
Detection of File Deletion (v1.0)
Detection of File and Directory Discovery (v1.0)
Detection of Foreground Persistence (v1.0)
Detection of GUI Input Capture (v1.0)
Detection of Generate Traffic from Victim (v1.0)
Detection of Geofencing (v1.0)
Detection of Hide Artifacts (v1.0)
Detection of Hijack Execution Flow (v1.0)
Detection of Hooking (v1.0)
Detection of Impair Defenses (v1.0)
Detection of Impersonate SS7 Nodes (v1.0)
Detection of Indicator Removal on Host (v1.0)
Detection of Ingress Tool Transfer (v1.0)
Detection of Input Capture (v1.0)
Detection of Input Injection (v1.0)
Detection of Internet Connection Discovery (v1.0)
Detection of Keychain (v1.0)
Detection of Keylogging (v1.0)
Detection of Linked Devices (v1.0)
Detection of Location Tracking (v1.0)
Detection of Lockscreen Bypass (v1.0)
Detection of Masquerading (v1.0)
Detection of Match Legitimate Name or Location (v1.0)
Detection of Native API (v1.0)
Detection of Network Denial of Service (v1.0)
Detection of Network Service Scanning (v1.0)
Detection of Non-Standard Port (v1.0)
Detection of Obfuscated Files or Information (v1.0)
Detection of One-Way Communication (v1.0)
Detection of Out of Band Data (v1.0)
Detection of Phishing (v1.0)
Detection of Prevent Application Removal (v1.0)
Detection of Process Discovery (v1.0)
Detection of Process Injection (v1.0)
Detection of Protected User Data (v1.0)
Detection of Proxy Through Victim (v1.0)
Detection of Ptrace System Calls (v1.0)
Detection of Remote Access Software (v1.0)
Detection of Remote Device Management Services (v1.0)
Detection of Replication Through Removable Media (v1.0)
Detection of SIM Card Swap (v1.0)
Detection of SMS Control (v1.0)
Detection of SMS Messages (v1.0)
Detection of SSL Pinning (v1.0)
Detection of Scheduled Task/Job (v1.0)
Detection of Screen Capture (v1.0)
Detection of Security Software Discovery (v1.0)
Detection of Software Discovery (v1.0)
Detection of Software Packing (v1.0)
Detection of Steal Application Access Token (v1.0)
Detection of Steganography (v1.0)
Detection of Stored Application Data (v1.0)
Detection of Subvert Trust Controls (v1.0)
Detection of Supply Chain Compromise (v1.0)
Detection of Suppress Application Icon (v1.0)
Detection of Symmetric Cryptography (v1.0)
Detection of System Checks (v1.0)
Detection of System Information Discovery (v1.0)
Detection of System Network Configuration Discovery (v1.0)
Detection of System Network Connections Discovery (v1.0)
Detection of System Runtime API Hijacking (v1.0)
Detection of Transmitted Data Manipulation (v1.0)
Detection of URI Hijacking (v1.0)
Detection of Uninstall Malicious Application (v1.0)
Detection of Unix Shell (v1.0)
Detection of User Evasion (v1.0)
Detection of Video Capture (v1.0)
Detection of Virtualization Solution (v1.0)
Detection of Virtualization/Sandbox Evasion (v1.0)
Detection of Web Protocols (v1.0)
Detection of Web Service (v1.0)
Detection of Wi-Fi Discovery (v1.0)

ICS

New Detection Strategies

Detection of Activate Firmware Update Mode (v1.0)
Detection of Adversary-in-the-Middle (v1.0)
Detection of Alarm Suppression (v1.0)
Detection of Automated Collection (v1.0)
Detection of Autorun Image (v1.0)
Detection of Block Command Message (v1.0)
Detection of Block Reporting Message (v1.0)
Detection of Block Serial COM (v1.0)
Detection of Brute Force I/O (v1.0)
Detection of Change Credential (v1.0)
Detection of Change Operating Mode (v1.0)
Detection of Command-Line Interface (v1.0)
Detection of Commonly Used Port (v1.0)
Detection of Connection Proxy (v1.0)
Detection of Damage to Property (v1.0)
Detection of Data Destruction (v1.0)
Detection of Data from Information Repositories (v1.0)
Detection of Data from Local System (v1.0)
Detection of Default Credentials (v1.0)
Detection of Denial of Control (v1.0)
Detection of Denial of Service (v1.0)
Detection of Denial of View (v1.0)
Detection of Detect Operating Mode (v1.0)
Detection of Device Restart/Shutdown (v1.0)
Detection of Drive-by Compromise (v1.0)
Detection of Execution through API (v1.0)
Detection of Exploit Public-Facing Application (v1.0)
Detection of Exploitation for Evasion (v1.0)
Detection of Exploitation for Privilege Escalation (v1.0)
Detection of Exploitation of Remote Services (v1.0)
Detection of External Remote Services (v1.0)
Detection of Graphical User Interface (v1.0)
Detection of Hardcoded Credentials (v1.0)
Detection of Hooking (v1.0)
Detection of I/O Image (v1.0)
Detection of Indicator Removal on Host (v1.0)
Detection of Internet Accessible Device (v1.0)
Detection of Lateral Tool Transfer (v1.0)
Detection of Loss of Availability (v1.0)
Detection of Loss of Control (v1.0)
Detection of Loss of Productivity and Revenue (v1.0)
Detection of Loss of Protection (v1.0)
Detection of Loss of Safety (v1.0)
Detection of Loss of View (v1.0)
Detection of Manipulate I/O Image (v1.0)
Detection of Manipulation of Control (v1.0)
Detection of Manipulation of View (v1.0)
Detection of Masquerading (v1.0)
Detection of Modify Alarm Settings (v1.0)
Detection of Modify Controller Tasking (v1.0)
Detection of Modify Parameter (v1.0)
Detection of Modify Program (v1.0)
Detection of Module Firmware (v1.0)
Detection of Monitor Process State (v1.0)
Detection of Native API (v1.0)
Detection of Network Connection Enumeration (v1.0)
Detection of Network Sniffing (v1.0)
Detection of Point & Tag Identification (v1.0)
Detection of Program Download (v1.0)
Detection of Program Upload (v1.0)
Detection of Project File Infection (v1.0)
Detection of Remote Services (v1.0)
Detection of Remote System Discovery (v1.0)
Detection of Remote System Information Discovery (v1.0)
Detection of Replication Through Removable Media (v1.0)
Detection of Rogue Master (v1.0)
Detection of Rootkit (v1.0)
Detection of Screen Capture (v1.0)
Detection of Scripting (v1.0)
Detection of Service Stop (v1.0)
Detection of Spearphishing Attachment (v1.0)
Detection of Spoof Reporting Message (v1.0)
Detection of Standard Application Layer Protocol (v1.0)
Detection of Supply Chain Compromise (v1.0)
Detection of System Binary Proxy Execution (v1.0)
Detection of System Firmware (v1.0)
Detection of Theft of Operational Information (v1.0)
Detection of Transient Cyber Asset (v1.0)
Detection of Unauthorized Command Message (v1.0)
Detection of User Execution (v1.0)
Detection of Valid Accounts (v1.0)
Detection of Wireless Compromise (v1.0)
Detection of Wireless Sniffing (v1.0)

Analytics

Enterprise

New Analytics

Mobile

New Analytics

ICS

New Analytics

Contributors to this release