MITRE ATT&CK April 2021 Update: New Techniques

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge. MITRE ATT&CK® Released Updates in April 2021 With Additional Techniques and Structuring update versioned as ATT&CK v9. “The April 2021 (v9) ATT&CK release updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest changes are a change in how we describe data sources, the addition of the Containers and Google Workspace platforms, and the replacement of the AWS, GCP, and Azure platforms with a single IaaS (Infrastructure as a Service) platform. An accompanying blog post describes these changes and additions in more detail, with a focus on the new structure of data sources.” As stated by MITRE. This version of ATT&CK for Enterprise contains 14 Tactics, 185 Techniques, and 367 Sub-techniques.

Techniques

Enterprise New Techniques:

• Boot or Logon Autostart Execution: Active Setup
• Boot or Logon Autostart Execution: XDG Autostart Entries
• Build Image on Host
• Container Administration Command
• Container and Resource Discovery
• Credentials from Password Stores: Password Managers
• Credentials from Password Stores: Windows Credential Manager
• Deploy Container
• Escape to Host
• Scheduled Task/Job: Container Orchestration Job
• Stage Capabilities
  • Drive-by Target
  • Install Digital Certificate
  • Link Target
  • Upload Malware
  • Upload Tool
• Subvert Trust Controls: Code Signing Policy Modification
• Subvert Trust Controls: Mark-of-the-Web Bypass
• System Location Discovery
• System Network Configuration Discovery: Internet Connection Discovery
• Unsecured Credentials: Container API
• User Execution: Malicious Image

Technique changes:

• Account Discovery
  • Cloud Account
  • Email Account
  • Local Account
• Account Manipulation
  • Additional Cloud Credentials
• BITS Jobs
• Boot or Logon Autostart Execution: Kernel Modules and Extensions
• Boot or Logon Autostart Execution: Shortcut Modification
• Boot or Logon Initialization Scripts: RC Scripts
• Browser Extensions
• Brute Force
  • Credential Stuffing
  • Password Guessing
  • Password Spraying
• Cloud Infrastructure Discovery
• Cloud Service Dashboard
• Cloud Service Discovery
• Command and Scripting Interpreter: JavaScript
• Command and Scripting Interpreter: Windows Command Shell
• Create Account
  • Cloud Account
• Credentials from Password Stores: Credentials from Web Browsers
• Data Destruction
• Data Encrypted for Impact
• Data Staged
  • Remote Data Staging
• Data from Cloud Storage Object
• Data from Information Repositories
• Defacement
  • External Defacement
• Develop Capabilities: Digital Certificates
• Develop Capabilities: Malware
• Email Collection
  • Email Forwarding Rule
  • Remote Email Collection
• Endpoint Denial of Service
  • Application Exhaustion Flood
  • Application or System Exploitation
  • Service Exhaustion Flood
• Establish Accounts
• Event Triggered Execution: Unix Shell Configuration Modification
• Event Triggered Execution: Windows Management Instrumentation Event Subscription
• Exploit Public-Facing Application
• Exploitation for Privilege Escalation
• External Remote Services
• Forge Web Credentials
  • SAML Tokens
• Hijack Execution Flow
  • DLL Search Order Hijacking
  • DLL Side-Loading
  • Dylib Hijacking
  • Dynamic Linker Hijacking
• Impair Defenses
  • Disable Cloud Logs
  • Disable or Modify Cloud Firewall
  • Disable or Modify Tools
• Implant Internal Image
• Indicator Removal on Host
• Internal Spearphishing
• Masquerading
  • Match Legitimate Name or Location
• Modify Authentication Process
  • Domain Controller Authentication
  • Network Device Authentication
  • Password Filter DLL
  • Pluggable Authentication Modules
• Modify Cloud Compute Infrastructure
  • Create Cloud Instance
  • Create Snapshot
  • Delete Cloud Instance
  • Revert Cloud Instance
• Network Denial of Service
  • Direct Network Flood
  • Reflection Amplification
• Network Service Scanning
• Network Sniffing
• Obtain Capabilities: Digital Certificates
• Permission Groups Discovery
  • Cloud Groups
• Phishing
  • Spearphishing Attachment
  • Spearphishing Link
• Phishing for Information
  • Spearphishing Attachment
  • Spearphishing Link
• Remote System Discovery
• Resource Hijacking
• Scheduled Task/Job
• Service Stop
• Signed Binary Proxy Execution: Msiexec
• Software Discovery
  • Security Software Discovery
• Steal Application Access Token
• Steal Web Session Cookie
• Steal or Forge Kerberos Tickets
  • Golden Ticket
• System Information Discovery
• System Network Connections Discovery
• System Time Discovery
• Traffic Signaling
• Transfer Data to Cloud Account
• Trusted Developer Utilities Proxy Execution: MSBuild
• Trusted Relationship
• Unsecured Credentials
  • Cloud Instance Metadata API
  • Credentials In Files
• Unused/Unsupported Cloud Regions
• Use Alternate Authentication Material
  • Application Access Token
  • Pass the Hash
  • Pass the Ticket
  • Web Session Cookie
• User Execution
• Valid Accounts
  • Cloud Accounts
  • Default Accounts
  • Local Accounts
• Virtualization/Sandbox Evasion: System Checks
• Virtualization/Sandbox Evasion: Time Based Evasion

Minor Technique changes:

• Access Token Manipulation
  • Parent PID Spoofing
  • SID-History Injection
• Acquire Infrastructure
  • Botnet
  • DNS Server
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Active Scanning
  • Scanning IP Blocks
  • Vulnerability Scanning
• Automated Exfiltration
• Boot or Logon Autostart Execution
  • Plist Modification
  • Registry Run Keys / Startup Folder
• Boot or Logon Initialization Scripts
• Command and Scripting Interpreter
• Compromise Accounts
  • Email Accounts
  • Social Media Accounts
• Compromise Infrastructure
  • Botnet
  • DNS Server
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Credentials from Password Stores
• Data Manipulation
• Develop Capabilities
  • Code Signing Certificates
  • Exploits
• Direct Volume Access
• Domain Policy Modification
  • Group Policy Modification
• Dynamic Resolution: Domain Generation Algorithms
• Encrypted Channel
  • Asymmetric Cryptography
• Establish Accounts: Email Accounts
• Establish Accounts: Social Media Accounts
• Event Triggered Execution
  • AppCert DLLs
  • AppInit DLLs
  • Application Shimming
  • Component Object Model Hijacking
  • Image File Execution Options Injection
  • LC_LOAD_DYLIB Addition
• Execution Guardrails: Environmental Keying
• Exploitation of Remote Services
• Gather Victim Host Information
  • Client Configurations
  • Firmware
  • Hardware
  • Software
• Gather Victim Identity Information
  • Credentials
  • Email Addresses
  • Employee Names
• Gather Victim Network Information
  • DNS
  • Domain Properties
  • IP Addresses
  • Network Security Appliances
  • Network Topology
  • Network Trust Dependencies
• Gather Victim Org Information
  • Business Relationships
  • Determine Physical Locations
  • Identify Business Tempo
  • Identify Roles
• Hardware Additions
• Impair Defenses: Impair Command History Logging
• Impair Defenses: Indicator Blocking
• Indicator Removal on Host: Network Share Connection Removal
• Input Capture: Credential API Hooking
• Man in the Browser
• Man-in-the-Middle: ARP Cache Poisoning
• Masquerading: Masquerade Task or Service
• Masquerading: Rename System Utilities
• Network Share Discovery
• OS Credential Dumping
  • DCSync
  • LSA Secrets
  • NTDS
• Obfuscated Files or Information
• Obtain Capabilities
  • Code Signing Certificates
  • Exploits
  • Malware
  • Tool
  • Vulnerabilities
• Phishing for Information: Spearphishing Service
• Process Injection
  • Asynchronous Procedure Call
  • Dynamic-link Library Injection
  • Extra Window Memory Injection
  • Portable Executable Injection
  • Process DoppelgÀnging
  • Process Hollowing
  • Thread Execution Hijacking
  • Thread Local Storage
• Rogue Domain Controller
• Scheduled Task/Job: Scheduled Task
• Search Closed Sources
  • Purchase Technical Data
  • Threat Intel Vendors
• Search Open Technical Databases
  • CDNs
  • DNS/Passive DNS
  • Digital Certificates
  • Scan Databases
  • WHOIS
• Search Open Websites/Domains
  • Search Engines
  • Social Media
• Search Victim-Owned Websites
• Signed Binary Proxy Execution
  • Mshta
  • Rundll32
• Software Deployment Tools
• Subvert Trust Controls
  • SIP and Trust Provider Hijacking
• Supply Chain Compromise
• System Network Configuration Discovery
• Trusted Developer Utilities Proxy Execution
• Virtualization/Sandbox Evasion
• XSL Script Processing

Technique revocations: No changes Technique deprecations: No changes Mobile New Techniques:

• Command-Line Interface
• Proxy Through Victim
• Scheduled Task/Job

Technique changes:

• Device Administrator Permissions

Minor Technique changes:

• Deliver Malicious App via Other Means
• Supply Chain Compromise

Technique revocations: No changes Technique deprecations: No changes

Software

Enterprise New Software:

• AppleJeus
• BLINDINGCAN
• Bazar
• BendyBear
• BitPaymer
• BlackMould
• CSPY Downloader
• Caterpillar WebShell
• ConnectWise
• Conti
• Crutch
• Doki
• DropBook
• Dtrack
• ECCENTRICBANDWAGON
• EVILNUM
• Egregor
• Explosive
• GoldFinder
• GoldMax
• Grandoreiro
• GuLoader
• Hildegard
• HyperStack
• IronNetInjector
• Javali
• KGH_SPY
• Kerrdown
• Kinsing
• LookBack
• Lucifer
• MegaCortex
• Melcoz
• MoleNet
• NBTscan
• Out1
• P.A.S. Webshell
• Pay2Key
• Penquin
• Pysa
• RemoteUtilities
• SLOTHFULMEDIA
• SUPERNOVA
• ShadowPad
• SharpStage
• Sibot
• Spark
• TAINTEDSCRIBE
• ThiefQuest
• Waterbear

Software changes:

• Agent Tesla
• Astaroth
• BabyShark
• BlackEnergy
• Carbon
• China Chopper
• Cobalt Strike
• ComRAT
• Ebury
• Empire
• EvilBunny
• Exaramel for Linux
• FALLCHILL
• Fysbis
• Gazer
• HTRAN
• HiddenWasp
• Hikit
• Kazuar
• LaZagne
• Machete
• Matryoshka
• Mimikatz
• More_eggs
• NETWIRE
• Net
• NotPetya
• OSX_OCEANLOTUS.D
• Olympic Destroyer
• PoetRAT
• PoisonIvy
• PowerSploit
• Proton
• REvil
• ROKRAT
• Ragnar Locker
• Raindrop
• Ramsay
• Ryuk
• SDBbot
• SEASHARPEE
• SUNBURST
• SUNSPOT
• TEARDROP
• TrickBot
• Ursnif
• Valak
• Zebrocy
• gh0st RAT

Minor Software changes:

• BONDUPDATER
• BOOTRASH
• Briba
• Carbanak
• Catchamas
• DustySky
• Emotet
• HAMMERTOSS
• Hi-Zor
• Hydraq
• KeyBoy
• Linfo
• Linux Rabbit
• Naid
• Nerex
• Net Crawler
• Orz
• PUNCHBUGGY
• Pasam
• PoshC2
• PowerStallion
• ROCKBOOT
• Reaver
• SeaDuke
• Shamoon
• TURNEDUP
• TinyZBot
• Vasport
• WellMess
• Wiarp
• jRAT
• meek
• spwebmember

Software revocations: No changes Software deprecations: No changes Mobile New Software:

• Android/AdDisplay.Ashas
• AndroidOS/MalLocker.B
• Asacub
• CHEMISTGAMES
• CarbonSteal
• Circles
• DoubleAgent
• Exobot
• FrozenCell
• GPlayed
• Golden Cup
• GoldenEagle
• HenBox
• Red Alert 2.0
• SilkBean
• TERRACOTTA
• Tiktok Pro

Software changes:

• Anubis
• Desert Scorpion

Minor Software changes: No changes Software revocations: No changes Software deprecations: No changes

Groups

Enterprise New Groups:

• Ajax Security Team
• Bouncing Golf
• Evilnum
• Fox Kitten
• HAFNIUM
• Higaisa
• Indrik Spider
• Mustang Panda
• Operation Wocao
• Sidewinder
• Silent Librarian
• TA551
• Volatile Cedar
• Windigo
• ZIRCONIUM

Group changes:

• APT28
• APT29
• APT32
• APT39
• APT41
• BRONZE BUTLER
• BlackTech
• Carbanak
• Chimera
• Cobalt Group
• CopyKittens
• Darkhotel
• Dragonfly 2.0
• Elderwood
• FIN6
• GALLIUM
• GOLD SOUTHFIELD
• Kimsuky
• Lazarus Group
• Machete
• Magic Hound
• Molerats
• MuddyWater
• OilRig
• PLATINUM
• Sandworm Team
• Silence
• Stealth Falcon
• TA505
• Threat Group-3390
• Tropic Trooper
• Turla
• Windshift
• Wizard Spider
• menuPass

Minor Group changes:

• APT19
• APT3
• Cleaver
• DarkHydrus
• Deep Panda
• Dragonfly
• FIN8
• Gamaredon Group
• Gorgon Group
• Ke3chang
• TEMP.Veles

Group revocations:

• UNC2452 (revoked by APT29)

Group deprecations: No changes Group deletions:

• Charming Kitten

Mobile New Groups:

• Windshift

Group changes:

• APT28

Minor Group changes: No changes Group revocations: No changes Group deprecations: No changes

Mitigations

Enterprise New Mitigations: No changes Mitigation changes: No changes Minor Mitigation changes:

• Audit

Mitigation revocations: No changes Mitigation deprecations: No changes Mitigation deletions:

• Group Policy Modification Mitigation

Mobile New Mitigations: No changes Mitigation changes: No changes Minor Mitigation changes:

• Application Vetting

Mitigation revocations: No changes Mitigation deprecations: No changes Resources:

1. https://attack.mitre.org/
2. https://attack.mitre.org/resources/updates/