MITRE ATT&CK® Released Updates in Oct 2021 With Additional Techniques and Structuring
MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.
MITRE ATT&CK® Released The October 2021 (v10) ATT&CK updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest change is the addition of a new set of Data Source and Data Component objects in Enterprise ATT&CK, complementing the ATT&CK Data Source name changes released in ATT&CK v9. An accompanying blog post describes these changes as well as improvements across ATT&CK’s various domains and platforms.” As stated by MITRE.
In this release, MITRE has renamed T1185 and T1557 to be more inclusive, and deprecated T1053.004 to better reflect adversary behavior.
This version of ATT&CK for Enterprise contains 14 Tactics, 188 Techniques, 379 Sub-techniques, 129 Groups, and 637 Pieces of Software.
Techniques
Enterprise
New Techniques:
- Boot or Logon Autostart Execution: Login Items
- Cloud Storage Object Discovery
- Data from Information Repositories: Code Repositories
- Group Policy Discovery
- Hide Artifacts: Email Hiding Rules
- Hide Artifacts: Resource Forking
- Impair Defenses: Downgrade Attack
- Impair Defenses: Safe Mode Boot
- Masquerading: Double File Extension
- Obfuscated Files or Information: HTML Smuggling
- Reflective Code Loading
- Server Software Component: IIS Components
- Signed Binary Proxy Execution: MMC
- Signed Binary Proxy Execution: Mavinject
- System Location Discovery: System Language Discovery
Technique changes:
- Access Token Manipulation: Create Process with Token
- Account Discovery: Local Account
- Account Manipulation: Exchange Email Delegate Permissions
- Acquire Infrastructure
- Adversary-in-the-Middle
- Automated Exfiltration: Traffic Duplication
- Boot or Logon Autostart Execution: Kernel Modules and Extensions
- Boot or Logon Autostart Execution: Plist Modification
- Browser Session Hijacking
- Brute Force
- Build Image on Host
- Cloud Infrastructure Discovery
- Command and Scripting Interpreter
- Compromise Accounts
- Compromise Infrastructure
- Create Account: Local Account
- Create or Modify System Process: Launch Agent
- Create or Modify System Process: Launch Daemon
- Data Encrypted for Impact
- Data from Information Repositories
- Data from Local System
- Data from Removable Media
- Develop Capabilities
- Drive-by Compromise
- Email Collection
- Escape to Host
- Establish Accounts
- Event Triggered Execution: Unix Shell Configuration Modification
- Event Triggered Execution: Windows Management Instrumentation Event Subscription
- Exfiltration Over Alternative Protocol
- Exfiltration Over C2 Channel
- Exfiltration Over Physical Medium
- Exfiltration Over Web Service
- Exploitation for Client Execution
- External Remote Services
- File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
- Forge Web Credentials
- Gather Victim Host Information
- Gather Victim Org Information
- Hardware Additions
- Hide Artifacts
- Hijack Execution Flow: Services Registry Permissions Weakness
- Impair Defenses
- Input Capture: GUI Input Capture
- Inter-Process Communication
- Lateral Tool Transfer
- Masquerading: Masquerade Task or Service
- Masquerading: Right-to-Left Override
- Native API
- Network Share Discovery
- OS Credential Dumping
- Obfuscated Files or Information
- Obtain Capabilities
- Office Application Startup
- Password Policy Discovery
- Permission Groups Discovery
- Phishing
- Process Injection
- Remote Services
- Remote System Discovery
- Replication Through Removable Media
- Scheduled Task/Job: At (Linux)
- Scheduled Task/Job: Container Orchestration Job
- Scheduled Task/Job: Cron
- Scheduled Task/Job: Systemd Timers
- Server Software Component
- Shared Modules
- Signed Binary Proxy Execution: Mshta
- Signed Binary Proxy Execution: Rundll32
- Signed Script Proxy Execution: PubPrn
- Stage Capabilities
- Steal Web Session Cookie
- Steal or Forge Kerberos Tickets
- Subvert Trust Controls
- System Information Discovery
- System Network Configuration Discovery
- System Owner/User Discovery
- System Service Discovery
- System Services
- Taint Shared Content
- Trusted Developer Utilities Proxy Execution: MSBuild
- Use Alternate Authentication Material
- User Execution
- Valid Accounts
- Virtualization/Sandbox Evasion
- Windows Management Instrumentation
Minor Technique changes:
- Access Token Manipulation
- Account Discovery
- Account Manipulation
- Automated Exfiltration
- Boot or Logon Autostart Execution
- Command and Scripting Interpreter: Python
- Compromise Client Software Binary
- Create Account
- Create or Modify System Process
- Credentials from Password Stores
- Data from Information Repositories: Confluence
- Data from Information Repositories: Sharepoint
- Event Triggered Execution
- Execution Guardrails
- Exploit Public-Facing Application
- File and Directory Discovery
- File and Directory Permissions Modification
- Hijack Execution Flow
- Indicator Removal on Host
- Input Capture
- Masquerading
- Modify Authentication Process
- Proxy
- Scheduled Task/Job
- Server Software Component: Transport Agent
- Signed Binary Proxy Execution
- Signed Script Proxy Execution
- Steal or Forge Kerberos Tickets: AS-REP Roasting
- System Location Discovery
- Trusted Developer Utilities Proxy Execution
- Use Alternate Authentication Material: Application Access Token
- Use Alternate Authentication Material: Pass the Hash
- Use Alternate Authentication Material: Pass the Ticket
Technique revocations: No changes
Technique deprecations:
- Scheduled Task/Job: Launchd
Mobile
New Techniques:
Technique changes:
Minor Technique changes: No changes
Technique revocations: No changes
Technique deprecations: No changes
Software
Enterprise
New Software:
- AppleSeed
- Avaddon
- BADFLICK
- BLUELIGHT
- Babuk
- Bad Rabbit
- BoomBox
- BoxCaon
- Chaes
- Clop
- Conficker
- CostaBricks
- Cuba
- DEATHRANSOM
- EKANS
- Ecipekac
- EnvyScout
- FIVEHANDS
- FYAnti
- GrimAgent
- HELLOKITTY
- Industroyer
- JSS Loader
- KillDisk
- Kobalos
- LiteDuke
- MarkiRAT
- NativeZone
- Nebulae
- ObliqueRAT
- P8RAT
- PS1
- Peppy
- ProLock
- QakBot
- RainyDay
- SMOKEDHAM
- Seth-Locker
- SideTwist
- Siloscape
- Sliver
- SodaMaster
- SombRAT
- SpicyOmelette
- Stuxnet
- Turian
- VaporRage
- WastedLocker
- Wevtutil
- XCSSET
- xCaon
Software changes:
- Aria-body
- Bandook
- Bazar
- Bisonal
- BloodHound
- Bundlore
- Carberp
- China Chopper
- Cobalt Strike
- Conti
- Crimson
- Dok
- Dridex
- DropBook
- Emissary
- Empire
- FatDuke
- GuLoader
- Hildegard
- Impacket
- Kerrdown
- Keydnap
- Kinsing
- LaZagne
- Lokibot
- LoudMiner
- Lucifer
- Maze
- Metamorfo
- MimiPenguin
- Mimikatz
- MiniDuke
- NETWIRE
- Net
- Nltest
- OSX/Shlayer
- OSX_OCEANLOTUS.D
- Octopus
- OwaAuth
- PoisonIvy
- PowerSploit
- PsExec
- QuasarRAT
- REvil
- RGDoor
- Ryuk
- SUNBURST
- SharpStage
- Spark
- SynAck
- Taidoor
- ThiefQuest
- TrickBot
- Zeus Panda
- certutil
- esentutl
Minor Software changes:
Software revocations: No changes
Software deprecations: No changes
Mobile
New Software:
Software changes:
Minor Software changes: No changes
Software revocations: No changes
Software deprecations: No changes
Groups
Enterprise
New Groups:
- Andariel
- BackdoorDiplomacy
- CostaRicto
- Ferocious Kitten
- IndigoZebra
- Nomadic Octopus
- TeamTNT
- Tonto Team
- Transparent Tribe
Group changes:
- APT-C-36
- APT1
- APT19
- APT28
- APT29
- APT3
- APT32
- APT33
- APT37
- APT38
- APT39
- APT41
- BRONZE BUTLER
- Blue Mockingbird
- Carbanak
- Chimera
- Cleaver
- Cobalt Group
- CopyKittens
- Dark Caracal
- DarkHydrus
- DarkVishnya
- Dragonfly
- Dragonfly 2.0
- FIN10
- FIN4
- FIN5
- FIN6
- FIN7
- FIN8
- Frankenstein
- Gorgon Group
- Inception
- Indrik Spider
- Ke3chang
- Kimsuky
- Lazarus Group
- Leafminer
- Leviathan
- Magic Hound
- Mustang Panda
- Naikon
- Night Dragon
- OilRig
- Patchwork
- PittyTiger
- Sandworm Team
- Silence
- TA505
- TA551
- TEMP.Veles
- Threat Group-3390
- Thrip
- Turla
- WIRTE
- Whitefly
- Wizard Spider
- menuPass
Minor Group changes:
Group revocations:
- Stolen Pencil (revoked by Kimsuky)
Group deprecations:
Mobile
New Groups: No changes
Group changes:
Minor Group changes: No changes
Group revocations: No changes
Group deprecations: No changes
Mitigations
Enterprise
New Mitigations:
Mitigation changes: No changes
Minor Mitigation changes: No changes
Mitigation revocations: No changes
Mitigation deprecations: No changes
Mobile
New Mitigations: No changes
Mitigation changes: No changes
Minor Mitigation changes: No changes
Mitigation revocations: No changes
Mitigation deprecations: No changes