MITRE ATT&CK® Released Updates in Oct 2021 With Additional Techniques and Structuring

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

MITRE ATT&CK® Released The October 2021 (v10) ATT&CK updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest change is the addition of a new set of Data Source and Data Component objects in Enterprise ATT&CK, complementing the ATT&CK Data Source name changes released in ATT&CK v9. An accompanying blog post describes these changes as well as improvements across ATT&CK’s various domains and platforms.” As stated by MITRE.

In this release, MITRE has renamed T1185 and T1557 to be more inclusive, and deprecated T1053.004 to better reflect adversary behavior.

This version of ATT&CK for Enterprise contains 14 Tactics, 188 Techniques, 379 Sub-techniques, 129 Groups, and 637 Pieces of Software.

Techniques

Enterprise

New Techniques:

• Boot or Logon Autostart Execution: Login Items
• Cloud Storage Object Discovery
• Data from Information Repositories: Code Repositories
• Group Policy Discovery
• Hide Artifacts: Email Hiding Rules
• Hide Artifacts: Resource Forking
• Impair Defenses: Downgrade Attack
• Impair Defenses: Safe Mode Boot
• Masquerading: Double File Extension
• Obfuscated Files or Information: HTML Smuggling
• Reflective Code Loading
• Server Software Component: IIS Components
• Signed Binary Proxy Execution: MMC
• Signed Binary Proxy Execution: Mavinject
• System Location Discovery: System Language Discovery

Technique changes:

• Access Token Manipulation: Create Process with Token
• Account Discovery: Local Account
• Account Manipulation: Exchange Email Delegate Permissions
• Acquire Infrastructure
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Adversary-in-the-Middle
  • ARP Cache Poisoning
  • LLMNR/NBT-NS Poisoning and SMB Relay
• Automated Exfiltration: Traffic Duplication
• Boot or Logon Autostart Execution: Kernel Modules and Extensions
• Boot or Logon Autostart Execution: Plist Modification
• Browser Session Hijacking
• Brute Force
• Build Image on Host
• Cloud Infrastructure Discovery
• Command and Scripting Interpreter
  • JavaScript
  • Network Device CLI
  • PowerShell
  • Unix Shell
  • Visual Basic
  • Windows Command Shell
• Compromise Accounts
  • Social Media Accounts
• Compromise Infrastructure
  • DNS Server
  • Domains
  • Server
  • Virtual Private Server
  • Web Services
• Create Account: Local Account
• Create or Modify System Process: Launch Agent
• Create or Modify System Process: Launch Daemon
• Data Encrypted for Impact
• Data from Information Repositories
• Data from Local System
• Data from Removable Media
• Develop Capabilities
  • Code Signing Certificates
  • Digital Certificates
  • Malware
• Drive-by Compromise
• Email Collection
  • Email Forwarding Rule
• Escape to Host
• Establish Accounts
  • Social Media Accounts
• Event Triggered Execution: Unix Shell Configuration Modification
• Event Triggered Execution: Windows Management Instrumentation Event Subscription
• Exfiltration Over Alternative Protocol
  • Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  • Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
• Exfiltration Over C2 Channel
• Exfiltration Over Physical Medium
  • Exfiltration over USB
• Exfiltration Over Web Service
• Exploitation for Client Execution
• External Remote Services
• File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
• Forge Web Credentials
  • SAML Tokens
  • Web Cookies
• Gather Victim Host Information
  • Client Configurations
  • Hardware
  • Software
• Gather Victim Org Information
  • Determine Physical Locations
• Hardware Additions
• Hide Artifacts
  • Hidden Users
  • Run Virtual Instance
  • VBA Stomping
• Hijack Execution Flow: Services Registry Permissions Weakness
• Impair Defenses
  • Disable Windows Event Logging
  • Disable or Modify Tools
• Input Capture: GUI Input Capture
• Inter-Process Communication
  • Component Object Model
  • Dynamic Data Exchange
• Lateral Tool Transfer
• Masquerading: Masquerade Task or Service
• Masquerading: Right-to-Left Override
• Native API
• Network Share Discovery
• OS Credential Dumping
  • LSASS Memory
• Obfuscated Files or Information
  • Binary Padding
  • Software Packing
  • Steganography
• Obtain Capabilities
  • Code Signing Certificates
  • Digital Certificates
  • Malware
  • Tool
• Office Application Startup
  • Add-ins
  • Office Template Macros
  • Office Test
  • Outlook Forms
  • Outlook Home Page
  • Outlook Rules
• Password Policy Discovery
• Permission Groups Discovery
  • Cloud Groups
• Phishing
  • Spearphishing Attachment
• Process Injection
  • Asynchronous Procedure Call
  • Dynamic-link Library Injection
  • Portable Executable Injection
  • Process Hollowing
  • Ptrace System Calls
  • Thread Execution Hijacking
  • Thread Local Storage
• Remote Services
  • Distributed Component Object Model
  • SSH
  • VNC
  • Windows Remote Management
• Remote System Discovery
• Replication Through Removable Media
• Scheduled Task/Job: At (Linux)
• Scheduled Task/Job: Container Orchestration Job
• Scheduled Task/Job: Cron
• Scheduled Task/Job: Systemd Timers
• Server Software Component
  • Web Shell
• Shared Modules
• Signed Binary Proxy Execution: Mshta
• Signed Binary Proxy Execution: Rundll32
• Signed Script Proxy Execution: PubPrn
• Stage Capabilities
  • Drive-by Target
  • Install Digital Certificate
  • Link Target
  • Upload Malware
  • Upload Tool
• Steal Web Session Cookie
• Steal or Forge Kerberos Tickets
• Subvert Trust Controls
  • Gatekeeper Bypass
  • Install Root Certificate
• System Information Discovery
• System Network Configuration Discovery
• System Owner/User Discovery
• System Service Discovery
• System Services
  • Launchctl
  • Service Execution
• Taint Shared Content
• Trusted Developer Utilities Proxy Execution: MSBuild
• Use Alternate Authentication Material
  • Web Session Cookie
• User Execution
  • Malicious File
  • Malicious Image
• Valid Accounts
  • Cloud Accounts
  • Domain Accounts
  • Local Accounts
• Virtualization/Sandbox Evasion
  • System Checks
  • Time Based Evasion
  • User Activity Based Checks
• Windows Management Instrumentation

Minor Technique changes:

• Access Token Manipulation
• Account Discovery
  • Domain Account
• Account Manipulation
• Automated Exfiltration
• Boot or Logon Autostart Execution
• Command and Scripting Interpreter: Python
• Compromise Client Software Binary
• Create Account
• Create or Modify System Process
• Credentials from Password Stores
  • Password Managers
• Data from Information Repositories: Confluence
• Data from Information Repositories: Sharepoint
• Event Triggered Execution
• Execution Guardrails
  • Environmental Keying
• Exploit Public-Facing Application
• File and Directory Discovery
• File and Directory Permissions Modification
• Hijack Execution Flow
  • COR_PROFILER
• Indicator Removal on Host
• Input Capture
• Masquerading
• Modify Authentication Process
  • Pluggable Authentication Modules
• Proxy
• Scheduled Task/Job
• Server Software Component: Transport Agent
• Signed Binary Proxy Execution
  • Msiexec
• Signed Script Proxy Execution
• Steal or Forge Kerberos Tickets: AS-REP Roasting
• System Location Discovery
• Trusted Developer Utilities Proxy Execution
• Use Alternate Authentication Material: Application Access Token
• Use Alternate Authentication Material: Pass the Hash
• Use Alternate Authentication Material: Pass the Ticket

Technique revocations: No changes

Technique deprecations:

• Scheduled Task/Job: Launchd

Mobile

New Techniques:

• Call Control
• Hooking
• User Evasion

Technique changes:

• Exploit SS7 to Redirect Phone Calls/SMS
• Manipulate Device Communication
• SIM Card Swap

Minor Technique changes: No changes

Technique revocations: No changes

Technique deprecations: No changes

Software

Enterprise

New Software:

• AppleSeed
• Avaddon
• BADFLICK
• BLUELIGHT
• Babuk
• Bad Rabbit
• BoomBox
• BoxCaon
• Chaes
• Clop
• Conficker
• CostaBricks
• Cuba
• DEATHRANSOM
• EKANS
• Ecipekac
• EnvyScout
• FIVEHANDS
• FYAnti
• GrimAgent
• HELLOKITTY
• Industroyer
• JSS Loader
• KillDisk
• Kobalos
• LiteDuke
• MarkiRAT
• NativeZone
• Nebulae
• ObliqueRAT
• P8RAT
• PS1
• Peppy
• ProLock
• QakBot
• RainyDay
• SMOKEDHAM
• Seth-Locker
• SideTwist
• Siloscape
• Sliver
• SodaMaster
• SombRAT
• SpicyOmelette
• Stuxnet
• Turian
• VaporRage
• WastedLocker
• Wevtutil
• XCSSET
• xCaon

Software changes:

• Aria-body
• Bandook
• Bazar
• Bisonal
• BloodHound
• Bundlore
• Carberp
• China Chopper
• Cobalt Strike
• Conti
• Crimson
• Dok
• Dridex
• DropBook
• Emissary
• Empire
• FatDuke
• GuLoader
• Hildegard
• Impacket
• Kerrdown
• Keydnap
• Kinsing
• LaZagne
• Lokibot
• LoudMiner
• Lucifer
• Maze
• Metamorfo
• MimiPenguin
• Mimikatz
• MiniDuke
• NETWIRE
• Net
• Nltest
• OSX/Shlayer
• OSX_OCEANLOTUS.D
• Octopus
• OwaAuth
• PoisonIvy
• PowerSploit
• PsExec
• QuasarRAT
• REvil
• RGDoor
• Ryuk
• SUNBURST
• SharpStage
• Spark
• SynAck
• Taidoor
• ThiefQuest
• TrickBot
• Zeus Panda
• certutil
• esentutl

Minor Software changes:

• BADNEWS
• BOOTRASH
• ECCENTRICBANDWAGON
• Egregor
• Hikit
• HyperBro
• Reg
• WindTail
• zwShell

Software revocations: No changes

Software deprecations: No changes

Mobile

New Software:

• BusyGasper

Software changes:

• Anubis
• CarbonSteal
• Monokle

Minor Software changes: No changes

Software revocations: No changes

Software deprecations: No changes

Groups

Enterprise

New Groups:

• Andariel
• BackdoorDiplomacy
• CostaRicto
• Ferocious Kitten
• IndigoZebra
• Nomadic Octopus
• TeamTNT
• Tonto Team
• Transparent Tribe

Group changes:

• APT-C-36
• APT1
• APT19
• APT28
• APT29
• APT3
• APT32
• APT33
• APT37
• APT38
• APT39
• APT41
• BRONZE BUTLER
• Blue Mockingbird
• Carbanak
• Chimera
• Cleaver
• Cobalt Group
• CopyKittens
• Dark Caracal
• DarkHydrus
• DarkVishnya
• Dragonfly
• Dragonfly 2.0
• FIN10
• FIN4
• FIN5
• FIN6
• FIN7
• FIN8
• Frankenstein
• Gorgon Group
• Inception
• Indrik Spider
• Ke3chang
• Kimsuky
• Lazarus Group
• Leafminer
• Leviathan
• Magic Hound
• Mustang Panda
• Naikon
• Night Dragon
• OilRig
• Patchwork
• PittyTiger
• Sandworm Team
• Silence
• TA505
• TA551
• TEMP.Veles
• Threat Group-3390
• Thrip
• Turla
• WIRTE
• Whitefly
• Wizard Spider
• menuPass

Minor Group changes:

• Machete

Group revocations:

• Stolen Pencil (revoked by Kimsuky)

Group deprecations:

• Taidoor

Mobile

New Groups: No changes

Group changes:

• APT28
• Dark Caracal
• Sandworm Team

Minor Group changes: No changes

Group revocations: No changes

Group deprecations: No changes

Mitigations

Enterprise

New Mitigations:

• Data Loss Prevention

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes

Mobile

New Mitigations: No changes

Mitigation changes: No changes

Minor Mitigation changes: No changes

Mitigation revocations: No changes

Mitigation deprecations: No changes