ATT&CK v12 is now accessible! Revisions – October 2022

25 October 2022 Staff

600

Updates to Techniques, Groups, and Software for Enterprise, Mobile, and ICS are included in the October 2022 (v12) ATT&CK release. The addition of detections to ATT&CK for ICS and the inclusion of Campaigns are the two biggest updates in ATT&CK v12.

The ATT&CK for ICS detections are tied to particular Data Sources and Data Components, following the model first introduced to ATT&CK for Enterprise in ATT&CK v11. These detections describe ways of detecting various ICS techniques. Our blog post on the ATT&CK v11 release went into great detail about this detection format.

The newly added detections make use of ICS-specific sources like Asset and Operational Databases as well as conventional host- and network-based data collection. Some ICS detections include references to Enterprise techniques due to overlaps between the Enterprise and ICS ATT&CK domains; this additional context may be useful to defenders.

With this release, ATT&CK and a small initial group of Campaigns are introduced to the Campaign data structure. A collection of intrusion activities carried out over a predetermined period of time with similar targets and goals is referred to as an ATT&CK Campaign. The fact that an activity may or may not be connected to a specific threat actor is a crucial component of campaigns. A detailed description of campaigns can be found in the blog post Introducing Campaigns to MITRE ATT&CK.

The STIX 2.0 Data Model and STIX 2.1 Data Model from ATT&CK provide specifics on how Campaigns are implemented in the Enterprise, ICS, and Mobile STIX representations. It was determined that a few existing Groups could be converted to Campaigns because they more closely matched the Campaign definition than the Group definition. The seven impacted groups (listed below) were deprecated, and new Campaigns were made in their place.

In order to better account for adversary behaviour in cloud environments, we have renamed the Enterprise Technique “Indicator Removal on Host” to Indicator Removal (T1070) and rescoped it.

This version of ATT&CK for Enterprise includes 135 Groups, 14 Campaigns, 14 Tactics, 193 Techniques, 401 Sub-techniques, and 718 Pieces of Software.

New Campaigns in ATT&CK

C0010 (v1.0)
C0011 (v1.0)
C0015 (v1.0)
CostaRicto (v1.0) (replaces the group G0132/CostaRicto)
Frankenstein (v1.0) (replaces the group G0101/Frankenstein)
FunnyDream (v1.0)
Night Dragon (v1.0) (replaces the group G0014/Night Dragon)
Oldsmar Treatment Plant Intrusion (v1.0)
Operation CuckooBees (v1.0)
Operation Dust Storm (v1.0) (replaces the group G0031/Dust Storm)
Operation Honeybee (v1.0) (replaces the group G0072/HoneyBee)
Operation Sharpshooter (v1.0) (replaces the group G0104/Sharpshooter)
Operation Spalax (v1.0)
Operation Wocao (v1.0) (replaces the group G0116/Operation Wocao)

Techniques

Enterprise

New Techniques

Acquire Infrastructure: Serverless (v1.0)
Compromise Accounts: Cloud Accounts (v1.0)
Compromise Infrastructure: Serverless (v1.0)
Establish Accounts: Cloud Accounts (v1.0)
Event Triggered Execution: Installer Packages (v1.0)
Indicator Removal: Clear Mailbox Data (v1.0)
Indicator Removal: Clear Network Connection History and Configurations (v1.0)
Indicator Removal: Clear Persistence (v1.0)
Modify Authentication Process: Hybrid Identity (v1.0)
Modify Authentication Process: Multi-Factor Authentication (v1.0)
Obfuscated Files or Information: Dynamic API Resolution (v1.0)
Obfuscated Files or Information: Embedded Payloads (v1.0)
Obfuscated Files or Information: Stripped Payloads (v1.0)
Search Open Websites/Domains: Code Repositories (v1.0)
Serverless Execution (v1.0)
Stage Capabilities: SEO Poisoning (v1.0)
Steal or Forge Authentication Certificates (v1.0)
Traffic Signaling: Socket Filters (v1.0)

Technique Changes

Account Discovery: Domain Account (v1.0→v1.1)
Account Discovery: Local Account (v1.2→v1.3)
Account Manipulation (v2.3→v2.4)
Additional Cloud Credentials (v2.3→v2.4)
Additional Cloud Roles (v2.0→v2.1)
Acquire Infrastructure: Domains (v1.1→v1.2)
Adversary-in-the-Middle (v2.1→v2.2)
DHCP Spoofing (v1.0→v1.1)
LLMNR/NBT-NS Poisoning and SMB Relay (v1.2→v1.3)
Application Layer Protocol: DNS (v1.0→v1.1)
BITS Jobs (v1.2→v1.3)
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (v1.1→v1.2)
Boot or Logon Autostart Execution: Shortcut Modification (v1.1→v1.2)
Credentials from Password Stores: Windows Credential Manager (v1.0→v1.1)
Data Encrypted for Impact (v1.3→v1.4)
Data from Cloud Storage (v1.1→v2.0)
Data from Information Repositories: Code Repositories (v1.0→v1.1)
Data from Local System (v1.4→v1.5)
Data from Network Shared Drive (v1.2→v1.3)
Domain Policy Modification: Domain Trust Modification (v1.0→v1.1)
Domain Trust Discovery (v1.1→v1.2)
Escape to Host (v1.2→v1.3)
Event Triggered Execution (v1.1→v1.2)
Exfiltration Over Web Service (v1.1→v1.2)
Exfiltration to Cloud Storage (v1.0→v1.1)
Exploitation for Privilege Escalation (v1.3→v1.4)
External Remote Services (v2.3→v2.4)
File and Directory Discovery (v1.4→v1.5)
File and Directory Permissions Modification (v2.1→v2.2)
Firmware Corruption (v1.1→v1.2)
Gather Victim Identity Information: Email Addresses (v1.1→v1.2)
Gather Victim Network Information: DNS (v1.0→v1.1)
Gather Victim Network Information: Domain Properties (v1.0→v1.1)
Impair Defenses (v1.2→v1.3)
Disable or Modify Tools (v1.2→v1.3)
Impair Command History Logging (v2.1→v2.2)
Indicator Blocking (v1.0→v1.1)
Indicator Removal (v1.3→v2.0)
Clear Command History (v1.2→v1.3)
Modify Authentication Process (v2.1→v2.2)
Obfuscated Files or Information (v1.2→v1.3)
Password Policy Discovery (v1.4→v1.5)
Permission Groups Discovery: Domain Groups (v1.0→v1.1)
Permission Groups Discovery: Local Groups (v1.0→v1.1)
Phishing: Spearphishing Link (v2.2→v2.3)
Phishing for Information: Spearphishing Link (v1.2→v1.3)
Process Injection (v1.2→v1.3)
Dynamic-link Library Injection (v1.1→v1.2)
VDSO Hijacking (v1.0→v1.1)
Remote System Discovery (v3.3→v3.4)
Replication Through Removable Media (v1.1→v1.2)
Scheduled Task/Job: Scheduled Task (v1.1→v1.2)
Search Open Websites/Domains (v1.0→v1.1)
Server Software Component (v1.3→v1.4)
Web Shell (v1.2→v1.3)
Stage Capabilities (v1.1→v1.2)
Link Target (v1.1→v1.2)
Upload Tool (v1.1→v1.2)
Subvert Trust Controls: Code Signing (v1.0→v1.1)
Subvert Trust Controls: Gatekeeper Bypass (v1.1→v1.2)
System Information Discovery (v2.4→v2.5)
System Network Configuration Discovery (v1.4→v1.5)
System Network Connections Discovery (v2.3→v2.4)
System Service Discovery (v1.3→v1.4)
System Shutdown/Reboot (v1.1→v1.2)
Traffic Signaling (v2.3→v2.4)
Transfer Data to Cloud Account (v1.2→v1.3)
Trusted Relationship (v2.2→v2.3)
Use Alternate Authentication Material: Application Access Token (v1.3→v1.4)
Valid Accounts (v2.4→v2.5)

Minor Technique Changes

Abuse Elevation Control Mechanism: Elevated Execution with Prompt (v1.0→v1.0)
Adversary-in-the-Middle: ARP Cache Poisoning (v1.1→v1.1)
Brute Force: Password Guessing (v1.3→v1.3)
Command and Scripting Interpreter: AppleScript (v1.1→v1.1)
Compromise Infrastructure (v1.2→v1.2)
Create or Modify System Process: Windows Service (v1.2→v1.2)
Data Staged (v1.4→v1.4)
Defacement: Internal Defacement (v1.1→v1.1)
Disk Wipe (v1.0→v1.0)
Disk Content Wipe (v1.0→v1.0)
Hijack Execution Flow: Path Interception by Unquoted Path (v1.1→v1.1)
Multi-Factor Authentication Request Generation (v1.0→v1.0)
OS Credential Dumping: LSASS Memory (v1.1→v1.1)
OS Credential Dumping: Security Account Manager (v1.0→v1.0)
Search Open Technical Databases (v1.0→v1.0)
Service Stop (v1.2→v1.2)

Technique Revocations

No changes

Technique Deprecations

No changes

Mobile

New Techniques

No changes

Technique Changes

No changes

Minor Technique Changes

Location Tracking: Impersonate SS7 Nodes (v1.0→v1.0)
Location Tracking: Remote Device Management Services (v1.0→v1.0)

Technique Revocations

No changes

Technique Deprecations

No changes

ICS

Technique Revocations

No changes

Technique Deprecations

No changes

Software

Enterprise

New Software

Action RAT (v1.0)
Amadey (v1.0)
AuTo Stealer (v1.0)
Bumblebee (v1.0)
Chinoxy (v1.0)
CreepyDrive (v1.0)
CreepySnail (v1.0)
DCSrv (v1.0)
DanBot (v1.0)
DnsSystem (v1.0)
FunnyDream (v1.0)
Heyoka Backdoor (v1.0)
IceApple (v1.0)
Kevin (v1.0)
MacMa (v1.0)
Milan (v1.0)
Mongall (v1.0)
Mori (v1.0)
OutSteel (v1.0)
PcShare (v1.0)
PingPull (v1.0)
PowGoop (v1.0)
PowerLess (v1.0)
PyDCrypt (v1.0)
Rclone (v1.0)
STARWHALE (v1.0)
SUGARDUMP (v1.0)
SUGARUSH (v1.0)
Saint Bot (v1.0)
Shark (v1.0)
Small Sieve (v1.0)
Squirrelwaffle (v1.0)
StrifeWater (v1.0)
Tarrask (v1.0)
ZxxZ (v1.0)
ccf32 (v1.0)
macOS.OSAMiner (v1.0)

Software Changes

AADInternals (v1.0→v1.1)
ASPXSpy (v1.1→v1.2)
AdFind (v1.0→v1.1)
AppleJeus (v1.0→v1.1)
Azorult (v1.2→v1.3)
BITSAdmin (v1.2→v1.3)
Bazar (v1.1→v1.2)
BloodHound (v1.2→v1.3)
Cobalt Strike (v1.8→v1.9)
ComRAT (v1.2→v1.3)
Conti (v2.0→v2.1)
CostaBricks (v1.0→v1.1)
Crimson (v1.2→v1.3)
Dtrack (v1.0→v1.1)
Empire (v1.4→v1.5)
FlawedAmmyy (v1.1→v1.2)
Goopy (v1.0→v1.1)
GrimAgent (v1.0→v1.1)
Impacket (v1.2→v1.3)
Industroyer (v1.0→v1.1)
Invoke-PSImage (v1.0→v1.1)
KOCTOPUS (v1.0→v1.1)
MCMD (v1.0→v1.1)
Mimikatz (v1.5→v1.6)
Mis-Type (v1.1→v1.2)
Misdat (v1.1→v1.2)
OSX/Shlayer (v1.2→v1.3)
POWERSTATS (v2.1→v2.2)
PS1 (v1.0→v1.1)
Penquin (v1.0→v1.1)
Pillowmint (v1.0→v1.1)
Ping (v1.1→v1.2)
PoisonIvy (v2.0→v2.1)
PoshC2 (v1.2→v1.3)
PowerSploit (v1.4→v1.5)
PsExec (v1.2→v1.3)
Pteranodon (v2.0→v2.1)
QuasarRAT (v1.3→v2.0)
RTM (v1.1→v1.2)
Reg (v1.0→v1.1)
Remcos (v1.2→v1.3)
Rising Sun (v1.0→v2.0)
S-Type (v1.1→v1.2)
SDBbot (v2.0→v2.1)
SMOKEDHAM (v1.0→v1.1)
SUNBURST (v2.2→v2.3)
SYSCON (v1.0→v1.1)
ShadowPad (v1.0→v1.1)
SombRAT (v1.1→v1.2)
Stuxnet (v1.1→v1.2)
Systeminfo (v1.0→v1.1)
Tasklist (v1.0→v1.1)
Tor (v1.1→v1.2)
Wevtutil (v1.0→v1.1)
XCSSET (v1.1→v1.2)
ZLib (v1.1→v1.2)
at (v1.2→v1.3)
cmd (v1.1→v1.2)
dsquery (v1.2→v1.3)
gh0st RAT (v3.0→v3.1)
gsecdump (v1.1→v1.2)
ipconfig (v1.0→v1.1)
netstat (v1.0→v1.1)
njRAT (v1.3→v1.4)
zwShell (v1.1→v2.0)

Minor Software Changes

Backdoor.Oldrea (v2.0→v2.0)
Bad Rabbit (v1.0→v1.0)
BlackEnergy (v1.3→v1.3)
CSPY Downloader (v1.0→v1.0)
DarkWatchman (v1.0→v1.0)
ELMER (v1.1→v1.1)
Flame (v1.1→v1.1)
Grandoreiro (v1.0→v1.0)
HermeticWiper (v1.0→v1.0)
Metamorfo (v2.0→v2.0)
MirageFox (v1.1→v1.1)
Mivast (v1.1→v1.1)
Net Crawler (v1.1→v1.1)
POWERSOURCE (v1.1→v1.1)
REvil (v2.0→v2.0)
RawDisk (v1.0→v1.0)
Ryuk (v1.3→v1.3)
Sibot (v1.0→v1.0)
TEXTMATE (v1.1→v1.1)
TinyZBot (v1.1→v1.1)

Software Revocations

No changes

Software Deprecations

No changes

Mobile

New Software

No changes

Software Changes

No changes

Minor Software Changes

No changes

Software Revocations

No changes

Software Deprecations

No changes

ICS

New Software

INCONTROLLER (v1.0)

Software Changes

Industroyer (v1.0→v1.1)
Stuxnet (v1.1→v1.2)

Minor Software Changes

ACAD/Medre.A (v1.0→v1.0)
Backdoor.Oldrea (v2.0→v2.0)
Bad Rabbit (v1.0→v1.0)
BlackEnergy (v1.3→v1.3)
Flame (v1.1→v1.1)
PLC-Blaster (v1.0→v1.0)
Triton (v1.0→v1.0)
VPNFilter (v1.0→v1.0)

Software Revocations

No changes

Software Deprecations

No changes

Groups

Enterprise

New Groups

Aoqin Dragon (v1.0)
BITTER (v1.0)
EXOTIC LILY (v1.0)
Earth Lusca (v1.0)
Ember Bear (v1.0)
HEXANE (v2.0)
LAPSUS$ (v1.0)
Moses Staff (v1.0)
POLONIUM (v1.0)
SideCopy (v1.0)

Group Changes

APT29 (v3.0→v3.1)
CopyKittens (v1.5→v1.6)
Darkhotel (v2.0→v2.1)
Dragonfly (v3.0→v3.1)
GALLIUM (v2.0→v3.0)
HAFNIUM (v1.1→v1.2)
Lazarus Group (v3.0→v3.1)
Magic Hound (v4.1→v5.0)
MuddyWater (v3.0→v4.0)
TA505 (v1.3→v2.0)
TeamTNT (v1.1→v1.2)
Transparent Tribe (v1.0→v1.1)

Minor Group Changes

APT16 (v1.1→v1.1)
APT39 (v3.1→v3.1)
APT41 (v3.0→v3.0)
Aquatic Panda (v1.0→v1.0)
Cleaver (v1.3→v1.3)
Confucius (v1.0→v1.0)
Deep Panda (v1.2→v1.2)
FIN6 (v3.2→v3.2)
FIN7 (v2.1→v2.1)
Fox Kitten (v1.0→v1.0)
Indrik Spider (v2.1→v2.1)
Ke3chang (v2.0→v2.0)
Nomadic Octopus (v1.0→v1.0)
OilRig (v3.0→v3.0)
Patchwork (v1.4→v1.4)
Sandworm Team (v2.2→v2.2)
Silence (v2.1→v2.1)
Turla (v3.0→v3.0)
menuPass (v2.1→v2.1)

Group Revocations

No changes

Group Deprecations

CostaRicto (v1.0)
Dust Storm (v1.0)
Frankenstein (v1.1)
Honeybee (v1.1)
Night Dragon (v1.4)
Operation Wocao (v1.0)
Sharpshooter (v1.0)

Mobile

New Groups

Earth Lusca (v1.0)

Group Changes

No changes

Minor Group Changes

Sandworm Team (v2.2→v2.2)

Group Revocations

No changes

Group Deprecations

No changes

ICS

New Groups

No changes

Group Changes

Dragonfly (v3.0→v3.1)
HEXANE (v1.0→v2.0)
Lazarus Group (v3.0→v3.1)

Minor Group Changes

FIN6 (v3.2→v3.2)
FIN7 (v2.1→v2.1)
OilRig (v3.0→v3.0)
Sandworm Team (v2.2→v2.2)

Group Revocations

No changes

Group Deprecations

No changes

Mitigations

Enterprise

New Mitigations

No changes

Mitigation Changes

No changes

Minor Mitigation Changes

Account Use Policies (v1.0→v1.0)
Audit (v1.1→v1.1)
Credential Access Protection (v1.1→v1.1)
Multi-factor Authentication (v1.0→v1.0)
Password Policies (v1.0→v1.0)

Mitigation Revocations

No changes

Mitigation Deprecations

No changes

Mobile

New Mitigations

No changes

Mitigation Changes

No changes

Minor Mitigation Changes

No changes

Mitigation Revocations

No changes

Mitigation Deprecations

No changes

ICS

New Mitigations

No changes

Mitigation Changes

No changes

Minor Mitigation Changes

No changes

Mitigation Revocations

No changes

Mitigation Deprecations

No changes

Data Sources and/or Components

Enterprise

New Data Sources and/or Components

No changes

Data Source and/or Component Changes

Command (v1.0→v1.1)
Command Execution (v1.0→v1.1)
Logon Session (v1.0→v1.1)
Logon Session Creation (v1.0→v1.1)
Malware Repository (v1.0→v1.1)
Malware Content (v1.0→v1.1)
Malware Metadata (v1.0→v1.1)
Network Traffic (v1.0→v1.1)
Network Connection Creation (v1.0→v1.1)
Process (v1.0→v1.1)
Process Creation (v1.0→v1.1)
Script (v1.0→v1.1)
Script Execution (v1.0→v1.1)
Sensor Health (v1.0→v1.1)
Host Status (v1.0→v1.1)
User Account (v1.0→v1.1)
User Account Authentication (v1.0→v1.1)

Minor Data Source and/or Component Changes

No changes

Data Source and/or Component Revocations

No changes

Data Source and/or Component Deprecations

Cluster (v1.0)
Cluster Metadata (v1.0)

Mobile

ATT&CK for Mobile does not support structured data sources

ICS

New Data Sources and/or Components

Asset (v1.0)
Asset Inventory (v1.0)
Software (v1.0)
Scheduled Job: Scheduled Job Creation (v1.0)
Service: Service Modification (v1.0)

Data Source and/or Component Changes

Command (v1.0→v1.1)
Command Execution (v1.0→v1.1)
Logon Session (v1.0→v1.1)
Logon Session Creation (v1.0→v1.1)
Network Traffic (v1.0→v1.1)
Network Connection Creation (v1.0→v1.1)
Process (v1.0→v1.1)
Process Creation (v1.0→v1.1)
Script (v1.0→v1.1)
Script Execution (v1.0→v1.1)
User Account (v1.0→v1.1)
User Account Authentication (v1.0→v1.1)

Minor Data Source and/or Component Changes

No changes

Data Source and/or Component Revocations

No changes

Data Source and/or Component Deprecations

No changes