MITRE ATT&CK version 13

MITRE ATT&CK version 13 has been recently launched, bringing some significant updates. These include:

• Key website enhancements
• Increased focus on cloud and Linux coverage
• More detailed detection guidance for specific techniques, including in the ICS area
• Coverage of mobile-specific data sources
• Introduction of two new types of changelogs to provide more precise information on what has changed
• Pseudocode analytics, which offers more context on how to identify certain types of behaviors and serves as a blueprint for custom detections
• Improved release notes format

ATT&CK version 13 for Enterprise includes 14 tactics, 196 techniques, 411 sub-techniques, 138 groups, b22 campaigns, and 740 software pieces. The upcoming version 14, set to release in October, will further enhance the coverage across domains, introduce renovated mitigations, new cross-domain mappings, more pseudocodes, and mobile structured detections.

MITRE is striving to create enhanced tools for lower-resourced defenders, improving ATT&CK’s website usability, and evolving the content and structure. Additionally, MITRE is adding entries from criminal group operations and expanding on hybrid campaigns. The asset refactoring effort aims to align different industries’ asset descriptions and map device functionality to core dependencies better. Towards the end of the year, MITRE intends to utilize ATT&CK for the cloud.

The April 2023 (v13) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v13 are the addition of detailed detection guidance to some Techniques in ATT&CK for Enterprise, Mobile Data Sources, and two new types of changelogs to help identify more precisely what has changed in ATT&CK. An accompanying blog post describes these changes as well as improvements across ATT&CK’s various domains and platforms.

This release includes a new human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a new machine-readable JSON changelog, whose format is described in ATT&CK’s Github. The terminology used in these release notes has also been updated to better describe the changes to various ATT&CK objects:

• New objects: ATT&CK objects which are only present in the new release.
• Major version changes: ATT&CK objects that have a major version change. (e.g., 1.0 → 2.0)
• Minor version changes: ATT&CK objects that have a minor version change. (e.g., 1.0 → 1.1)
• Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
• Object revocations: ATT&CK objects which are revoked by a different object.
• Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
• Object deletions: ATT&CK objects which are no longer found in the STIX data.

This version of ATT&CK for Enterprise contains 14 Tactics, 196 Techniques, 411 Sub-techniques, 138 Groups, 22 Campaigns, and 740 Pieces of Software.

Techniques

Enterprise

New Techniques

• Acquire Access (v1.0)
• Acquire Infrastructure: Malvertising (v1.0)
• Cloud Administration Command (v1.0)
• Command and Scripting Interpreter: Cloud API (v1.0)
• Device Driver Discovery (v1.0)
• Exfiltration Over Web Service: Exfiltration to Text Storage Sites (v1.0)
• Impair Defenses: Spoof Security Alerting (v1.0)
• Masquerading: Masquerade File Type (v1.0)
• Modify Authentication Process: Network Provider DLL (v1.0)
• Obfuscated Files or Information: Command Obfuscation (v1.0)
• Obfuscated Files or Information: Fileless Storage (v1.0)
• Remote Services: Cloud Services (v1.0)
• Unsecured Credentials: Chat Messages (v1.0)

Major Version Changes

• Browser Information Discovery (v1.0→v2.0)

Minor Version Changes

• Abuse Elevation Control Mechanism (v1.0→v1.1)
• Bypass User Account Control (v2.0→v2.1)
• Access Token Manipulation: Create Process with Token (v1.1→v1.2)
• Access Token Manipulation: Make and Impersonate Token (v1.0→v1.1)
• Access Token Manipulation: Token Impersonation/Theft (v1.0→v1.1)
• Account Access Removal (v1.1→v1.2)
• Account Discovery (v2.3→v2.4)
• Domain Account (v1.1→v1.2)
• Local Account (v1.3→v1.4)
• Account Manipulation (v2.4→v2.5)
• Additional Cloud Credentials (v2.4→v2.5)
• Additional Cloud Roles (v2.1→v2.2)
• Device Registration (v1.0→v1.1)
• SSH Authorized Keys (v1.1→v1.2)
• Acquire Infrastructure (v1.1→v1.2)
• Server (v1.1→v1.2)
• Web Services (v1.1→v1.2)
• Application Layer Protocol (v2.0→v2.1)
• Web Protocols (v1.0→v1.1)
• Application Window Discovery (v1.2→v1.3)
• Archive Collected Data: Archive via Utility (v1.1→v1.2)
• Automated Exfiltration: Traffic Duplication (v1.1→v1.2)
• BITS Jobs (v1.3→v1.4)
• Brute Force (v2.4→v2.5)
• Credential Stuffing (v1.2→v1.3)
• Password Guessing (v1.3→v1.4)
• Password Spraying (v1.2→v1.3)
• Build Image on Host (v1.2→v1.3)
• Clipboard Data (v1.1→v1.2)
• Cloud Service Discovery (v1.2→v1.3)
• Command and Scripting Interpreter (v2.3→v2.4)
• PowerShell (v1.2→v1.3)
• Visual Basic (v1.3→v1.4)
• Compromise Accounts (v1.1→v1.2)
• Email Accounts (v1.0→v1.1)
• Compromise Infrastructure (v1.2→v1.3)
• Domains (v1.2→v1.3)
• Server (v1.1→v1.2)
• Web Services (v1.1→v1.2)
• Container Administration Command (v1.1→v1.2)
• Container and Resource Discovery (v1.0→v1.1)
• Create Account (v2.2→v2.3)
• Cloud Account (v1.2→v1.3)
• Local Account (v1.1→v1.2)
• Create or Modify System Process: Systemd Service (v1.2→v1.3)
• Create or Modify System Process: Windows Service (v1.2→v1.3)
• Data Encoding (v1.1→v1.2)
• Data from Local System (v1.5→v1.6)
• Deobfuscate/Decode Files or Information (v1.1→v1.2)
• Deploy Container (v1.1→v1.2)
• Disk Wipe (v1.0→v1.1)
• Disk Structure Wipe (v1.0→v1.1)
• Drive-by Compromise (v1.4→v1.5)
• Email Collection (v2.3→v2.4)
• Email Forwarding Rule (v1.2→v1.3)
• Escape to Host (v1.3→v1.4)
• Event Triggered Execution: Accessibility Features (v1.0→v1.1)
• Event Triggered Execution: AppInit DLLs (v1.0→v1.1)
• Event Triggered Execution: Component Object Model Hijacking (v1.0→v1.1)
• Event Triggered Execution: Screensaver (v1.0→v1.1)
• Event Triggered Execution: Windows Management Instrumentation Event Subscription (v1.2→v1.3)
• Exfiltration Over Alternative Protocol (v1.3→v1.4)
• Exfiltration Over Unencrypted Non-C2 Protocol (v2.0→v2.1)
• Exfiltration Over C2 Channel (v2.1→v2.2)
• Exploit Public-Facing Application (v2.3→v2.4)
• Exploitation for Privilege Escalation (v1.4→v1.5)
• File and Directory Permissions Modification: Windows File and Directory Permissions Modification (v1.1→v1.2)
• Forge Web Credentials (v1.2→v1.3)
• Gather Victim Identity Information: Credentials (v1.0→v1.1)
• Group Policy Discovery (v1.0→v1.1)
• Hide Artifacts: Email Hiding Rules (v1.1→v1.2)
• Impair Defenses (v1.3→v1.4)
• Disable Cloud Logs (v1.2→v1.3)
• Disable Windows Event Logging (v1.1→v1.2)
• Disable or Modify Cloud Firewall (v1.1→v1.2)
• Disable or Modify System Firewall (v1.0→v1.1)
• Disable or Modify Tools (v1.3→v1.4)
• Indicator Blocking (v1.1→v1.2)
• Indicator Removal (v2.0→v2.1)
• Clear Command History (v1.3→v1.4)
• Clear Mailbox Data (v1.0→v1.1)
• Clear Persistence (v1.0→v1.1)
• Clear Windows Event Logs (v1.1→v1.2)
• Network Share Connection Removal (v1.0→v1.1)
• Ingress Tool Transfer (v2.1→v2.2)
• Inhibit System Recovery (v1.1→v1.2)
• Masquerading (v1.4→v1.5)
• Rename System Utilities (v1.0→v1.1)
• Modify Authentication Process (v2.2→v2.3)
• Modify Registry (v1.2→v1.3)
• Multi-Factor Authentication Interception (v2.0→v2.1)
• Network Sniffing (v1.3→v1.4)
• Non-Application Layer Protocol (v2.1→v2.2)
• Non-Standard Port (v1.0→v1.1)
• OS Credential Dumping: LSASS Memory (v1.1→v1.2)
• OS Credential Dumping: Proc Filesystem (v1.0→v1.1)
• Obfuscated Files or Information (v1.3→v1.4)
• Permission Groups Discovery (v2.4→v2.5)
• Cloud Groups (v1.3→v1.4)
• Domain Groups (v1.1→v1.2)
• Local Groups (v1.1→v1.2)
• Phishing (v2.2→v2.3)
• Spearphishing Link (v2.3→v2.4)
• Phishing for Information (v1.1→v1.2)
• Spearphishing Link (v1.3→v1.4)
• Process Discovery (v1.2→v1.3)
• Query Registry (v1.2→v1.3)
• Remote Services (v1.2→v1.3)
• Distributed Component Object Model (v1.1→v1.2)
• SMB/Windows Admin Shares (v1.0→v1.1)
• Scheduled Task/Job: Container Orchestration Job (v1.2→v1.3)
• Scheduled Task/Job: Scheduled Task (v1.2→v1.3)
• Software Discovery: Security Software Discovery (v1.3→v1.4)
• Stage Capabilities: Drive-by Target (v1.2→v1.3)
• Stage Capabilities: Link Target (v1.2→v1.3)
• Stage Capabilities: Upload Malware (v1.1→v1.2)
• Steal or Forge Authentication Certificates (v1.0→v1.1)
• System Binary Proxy Execution: CMSTP (v2.0→v2.1)
• System Binary Proxy Execution: Compiled HTML File (v2.0→v2.1)
• System Binary Proxy Execution: Regsvr32 (v2.0→v2.1)
• System Binary Proxy Execution: Rundll32 (v2.0→v2.1)
• System Owner/User Discovery (v1.3→v1.4)
• System Service Discovery (v1.4→v1.5)
• System Shutdown/Reboot (v1.2→v1.3)
• System Time Discovery (v1.2→v1.3)
• Unsecured Credentials (v1.2→v1.3)
• Cloud Instance Metadata API (v1.3→v1.4)
• Container API (v1.1→v1.2)
• Private Keys (v1.0→v1.1)
• Use Alternate Authentication Material: Application Access Token (v1.4→v1.5)
• User Execution: Malicious File (v1.2→v1.3)
• Valid Accounts (v2.5→v2.6)
• Cloud Accounts (v1.4→v1.5)
• Domain Accounts (v1.2→v1.3)
• Local Accounts (v1.2→v1.3)
• Windows Management Instrumentation (v1.2→v1.3)

Patches

• Abuse Elevation Control Mechanism: Setuid and Setgid (v1.1)
• Access Token Manipulation (v2.0)
• Acquire Infrastructure: Domains (v1.2)
• Active Scanning: Vulnerability Scanning (v1.0)
• Adversary-in-the-Middle (v2.2)
• Audio Capture (v1.0)
• Boot or Logon Autostart Execution (v1.1)
• Active Setup (v1.0)
• Registry Run Keys / Startup Folder (v1.2)
• Shortcut Modification (v1.2)
• Winlogon Helper DLL (v1.0)
• Boot or Logon Initialization Scripts (v2.1)
• Brute Force: Password Cracking (v1.2)
• Create or Modify System Process: Launch Daemon (v1.2)
• Data Encoding: Standard Encoding (v1.0)
• Data from Network Shared Drive (v1.3)
• Disk Wipe: Disk Content Wipe (v1.0)
• Domain Policy Modification: Group Policy Modification (v1.0)
• Endpoint Denial of Service (v1.1)
• OS Exhaustion Flood (v1.2)
• Service Exhaustion Flood (v1.3)
• Event Triggered Execution: Change Default File Association (v1.0)
• External Remote Services (v2.4)
• File and Directory Discovery (v1.5)
• Hardware Additions (v1.6)
• Hijack Execution Flow: DLL Search Order Hijacking (v1.1)
• Hijack Execution Flow: DLL Side-Loading (v2.0)
• Hijack Execution Flow: Dylib Hijacking (v2.0)
• Hijack Execution Flow: Dynamic Linker Hijacking (v2.0)
• Hijack Execution Flow: Path Interception by PATH Environment Variable (v1.0)
• Hijack Execution Flow: Path Interception by Search Order Hijacking (v1.0)
• Hijack Execution Flow: Path Interception by Unquoted Path (v1.1)
• Hijack Execution Flow: Services File Permissions Weakness (v1.0)
• Hijack Execution Flow: Services Registry Permissions Weakness (v1.1)
• Impair Defenses: Impair Command History Logging (v2.2)
• Input Capture (v1.2)
• GUI Input Capture (v1.2)
• Keylogging (v1.1)
• Web Portal Capture (v1.0)
• Masquerading: Match Legitimate Name or Location (v1.1)
• Masquerading: Space after Filename (v1.0)
• Modify Authentication Process: Multi-Factor Authentication (v1.0)
• Multi-Factor Authentication Request Generation (v1.0)
• Network Denial of Service: Direct Network Flood (v1.3)
• Network Denial of Service: Reflection Amplification (v1.3)
• Network Service Discovery (v3.0)
• Network Share Discovery (v3.1)
• Obfuscated Files or Information: Binary Padding (v1.2)
• Obfuscated Files or Information: Software Packing (v1.2)
• Obfuscated Files or Information: Steganography (v1.2)
• Peripheral Device Discovery (v1.3)
• Phishing: Spearphishing Attachment (v2.2)
• Phishing: Spearphishing via Service (v2.0)
• Pre-OS Boot: Bootkit (v1.1)
• Pre-OS Boot: System Firmware (v1.0)
• Process Injection (v1.3)
• Proxy: Domain Fronting (v1.1)
• Remote Services: Remote Desktop Protocol (v1.1)
• Remote Services: SSH (v1.1)
• Remote Services: VNC (v1.1)
• Remote System Discovery (v3.4)
• Rootkit (v1.1)
• Scheduled Task/Job (v2.2)
• Screen Capture (v1.1)
• Server Software Component: Web Shell (v1.3)
• Software Deployment Tools (v2.1)
• Software Discovery (v1.3)
• Stage Capabilities: SEO Poisoning (v1.0)
• Steal or Forge Kerberos Tickets (v1.4)
• Kerberoasting (v1.2)
• Subvert Trust Controls: Install Root Certificate (v1.1)
• Subvert Trust Controls: Mark-of-the-Web Bypass (v1.1)
• Supply Chain Compromise (v1.5)
• System Information Discovery (v2.5)
• System Network Configuration Discovery (v1.5)
• Taint Shared Content (v1.3)
• Unsecured Credentials: Credentials In Files (v1.1)
• Use Alternate Authentication Material: Pass the Hash (v1.1)
• Use Alternate Authentication Material: Pass the Ticket (v1.1)
• Use Alternate Authentication Material: Web Session Cookie (v1.3)
• Valid Accounts: Default Accounts (v1.2)
• Video Capture (v1.1)

Mobile

Minor Version Changes

• Abuse Elevation Control Mechanism (v1.0→v1.1)
• Device Administrator Permissions (v1.0→v1.1)
• Access Notifications (v1.1→v1.2)
• Account Access Removal (v1.0→v1.1)
• Adversary-in-the-Middle (v2.0→v2.1)
• Audio Capture (v3.0→v3.1)
• Boot or Logon Initialization Scripts (v2.0→v2.1)
• Call Control (v1.0→v1.1)
• Clipboard Data (v3.0→v3.1)
• Command and Scripting Interpreter (v1.0→v1.1)
• Unix Shell (v1.0→v1.1)
• Compromise Client Software Binary (v1.0→v1.1)
• Credentials from Password Store (v1.0→v1.1)
• Keychain (v1.0→v1.1)
• Data Encrypted for Impact (v3.1→v3.2)
• Data Manipulation (v1.0→v1.1)
• Transmitted Data Manipulation (v1.0→v1.1)
• Download New Code at Runtime (v1.3→v1.4)
• Drive-By Compromise (v2.0→v2.1)
• Endpoint Denial of Service (v1.0→v1.1)
• Event Triggered Execution (v1.0→v1.1)
• Broadcast Receivers (v1.0→v1.1)
• Execution Guardrails (v1.0→v1.1)
• Geofencing (v1.0→v1.1)
• Exploitation for Privilege Escalation (v2.0→v2.1)
• Exploitation of Remote Services (v1.1→v1.2)
• File and Directory Discovery (v1.1→v1.2)
• Foreground Persistence (v2.0→v2.1)
• Generate Traffic from Victim (v1.0→v1.1)
• Hide Artifacts (v1.0→v1.1)
• Suppress Application Icon (v1.0→v1.1)
• Hijack Execution Flow (v1.0→v1.1)
• System Runtime API Hijacking (v1.0→v1.1)
• Impair Defenses (v1.0→v1.1)
• Device Lockout (v1.0→v1.1)
• Disable or Modify Tools (v1.0→v1.1)
• Prevent Application Removal (v1.0→v1.1)
• Indicator Removal on Host (v1.0→v1.1)
• Disguise Root/Jailbreak Indicators (v1.0→v1.1)
• File Deletion (v1.0→v1.1)
• Uninstall Malicious Application (v1.0→v1.1)
• Ingress Tool Transfer (v2.0→v2.1)
• Input Capture (v2.2→v2.3)
• GUI Input Capture (v1.0→v1.1)
• Keylogging (v1.0→v1.1)
• Location Tracking (v1.1→v1.2)
• Impersonate SS7 Nodes (v1.0→v1.1)
• Remote Device Management Services (v1.0→v1.1)
• Network Denial of Service (v1.2→v1.3)
• Non-Standard Port (v2.0→v2.1)
• Obfuscated Files or Information: Software Packing (v1.0→v1.1)
• Out of Band Data (v2.0→v2.1)
• Process Discovery (v2.0→v2.1)
• Process Injection (v1.0→v1.1)
• Ptrace System Calls (v1.0→v1.1)
• Protected User Data (v1.0→v1.1)
• Calendar Entries (v1.0→v1.1)
• Call Log (v1.0→v1.1)
• Contact List (v1.0→v1.1)
• SMS Messages (v1.0→v1.1)
• Proxy Through Victim (v1.0→v1.1)
• SMS Control (v1.0→v1.1)
• Screen Capture (v1.2→v1.3)
• Software Discovery (v2.0→v2.1)
• Security Software Discovery (v1.0→v1.1)
• Steal Application Access Token (v1.0→v1.1)
• URI Hijacking (v1.0→v1.1)
• Stored Application Data (v3.0→v3.1)
• Subvert Trust Controls (v1.0→v1.1)
• Code Signing Policy Modification (v1.0→v1.1)
• Supply Chain Compromise (v2.0→v2.1)
• Compromise Hardware Supply Chain (v1.0→v1.1)
• Compromise Software Dependencies and Development Tools (v1.0→v1.1)
• Compromise Software Supply Chain (v1.0→v1.1)
• System Network Configuration Discovery (v2.2→v2.3)
• Video Capture (v2.0→v2.1)
• Virtualization/Sandbox Evasion (v1.0→v1.1)
• System Checks (v1.0→v1.1)
• Web Service (v1.1→v1.2)
• Bidirectional Communication (v1.0→v1.1)
• Dead Drop Resolver (v1.0→v1.1)
• One-Way Communication (v1.0→v1.1)

ICS

New Techniques

• Change Credential (v1.0)
• Data from Local System (v1.0)

Minor Version Changes

• Alarm Suppression (v1.1→v1.2)
• Brute Force I/O (v1.0→v1.1)
• Damage to Property (v1.0→v1.1)
• Data from Information Repositories (v1.1→v1.2)
• Denial of Control (v1.0→v1.1)
• Denial of Service (v1.0→v1.1)
• Denial of View (v1.0→v1.1)
• External Remote Services (v1.0→v1.1)
• Hooking (v1.1→v1.2)
• Modify Alarm Settings (v1.1→v1.2)
• Modify Parameter (v1.1→v1.2)
• Rogue Master (v1.1→v1.2)
• Spoof Reporting Message (v1.1→v1.2)
• Transient Cyber Asset (v1.1→v1.2)
• Unauthorized Command Message (v1.1→v1.2)
• Wireless Compromise (v1.1→v1.2)

Patches

• Adversary-in-the-Middle (v2.0)
• Automated Collection (v1.0)
• Change Operating Mode (v1.0)
• Command-Line Interface (v1.1)
• Commonly Used Port (v1.1)
• Connection Proxy (v1.1)
• Default Credentials (v1.0)
• Detect Operating Mode (v1.0)
• Drive-by Compromise (v1.0)
• Execution through API (v1.1)
• Exploit Public-Facing Application (v1.0)
• Exploitation for Evasion (v1.1)
• Exploitation of Remote Services (v1.0)
• Graphical User Interface (v1.1)
• Hardcoded Credentials (v1.0)
• I/O Image (v1.1)
• Indicator Removal on Host (v1.0)
• Internet Accessible Device (v1.0)
• Lateral Tool Transfer (v1.1)
• Loss of Availability (v1.0)
• Loss of Control (v1.0)
• Loss of Productivity and Revenue (v1.0)
• Loss of Protection (v1.0)
• Loss of Safety (v1.0)
• Loss of View (v1.0)
• Manipulation of Control (v1.0)
• Manipulation of View (v1.0)
• Masquerading (v1.1)
• Modify Controller Tasking (v1.1)
• Modify Program (v1.1)
• Module Firmware (v1.1)
• Monitor Process State (v1.0)
• Native API (v1.0)
• Network Connection Enumeration (v1.1)
• Network Sniffing (v1.0)
• Point & Tag Identification (v1.1)
• Program Download (v1.1)
• Program Upload (v1.0)
• Project File Infection (v1.0)
• Remote Services (v1.1)
• Remote System Discovery (v1.1)
• Remote System Information Discovery (v1.1)
• Replication Through Removable Media (v1.0)
• Rootkit (v1.1)
• Screen Capture (v1.0)
• Scripting (v1.0)
• Spearphishing Attachment (v1.1)
• Standard Application Layer Protocol (v1.0)
• Supply Chain Compromise (v1.1)
• System Firmware (v1.1)
• Theft of Operational Information (v1.0)
• User Execution (v1.1)
• Valid Accounts (v1.1)
• Wireless Sniffing (v1.1)

Software

Enterprise

New Software

• AvosLocker (v1.0)
• Black Basta (v1.0)
• BlackCat (v1.0)
• Brute Ratel C4 (v1.0)
• DEADEYE (v1.0)
• DarkTortilla (v1.0)
• Industroyer2 (v1.0)
• KEYPLUG (v1.0)
• Mafalda (v1.0)
• Prestige (v1.0)
• Royal (v1.0)
• Rubeus (v1.0)
• SVCReady (v1.0)
• Woody RAT (v1.0)
• metaMain (v1.0)

Minor Version Changes

• AADInternals (v1.1→v1.2)
• AdFind (v1.1→v1.2)
• Astaroth (v2.0→v2.1)
• BackConfig (v1.0→v1.1)
• BloodHound (v1.3→v1.4)
• CARROTBAT (v1.0→v1.1)
• CHOPSTICK (v2.2→v2.3)
• Chaes (v1.0→v1.1)
• China Chopper (v2.3→v2.4)
• Cobalt Strike (v1.9→v1.10)
• ComRAT (v1.3→v1.4)
• CookieMiner (v1.0→v1.1)
• DRATzarus (v1.0→v1.1)
• DarkWatchman (v1.0→v1.1)
• Denis (v1.1→v1.2)
• Emotet (v1.3→v1.4)
• Empire (v1.5→v1.6)
• Exaramel for Windows (v2.1→v2.2)
• FruitFly (v1.1→v1.2)
• Gelsemium (v1.0→v1.1)
• GoldFinder (v1.0→v1.1)
• GoldMax (v2.0→v2.1)
• Grandoreiro (v1.0→v1.1)
• HOPLIGHT (v1.1→v1.2)
• IceApple (v1.0→v1.1)
• Impacket (v1.3→v1.4)
• KOCTOPUS (v1.1→v1.2)
• LaZagne (v1.3→v1.4)
• LoudMiner (v1.2→v1.3)
• Machete (v2.0→v2.1)
• Mimikatz (v1.6→v1.7)
• Mosquito (v1.1→v1.2)
• NETWIRE (v1.4→v1.5)
• Net (v2.3→v2.4)
• Netwalker (v1.0→v1.1)
• POWERSTATS (v2.2→v2.3)
• Pillowmint (v1.1→v1.2)
• Ping (v1.2→v1.3)
• PipeMon (v1.0→v1.1)
• PlugX (v3.0→v3.1)
• PoetRAT (v2.1→v2.2)
• PolyglotDuke (v1.0→v1.1)
• PowerLess (v1.0→v1.1)
• PowerPunch (v1.0→v1.1)
• PowerSploit (v1.5→v1.6)
• PsExec (v1.3→v1.4)
• QUADAGENT (v1.1→v1.2)
• QakBot (v1.0→v1.1)
• RCSession (v1.0→v1.1)
• REvil (v2.0→v2.1)
• Raindrop (v1.1→v1.2)
• RegDuke (v1.0→v1.1)
• Remsec (v1.1→v1.2)
• Responder (v1.1→v1.2)
• RogueRobin (v2.1→v2.2)
• S-Type (v1.2→v1.3)
• SHARPSTATS (v1.0→v1.1)
• SMOKEDHAM (v1.1→v1.2)
• SQLRat (v1.1→v1.2)
• SUNBURST (v2.3→v2.4)
• SUNSPOT (v1.1→v1.2)
• ServHelper (v1.1→v1.2)
• ShadowPad (v1.1→v1.2)
• Sibot (v1.0→v1.1)
• Sliver (v1.0→v1.1)
• Stuxnet (v1.2→v1.3)
• SysUpdate (v1.0→v1.1)
• Systeminfo (v1.1→v1.2)
• TEARDROP (v1.1→v1.2)
• TYPEFRAME (v1.1→v1.2)
• ThreatNeedle (v1.0→v1.1)
• TinyTurla (v1.0→v1.1)
• Torisma (v1.0→v1.1)
• TrailBlazer (v1.0→v1.1)
• Ursnif (v1.3→v1.4)
• Valak (v1.2→v1.3)
• Volgmer (v1.1→v1.2)
• WhisperGate (v1.0→v1.1)
• Zeus Panda (v1.2→v1.3)
• certutil (v1.2→v1.3)
• dsquery (v1.3→v1.4)
• netsh (v1.1→v1.2)

Patches

• CORESHELL (v2.1)
• ChChes (v1.1)
• Conficker (v1.0)
• ConnectWise (v1.0)
• Crimson (v1.3)
• Derusbi (v1.2)
• Duqu (v1.2)
• EKANS (v2.0)
• EvilGrab (v1.1)
• HDoor (v1.0)
• Hikit (v1.3)
• Hydraq (v2.0)
• KeyBoy (v1.2)
• KillDisk (v1.1)
• LockerGoga (v2.0)
• Ngrok (v1.1)
• NotPetya (v2.0)
• OLDBAIT (v1.1)
• PoisonIvy (v2.1)
• Rclone (v1.0)
• RedLeaves (v1.1)
• Remcos (v1.3)
• SILENTTRINITY (v1.0)
• TrickBot (v2.0)
• WannaCry (v1.1)
• Winnti for Windows (v3.0)
• YAHOYAH (v1.1)
• Zox (v1.0)
• ZxShell (v1.2)
• gh0st RAT (v3.1)

Mobile

New Software

• AbstractEmu (v1.0)
• Drinik (v1.0)
• FluBot (v1.0)
• S.O.V.A. (v1.0)
• SharkBot (v1.0)
• TangleBot (v1.0)
• TianySpy (v1.0)

Major Version Changes

• YiSpecter (v1.0→v2.0)

Minor Version Changes

• Bread (v1.1→v1.2)
• HummingBad (v1.0→v1.1)

Patches

• BusyGasper (v1.0)

ICS

New Software

• Industroyer2 (v1.0)

Minor Version Changes

• REvil (v2.0→v2.1)
• Stuxnet (v1.2→v1.3)

Patches

• Conficker (v1.0)
• Duqu (v1.2)
• EKANS (v2.0)
• INCONTROLLER (v1.0)
• KillDisk (v1.1)
• LockerGoga (v2.0)
• NotPetya (v2.0)
• Triton (v1.0)
• WannaCry (v1.1)

Groups

Enterprise

New Groups

• CURIUM (v1.0)
• LuminousMoth (v1.0)
• Metador (v1.0)

Major Version Changes

• APT29 (v3.1→v4.0)
• GOLD SOUTHFIELD (v1.1→v2.0)
• Sandworm Team (v2.2→v3.0)

Minor Version Changes

• APT19 (v1.4→v1.5)
• APT32 (v2.5→v2.6)
• APT41 (v3.0→v3.1)
• Aquatic Panda (v1.0→v1.1)
• Chimera (v2.1→v2.2)
• Cobalt Group (v2.0→v2.1)
• Ember Bear (v1.0→v1.1)
• FIN6 (v3.2→v3.3)
• FIN7 (v2.1→v2.2)
• FIN8 (v1.2→v1.3)
• Fox Kitten (v1.0→v1.1)
• Gamaredon Group (v2.0→v2.1)
• HAFNIUM (v1.2→v1.3)
• HEXANE (v2.0→v2.1)
• LAPSUS$ (v1.0→v1.1)
• Lazarus Group (v3.1→v3.2)
• LazyScripter (v1.0→v1.1)
• Leafminer (v2.3→v2.4)
• Magic Hound (v5.0→v5.1)
• MuddyWater (v4.0→v4.1)
• Mustang Panda (v2.0→v2.1)
• OilRig (v3.0→v3.1)
• Patchwork (v1.4→v1.5)
• Sidewinder (v1.0→v1.1)
• Silence (v2.1→v2.2)
• TA505 (v2.0→v2.1)
• TA551 (v1.1→v1.2)
• Threat Group-3390 (v2.0→v2.1)
• Turla (v3.0→v3.1)
• Wizard Spider (v2.0→v2.1)
• ZIRCONIUM (v1.0→v1.1)

Patches

• APT28 (v4.0)
• APT33 (v1.4)
• Andariel (v1.0)
• Axiom (v2.0)
• Dragonfly (v3.1)
• FIN4 (v1.2)
• Kimsuky (v3.1)
• TEMP.Veles (v1.3)
• Winnti Group (v1.2)
• menuPass (v2.1)

Mobile

Major Version Changes

• Sandworm Team (v2.2→v3.0)

Patches

• APT28 (v4.0)

ICS

Major Version Changes

• GOLD SOUTHFIELD (v1.1→v2.0)
• Sandworm Team (v2.2→v3.0)

Minor Version Changes

• FIN6 (v3.2→v3.3)
• FIN7 (v2.1→v2.2)
• HEXANE (v2.0→v2.1)
• Lazarus Group (v3.1→v3.2)
• OilRig (v3.0→v3.1)
• Wizard Spider (v2.0→v2.1)

Patches

• APT33 (v1.4)
• Dragonfly (v3.1)
• TEMP.Veles (v1.3)

Campaigns

Enterprise

New Campaigns

• 2016 Ukraine Electric Power Attack (v1.0)
• C0017 (v1.0)
• C0018 (v1.0)
• C0021 (v1.0)
• Operation Dream Job (v1.0)
• Operation Ghost (v1.0)
• SolarWinds Compromise (v1.0)

Minor Version Changes

• Frankenstein (v1.0→v1.1)
• Operation CuckooBees (v1.0→v1.1)
• Operation Wocao (v1.0→v1.1)

Mobile

ICS

New Campaigns

• 2016 Ukraine Electric Power Attack (v1.0)
• Maroochy Water Breach (v1.0)

Mitigations

Enterprise

Minor Version Changes

• Audit (v1.1→v1.2)
• Operating System Configuration (v1.1→v1.2)
• Restrict Registry Permissions (v1.0→v1.1)

Mobile

ICS

New Mitigations

• Validate Program Inputs (v1.0)

Minor Version Changes

• Static Network Configuration (v1.0→v1.1)

Patches

• Access Management (v1.0)
• Account Use Policies (v1.0)
• Antivirus/Antimalware (v1.0)
• Application Developer Guidance (v1.0)
• Application Isolation and Sandboxing (v1.0)
• Audit (v1.0)
• Authorization Enforcement (v1.0)
• Boot Integrity (v1.0)
• Code Signing (v1.0)
• Communication Authenticity (v1.0)
• Data Backup (v1.0)
• Data Loss Prevention (v1.0)
• Disable or Remove Feature or Program (v1.0)
• Encrypt Network Traffic (v1.0)
• Encrypt Sensitive Information (v1.0)
• Execution Prevention (v1.0)
• Exploit Protection (v1.0)
• Filter Network Traffic (v1.0)
• Human User Authentication (v1.0)
• Limit Access to Resource Over Network (v1.0)
• Limit Hardware Installation (v1.0)
• Minimize Wireless Signal Propagation (v1.0)
• Multi-factor Authentication (v1.0)
• Network Allowlists (v1.0)
• Network Intrusion Prevention (v1.0)
• Network Segmentation (v1.0)
• Operating System Configuration (v1.0)
• Operational Information Confidentiality (v1.0)
• Out-of-Band Communications Channel (v1.0)
• Password Policies (v1.0)
• Privileged Account Management (v1.0)
• Redundancy of Service (v1.0)
• Restrict File and Directory Permissions (v1.0)
• Restrict Library Loading (v1.0)
• Restrict Registry Permissions (v1.0)
• Restrict Web-Based Content (v1.0)
• Software Configuration (v1.0)
• Software Process and Device Authentication (v1.0)
• Supply Chain Management (v1.0)
• Update Software (v1.0)
• User Account Management (v1.0)
• User Training (v1.0)
• Vulnerability Scanning (v1.0)
• Watchdog Timers (v1.0)

Data Sources

Enterprise

Patches

• Command (v1.1)
• File (v1.0)
• Logon Session (v1.1)
• Malware Repository (v1.1)
• Network Traffic (v1.1)
• Process (v1.1)
• Script (v1.1)
• Sensor Health (v1.1)
• User Account (v1.1)

Mobile

New Data Sources

• Application Vetting (v1.0)
• Command (v1.1)
• Network Traffic (v1.1)
• Process (v1.1)
• Sensor Health (v1.1)
• User Interface (v1.0)

ICS

Patches

• Asset (v1.0)
• Command (v1.1)
• File (v1.0)
• Logon Session (v1.1)
• Network Traffic (v1.1)
• Operational Databases (v1.0)
• Process (v1.1)
• Script (v1.1)
• User Account (v1.1)

Data Components

Enterprise

Patches

• OS API Execution (v1.0)

Mobile

New Data Components

• API Calls (v1.0)
• Command Execution (v1.1)
• Host Status (v1.1)
• Network Communication (v1.0)
• Network Connection Creation (v1.1)
• Network Traffic Content (v1.0)
• Network Traffic Flow (v1.0)
• Permissions Request (v1.0)
• Permissions Requests (v1.0)
• Process Creation (v1.1)
• Process Metadata (v1.0)
• Process Termination (v1.0)
• Protected Configuration (v1.0)
• System Notifications (v1.0)
• System Settings (v1.0)

ICS

Patches

• OS API Execution (v1.0)

Contributors to this release

• Adam Lichters
• Adrien Bataille
• Akiko To, NEC Corporation
• Akshat Pradhan, Qualys
• Anders Vejlby
• Austin Clark, @c2defense
• Ben Smith
• Bryan Onel
• Caio Silva
• Center for Threat-Informed Defense (CTID)
• Christopher Peacock
• Cisco
• CrowdStrike Falcon OverWatch
• Daniel Acevedo, @darmad0, ARMADO
• Daniyal Naeem, BT Security
• Denise Tan
• Dor Edry, Microsoft
• Douglas Weir
• Duane Michael
• Dylan
• Elpidoforos Maragkos, @emaragkos
• Emad Al-Mousa, Saudi Aramco
• ExtraHop
• Felix Eberstaller
• Filip Kafka, ESET
• Flavio Costa, Cisco
• Gavin Knapp
• George Thomas
• Goldstein Menachem
• Hiroki Nagahama, NEC Corporation
• Hubert Mank
• Inna Danilevich, U.S Bank
• Jared Wilson
• Jason Sevilla
• Jeffrey Barto
• Jeremy Kennelly
• Jimmy Wylie, Dragos, Inc.
• Joas Antonio dos Santos, @C0d3Cr4zy
• Joe Gumke, U.S. Bank
• Jonny Johnson
• Josh Arenas, Trustwave Spiderlabs
• Juan Carlos Campuzano – Mnemo-CERT
• Kuessner Consulting
• Kyaw Pyiyt Htet, @KyawPyiytHtet
• Liora Itkin
• Liran Ravich, CardinalOps
• Lucas Heiligenstein
• Manikantan Srinivasan, NEC Corporation India
• Marcus Weeks
• Mark Wee
• Massimiliano Romano, BT Security
• Mathieu Hinse
• Matt Brenton, Zurich Global Information Security
• Mayuresh Dani, Qualys
• Mindaugas Gudzis, BT Security
• Miroslav Babiš, ESET
• Muhammad Moiz Arshad, @5T34L7H
• Nader Zaveri
• Nichols Jasper
• Ohad Zaidenberg, @ohad_mz
• Ozan Olali
• Pallavi Sivakumaran
• Pooja Natarajan, NEC Corporation India
• Ross Brittain
• Scott Cook, Capital One
• Shailesh Tiwary (Indian Army)
• Simona David
• Sittikorn Sangrattanapitak
• Thanabodi
• Tim (Wadhwa-)Brown
• Tim Peck
• Tom Hegel
• Tristan Bennett, Seamless Intelligence
• TruKno
• Vinayak Wadhwa, SAFE Security
• Wataru Takahashi, NEC Corporation
• Yinon Engelsman, Talon Cyber Security
• Yonatan Gotlib, Talon Cyber Security
• Yoshihiro Kori, NEC Corporation
• Zaw Min Htun, @Z3TAE
• Zuzana Legáthová, ESET