
MITRE ATT&CK update

Update of the MITRE ATT&CK module


On October 31, 2023, version 14 of MITRE ATT&CK was released. We have already incorporated the changes into our universal monitoring platform, SAF; in particular, the updates affected the MITRE ATT&CK module. In this article, we share the details of the release.

In the 14th version of Enterprise MITRE ATT&CK, 18 new Techniques have been added and over 100 existing Techniques have been updated.


  • New Techniques

    • Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (v1.0)
    • Account Manipulation: Additional Container Cluster Roles (v1.0)
    • Content Injection (v1.0)
    • Credentials from Password Stores: Cloud Secrets Management Stores (v1.0)
    • Exfiltration Over Web Service: Exfiltration Over Webhook (v1.0)
    • Financial Theft (v1.0)
    • Hide Artifacts: Ignore Process Interrupts (v1.0)
    • Impair Defenses: Disable or Modify Linux Audit System (v1.0)
    • Impersonation (v1.0)
    • Log Enumeration (v1.0)
    • Masquerading: Break Process Trees (v1.0)
    • Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations (v1.0)
    • Obfuscated Files or Information: LNK Icon Smuggling (v1.0)
    • Phishing: Spearphishing Voice (v1.0)
    • Phishing for Information: Spearphishing Voice (v1.0)
    • Power Settings (v1.0)
    • Remote Services: Direct Cloud VM Connections (v1.0)
    • System Network Configuration Discovery: Wi-Fi Discovery (v1.0)
  • Major Version Changes

    • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (v1.2→v2.0)
    • Impair Defenses: Disable or Modify Cloud Logs (v1.3→v2.0)
  • Minor Version Changes

    • Abuse Elevation Control Mechanism (v1.1→v1.2)
    • Access Token Manipulation: Token Impersonation/Theft (v1.1→v1.2)
    • Account Manipulation (v2.5→v2.6)
      • Additional Cloud Credentials (v2.5→v2.6)
      • Additional Cloud Roles (v2.2→v2.3)
      • Additional Email Delegate Permissions (v2.0→v2.1)
      • Device Registration (v1.1→v1.2)
      • SSH Authorized Keys (v1.2→v1.3)
    • Acquire Infrastructure (v1.2→v1.3)
    • Adversary-in-the-Middle (v2.2→v2.3)
    • Application Layer Protocol: File Transfer Protocols (v1.0→v1.1)
    • Application Layer Protocol: Web Protocols (v1.1→v1.2)
    • Archive Collected Data: Archive via Utility (v1.2→v1.3)
    • Boot or Logon Autostart Execution: Print Processors (v1.0→v1.1)
    • Boot or Logon Autostart Execution: Winlogon Helper DLL (v1.0→v1.1)
    • Boot or Logon Autostart Execution: XDG Autostart Entries (v1.0→v1.1)
    • Boot or Logon Initialization Scripts (v2.1→v2.2)
    • Brute Force: Credential Stuffing (v1.3→v1.4)
    • Brute Force: Password Guessing (v1.4→v1.5)
    • Brute Force: Password Spraying (v1.3→v1.4)
    • Cloud Service Dashboard (v1.1→v1.2)
    • Command and Scripting Interpreter: Windows Command Shell (v1.2→v1.3)
    • Compromise Client Software Binary (v1.0→v1.1)
    • Compromise Infrastructure (v1.3→v1.4)
    • Create Account (v2.3→v2.4)
      • Cloud Account (v1.3→v1.4)
      • Domain Account (v1.0→v1.1)
      • Local Account (v1.2→v1.3)
    • Create or Modify System Process: Systemd Service (v1.3→v1.4)
    • Create or Modify System Process: Windows Service (v1.3→v1.4)
    • Credentials from Password Stores (v1.0→v1.1)
    • Data Destruction (v1.1→v1.2)
    • Data from Cloud Storage (v2.0→v2.1)
    • Data from Network Shared Drive (v1.3→v1.4)
    • Deobfuscate/Decode Files or Information (v1.2→v1.3)
    • Direct Volume Access (v2.0→v2.1)
    • Email Collection (v2.4→v2.5)
      • Remote Email Collection (v1.1→v1.2)
    • Event Triggered Execution: Screensaver (v1.1→v1.2)
    • Exfiltration Over Other Network Medium (v1.1→v1.2)
    • Exfiltration Over Web Service (v1.2→v1.3)
    • Exfiltration to Cloud Storage (v1.1→v1.2)
    • Exfiltration to Code Repository (v1.0→v1.1)
    • Exploitation for Credential Access (v1.4→v1.5)
    • Exploitation for Defense Evasion (v1.3→v1.4)
    • File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (v1.1→v1.2)
    • Forced Authentication (v1.2→v1.3)
    • Forge Web Credentials (v1.3→v1.4)
    • Hide Artifacts: Email Hiding Rules (v1.2→v1.3)
    • Hijack Execution Flow: Path Interception by PATH Environment Variable (v1.0→v1.1)
    • Impair Defenses (v1.4→v1.5)
      • Disable Windows Event Logging (v1.2→v1.3)
      • Disable or Modify Tools (v1.4→v1.5)
      • Downgrade Attack (v1.1→v1.2)
      • Indicator Blocking (v1.2→v1.3)
    • Indicator Removal: Clear Network Connection History and Configurations (v1.0→v1.1)
    • Indicator Removal: Clear Windows Event Logs (v1.2→v1.3)
    • Ingress Tool Transfer (v2.2→v2.3)
    • Inhibit System Recovery (v1.2→v1.3)
    • Input Capture: Keylogging (v1.1→v1.2)
    • Inter-Process Communication: Dynamic Data Exchange (v1.2→v1.3)
    • Lateral Tool Transfer (v1.2→v1.3)
    • Masquerading (v1.5→v1.6)
      • Masquerade Task or Service (v1.1→v1.2)
      • Match Legitimate Name or Location (v1.1→v1.2)
    • Modify Authentication Process: Multi-Factor Authentication (v1.0→v1.1)
    • Modify Cloud Compute Infrastructure (v1.1→v1.2)
    • Modify Registry (v1.3→v1.4)
    • Native API (v2.1→v2.2)
    • Network Service Discovery (v3.0→v3.1)
    • Network Share Discovery (v3.1→v3.2)
    • Network Sniffing (v1.4→v1.5)
    • Non-Application Layer Protocol (v2.2→v2.3)
    • OS Credential Dumping: LSASS Memory (v1.2→v1.3)
    • OS Credential Dumping: NTDS (v1.1→v1.2)
    • OS Credential Dumping: Security Account Manager (v1.0→v1.1)
    • Obfuscated Files or Information (v1.4→v1.5)
      • Embedded Payloads (v1.0→v1.1)
      • HTML Smuggling (v1.0→v1.1)
    • Phishing (v2.3→v2.4)
      • Spearphishing Link (v2.4→v2.5)
    • Phishing for Information (v1.2→v1.3)
      • Spearphishing Link (v1.4→v1.5)
    • Process Discovery (v1.3→v1.4)
    • Process Injection: Dynamic-link Library Injection (v1.2→v1.3)
    • Process Injection: Process Hollowing (v1.2→v1.3)
    • Reflective Code Loading (v1.0→v1.1)
    • Remote Access Software (v2.1→v2.2)
    • Remote Service Session Hijacking: RDP Hijacking (v1.0→v1.1)
    • Remote Services (v1.3→v1.4)
      • Distributed Component Object Model (v1.2→v1.3)
      • Remote Desktop Protocol (v1.1→v1.2)
      • SMB/Windows Admin Shares (v1.1→v1.2)
      • SSH (v1.1→v1.2)
      • Windows Remote Management (v1.1→v1.2)
    • Remote System Discovery (v3.4→v3.5)
    • Resource Hijacking (v1.3→v1.4)
    • Scheduled Task/Job: At (v2.0→v2.1)
    • Scheduled Task/Job: Scheduled Task (v1.3→v1.4)
    • Scheduled Task/Job: Systemd Timers (v1.1→v1.2)
    • Shared Modules (v2.1→v2.2)
    • Software Deployment Tools (v2.1→v2.2)
    • Subvert Trust Controls: Install Root Certificate (v1.1→v1.2)
    • System Binary Proxy Execution: Rundll32 (v2.1→v2.2)
    • System Network Configuration Discovery (v1.5→v1.6)
    • System Owner/User Discovery (v1.4→v1.5)
    • System Services: Service Execution (v1.1→v1.2)
    • Taint Shared Content (v1.3→v1.4)
    • Trusted Developer Utilities Proxy Execution: MSBuild (v1.2→v1.3)
    • Unsecured Credentials: Credentials In Files (v1.1→v1.2)
    • Unsecured Credentials: Credentials in Registry (v1.0→v1.1)
    • Use Alternate Authentication Material: Pass the Hash (v1.1→v1.2)
    • Valid Accounts: Cloud Accounts (v1.5→v1.6)
    • Valid Accounts: Domain Accounts (v1.3→v1.4)
    • Valid Accounts: Local Accounts (v1.3→v1.4)
    • Windows Management Instrumentation (v1.3→v1.4)
  • Patches

    • Cloud Service Discovery (v1.3)
    • Event Triggered Execution: PowerShell Profile (v1.1)
    • Forge Web Credentials: SAML Tokens (v1.2)
    • Forge Web Credentials: Web Cookies (v1.1)
    • Masquerading: Masquerade File Type (v1.0)
    • Masquerading: Rename System Utilities (v1.1)
    • OS Credential Dumping: Cached Domain Credentials (v1.0)
    • Replication Through Removable Media (v1.2)
    • Steal Application Access Token (v1.2)
    • Steal Web Session Cookie (v1.2)
    • System Binary Proxy Execution: Compiled HTML File (v2.1)
    • Use Alternate Authentication Material: Application Access Token (v1.5)
    • Use Alternate Authentication Material: Web Session Cookie (v1.3)

14 new Software entries have been added and over 40 existing Software entries have been updated.


  • New Software

    • ANDROMEDA (v1.0)
    • AsyncRAT (v1.0)
    • BADHATCH (v1.0)
    • Disco (v1.0)
    • KOPILUWAK (v1.0)
    • NightClub (v1.0)
    • Pacu (v1.0)
    • QUIETCANARY (v1.0)
    • QUIETEXIT (v1.0)
    • RotaJakiro (v1.0)
    • Sardonic (v1.0)
    • SharpDisco (v1.0)
    • Snip3 (v1.0)
    • ngrok (v1.2)
  • Major Version Changes

    • OSX_OCEANLOTUS.D (v2.2→v3.0)
    • Uroburos (v1.0→v2.0)
  • Minor Version Changes

    • AdFind (v1.2→v1.3)
    • Agent Tesla (v1.2→v1.3)
    • Arp (v1.1→v1.2)
    • BITSAdmin (v1.3→v1.4)
    • BlackEnergy (v1.3→v1.4)
    • BloodHound (v1.4→v1.5)
    • Cobalt Strike (v1.10→v1.11)
    • Conti (v2.1→v2.2)
    • CrossRAT (v1.1→v1.2)
    • Dridex (v2.0→v2.1)
    • Emotet (v1.4→v1.5)
    • Empire (v1.6→v1.7)
    • Fysbis (v1.2→v1.3)
    • GoldMax (v2.1→v2.2)
    • Imminent Monitor (v1.0→v1.1)
    • Impacket (v1.4→v1.5)
    • KillDisk (v1.1→v1.2)
    • LaZagne (v1.4→v1.5)
    • Mimikatz (v1.7→v1.8)
    • NETWIRE (v1.5→v1.6)
    • Net (v2.4→v2.5)
    • Nltest (v1.1→v1.2)
    • OSX/Shlayer (v1.3→v1.4)
    • Ping (v1.3→v1.4)
    • PsExec (v1.4→v1.5)
    • Pupy (v1.2→v1.3)
    • Ragnar Locker (v1.1→v1.2)
    • Regin (v1.1→v1.2)
    • Revenge RAT (v1.1→v1.2)
    • Rubeus (v1.0→v1.1)
    • Ryuk (v1.3→v1.4)
    • TrickBot (v2.0→v2.1)
    • WarzoneRAT (v1.0→v1.1)
    • certutil (v1.3→v1.4)
    • esentutl (v1.2→v1.3)
    • jRAT (v2.1→v2.2)
    • netstat (v1.1→v1.2)
    • njRAT (v1.4→v1.5)
  • Patches

    • BlackCat (v1.0)
    • Calisto (v1.1)
    • Carbanak (v1.1)
    • Doki (v1.0)
    • Industroyer (v1.1)
    • LockerGoga (v2.0)
    • PUNCHBUGGY (v2.1)
    • PUNCHTRACK (v1.1)
    • PowerSploit (v1.6)

5 new Groups have been added and 17 existing Groups have been updated.


  • New Groups

    • FIN13 (v1.0)
    • MoustachedBouncer (v1.0)
    • Scattered Spider (v1.0)
    • TA2541 (v1.0)
    • Volt Typhoon (v1.0)
  • Major Version Changes

    • APT29 (v4.0→v5.0)
    • FIN7 (v2.2→v3.0)
    • FIN8 (v1.3→v2.0)
    • Indrik Spider (v2.1→v3.0)
    • Turla (v3.1→v4.0)
    • Wizard Spider (v2.1→v3.0)
  • Minor Version Changes

    • APT32 (v2.6→v2.7)
    • Confucius (v1.0→v1.1)
    • Dragonfly (v3.1→v3.2)
    • LAPSUS$ (v1.1→v1.2)
    • Magic Hound (v5.1→v5.2)
    • Sandworm Team (v3.0→v3.1)
    • SilverTerrier (v1.1→v1.2)
  • Patches

    • APT37 (v2.0)
    • Ajax Security Team (v1.0)
    • Darkhotel (v2.1)
    • Kimsuky (v3.1)

3 new Campaigns have been added and 1 existing Campaign has been updated.


  • New Campaigns

    • 2015 Ukraine Electric Power Attack (v1.0)
    • C0026 (v1.0)
    • C0027 (v1.0)
  • Minor Version Changes

    • Operation Dream Job (v1.0→v1.1)

These updates have allowed us to improve the functionality of the module and provide a higher level of protection against the constantly changing tactics and techniques of malicious actors.

We would also like to note that we do not rely solely on MITRE ATT&CK. We continuously monitor current cybersecurity trends and add new defense methods independently of MITRE releases. Our goal is to ensure the maximum protection of our clients' data and information resources, so we are always ready to adapt rapidly to new threats.

If you are interested in the MITRE ATT&CK module, you can contact us to discuss the details 🔥
