
<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Updates - Updates - October 2019 | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li 
class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <div id="sidebars"></div> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/resources/">Resources</a></li> <li class="breadcrumb-item"><a href="/resources/versions/">Version History</a></li> <li class="breadcrumb-item">October 2019 Release Notes</li> </ol> <div class="container-fluid blog-post pb-3"> <h1 class="blog-post-title mb-4">Updates - October 2019</h1> <table> <thead> <tr> <th style="text-align: left;">Version</th> <th style="text-align: left;">Start Date</th> <th style="text-align: left;">End Date</th> <th style="text-align: left;">Data</th> </tr> </thead> <tbody> <tr> <td style="text-align: left;"><a 
href="/versions/v6">ATT&amp;CK v6</a></td> <td style="text-align: left;">October 24, 2019</td> <td style="text-align: left;">July 7, 2020</td> <td style="text-align: left;"><a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v6.3">v6.3 on MITRE/CTI</a></td> </tr> </tbody> </table> <p>The October 2019 ATT&amp;CK release updates techniques, Groups, and Software for both Enterprise and Mobile. The biggest change is the addition of cloud-focused techniques.</p> <h4>ATT&amp;CK for Cloud</h4> <p>36 techniques have been added or updated to cover adversary behavior against cloud-based platforms. We've added three infrastructure as a service (IaaS) platforms, <a href="/matrices/enterprise/cloud/aws/">Amazon Web Services (AWS)</a>, <a href="/matrices/enterprise/cloud/azure/">Microsoft Azure (Azure)</a>, and <a href="/matrices/enterprise/cloud/gcp/">Google Cloud Platform (GCP)</a>. The <a href="/matrices/enterprise/cloud/saas/">Software as a service (SaaS)</a> platform will cover techniques against general cloud-based software platforms. 
Separately from IaaS and SaaS, we've also added two cloud software platforms, <a href="/matrices/enterprise/cloud/azuread/">Azure Active Directory (Azure AD)</a> and <a href="/matrices/enterprise/cloud/office365/">Office 365</a>, to cover techniques against those specific platforms.</p> <h4>New techniques and updates for cloud:</h4> <ul> <li><a href="/techniques/T1527">Application Access Token</a></li> <li><a href="/techniques/T1522">Cloud Instance Metadata API</a></li> <li><a href="/techniques/T1538">Cloud Service Dashboard</a></li> <li><a href="/techniques/T1526">Cloud Service Discovery</a></li> <li><a href="/techniques/T1530">Data from Cloud Storage Object</a></li> <li><a href="/techniques/T1525">Implant Container Image</a></li> <li><a href="/techniques/T1534">Internal Spearphishing</a></li> <li><a href="/techniques/T1536">Revert Cloud Instance</a></li> <li><a href="/techniques/T1528">Steal Application Access Token</a></li> <li><a href="/techniques/T1539">Steal Web Session Cookie</a></li> <li><a href="/techniques/T1537">Transfer Data to Cloud Account</a></li> <li><a href="/techniques/T1535">Unused Cloud Regions</a></li> <li><a href="/techniques/T1506">Web Session Cookie</a></li> <li><a href="/techniques/T1087">Account Discovery</a></li> <li><a href="/techniques/T1098">Account Manipulation</a></li> <li><a href="/techniques/T1110">Brute Force</a></li> <li><a href="/techniques/T1136">Create Account</a></li> <li><a href="/techniques/T1081">Credentials in Files</a></li> <li><a href="/techniques/T1213">Data from Information Repositories</a></li> <li><a href="/techniques/T1005">Data from Local System</a></li> <li><a href="/techniques/T1074">Data Staged</a></li> <li><a href="/techniques/T1189">Drive-by Compromise</a></li> <li><a href="/techniques/T1114">Email Collection</a></li> <li><a href="/techniques/T1190">Exploit Public-Facing Application</a></li> <li><a href="/techniques/T1046">Network Service Scanning</a></li> <li><a href="/techniques/T1135">Network Share 
Discovery</a></li> <li><a href="/techniques/T1137">Office Application Startup</a></li> <li><a href="/techniques/T1069">Permission Groups Discovery</a></li> <li><a href="/techniques/T1108">Redundant Access</a></li> <li><a href="/techniques/T1018">Remote System Discovery</a></li> <li><a href="/techniques/T1496">Resource Hijacking</a></li> <li><a href="/techniques/T1192">Spearphishing Link</a></li> <li><a href="/techniques/T1082">System Information Discovery</a></li> <li><a href="/techniques/T1049">System Network Connections Discovery</a></li> <li><a href="/techniques/T1199">Trusted Relationship</a></li> <li><a href="/techniques/T1078">Valid Accounts</a></li> </ul> <p>The majority of the people and organizations we talked to while defining what ATT&amp;CK means in a cloud environment said that they consider it an extension of an enterprise network, so we made it part of ATT&amp;CK for Enterprise instead of creating a separate model. The ATT&amp;CK for Cloud matrix along with the individual platforms can still be viewed separately from the rest of the Enterprise matrix. Due to web applications being thought of as the new perimeter with cloud, we've had to expand the definition of Lateral Movement a bit to cover access and interaction with cloud-based systems and services. Common credentialing material such as web browser cookies and application access tokens like OAuth are commonplace and are targeted for access to cloud-based software.</p> <p>The current list of cloud platforms was selected based on input from contributors and what has been reported in incidents. We plan on re-evaluating them as needed to expand or refine them based on the threat landscape.</p> <p>We shifted priorities a bit this year to this effort because of the overwhelming demand for cloud coverage in ATT&amp;CK. The lack of public incident reporting made it difficult to do, but we were able to use a lot of the community's expertise and knowledge in building it. 
ATT&amp;CK for Cloud is the first new technology domain that has been created based on almost 100% community contributions for technique ideas! Cloud is by no means finished. We will continue to build out additional cloud-based techniques for another release next year.</p> <h3>Techniques</h3> <p><strong>Enterprise</strong></p> <p>View enterprise technique updates in the ATT&amp;CK Navigator <a href="https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2Fmitre-attack%2Fattack-website%2Fmaster%2Fmodules%2Fresources%2Fdocs%2Frelease-layers-archive%2FOctober_2019_Updates_Enterprise.json">here</a>.</p> <p>New Techniques:</p> <ul> <li><a href="/techniques/T1531">Account Access Removal</a></li> <li><a href="/techniques/T1527">Application Access Token</a></li> <li><a href="/techniques/T1522">Cloud Instance Metadata API</a></li> <li><a href="/techniques/T1538">Cloud Service Dashboard</a></li> <li><a href="/techniques/T1526">Cloud Service Discovery</a></li> <li><a href="/techniques/T1503">Credentials from Web Browsers</a></li> <li><a href="/techniques/T1530">Data from Cloud Storage Object</a></li> <li><a href="/techniques/T1514">Elevated Execution with Prompt</a></li> <li><a href="/techniques/T1519">Emond</a></li> <li><a href="/techniques/T1525">Implant Container Image</a></li> <li><a href="/techniques/T1534">Internal Spearphishing</a></li> <li><a href="/techniques/T1502">Parent PID Spoofing</a></li> <li><a href="/techniques/T1504">PowerShell Profile</a></li> <li><a href="/techniques/T1536">Revert Cloud Instance</a></li> <li><a href="/techniques/T1505">Server Software Component</a></li> <li><a href="/techniques/T1518">Software Discovery</a></li> <li><a href="/techniques/T1528">Steal Application Access Token</a></li> <li><a href="/techniques/T1539">Steal Web Session Cookie</a></li> <li><a href="/techniques/T1529">System Shutdown/Reboot</a></li> <li><a href="/techniques/T1537">Transfer Data to Cloud Account</a></li> <li><a 
href="/techniques/T1535">Unused/Unsupported Cloud Regions</a></li> <li><a href="/techniques/T1506">Web Session Cookie</a></li> </ul> <p>Technique deletions: No changes</p> <p>Technique changes:</p> <ul> <li><a href="/techniques/T1156">.bash_profile and .bashrc</a></li> <li><a href="/techniques/T1087">Account Discovery</a></li> <li><a href="/techniques/T1098">Account Manipulation</a></li> <li><a href="/techniques/T1009">Binary Padding</a></li> <li><a href="/techniques/T1110">Brute Force</a></li> <li><a href="/techniques/T1175">Component Object Model and Distributed COM</a></li> <li><a href="/techniques/T1090">Connection Proxy</a></li> <li><a href="/techniques/T1136">Create Account</a></li> <li><a href="/techniques/T1003">Credential Dumping</a></li> <li><a href="/techniques/T1081">Credentials in Files</a></li> <li><a href="/techniques/T1074">Data Staged</a></li> <li><a href="/techniques/T1213">Data from Information Repositories</a></li> <li><a href="/techniques/T1005">Data from Local System</a></li> <li><a href="/techniques/T1189">Drive-by Compromise</a></li> <li><a href="/techniques/T1114">Email Collection</a></li> <li><a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a></li> <li><a href="/techniques/T1190">Exploit Public-Facing Application</a></li> <li><a href="/techniques/T1068">Exploitation for Privilege Escalation</a></li> <li><a href="/techniques/T1083">File and Directory Discovery</a></li> <li><a href="/techniques/T1222">File and Directory Permissions Modification</a></li> <li><a href="/techniques/T1187">Forced Authentication</a></li> <li><a href="/techniques/T1144">Gatekeeper Bypass</a></li> <li><a href="/techniques/T1143">Hidden Window</a></li> <li><a href="/techniques/T1054">Indicator Blocking</a></li> <li><a href="/techniques/T1118">InstallUtil</a></li> <li><a href="/techniques/T1036">Masquerading</a></li> <li><a href="/techniques/T1170">Mshta</a></li> <li><a href="/techniques/T1046">Network Service Scanning</a></li> <li><a 
href="/techniques/T1135">Network Share Discovery</a></li> <li><a href="/techniques/T1137">Office Application Startup</a></li> <li><a href="/techniques/T1120">Peripheral Device Discovery</a></li> <li><a href="/techniques/T1069">Permission Groups Discovery</a></li> <li><a href="/techniques/T1205">Port Knocking</a></li> <li><a href="/techniques/T1057">Process Discovery</a></li> <li><a href="/techniques/T1012">Query Registry</a></li> <li><a href="/techniques/T1164">Re-opened Applications</a></li> <li><a href="/techniques/T1108">Redundant Access</a></li> <li><a href="/techniques/T1121">Regsvcs/Regasm</a></li> <li><a href="/techniques/T1117">Regsvr32</a></li> <li><a href="/techniques/T1018">Remote System Discovery</a></li> <li><a href="/techniques/T1496">Resource Hijacking</a></li> <li><a href="/techniques/T1053">Scheduled Task</a></li> <li><a href="/techniques/T1063">Security Software Discovery</a></li> <li><a href="/techniques/T1058">Service Registry Permissions Weakness</a></li> <li><a href="/techniques/T1045">Software Packing</a></li> <li><a href="/techniques/T1153">Source</a></li> <li><a href="/techniques/T1192">Spearphishing Link</a></li> <li><a href="/techniques/T1082">System Information Discovery</a></li> <li><a href="/techniques/T1016">System Network Configuration Discovery</a></li> <li><a href="/techniques/T1049">System Network Connections Discovery</a></li> <li><a href="/techniques/T1033">System Owner/User Discovery</a></li> <li><a href="/techniques/T1007">System Service Discovery</a></li> <li><a href="/techniques/T1080">Taint Shared Content</a></li> <li><a href="/techniques/T1072">Third-party Software</a></li> <li><a href="/techniques/T1099">Timestomp</a></li> <li><a href="/techniques/T1154">Trap</a></li> <li><a href="/techniques/T1127">Trusted Developer Utilities</a></li> <li><a href="/techniques/T1199">Trusted Relationship</a></li> <li><a href="/techniques/T1204">User Execution</a></li> <li><a href="/techniques/T1078">Valid Accounts</a></li> <li><a 
href="/techniques/T1497">Virtualization/Sandbox Evasion</a></li> <li><a href="/techniques/T1077">Windows Admin Shares</a></li> <li><a href="/techniques/T1084">Windows Management Instrumentation Event Subscription</a></li> <li><a href="/techniques/T1028">Windows Remote Management</a></li> <li><a href="/techniques/T1220">XSL Script Processing</a></li> </ul> <p>Technique revocations: No changes</p> <p>Technique deprecations: No changes</p> <p>Minor Technique changes:</p> <ul> <li><a href="/techniques/T1134">Access Token Manipulation</a></li> <li><a href="/techniques/T1015">Accessibility Features</a></li> <li><a href="/techniques/T1182">AppCert DLLs</a></li> <li><a href="/techniques/T1103">AppInit DLLs</a></li> <li><a href="/techniques/T1155">AppleScript</a></li> <li><a href="/techniques/T1017">Application Deployment Software</a></li> <li><a href="/techniques/T1138">Application Shimming</a></li> <li><a href="/techniques/T1123">Audio Capture</a></li> <li><a href="/techniques/T1131">Authentication Package</a></li> <li><a href="/techniques/T1119">Automated Collection</a></li> <li><a href="/techniques/T1197">BITS Jobs</a></li> <li><a href="/techniques/T1139">Bash History</a></li> <li><a href="/techniques/T1067">Bootkit</a></li> <li><a href="/techniques/T1176">Browser Extensions</a></li> <li><a href="/techniques/T1088">Bypass User Account Control</a></li> <li><a href="/techniques/T1191">CMSTP</a></li> <li><a href="/techniques/T1146">Clear Command History</a></li> <li><a href="/techniques/T1115">Clipboard Data</a></li> <li><a href="/techniques/T1059">Command-Line Interface</a></li> <li><a href="/techniques/T1043">Commonly Used Port</a></li> <li><a href="/techniques/T1092">Communication Through Removable Media</a></li> <li><a href="/techniques/T1223">Compiled HTML File</a></li> <li><a href="/techniques/T1109">Component Firmware</a></li> <li><a href="/techniques/T1196">Control Panel Items</a></li> <li><a href="/techniques/T1214">Credentials in Registry</a></li> <li><a 
href="/techniques/T1094">Custom Command and Control Protocol</a></li> <li><a href="/techniques/T1024">Custom Cryptographic Protocol</a></li> <li><a href="/techniques/T1038">DLL Search Order Hijacking</a></li> <li><a href="/techniques/T1073">DLL Side-Loading</a></li> <li><a href="/techniques/T1002">Data Compressed</a></li> <li><a href="/techniques/T1485">Data Destruction</a></li> <li><a href="/techniques/T1132">Data Encoding</a></li> <li><a href="/techniques/T1486">Data Encrypted for Impact</a></li> <li><a href="/techniques/T1001">Data Obfuscation</a></li> <li><a href="/techniques/T1030">Data Transfer Size Limits</a></li> <li><a href="/techniques/T1491">Defacement</a></li> <li><a href="/techniques/T1089">Disabling Security Tools</a></li> <li><a href="/techniques/T1488">Disk Content Wipe</a></li> <li><a href="/techniques/T1487">Disk Structure Wipe</a></li> <li><a href="/techniques/T1172">Domain Fronting</a></li> <li><a href="/techniques/T1483">Domain Generation Algorithms</a></li> <li><a href="/techniques/T1482">Domain Trust Discovery</a></li> <li><a href="/techniques/T1157">Dylib Hijacking</a></li> <li><a href="/techniques/T1173">Dynamic Data Exchange</a></li> <li><a href="/techniques/T1499">Endpoint Denial of Service</a></li> <li><a href="/techniques/T1480">Execution Guardrails</a></li> <li><a href="/techniques/T1106">Execution through API</a></li> <li><a href="/techniques/T1129">Execution through Module Load</a></li> <li><a href="/techniques/T1041">Exfiltration Over Command and Control Channel</a></li> <li><a href="/techniques/T1011">Exfiltration Over Other Network Medium</a></li> <li><a href="/techniques/T1052">Exfiltration Over Physical Medium</a></li> <li><a href="/techniques/T1203">Exploitation for Client Execution</a></li> <li><a href="/techniques/T1212">Exploitation for Credential Access</a></li> <li><a href="/techniques/T1211">Exploitation for Defense Evasion</a></li> <li><a href="/techniques/T1210">Exploitation of Remote Services</a></li> <li><a 
href="/techniques/T1133">External Remote Services</a></li> <li><a href="/techniques/T1008">Fallback Channels</a></li> <li><a href="/techniques/T1107">File Deletion</a></li> <li><a href="/techniques/T1044">File System Permissions Weakness</a></li> <li><a href="/techniques/T1495">Firmware Corruption</a></li> <li><a href="/techniques/T1061">Graphical User Interface</a></li> <li><a href="/techniques/T1484">Group Policy Modification</a></li> <li><a href="/techniques/T1148">HISTCONTROL</a></li> <li><a href="/techniques/T1200">Hardware Additions</a></li> <li><a href="/techniques/T1147">Hidden Users</a></li> <li>Indicator Removal on Host</li> <li><a href="/techniques/T1490">Inhibit System Recovery</a></li> <li><a href="/techniques/T1056">Input Capture</a></li> <li><a href="/techniques/T1141">Input Prompt</a></li> <li><a href="/techniques/T1130">Install Root Certificate</a></li> <li><a href="/techniques/T1208">Kerberoasting</a></li> <li><a href="/techniques/T1215">Kernel Modules and Extensions</a></li> <li><a href="/techniques/T1142">Keychain</a></li> <li><a href="/techniques/T1161">LC_LOAD_DYLIB Addition</a></li> <li><a href="/techniques/T1149">LC_MAIN Hijacking</a></li> <li><a href="/techniques/T1171">LLMNR/NBT-NS Poisoning and Relay</a></li> <li><a href="/techniques/T1177">LSASS Driver</a></li> <li><a href="/techniques/T1159">Launch Agent</a></li> <li><a href="/techniques/T1160">Launch Daemon</a></li> <li><a href="/techniques/T1152">Launchctl</a></li> <li><a href="/techniques/T1168">Local Job Scheduling</a></li> <li><a href="/techniques/T1162">Login Item</a></li> <li><a href="/techniques/T1037">Logon Scripts</a></li> <li><a href="/techniques/T1185">Man in the Browser</a></li> <li><a href="/techniques/T1031">Modify Existing Service</a></li> <li><a href="/techniques/T1112">Modify Registry</a></li> <li><a href="/techniques/T1104">Multi-Stage Channels</a></li> <li><a href="/techniques/T1188">Multi-hop Proxy</a></li> <li><a href="/techniques/T1026">Multiband 
Communication</a></li> <li><a href="/techniques/T1079">Multilayer Encryption</a></li> <li><a href="/techniques/T1096">NTFS File Attributes</a></li> <li><a href="/techniques/T1498">Network Denial of Service</a></li> <li><a href="/techniques/T1040">Network Sniffing</a></li> <li><a href="/techniques/T1050">New Service</a></li> <li><a href="/techniques/T1027">Obfuscated Files or Information</a></li> <li><a href="/techniques/T1075">Pass the Hash</a></li> <li><a href="/techniques/T1097">Pass the Ticket</a></li> <li><a href="/techniques/T1174">Password Filter DLL</a></li> <li><a href="/techniques/T1201">Password Policy Discovery</a></li> <li><a href="/techniques/T1034">Path Interception</a></li> <li><a href="/techniques/T1150">Plist Modification</a></li> <li><a href="/techniques/T1086">PowerShell</a></li> <li><a href="/techniques/T1145">Private Keys</a></li> <li><a href="/techniques/T1186">Process Doppelgänging</a></li> <li><a href="/techniques/T1055">Process Injection</a></li> <li><a href="/techniques/T1163">Rc.common</a></li> <li><a href="/techniques/T1060">Registry Run Keys / Startup Folder</a></li> <li><a href="/techniques/T1219">Remote Access Tools</a></li> <li><a href="/techniques/T1076">Remote Desktop Protocol</a></li> <li><a href="/techniques/T1105">Remote File Copy</a></li> <li><a href="/techniques/T1021">Remote Services</a></li> <li><a href="/techniques/T1091">Replication Through Removable Media</a></li> <li><a href="/techniques/T1014">Rootkit</a></li> <li><a href="/techniques/T1085">Rundll32</a></li> <li><a href="/techniques/T1494">Runtime Data Manipulation</a></li> <li><a href="/techniques/T1178">SID-History Injection</a></li> <li><a href="/techniques/T1198">SIP and Trust Provider Hijacking</a></li> <li><a href="/techniques/T1184">SSH Hijacking</a></li> <li><a href="/techniques/T1029">Scheduled Transfer</a></li> <li><a href="/techniques/T1113">Screen Capture</a></li> <li><a href="/techniques/T1180">Screensaver</a></li> <li><a 
href="/techniques/T1064">Scripting</a></li> <li><a href="/techniques/T1101">Security Support Provider</a></li> <li><a href="/techniques/T1035">Service Execution</a></li> <li><a href="/techniques/T1489">Service Stop</a></li> <li><a href="/techniques/T1166">Setuid and Setgid</a></li> <li><a href="/techniques/T1051">Shared Webroot</a></li> <li><a href="/techniques/T1023">Shortcut Modification</a></li> <li><a href="/techniques/T1218">Signed Binary Proxy Execution</a></li> <li><a href="/techniques/T1216">Signed Script Proxy Execution</a></li> <li><a href="/techniques/T1151">Space after Filename</a></li> <li><a href="/techniques/T1193">Spearphishing Attachment</a></li> <li><a href="/techniques/T1194">Spearphishing via Service</a></li> <li><a href="/techniques/T1071">Standard Application Layer Protocol</a></li> <li><a href="/techniques/T1032">Standard Cryptographic Protocol</a></li> <li><a href="/techniques/T1095">Standard Non-Application Layer Protocol</a></li> <li><a href="/techniques/T1165">Startup Items</a></li> <li><a href="/techniques/T1492">Stored Data Manipulation</a></li> <li><a href="/techniques/T1206">Sudo Caching</a></li> <li><a href="/techniques/T1169">Sudo</a></li> <li><a href="/techniques/T1195">Supply Chain Compromise</a></li> <li><a href="/techniques/T1019">System Firmware</a></li> <li><a href="/techniques/T1124">System Time Discovery</a></li> <li><a href="/techniques/T1501">Systemd Service</a></li> <li><a href="/techniques/T1221">Template Injection</a></li> <li><a href="/techniques/T1209">Time Providers</a></li> <li><a href="/techniques/T1493">Transmitted Data Manipulation</a></li> <li><a href="/techniques/T1111">Two-Factor Authentication Interception</a></li> <li><a href="/techniques/T1065">Uncommonly Used Port</a></li> <li><a href="/techniques/T1125">Video Capture</a></li> <li><a href="/techniques/T1102">Web Service</a></li> <li><a href="/techniques/T1100">Web Shell</a></li> <li><a href="/techniques/T1047">Windows Management Instrumentation</a></li> 
<li><a href="/techniques/T1004">Winlogon Helper DLL</a></li> </ul> <p><strong>PRE-ATT&amp;CK</strong></p> <p>New Techniques: No changes</p> <p>Technique deletions: No changes</p> <p>Technique changes: No changes</p> <p>Technique revocations: No changes</p> <p>Technique deprecations: No changes</p> <p>Minor Technique changes: No changes</p> <p><strong>Mobile</strong></p> <p>View mobile technique updates in the ATT&amp;CK Navigator <a href="https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2Fmitre-attack%2Fattack-website%2Fmaster%2Fmodules%2Fresources%2Fdocs%2Frelease-layers-archive%2FOctober_2019_Updates_Mobile.json">here</a>.</p> <p>New Techniques:</p> <ul> <li><a href="/techniques/T1517">Access Notifications</a></li> <li><a href="/techniques/T1512">Capture Camera</a></li> <li><a href="/techniques/T1510">Clipboard Modification</a></li> <li><a href="/techniques/T1532">Data Encrypted</a></li> <li><a href="/techniques/T1533">Data from Local System</a></li> <li><a href="/techniques/T1520">Domain Generation Algorithms</a></li> <li><a href="/techniques/T1523">Evade Analysis Environment</a></li> <li><a href="/techniques/T1516">Input Injection</a></li> <li><a href="/techniques/T1507">Network Information Discovery</a></li> <li><a href="/techniques/T1513">Screen Capture</a></li> <li><a href="/techniques/T1521">Standard Cryptographic Protocol</a></li> <li><a href="/techniques/T1508">Suppress Application Icon</a></li> <li><a href="/techniques/T1509">Uncommonly Used Port</a></li> </ul> <p>Technique deletions: No changes</p> <p>Technique changes:</p> <ul> <li><a href="/techniques/T1433">Access Call Log</a></li> <li><a href="/techniques/T1409">Access Stored Application Data</a></li> <li><a href="/techniques/T1429">Capture Audio</a></li> <li><a href="/techniques/T1414">Capture Clipboard Data</a></li> <li><a href="/techniques/T1412">Capture SMS Messages</a></li> <li><a href="/techniques/T1471">Data Encrypted for Impact</a></li> <li><a 
href="/techniques/T1447">Delete Device Data</a></li> <li><a href="/techniques/T1475">Deliver Malicious App via Authorized App Store</a></li> <li><a href="/techniques/T1476">Deliver Malicious App via Other Means</a></li> <li><a href="/techniques/T1446">Device Lockout</a></li> <li><a href="/techniques/T1407">Download New Code at Runtime</a></li> <li><a href="/techniques/T1417">Input Capture</a></li> <li><a href="/techniques/T1411">Input Prompt</a></li> <li><a href="/techniques/T1444">Masquerade as Legitimate Application</a></li> <li><a href="/techniques/T1403">Modify Cached Executable Code</a></li> <li><a href="/techniques/T1400">Modify System Partition</a></li> </ul> <p>Technique revocations:</p> <ul> <li>Device Type Discovery (revoked by <a href="/techniques/T1426">System Information Discovery</a>)</li> </ul> <p>Technique deprecations:</p> <ul> <li><a href="/techniques/T1453">Abuse Accessibility Features</a></li> </ul> <p>Minor Technique changes:</p> <ul> <li><a href="/techniques/T1402">App Auto-Start at Device Boot</a></li> <li><a href="/techniques/T1436">Commonly Used Port</a></li> <li><a href="/techniques/T1472">Generate Fraudulent Advertising Revenue</a></li> <li><a href="/techniques/T1430">Location Tracking</a></li> <li><a href="/techniques/T1452">Manipulate App Store Rankings or Ratings</a></li> <li><a href="/techniques/T1406">Obfuscated Files or Information</a></li> <li><a href="/techniques/T1448">Premium SMS Toll Fraud</a></li> <li><a href="/techniques/T1426">System Information Discovery</a></li> </ul> <h3>Software</h3> <p><strong>Enterprise</strong></p> <p>Exaramel changed to <a href="/software/S0343/">Exaramel for Windows</a>, and <a href="/software/S0401/">Exaramel for Linux</a> was added separately.</p> <p>New Software:</p> <ul> <li><a href="/software/S0415">BOOSTWRITE</a></li> <li><a href="/software/S0414">BabyShark</a></li> <li><a href="/software/S0401">Exaramel for Linux</a></li> <li><a href="/software/S0410">Fysbis</a></li> <li><a 
href="/software/S0417">GRIFFON</a></li> <li><a href="/software/S0409">Machete</a></li> <li><a href="/software/S0413">MailSniper</a></li> <li><a href="/software/S0402">OSX/Shlayer</a></li> <li><a href="/software/S0416">RDFSNIFFER</a></li> <li><a href="/software/S0400">RobbinHood</a></li> <li><a href="/software/S0412">ZxShell</a></li> <li><a href="/software/S0404">esentutl</a></li> </ul> <p>Software deletions: No changes</p> <p>Software changes:</p> <ul> <li><a href="/software/S0373">Astaroth</a></li> <li><a href="/software/S0190">BITSAdmin</a></li> <li><a href="/software/S0360">BONDUPDATER</a></li> <li><a href="/software/S0134">Downdelph</a></li> <li><a href="/software/S0343">Exaramel for Windows</a></li> <li><a href="/software/S0037">HAMMERTOSS</a></li> <li><a href="/software/S0387">KeyBoy</a></li> <li><a href="/software/S0372">LockerGoga</a></li> <li><a href="/software/S0284">More_eggs</a></li> <li><a href="/software/S0368">NotPetya</a></li> <li><a href="/software/S0352">OSX_OCEANLOTUS.D</a></li> <li><a href="/software/S0365">Olympic Destroyer</a></li> <li><a href="/software/S0229">Orz</a></li> <li><a href="/software/S0378">PoshC2</a></li> <li><a href="/software/S0386">Ursnif</a></li> <li><a href="/software/S0160">certutil</a></li> </ul> <p>Software revocations: No changes</p> <p>Software deprecations: No changes</p> <p>Minor Software changes:</p> <ul> <li><a href="/software/S0021">Derusbi</a></li> <li><a href="/software/S0182">FinFisher</a></li> <li><a href="/software/S0398">HyperBro</a></li> <li><a href="/software/S0379">Revenge RAT</a></li> <li><a href="/software/S0333">UBoatRAT</a></li> <li><a href="/software/S0180">Volgmer</a></li> </ul> <p><strong>PRE-ATT&amp;CK</strong></p> <p>New Software: No changes</p> <p>Software deletions: No changes</p> <p>Software changes: No changes</p> <p>Software revocations: No changes</p> <p>Software deprecations: No changes</p> <p>Minor Software changes: No changes</p> <p><strong>Mobile</strong></p> <p>New Software:</p> <ul> 
<li><a href="/software/S0405">Exodus</a></li> <li><a href="/software/S0408">FlexiSpy</a></li> <li><a href="/software/S0406">Gustuff</a></li> <li><a href="/software/S0407">Monokle</a></li> <li><a href="/software/S0403">Riltok</a></li> <li><a href="/software/S0411">Rotexy</a></li> </ul> <p>Software deletions:</p> <ul> <li>Android Overlay Malware (removed due to the determination that the name did not identify a specific malware family)</li> </ul> <p>Software changes:</p> <ul> <li><a href="/software/S0310">ANDROIDOS_ANSERVER.A</a></li> <li><a href="/software/S0304">Android/Chuli.A</a></li> <li><a href="/software/S0301">Dendroid</a></li> <li><a href="/software/S0320">DroidJack</a></li> <li><a href="/software/S0290">Gooligan</a></li> <li><a href="/software/S0399">Pallas</a></li> <li><a href="/software/S0316">Pegasus for Android</a></li> <li><a href="/software/S0295">RCSAndroid</a></li> <li><a href="/software/S0326">RedDrop</a></li> <li><a href="/software/S0327">Skygofree</a></li> <li><a href="/software/S0324">SpyDealer</a></li> <li><a href="/software/S0305">SpyNote RAT</a></li> <li><a href="/software/S0328">Stealth Mango</a></li> <li><a href="/software/S0329">Tangelo</a></li> </ul> <p>Software revocations: No changes</p> <p>Software deprecations: No changes</p> <p>Minor Software changes:</p> <ul> <li><a href="/software/S0323">Charger</a></li> <li><a href="/software/S0182">FinFisher</a></li> </ul> <h3>Groups</h3> <p><strong>Enterprise</strong></p> <p>New Groups:</p> <ul> <li><a href="/groups/G0096">APT41</a></li> <li><a href="/groups/G0094">Kimsuky</a></li> <li><a href="/groups/G0095">Machete</a></li> </ul> <p>Group deletions: No changes</p> <p>Group changes:</p> <ul> <li><a href="/groups/G0073">APT19</a></li> <li><a href="/groups/G0007">APT28</a></li> <li><a href="/groups/G0050">APT32</a></li> <li><a href="/groups/G0067">APT37</a></li> <li><a href="/groups/G0082">APT38</a></li> <li><a href="/groups/G0022">APT3</a></li> <li><a href="/groups/G0001">Axiom</a></li> <li><a 
href="/groups/G0052">CopyKittens</a></li> <li><a href="/groups/G0079">DarkHydrus</a></li> <li><a href="/groups/G0009">Deep Panda</a></li> <li><a href="/groups/G0037">FIN6</a></li> <li><a href="/groups/G0046">FIN7</a></li> <li><a href="/groups/G0078">Gorgon Group</a></li> <li><a href="/groups/G0032">Lazarus Group</a></li> <li><a href="/groups/G0077">Leafminer</a></li> <li><a href="/groups/G0059">Magic Hound</a></li> <li><a href="/groups/G0049">OilRig</a></li> <li><a href="/groups/G0027">Threat Group-3390</a></li> <li><a href="/groups/G0081">Tropic Trooper</a></li> <li><a href="/groups/G0018">admin@338</a></li> <li><a href="/groups/G0045">menuPass</a></li> </ul> <p>Group revocations: No changes</p> <p>Group deprecations: No changes</p> <p>Minor Group changes:</p> <ul> <li><a href="/groups/G0006">APT1</a></li> <li><a href="/groups/G0061">FIN8</a></li> <li><a href="/groups/G0065">Leviathan</a></li> </ul> <p><strong>PRE-ATT&amp;CK</strong></p> <p>New Groups: No changes</p> <p>Group deletions: No changes</p> <p>Group changes: No changes</p> <p>Group revocations: No changes</p> <p>Group deprecations: No changes</p> <p>Minor Group changes: No changes</p> <p><strong>Mobile</strong></p> <p>New Groups: No changes</p> <p>Group deletions: No changes</p> <p>Group changes:</p> <ul> <li><a href="/groups/G0007">APT28</a></li> </ul> <p>Group revocations: No changes</p> <p>Group deprecations: No changes</p> <p>Minor Group changes: No changes</p> <h3>Mitigations</h3> <p><strong>Enterprise</strong></p> <p>New Mitigations:</p> <ul> <li><a href="/mitigations/M1013">Application Developer Guidance</a></li> </ul> <p>Mitigation deletions: No changes</p> <p>Mitigation changes:</p> <ul> <li><a href="/mitigations/M1037">Filter Network Traffic</a></li> </ul> <p>Mitigation revocations: No changes</p> <p>Mitigation deprecations: No changes</p> <p>Minor Mitigation changes: No changes</p> <p><strong>PRE-ATT&amp;CK</strong></p> <p>New Mitigations: No changes</p> <p>Mitigation deletions: No 
changes</p> <p>Mitigation changes: No changes</p> <p>Mitigation revocations: No changes</p> <p>Mitigation deprecations: No changes</p> <p>Minor Mitigation changes: No changes</p> <p><strong>Mobile</strong></p> <p>New Mitigations: No changes</p> <p>Mitigation deletions:</p> <ul> <li>Use Device-Provided Credential Storage (this removal is temporary; the mitigation will be re-added in a future update)</li> </ul> <p>Mitigation changes: No changes</p> <p>Mitigation revocations: No changes</p> <p>Mitigation deprecations: No changes</p> <p>Minor Mitigation changes:</p> <ul> <li><a href="/mitigations/M1005">Application Vetting</a></li> <li><a href="/mitigations/M1002">Attestation</a></li> <li><a href="/mitigations/M1001">Security Updates</a></li> <li><a href="/mitigations/M1011">User Guidance</a></li> </ul> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive 
