Updates - April 2022 | MITRE ATT&CK®

<div class="container-fluid blog-post pb-3"> <h1 class="blog-post-title mb-4">Updates - April 2022</h1> <table> <thead> <tr> <th style="text-align: left;">Version</th> <th style="text-align: left;">Start Date</th> <th style="text-align: left;">End Date</th> <th style="text-align: left;">Data</th> <th style="text-align: left;">Changelogs</th> </tr> </thead> <tbody> <tr> <td style="text-align: left;"><a href="/versions/v11">ATT&amp;CK v11</a></td> <td style="text-align: left;">April 25, 2022</td> <td style="text-align: left;">October 24, 2022</td> <td 
style="text-align: left;"><a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v11.0">v11.0 on MITRE/CTI</a><br /><a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v11.1">v11.1 on MITRE/CTI</a><br /><a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v11.2">v11.2 on MITRE/CTI</a><br /><a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v11.3">v11.3 on MITRE/CTI</a></td> <td style="text-align: left;">v10.1 - v11.0 <a href="/docs/changelogs/v10.1-v11.0/changelog-detailed.html">Details</a> (<a href="/docs/changelogs/v10.1-v11.0/changelog.json">JSON</a>)<br />v11.0 - v11.1 <a href="/docs/changelogs/v11.0-v11.1/changelog-detailed.html">Details</a> (<a href="/docs/changelogs/v11.0-v11.1/changelog.json">JSON</a>)<br />v11.1 - v11.2 <a href="/docs/changelogs/v11.1-v11.2/changelog-detailed.html">Details</a> (<a href="/docs/changelogs/v11.1-v11.2/changelog.json">JSON</a>)<br />v11.2 - v11.3 <a href="/docs/changelogs/v11.2-v11.3/changelog-detailed.html">Details</a> (<a href="/docs/changelogs/v11.2-v11.3/changelog.json">JSON</a>)</td> </tr> </tbody> </table> <p>The April 2022 (v11) ATT&amp;CK release updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest changes are the restructuring of Detections, which are now tied to <a href="/datasources/">Data Source</a> and Data Component objects in Enterprise ATT&amp;CK; a beta release of ATT&amp;CK for Mobile leveraging sub-techniques; and <a href="/matrices/ics/">ATT&amp;CK for ICS now hosted on attack.mitre.org</a>. An <a href="https://medium.com/mitre-attack/attack-goes-to-v11-599a9112a025">accompanying blog post</a> describes these changes as well as improvements across ATT&amp;CK's various domains and platforms.</p> <p>This release contains a beta version of <a href="/matrices/mobile/">ATT&amp;CK for Mobile</a> represented using sub-techniques. 
The current stable version of ATT&amp;CK for Mobile can still be found at <a href="https://attack.mitre.org/versions/v10/matrices/mobile/">https://attack.mitre.org/versions/v10/matrices/mobile/</a>. Information on how to make the transition to this new version of ATT&amp;CK for Mobile can be found in an <a href="https://medium.com/mitre-attack/attack-goes-to-v11-599a9112a025">accompanying blog post</a>. A version of this beta content rendered in STIX can be found in our <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v11.0-mobile-beta">GitHub repo</a>.</p> <p>In this release we have replaced the Enterprise sub-technique <a href="https://attack.mitre.org/versions/v10/techniques/T1547/011/">Boot or Logon Autostart Execution: Plist Modification (T1547.011)</a> with <a href="/techniques/T1647/">Plist File Modification (T1647)</a>, and <a href="https://attack.mitre.org/versions/v10/techniques/T1053/001/">Scheduled Task/Job: At (Linux) (T1053.001)</a> has been incorporated into <a href="/techniques/T1053/002/">Scheduled Task/Job: At (T1053.002)</a>, to better reflect adversary behavior. Detection rules, analytics, and coverage mappings that still reference T1547.011 or T1053.001 should be updated to T1647 and T1053.002 respectively.</p> <p>This version of ATT&amp;CK for Enterprise contains 14 Tactics, 191 Techniques, 386 Sub-techniques, 134 Groups, and 680 Pieces of Software.</p> <h2>Techniques</h2> <h3>Enterprise</h3> <h4>New Techniques</h4> <ul> <li>Account Manipulation: <a href="/techniques/T1098/005">Device Registration</a></li> <li>Active Scanning: <a href="/techniques/T1595/003">Wordlist Scanning</a></li> <li>Adversary-in-the-Middle: <a href="/techniques/T1557/003">DHCP Spoofing</a></li> <li><a href="/techniques/T1622">Debugger Evasion</a></li> <li>Hide Artifacts: <a href="/techniques/T1564/010">Process Argument Spoofing</a></li> <li>Hijack Execution Flow: <a href="/techniques/T1574/013">KernelCallbackTable</a></li> <li>Inter-Process Communication: <a href="/techniques/T1559/003">XPC Services</a></li> <li>Modify Authentication Process: <a href="/techniques/T1556/005">Reversible Encryption</a></li> 
<li><a href="/techniques/T1621">Multi-Factor Authentication Request Generation</a></li> <li><a href="/techniques/T1647">Plist File Modification</a></li> <li>Process Injection: <a href="/techniques/T1055/015">ListPlanting</a></li> <li>Server Software Component: <a href="/techniques/T1505/005">Terminal Services DLL</a></li> </ul> <h4>Technique changes</h4> <ul> <li>Abuse Elevation Control Mechanism: <a href="/techniques/T1548/001">Setuid and Setgid</a></li> <li><a href="/techniques/T1531">Account Access Removal</a></li> <li><a href="/techniques/T1098">Account Manipulation</a></li> <li><a href="/techniques/T1098/001">Additional Cloud Credentials</a></li> <li><a href="/techniques/T1098/003">Additional Cloud Roles</a></li> <li><a href="/techniques/T1098/002">Additional Email Delegate Permissions</a></li> <li><a href="/techniques/T1098/004">SSH Authorized Keys</a></li> <li><a href="/techniques/T1557">Adversary-in-the-Middle</a></li> <li><a href="/techniques/T1010">Application Window Discovery</a></li> <li>Archive Collected Data: <a href="/techniques/T1560/001">Archive via Utility</a></li> <li><a href="/techniques/T1119">Automated Collection</a></li> <li>Boot or Logon Autostart Execution: <a href="/techniques/T1547/006">Kernel Modules and Extensions</a></li> <li>Boot or Logon Autostart Execution: <a href="/techniques/T1547/010">Port Monitors</a></li> <li>Boot or Logon Autostart Execution: <a href="/techniques/T1547/007">Re-opened Applications</a></li> <li>Boot or Logon Initialization Scripts: <a href="/techniques/T1037/002">Login Hook</a></li> <li><a href="/techniques/T1110">Brute Force</a></li> <li><a href="/techniques/T1110/002">Password Cracking</a></li> <li><a href="/techniques/T1110/001">Password Guessing</a></li> <li><a href="/techniques/T1612">Build Image on Host</a></li> <li><a href="/techniques/T1580">Cloud Infrastructure Discovery</a></li> <li><a href="/techniques/T1059">Command and Scripting Interpreter</a></li> <li><a 
href="/techniques/T1059/001">PowerShell</a></li> <li><a href="/techniques/T1059/005">Visual Basic</a></li> <li><a href="/techniques/T1584">Compromise Infrastructure</a></li> <li><a href="/techniques/T1584/002">DNS Server</a></li> <li><a href="/techniques/T1584/001">Domains</a></li> <li><a href="/techniques/T1609">Container Administration Command</a></li> <li>Create Account: <a href="/techniques/T1136/003">Cloud Account</a></li> <li><a href="/techniques/T1543">Create or Modify System Process</a></li> <li><a href="/techniques/T1543/001">Launch Agent</a></li> <li><a href="/techniques/T1543/003">Windows Service</a></li> <li>Credentials from Password Stores: <a href="/techniques/T1555/001">Keychain</a></li> <li>Credentials from Password Stores: <a href="/techniques/T1555/002">Securityd Memory</a></li> <li><a href="/techniques/T1486">Data Encrypted for Impact</a></li> <li><a href="/techniques/T1565">Data Manipulation</a></li> <li><a href="/techniques/T1565/003">Runtime Data Manipulation</a></li> <li><a href="/techniques/T1565/001">Stored Data Manipulation</a></li> <li><a href="/techniques/T1565/002">Transmitted Data Manipulation</a></li> <li><a href="/techniques/T1074">Data Staged</a></li> <li><a href="/techniques/T1074/001">Local Data Staging</a></li> <li><a href="/techniques/T1005">Data from Local System</a></li> <li><a href="/techniques/T1491">Defacement</a></li> <li><a href="/techniques/T1491/002">External Defacement</a></li> <li><a href="/techniques/T1491/001">Internal Defacement</a></li> <li><a href="/techniques/T1610">Deploy Container</a></li> <li><a href="/techniques/T1189">Drive-by Compromise</a></li> <li>Endpoint Denial of Service: <a href="/techniques/T1499/003">Application Exhaustion Flood</a></li> <li>Endpoint Denial of Service: <a href="/techniques/T1499/004">Application or System Exploitation</a></li> <li>Endpoint Denial of Service: <a href="/techniques/T1499/001">OS Exhaustion Flood</a></li> <li>Endpoint Denial of Service: <a 
href="/techniques/T1499/002">Service Exhaustion Flood</a></li> <li><a href="/techniques/T1611">Escape to Host</a></li> <li>Event Triggered Execution: <a href="/techniques/T1546/013">PowerShell Profile</a></li> <li>Exfiltration Over Alternative Protocol: <a href="/techniques/T1048/003">Exfiltration Over Unencrypted Non-C2 Protocol</a></li> <li>Exfiltration Over Other Network Medium: <a href="/techniques/T1011/001">Exfiltration Over Bluetooth</a></li> <li><a href="/techniques/T1203">Exploitation for Client Execution</a></li> <li><a href="/techniques/T1083">File and Directory Discovery</a></li> <li><a href="/techniques/T1495">Firmware Corruption</a></li> <li><a href="/techniques/T1589">Gather Victim Identity Information</a></li> <li><a href="/techniques/T1589/002">Email Addresses</a></li> <li><a href="/techniques/T1200">Hardware Additions</a></li> <li>Hide Artifacts: <a href="/techniques/T1564/008">Email Hiding Rules</a></li> <li>Hide Artifacts: <a href="/techniques/T1564/002">Hidden Users</a></li> <li>Hide Artifacts: <a href="/techniques/T1564/003">Hidden Window</a></li> <li><a href="/techniques/T1574">Hijack Execution Flow</a></li> <li>Impair Defenses: <a href="/techniques/T1562/008">Disable Cloud Logs</a></li> <li>Impair Defenses: <a href="/techniques/T1562/010">Downgrade Attack</a></li> <li>Impair Defenses: <a href="/techniques/T1562/003">Impair Command History Logging</a></li> <li><a href="/techniques/T1525">Implant Internal Image</a></li> <li><a href="/techniques/T1070">Indicator Removal on Host</a></li> <li><a href="/techniques/T1070/003">Clear Command History</a></li> <li><a href="/techniques/T1070/001">Clear Windows Event Logs</a></li> <li><a href="/techniques/T1070/004">File Deletion</a></li> <li><a href="/techniques/T1105">Ingress Tool Transfer</a></li> <li><a href="/techniques/T1490">Inhibit System Recovery</a></li> <li>Input Capture: <a href="/techniques/T1056/002">GUI Input Capture</a></li> <li><a href="/techniques/T1559">Inter-Process 
Communication</a></li> <li><a href="/techniques/T1559/002">Dynamic Data Exchange</a></li> <li><a href="/techniques/T1534">Internal Spearphishing</a></li> <li><a href="/techniques/T1570">Lateral Tool Transfer</a></li> <li><a href="/techniques/T1556">Modify Authentication Process</a></li> <li><a href="/techniques/T1111">Multi-Factor Authentication Interception</a></li> <li><a href="/techniques/T1599">Network Boundary Bridging</a></li> <li>Network Denial of Service: <a href="/techniques/T1498/001">Direct Network Flood</a></li> <li>Network Denial of Service: <a href="/techniques/T1498/002">Reflection Amplification</a></li> <li><a href="/techniques/T1046">Network Service Discovery</a></li> <li><a href="/techniques/T1040">Network Sniffing</a></li> <li>OS Credential Dumping: <a href="/techniques/T1003/003">NTDS</a></li> <li>Obfuscated Files or Information: <a href="/techniques/T1027/002">Software Packing</a></li> <li><a href="/techniques/T1201">Password Policy Discovery</a></li> <li><a href="/techniques/T1120">Peripheral Device Discovery</a></li> <li>Phishing: <a href="/techniques/T1566/002">Spearphishing Link</a></li> <li>Phishing for Information: <a href="/techniques/T1598/003">Spearphishing Link</a></li> <li>Pre-OS Boot: <a href="/techniques/T1542/002">Component Firmware</a></li> <li>Process Injection: <a href="/techniques/T1055/012">Process Hollowing</a></li> <li><a href="/techniques/T1219">Remote Access Software</a></li> <li>Remote Services: <a href="/techniques/T1021/001">Remote Desktop Protocol</a></li> <li><a href="/techniques/T1018">Remote System Discovery</a></li> <li><a href="/techniques/T1496">Resource Hijacking</a></li> <li><a href="/techniques/T1207">Rogue Domain Controller</a></li> <li><a href="/techniques/T1053">Scheduled Task/Job</a></li> <li><a href="/techniques/T1053/002">At</a></li> <li><a href="/techniques/T1053/007">Container Orchestration Job</a></li> <li><a href="/techniques/T1053/005">Scheduled Task</a></li> <li><a href="/techniques/T1505">Server 
Software Component</a></li> <li>Software Discovery: <a href="/techniques/T1518/001">Security Software Discovery</a></li> <li>Stage Capabilities: <a href="/techniques/T1608/004">Drive-by Target</a></li> <li><a href="/techniques/T1528">Steal Application Access Token</a></li> <li><a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a></li> <li><a href="/techniques/T1558/003">Kerberoasting</a></li> <li>Subvert Trust Controls: <a href="/techniques/T1553/005">Mark-of-the-Web Bypass</a></li> <li><a href="/techniques/T1195">Supply Chain Compromise</a></li> <li><a href="/techniques/T1218">System Binary Proxy Execution</a></li> <li><a href="/techniques/T1218/003">CMSTP</a></li> <li><a href="/techniques/T1218/001">Compiled HTML File</a></li> <li><a href="/techniques/T1218/002">Control Panel</a></li> <li><a href="/techniques/T1218/004">InstallUtil</a></li> <li><a href="/techniques/T1218/014">MMC</a></li> <li><a href="/techniques/T1218/013">Mavinject</a></li> <li><a href="/techniques/T1218/005">Mshta</a></li> <li><a href="/techniques/T1218/007">Msiexec</a></li> <li><a href="/techniques/T1218/008">Odbcconf</a></li> <li><a href="/techniques/T1218/009">Regsvcs/Regasm</a></li> <li><a href="/techniques/T1218/010">Regsvr32</a></li> <li><a href="/techniques/T1218/011">Rundll32</a></li> <li><a href="/techniques/T1218/012">Verclsid</a></li> <li><a href="/techniques/T1082">System Information Discovery</a></li> <li><a href="/techniques/T1016">System Network Configuration Discovery</a></li> <li><a href="/techniques/T1049">System Network Connections Discovery</a></li> <li><a href="/techniques/T1216">System Script Proxy Execution</a></li> <li><a href="/techniques/T1216/001">PubPrn</a></li> <li><a href="/techniques/T1007">System Service Discovery</a></li> <li><a href="/techniques/T1569">System Services</a></li> <li><a href="/techniques/T1529">System Shutdown/Reboot</a></li> <li><a href="/techniques/T1221">Template Injection</a></li> <li><a href="/techniques/T1205">Traffic 
Signaling</a></li> <li><a href="/techniques/T1537">Transfer Data to Cloud Account</a></li> <li>Unsecured Credentials: <a href="/techniques/T1552/003">Bash History</a></li> <li>Unsecured Credentials: <a href="/techniques/T1552/005">Cloud Instance Metadata API</a></li> <li>Unsecured Credentials: <a href="/techniques/T1552/007">Container API</a></li> <li>Use Alternate Authentication Material: <a href="/techniques/T1550/001">Application Access Token</a></li> <li><a href="/techniques/T1204">User Execution</a></li> <li><a href="/techniques/T1204/002">Malicious File</a></li> <li><a href="/techniques/T1078">Valid Accounts</a></li> <li><a href="/techniques/T1078/004">Cloud Accounts</a></li> <li><a href="/techniques/T1125">Video Capture</a></li> </ul> <h4>Minor Technique changes</h4> <ul> <li><a href="/techniques/T1548">Abuse Elevation Control Mechanism</a></li> <li><a href="/techniques/T1548/002">Bypass User Account Control</a></li> <li><a href="/techniques/T1548/003">Sudo and Sudo Caching</a></li> <li><a href="/techniques/T1595">Active Scanning</a></li> <li><a href="/techniques/T1560">Archive Collected Data</a></li> <li><a href="/techniques/T1020">Automated Exfiltration</a></li> <li><a href="/techniques/T1020/001">Traffic Duplication</a></li> <li><a href="/techniques/T1547">Boot or Logon Autostart Execution</a></li> <li><a href="/techniques/T1547/002">Authentication Package</a></li> <li><a href="/techniques/T1547/008">LSASS Driver</a></li> <li><a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a></li> <li><a href="/techniques/T1547/003">Time Providers</a></li> <li><a href="/techniques/T1547/004">Winlogon Helper DLL</a></li> <li><a href="/techniques/T1037">Boot or Logon Initialization Scripts</a></li> <li><a href="/techniques/T1037/005">Startup Items</a></li> <li><a href="/techniques/T1176">Browser Extensions</a></li> <li><a href="/techniques/T1185">Browser Session Hijacking</a></li> <li><a href="/techniques/T1619">Cloud Storage Object Discovery</a></li> 
<li>Command and Scripting Interpreter: <a href="/techniques/T1059/002">AppleScript</a></li> <li>Command and Scripting Interpreter: <a href="/techniques/T1059/008">Network Device CLI</a></li> <li>Compromise Infrastructure: <a href="/techniques/T1584/005">Botnet</a></li> <li><a href="/techniques/T1555">Credentials from Password Stores</a></li> <li><a href="/techniques/T1555/003">Credentials from Web Browsers</a></li> <li><a href="/techniques/T1555/005">Password Managers</a></li> <li><a href="/techniques/T1602">Data from Configuration Repository</a></li> <li><a href="/techniques/T1602/002">Network Device Configuration Dump</a></li> <li><a href="/techniques/T1213">Data from Information Repositories</a></li> <li>Develop Capabilities: <a href="/techniques/T1587/001">Malware</a></li> <li><a href="/techniques/T1482">Domain Trust Discovery</a></li> <li><a href="/techniques/T1568">Dynamic Resolution</a></li> <li><a href="/techniques/T1568/002">Domain Generation Algorithms</a></li> <li><a href="/techniques/T1499">Endpoint Denial of Service</a></li> <li><a href="/techniques/T1546">Event Triggered Execution</a></li> <li><a href="/techniques/T1546/001">Change Default File Association</a></li> <li><a href="/techniques/T1546/014">Emond</a></li> <li><a href="/techniques/T1546/006">LC_LOAD_DYLIB Addition</a></li> <li><a href="/techniques/T1546/007">Netsh Helper DLL</a></li> <li><a href="/techniques/T1546/002">Screensaver</a></li> <li><a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a></li> <li><a href="/techniques/T1011">Exfiltration Over Other Network Medium</a></li> <li><a href="/techniques/T1190">Exploit Public-Facing Application</a></li> <li><a href="/techniques/T1210">Exploitation of Remote Services</a></li> <li><a href="/techniques/T1564">Hide Artifacts</a></li> <li><a href="/techniques/T1562">Impair Defenses</a></li> <li><a href="/techniques/T1056">Input Capture</a></li> <li>Modify Authentication Process: <a 
href="/techniques/T1556/004">Network Device Authentication</a></li> <li><a href="/techniques/T1106">Native API</a></li> <li><a href="/techniques/T1498">Network Denial of Service</a></li> <li><a href="/techniques/T1095">Non-Application Layer Protocol</a></li> <li><a href="/techniques/T1003">OS Credential Dumping</a></li> <li><a href="/techniques/T1027">Obfuscated Files or Information</a></li> <li>Permission Groups Discovery: <a href="/techniques/T1069/003">Cloud Groups</a></li> <li><a href="/techniques/T1566">Phishing</a></li> <li><a href="/techniques/T1598">Phishing for Information</a></li> <li><a href="/techniques/T1542">Pre-OS Boot</a></li> <li><a href="/techniques/T1055">Process Injection</a></li> <li><a href="/techniques/T1055/014">VDSO Hijacking</a></li> <li><a href="/techniques/T1620">Reflective Code Loading</a></li> <li><a href="/techniques/T1021">Remote Services</a></li> <li>Scheduled Task/Job: <a href="/techniques/T1053/003">Cron</a></li> <li><a href="/techniques/T1129">Shared Modules</a></li> <li><a href="/techniques/T1518">Software Discovery</a></li> <li><a href="/techniques/T1608">Stage Capabilities</a></li> <li><a href="/techniques/T1553">Subvert Trust Controls</a></li> <li>Supply Chain Compromise: <a href="/techniques/T1195/001">Compromise Software Dependencies and Development Tools</a></li> <li>Supply Chain Compromise: <a href="/techniques/T1195/002">Compromise Software Supply Chain</a></li> <li><a href="/techniques/T1033">System Owner/User Discovery</a></li> <li>Traffic Signaling: <a href="/techniques/T1205/001">Port Knocking</a></li> <li><a href="/techniques/T1552">Unsecured Credentials</a></li> <li><a href="/techniques/T1550">Use Alternate Authentication Material</a></li> <li>Valid Accounts: <a href="/techniques/T1078/002">Domain Accounts</a></li> <li><a href="/techniques/T1047">Windows Management Instrumentation</a></li> </ul> <h4>Technique revocations</h4> <ul> <li>Boot or Logon Autostart Execution: Plist Modification (revoked by <a 
href="/techniques/T1647/">Plist File Modification (T1647)</a>)</li> <li>Scheduled Task/Job: At (Linux) (revoked by Scheduled Task/Job: <a href="/techniques/T1053/002/">At (T1053.002)</a>)</li> </ul> <h4>Technique deprecations</h4> <ul> <li>No changes</li> </ul> <h3>Mobile v11.0-beta</h3> <p>The below changes represent the Mobile v11.0-beta release. The current production release at <a href="https://attack.mitre.org/versions/v10/matrices/mobile/">https://attack.mitre.org/versions/v10/matrices/mobile/</a> remains unchanged.</p> <h4>New Techniques</h4> <ul> <li><a href="/techniques/T1626">Abuse Elevation Control Mechanism</a></li> <li><a href="/techniques/T1626/001">Device Administrator Permissions</a></li> <li><a href="/techniques/T1640">Account Access Removal</a></li> <li><a href="/techniques/T1638">Adversary-in-the-Middle</a></li> <li>Application Layer Protocol: <a href="/techniques/T1437/001">Web Protocols</a></li> <li><a href="/techniques/T1623">Command and Scripting Interpreter</a></li> <li><a href="/techniques/T1623/001">Unix Shell</a></li> <li><a href="/techniques/T1645">Compromise Client Software Binary</a></li> <li><a href="/techniques/T1634">Credentials from Password Store</a></li> <li><a href="/techniques/T1634/001">Keychain</a></li> <li><a href="/techniques/T1641">Data Manipulation</a></li> <li><a href="/techniques/T1641/001">Transmitted Data Manipulation</a></li> <li><a href="/techniques/T1637">Dynamic Resolution</a></li> <li><a href="/techniques/T1637/001">Domain Generation Algorithms</a></li> <li>Encrypted Channel: <a href="/techniques/T1521/002">Asymmetric Cryptography</a></li> <li>Encrypted Channel: <a href="/techniques/T1521/001">Symmetric Cryptography</a></li> <li><a href="/techniques/T1642">Endpoint Denial of Service</a></li> <li><a href="/techniques/T1624">Event Triggered Execution</a></li> <li><a href="/techniques/T1624/001">Broadcast Receivers</a></li> <li><a href="/techniques/T1627">Execution Guardrails</a></li> <li><a 
href="/techniques/T1627/001">Geofencing</a></li> <li><a href="/techniques/T1639">Exfiltration Over Alternative Protocol</a></li> <li><a href="/techniques/T1639/001">Exfiltration Over Unencrypted Non-C2 Protocol</a></li> <li><a href="/techniques/T1646">Exfiltration Over C2 Channel</a></li> <li><a href="/techniques/T1643">Generate Traffic from Victim</a></li> <li><a href="/techniques/T1628">Hide Artifacts</a></li> <li><a href="/techniques/T1628/001">Suppress Application Icon</a></li> <li><a href="/techniques/T1628/002">User Evasion</a></li> <li><a href="/techniques/T1625">Hijack Execution Flow</a></li> <li><a href="/techniques/T1625/001">System Runtime API Hijacking</a></li> <li><a href="/techniques/T1629">Impair Defenses</a></li> <li><a href="/techniques/T1629/002">Device Lockout</a></li> <li><a href="/techniques/T1629/003">Disable or Modify Tools</a></li> <li><a href="/techniques/T1629/001">Prevent Application Removal</a></li> <li><a href="/techniques/T1630">Indicator Removal on Host</a></li> <li><a href="/techniques/T1630/003">Disguise Root/Jailbreak Indicators</a></li> <li><a href="/techniques/T1630/002">File Deletion</a></li> <li><a href="/techniques/T1630/001">Uninstall Malicious Application</a></li> <li>Input Capture: <a href="/techniques/T1417/002">GUI Input Capture</a></li> <li>Input Capture: <a href="/techniques/T1417/001">Keylogging</a></li> <li>Location Tracking: <a href="/techniques/T1430/002">Impersonate SS7 Nodes</a></li> <li>Location Tracking: <a href="/techniques/T1430/001">Remote Device Management Services</a></li> <li>Obfuscated Files or Information: <a href="/techniques/T1406/002">Software Packing</a></li> <li>Obfuscated Files or Information: <a href="/techniques/T1406/001">Steganography</a></li> <li><a href="/techniques/T1644">Out of Band Data</a></li> <li><a href="/techniques/T1631">Process Injection</a></li> <li><a href="/techniques/T1631/001">Ptrace System Calls</a></li> <li><a href="/techniques/T1636">Protected User Data</a></li> <li><a 
href="/techniques/T1636/001">Calendar Entries</a></li> <li><a href="/techniques/T1636/002">Call Log</a></li> <li><a href="/techniques/T1636/003">Contact List</a></li> <li><a href="/techniques/T1636/004">SMS Messages</a></li> <li>Software Discovery: <a href="/techniques/T1418/001">Security Software Discovery</a></li> <li><a href="/techniques/T1635">Steal Application Access Token</a></li> <li><a href="/techniques/T1635/001">URI Hijacking</a></li> <li><a href="/techniques/T1632">Subvert Trust Controls</a></li> <li><a href="/techniques/T1632/001">Code Signing Policy Modification</a></li> <li>Supply Chain Compromise: <a href="/techniques/T1474/002">Compromise Hardware Supply Chain</a></li> <li>Supply Chain Compromise: <a href="/techniques/T1474/001">Compromise Software Dependencies and Development Tools</a></li> <li>Supply Chain Compromise: <a href="/techniques/T1474/003">Compromise Software Supply Chain</a></li> <li><a href="/techniques/T1633">Virtualization/Sandbox Evasion</a></li> <li><a href="/techniques/T1633/001">System Checks</a></li> <li>Web Service: <a href="/techniques/T1481/002">Bidirectional Communication</a></li> <li>Web Service: <a href="/techniques/T1481/001">Dead Drop Resolver</a></li> <li>Web Service: <a href="/techniques/T1481/003">One-Way Communication</a></li> </ul> <h4>Technique changes</h4> <ul> <li><a href="/techniques/T1517">Access Notifications</a></li> <li><a href="/techniques/T1437">Application Layer Protocol</a></li> <li><a href="/techniques/T1532">Archive Collected Data</a></li> <li><a href="/techniques/T1429">Audio Capture</a></li> <li><a href="/techniques/T1398">Boot or Logon Initialization Scripts</a></li> <li><a href="/techniques/T1414">Clipboard Data</a></li> <li><a href="/techniques/T1471">Data Encrypted for Impact</a></li> <li><a href="/techniques/T1533">Data from Local System</a></li> <li><a href="/techniques/T1407">Download New Code at Runtime</a></li> <li><a href="/techniques/T1456">Drive-By Compromise</a></li> <li><a 
href="/techniques/T1521">Encrypted Channel</a></li> <li><a href="/techniques/T1404">Exploitation for Privilege Escalation</a></li> <li><a href="/techniques/T1428">Exploitation of Remote Services</a></li> <li><a href="/techniques/T1420">File and Directory Discovery</a></li> <li><a href="/techniques/T1541">Foreground Persistence</a></li> <li><a href="/techniques/T1544">Ingress Tool Transfer</a></li> <li><a href="/techniques/T1417">Input Capture</a></li> <li><a href="/techniques/T1430">Location Tracking</a></li> <li><a href="/techniques/T1461">Lockscreen Bypass</a></li> <li><a href="/techniques/T1575">Native API</a></li> <li><a href="/techniques/T1464">Network Denial of Service</a></li> <li><a href="/techniques/T1423">Network Service Scanning</a></li> <li><a href="/techniques/T1509">Non-Standard Port</a></li> <li><a href="/techniques/T1406">Obfuscated Files or Information</a></li> <li><a href="/techniques/T1424">Process Discovery</a></li> <li><a href="/techniques/T1458">Replication Through Removable Media</a></li> <li><a href="/techniques/T1513">Screen Capture</a></li> <li><a href="/techniques/T1418">Software Discovery</a></li> <li><a href="/techniques/T1409">Stored Application Data</a></li> <li><a href="/techniques/T1474">Supply Chain Compromise</a></li> <li><a href="/techniques/T1426">System Information Discovery</a></li> <li><a href="/techniques/T1422">System Network Configuration Discovery</a></li> <li><a href="/techniques/T1421">System Network Connections Discovery</a></li> <li><a href="/techniques/T1512">Video Capture</a></li> <li><a href="/techniques/T1481">Web Service</a></li> </ul> <h4>Minor Technique changes</h4> <ul> <li>No changes</li> </ul> <h4>Technique revocations</h4> <ul> <li>Access Calendar Entries (revoked by Protected User Data: <a href="/techniques/T1636/001">Calendar Entries</a>)</li> <li>Access Call Log (revoked by Protected User Data: <a href="/techniques/T1636/002">Call Log</a>)</li> <li>Access Contact List (revoked by Protected User Data: <a 
href="/techniques/T1636/003">Contact List</a>)</li> <li>Broadcast Receivers (revoked by Event Triggered Execution: <a href="/techniques/T1624/001">Broadcast Receivers</a>)</li> <li>Capture SMS Messages (revoked by Protected User Data: <a href="/techniques/T1636/004">SMS Messages</a>)</li> <li>Carrier Billing Fraud (revoked by <a href="/techniques/T1643">Generate Traffic from Victim</a>)</li> <li>Clipboard Modification (revoked by Data Manipulation: <a href="/techniques/T1641/001">Transmitted Data Manipulation</a>)</li> <li>Code Injection (revoked by Process Injection: <a href="/techniques/T1631/001">Ptrace System Calls</a>)</li> <li>Command-Line Interface (revoked by Command and Scripting Interpreter: <a href="/techniques/T1623/001">Unix Shell</a>)</li> <li>Delete Device Data (revoked by Indicator Removal on Host: <a href="/techniques/T1630/002">File Deletion</a>)</li> <li>Device Administrator Permissions (revoked by Abuse Elevation Control Mechanism: <a href="/techniques/T1626/001">Device Administrator Permissions</a>)</li> <li>Device Lockout (revoked by Impair Defenses: <a href="/techniques/T1629/002">Device Lockout</a>)</li> <li>Disguise Root/Jailbreak Indicators (revoked by Indicator Removal on Host: <a href="/techniques/T1630/003">Disguise Root/Jailbreak Indicators</a>)</li> <li>Domain Generation Algorithms (revoked by Dynamic Resolution: <a href="/techniques/T1637/001">Domain Generation Algorithms</a>)</li> <li>Downgrade to Insecure Protocols (revoked by <a href="/techniques/T1638">Adversary-in-the-Middle</a>)</li> <li>Eavesdrop on Insecure Network Communication (revoked by <a href="/techniques/T1638">Adversary-in-the-Middle</a>)</li> <li>Evade Analysis Environment (revoked by Virtualization/Sandbox Evasion: <a href="/techniques/T1633/001">System Checks</a>)</li> <li>Exfiltration Over Other Network Medium (revoked by <a href="/techniques/T1644">Out of Band Data</a>)</li> <li>Exploit SS7 to Track Device Location (revoked by Location Tracking: <a 
href="/techniques/T1430/002">Impersonate SS7 Nodes</a>)</li> <li>Generate Fraudulent Advertising Revenue (revoked by <a href="/techniques/T1643">Generate Traffic from Victim</a>)</li> <li>Geofencing (revoked by Execution Guardrails: <a href="/techniques/T1627/001">Geofencing</a>)</li> <li>Input Prompt (revoked by Input Capture: <a href="/techniques/T1417/002">GUI Input Capture</a>)</li> <li>Install Insecure or Malicious Configuration (revoked by Subvert Trust Controls: <a href="/techniques/T1632/001">Code Signing Policy Modification</a>)</li> <li>Keychain (revoked by Credentials from Password Store: <a href="/techniques/T1634/001">Keychain</a>)</li> <li>Manipulate App Store Rankings or Ratings (revoked by <a href="/techniques/T1643">Generate Traffic from Victim</a>)</li> <li>Manipulate Device Communication (revoked by <a href="/techniques/T1638">Adversary-in-the-Middle</a>)</li> <li>Modify System Partition (revoked by Hijack Execution Flow: <a href="/techniques/T1625/001">System Runtime API Hijacking</a>)</li> <li>Network Information Discovery (revoked by <a href="/techniques/T1421">System Network Connections Discovery</a>)</li> <li>Network Traffic Capture or Redirection (revoked by <a href="/techniques/T1638">Adversary-in-the-Middle</a>)</li> <li>Remotely Track Device Without Authorization (revoked by Location Tracking: <a href="/techniques/T1430/001">Remote Device Management Services</a>)</li> <li>Rogue Cellular Base Station (revoked by <a href="/techniques/T1638">Adversary-in-the-Middle</a>)</li> <li>Rogue Wi-Fi Access Points (revoked by <a href="/techniques/T1638">Adversary-in-the-Middle</a>)</li> <li>Suppress Application Icon (revoked by Hide Artifacts: <a href="/techniques/T1628/001">Suppress Application Icon</a>)</li> <li>URI Hijacking (revoked by Steal Application Access Token: <a href="/techniques/T1635/001">URI Hijacking</a>)</li> <li>Uninstall Malicious Application (revoked by Indicator Removal on Host: <a href="/techniques/T1630/001">Uninstall Malicious 
Application</a>)</li> <li>User Evasion (revoked by Hide Artifacts: <a href="/techniques/T1628/002">User Evasion</a>)</li> </ul> <h4>Technique deprecations</h4> <p>Unlike the revocations above, the techniques below are retired without a listed successor; any detection or coverage mapping that still references one of these IDs needs a manual review rather than a one-to-one remap.</p> <ul> <li><a href="/techniques/T1413">Access Sensitive Data in Device Logs</a></li> <li><a href="/techniques/T1427">Attack PC via USB Connection</a></li> <li><a href="/techniques/T1436">Commonly Used Port</a></li> <li><a href="/techniques/T1475">Deliver Malicious App via Authorized App Store</a></li> <li><a href="/techniques/T1476">Deliver Malicious App via Other Means</a></li> <li><a href="/techniques/T1449">Exploit SS7 to Redirect Phone Calls/SMS</a></li> <li><a href="/techniques/T1405">Exploit TEE Vulnerability</a></li> <li><a href="/techniques/T1477">Exploit via Radio Interfaces</a></li> <li><a href="/techniques/T1444">Masquerade as Legitimate Application</a></li> <li><a href="/techniques/T1403">Modify Cached Executable Code</a></li> <li><a href="/techniques/T1399">Modify Trusted Execution Environment</a></li> <li><a href="/techniques/T1470">Obtain Device Cloud Backups</a></li> <li><a href="/techniques/T1469">Remotely Wipe Data Without Authorization</a></li> <li><a href="/techniques/T1451">SIM Card Swap</a></li> </ul> <h2>Software</h2> <h3>Enterprise</h3> <h4>New Software</h4> <ul> <li><a href="/software/S0677">AADInternals</a></li> <li><a href="/software/S0693">CaddyWiper</a></li> <li><a href="/software/S0674">CharmPower</a></li> <li><a href="/software/S0667">Chrommme</a></li> <li><a href="/software/S0660">Clambling</a></li> <li><a href="/software/S0687">Cyclops Blink</a></li> <li><a href="/software/S0694">DRATzarus</a></li> <li><a href="/software/S0673">DarkWatchman</a></li> <li><a href="/software/S0659">Diavol</a></li> <li><a href="/software/S0695">Donut</a></li> <li><a href="/software/S0679">Ferocious</a></li> <li><a href="/software/S0696">Flagpro</a></li> <li><a href="/software/S0661">FoggyWeb</a></li> <li><a href="/software/S0666">Gelsemium</a></li> <li><a href="/software/S0690">Green 
Lambert</a></li> <li><a href="/software/S0697">HermeticWiper</a></li> <li><a href="/software/S0698">HermeticWizard</a></li> <li><a href="/software/S0669">KOCTOPUS</a></li> <li><a href="/software/S0680">LitePower</a></li> <li><a href="/software/S0681">Lizar</a></li> <li><a href="/software/S0688">Meteor</a></li> <li><a href="/software/S0699">Mythic</a></li> <li><a href="/software/S0691">Neoichor</a></li> <li><a href="/software/S0664">Pandora</a></li> <li><a href="/software/S0683">Peirates</a></li> <li><a href="/software/S0685">PowerPunch</a></li> <li><a href="/software/S0686">QuietSieve</a></li> <li><a href="/software/S0662">RCSession</a></li> <li><a href="/software/S0684">ROADTools</a></li> <li><a href="/software/S0692">SILENTTRINITY</a></li> <li><a href="/software/S0663">SysUpdate</a></li> <li><a href="/software/S0665">ThreatNeedle</a></li> <li><a href="/software/S0668">TinyTurla</a></li> <li><a href="/software/S0671">Tomiris</a></li> <li><a href="/software/S0678">Torisma</a></li> <li><a href="/software/S0682">TrailBlazer</a></li> <li><a href="/software/S0670">WarzoneRAT</a></li> <li><a href="/software/S0689">WhisperGate</a></li> <li><a href="/software/S0672">Zox</a></li> </ul> <h4>Software changes</h4> <ul> <li><a href="/software/S0622">AppleSeed</a></li> <li><a href="/software/S0099">Arp</a></li> <li><a href="/software/S0093">Backdoor.Oldrea</a></li> <li><a href="/software/S0268">Bisonal</a></li> <li><a href="/software/S0521">BloodHound</a></li> <li><a href="/software/S0252">Brave Prince</a></li> <li><a href="/software/S0023">CHOPSTICK</a></li> <li><a href="/software/S0154">Cobalt Strike</a></li> <li><a href="/software/S0575">Conti</a></li> <li><a href="/software/S0021">Derusbi</a></li> <li><a href="/software/S0605">EKANS</a></li> <li><a href="/software/S0363">Empire</a></li> <li><a href="/software/S0182">FinFisher</a></li> <li><a href="/software/S0249">Gold Dragon</a></li> <li><a href="/software/S0588">GoldMax</a></li> <li><a 
href="/software/S0009">Hikit</a></li> <li><a href="/software/S0203">Hydraq</a></li> <li><a href="/software/S0398">HyperBro</a></li> <li><a href="/software/S0260">InvisiMole</a></li> <li><a href="/software/S0356">KONNI</a></li> <li><a href="/software/S0607">KillDisk</a></li> <li><a href="/software/S0250">Koadic</a></li> <li><a href="/software/S0372">LockerGoga</a></li> <li><a href="/software/S0002">Mimikatz</a></li> <li><a href="/software/S0508">Ngrok</a></li> <li><a href="/software/S0352">OSX_OCEANLOTUS.D</a></li> <li><a href="/software/S0229">Orz</a></li> <li><a href="/software/S0435">PLEAD</a></li> <li><a href="/software/S0097">Ping</a></li> <li><a href="/software/S0013">PlugX</a></li> <li><a href="/software/S0428">PoetRAT</a></li> <li><a href="/software/S0012">PoisonIvy</a></li> <li><a href="/software/S0113">Prikormka</a></li> <li><a href="/software/S0147">Pteranodon</a></li> <li><a href="/software/S0262">QuasarRAT</a></li> <li><a href="/software/S0496">REvil</a></li> <li><a href="/software/S0240">ROKRAT</a></li> <li><a href="/software/S0332">Remcos</a></li> <li><a href="/software/S0174">Responder</a></li> <li><a href="/software/S0446">Ryuk</a></li> <li><a href="/software/S0559">SUNBURST</a></li> <li><a href="/software/S0615">SombRAT</a></li> <li><a href="/software/S0603">Stuxnet</a></li> <li><a href="/software/S0595">ThiefQuest</a></li> <li><a href="/software/S0094">Trojan.Karagany</a></li> <li><a href="/software/S0136">USBStealer</a></li> <li><a href="/software/S0579">Waterbear</a></li> <li><a href="/software/S0141">Winnti for Windows</a></li> <li><a href="/software/S0658">XCSSET</a></li> <li><a href="/software/S0412">ZxShell</a></li> <li><a href="/software/S0110">at</a></li> <li><a href="/software/S0095">ftp</a></li> <li><a href="/software/S0032">gh0st RAT</a></li> <li><a href="/software/S0385">njRAT</a></li> <li><a href="/software/S0103">route</a></li> <li><a href="/software/S0111">schtasks</a></li> </ul> <h4>Minor Software changes</h4> <ul> <li><a 
href="/software/S0504">Anchor</a></li> <li><a href="/software/S0635">BoomBox</a></li> <li><a href="/software/S0482">Bundlore</a></li> <li><a href="/software/S0020">China Chopper</a></li> <li><a href="/software/S0568">EVILNUM</a></li> <li><a href="/software/S0604">Industroyer</a></li> <li><a href="/software/S0449">Maze</a></li> <li><a href="/software/S0084">Mis-Type</a></li> <li><a href="/software/S0083">Misdat</a></li> <li><a href="/software/S0118">Nidiran</a></li> <li><a href="/software/S0340">Octopus</a></li> <li><a href="/software/S0085">S-Type</a></li> <li><a href="/software/S0519">SYNful Knock</a></li> <li><a href="/software/S0436">TSCookie</a></li> <li><a href="/software/S0466">WindTail</a></li> <li><a href="/software/S0086">ZLib</a></li> </ul> <h4>Software revocations</h4> <ul> <li>No changes</li> </ul> <h4>Software deprecations</h4> <ul> <li>No changes</li> </ul> <h3>Mobile</h3> <h4>New Software</h4> <ul> <li>No changes</li> </ul> <h4>Software changes</h4> <ul> <li><a href="/software/S0182">FinFisher</a></li> <li><a href="/software/S0490">XLoader for iOS</a></li> </ul> <h4>Minor Software changes</h4> <ul> <li><a href="/software/S0293">BrainTest</a></li> </ul> <h4>Software revocations</h4> <ul> <li>No changes</li> </ul> <h4>Software deprecations</h4> <ul> <li>No changes</li> </ul> <h2>Groups</h2> <h3>Enterprise</h3> <h4>New Groups</h4> <ul> <li><a href="/groups/G0143">Aquatic Panda</a></li> <li><a href="/groups/G0142">Confucius</a></li> <li><a href="/groups/G0141">Gelsemium</a></li> <li><a href="/groups/G0140">LazyScripter</a></li> </ul> <h4>Group changes</h4> <ul> <li><a href="/groups/G0007">APT28</a></li> <li><a href="/groups/G0016">APT29</a></li> <li><a href="/groups/G0001">Axiom</a></li> <li><a href="/groups/G0098">BlackTech</a></li> <li><a href="/groups/G0035">Dragonfly</a></li> <li><a href="/groups/G0046">FIN7</a></li> <li><a href="/groups/G0047">Gamaredon Group</a></li> <li><a href="/groups/G0125">HAFNIUM</a></li> <li><a href="/groups/G0119">Indrik 
Spider</a></li> <li><a href="/groups/G0004">Ke3chang</a></li> <li><a href="/groups/G0094">Kimsuky</a></li> <li><a href="/groups/G0032">Lazarus Group</a></li> <li><a href="/groups/G0059">Magic Hound</a></li> <li><a href="/groups/G0129">Mustang Panda</a></li> <li><a href="/groups/G0034">Sandworm Team</a></li> <li><a href="/groups/G0139">TeamTNT</a></li> <li><a href="/groups/G0027">Threat Group-3390</a></li> <li><a href="/groups/G0131">Tonto Team</a></li> <li><a href="/groups/G0010">Turla</a></li> <li><a href="/groups/G0123">Volatile Cedar</a></li> <li><a href="/groups/G0090">WIRTE</a></li> <li><a href="/groups/G0044">Winnti Group</a></li> </ul> <h4>Minor Group changes</h4> <ul> <li><a href="/groups/G0082">APT38</a></li> <li><a href="/groups/G0130">Ajax Security Team</a></li> <li><a href="/groups/G0114">Chimera</a></li> <li><a href="/groups/G0031">Dust Storm</a></li> <li><a href="/groups/G0065">Leviathan</a></li> <li><a href="/groups/G0049">OilRig</a></li> <li><a href="/groups/G0116">Operation Wocao</a></li> <li><a href="/groups/G0039">Suckfly</a></li> <li><a href="/groups/G0092">TA505</a></li> </ul> <h4>Group revocations</h4> <ul> <li>Dragonfly 2.0 (revoked by <a href="/groups/G0035">Dragonfly</a>)</li> </ul> <h4>Group deprecations</h4> <ul> <li>No changes</li> </ul> <h3>Mobile</h3> <h4>New Groups</h4> <ul> <li>No changes</li> </ul> <h4>Group changes</h4> <ul> <li><a href="/groups/G0007">APT28</a></li> <li><a href="/groups/G0034">Sandworm Team</a></li> </ul> <h4>Minor Group changes</h4> <ul> <li>No changes</li> </ul> <h4>Group revocations</h4> <ul> <li>No changes</li> </ul> <h4>Group deprecations</h4> <ul> <li>No changes</li> </ul> <h2>Mitigations</h2> <h3>Enterprise</h3> <h4>New Mitigations</h4> <ul> <li>No changes</li> </ul> <h4>Mitigation changes</h4> <ul> <li><a href="/mitigations/M1038">Execution Prevention</a></li> </ul> <h4>Minor Mitigation changes</h4> <ul> <li>No changes</li> </ul> <h4>Mitigation revocations</h4> <ul> <li>No changes</li> </ul> <h4>Mitigation 
deprecations</h4> <ul> <li>No changes</li> </ul> <h3>Mobile</h3> <h4>New Mitigations</h4> <ul> <li>No changes</li> </ul> <h4>Mitigation changes</h4> <ul> <li>No changes</li> </ul> <h4>Minor Mitigation changes</h4> <ul> <li>No changes</li> </ul> <h4>Mitigation revocations</h4> <ul> <li>No changes</li> </ul> <h4>Mitigation deprecations</h4> <ul> <li><a href="/mitigations/M1005">Application Vetting</a></li> <li><a href="/mitigations/M1007">Caution with Device Administrator Access</a></li> </ul> <h2>Data Sources and/or Components</h2> <h3>Enterprise</h3> <h4>New Data Sources and/or Components</h4> <ul> <li>No changes</li> </ul> <h4>Data Source and/or Component changes</h4> <ul> <li>No changes</li> </ul> <h4>Minor Data Source and/or Component changes</h4> <ul> <li><a href="/datasources/DS0026">Active Directory</a></li> <li><a href="/datasources/DS0015">Application Log</a></li> <li><a href="/datasources/DS0025">Cloud Service</a></li> <li><a href="/datasources/DS0017">Command</a></li> <li>Domain Name: <a href="/datasources/DS0038/#Active%20DNS">Active DNS</a></li> <li><a href="/datasources/DS0016">Drive</a></li> <li><a href="/datasources/DS0027">Driver</a></li> <li><a href="/datasources/DS0022">File</a></li> <li>File: <a href="/datasources/DS0022/#File%20Deletion">File Deletion</a></li> <li><a href="/datasources/DS0018">Firewall</a></li> <li><a href="/datasources/DS0001">Firmware</a></li> <li><a href="/datasources/DS0036">Group</a></li> <li><a href="/datasources/DS0028">Logon Session</a></li> <li>Malware Repository: <a href="/datasources/DS0004/#Malware%20Content">Malware Content</a></li> <li>Malware Repository: <a href="/datasources/DS0004/#Malware%20Metadata">Malware Metadata</a></li> <li><a href="/datasources/DS0011">Module</a></li> <li><a href="/datasources/DS0023">Named Pipe</a></li> <li><a href="/datasources/DS0033">Network Share</a></li> <li><a href="/datasources/DS0029">Network Traffic</a></li> <li>Network Traffic: <a href="/datasources/DS0029/#Network%20Connection%20Creation">Network 
Connection Creation</a></li> <li><a href="/datasources/DS0009">Process</a></li> <li>Process: <a href="/datasources/DS0009/#OS%20API%20Execution">OS API Execution</a></li> <li><a href="/datasources/DS0003">Scheduled Job</a></li> <li><a href="/datasources/DS0013">Sensor Health</a></li> <li>Sensor Health: <a href="/datasources/DS0013/#Host%20Status">Host Status</a></li> <li><a href="/datasources/DS0019">Service</a></li> <li><a href="/datasources/DS0002">User Account</a></li> <li><a href="/datasources/DS0034">Volume</a></li> <li><a href="/datasources/DS0006">Web Credential</a></li> </ul> <h4>Data Source and/or Component revocations</h4> <ul> <li>No changes</li> </ul> <h4>Data Source and/or Component deprecations</h4> <ul> <li>No changes</li> </ul> <h3>Mobile</h3> <p>ATT&amp;CK for Mobile does not support data sources.</p> <h2>Contributors to this release</h2> <ul> <li>Abhijit Mohanta, @abhijit_mohanta, Uptycs</li> <li>Akshat Pradhan, Qualys</li> <li>Alex Hinchliffe, Palo Alto Networks</li> <li>Alex Parsons, Crowdstrike</li> <li>Alex Spivakovsky, Pentera</li> <li>Andrew Northern, @ex_raritas</li> <li>Antonio Piazza, @antman1p</li> <li>Austin Clark, @c2defense</li> <li>Bryan Campbell, @bry_campbell</li> <li>Chris Romano, Crowdstrike</li> <li>Clément Notin, Tenable</li> <li>Cody Thomas, SpecterOps</li> <li>Craig Smith, BT Security</li> <li>Csaba Fitzl @theevilbit of Offensive Security</li> <li>Daniel Acevedo, Blackbot</li> <li>Daniel Feichter, @VirtualAllocEx, Infosec Tirol</li> <li>Daniyal Naeem, BT Security</li> <li>Darin Smith, Cisco</li> <li>Dror Alon, Palo Alto Networks</li> <li>Edward Millington</li> <li>Elvis Veliz, Citi</li> <li>Emily Ratliff, IBM</li> <li>Eric Kaiser @ideologysec</li> <li>ESET</li> <li>Hannah Simes, BT Security</li> <li>Harshal Tupsamudre, Qualys</li> <li>Hiroki Nagahama, NEC Corporation</li> <li>Isif Ibrahima, Mandiant</li> <li>Jack Burns, HubSpot</li> <li>James_inthe_box, Me</li> <li>Jan Petrov, Citi</li> <li>Jannie Li, Microsoft Threat Intelligence Center (MSTIC)</li> 
<li>Jeremy Galloway</li> <li>Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics</li> <li>John Page (aka hyp3rlinx), ApparitionSec</li> <li>Jon Sternstein, Stern Security</li> <li>Kobi Haimovich, CardinalOps</li> <li>Krishnan Subramanian, @krish203</li> <li>Kyaw Pyiyt Htet, @KyawPyiytHtet</li> <li>Leo Zhang, Trend Micro</li> <li>Manikantan Srinivasan, NEC Corporation India</li> <li>Massimiliano Romano, BT Security</li> <li>Matthew Green</li> <li>Mayan Arora aka Mayan Mohan</li> <li>Mayuresh Dani, Qualys</li> <li>Michael Raggi @aRtAGGI</li> <li>Mohamed Kmal</li> <li>NEC</li> <li>NST Assure Research Team, NetSentries Technologies</li> <li>Oleg Kolesnikov, Securonix</li> <li>Or Kliger, Palo Alto Networks</li> <li>Pawel Partyka, Microsoft 365 Defender</li> <li>Phil Taylor, BT Security</li> <li>Pià Consigny, Tenable</li> <li>Pooja Natarajan, NEC Corporation India</li> <li>Praetorian</li> <li>Prasad Somasamudram, McAfee</li> <li>Ram Pliskin, Microsoft Azure Security Center</li> <li>Richard Julian, Citi</li> <li>Runa Sandvik</li> <li>Sekhar Sarukkai, McAfee </li> <li>Selena Larson, @selenalarson</li> <li>Shilpesh Trivedi, Uptycs</li> <li>Sittikorn Sangrattanapitak</li> <li>Steven Du, Trend Micro</li> <li>Suzy Schapperle - Microsoft Azure Red Team</li> <li>Syed Ummar Farooqh, McAfee</li> <li>Taewoo Lee, KISA</li> <li>The Wover, @TheRealWover</li> <li>Tiago Faria, 3CORESec</li> <li>Tony Lee</li> <li>Travis Smith, Qualys</li> <li>TruKno</li> <li>Tsubasa Matsuda, NEC Corporation</li> <li>Vinay Pidathala</li> <li>Wes Hurd</li> <li>Wietze Beukema, @wietze</li> <li>Wojciech Lesicki</li> <li>Zachary Abzug, @ZackDoesML</li> <li>Zachary Stanford, @svch0st</li> </ul> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" 
