- Replaced `GCP`, `AWS` and `Azure` platforms under the enterprise domain with `IaaS` (Infrastructure as a Service).
- Added `Containers` and `Google Workspace` to the platforms of the enterprise domain.
- Revised the data sources of the enterprise domain. Data sources are still represented as a string array, but the elements within that array are now formatted `"data source: data component"` to reflect the new data source representation. More information on the new data sources can be found on our attack-datasources GitHub repository. Note that the data sources in the ICS domain were not affected by this change.
With the release of ATT&CK version 9, we are also hosting an Excel representation of the knowledge base on our website. You can find that representation and more about ATT&CK tools on the updated Working with ATT&CK page.
- Added new platforms under the enterprise domain: `Network` and `PRE`.
- Deprecated the pre-ATT&CK domain. Pre-ATT&CK has been migrated to two new tactics in the Enterprise domain tagged with the `PRE` platform. Please see the new PRE matrix for the replacing Enterprise tactics and techniques. All objects within the pre-ATT&CK domain have been marked as deprecated, along with a new description pointing to their new home in Enterprise.
- Added the ATT&CK for ICS domain.
- Added sub-techniques:
  - A sub-technique is an attack-pattern where `x_mitre_is_subtechnique` is `true`.
  - Relationships of type `subtechnique-of` between sub-techniques and techniques convey their hierarchy.

  For more information about the representation of sub-techniques in STIX, please see the sub-techniques section of the USAGE document.
- Revised the representation of deprecated objects. The first paragraph of deprecated objects' descriptions should in most cases convey the reason the object was deprecated.
We've also rewritten the USAGE document with additional information about the ATT&CK data model and more examples of how to access and use ATT&CK in Python.
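
As an added illustration (not code from the USAGE document or the ATT&CK project), the sketch below applies the rules in this changelog to a list of STIX objects: it builds the technique/sub-technique hierarchy from `subtechnique-of` relationships, skips deprecated objects, and splits `"data source: data component"` strings. The sample objects are constructed; the property names `x_mitre_data_sources`, `revoked`, `source_ref` and `target_ref`, and the convention that the sub-technique is the relationship's source, are assumptions drawn from the ATT&CK STIX data rather than from this page.

```python
# Constructed sample objects (not real ATT&CK content); ids and names are made up.
SAMPLE_OBJECTS = [
    {"type": "attack-pattern", "id": "attack-pattern--p1", "name": "Parent A",
     "x_mitre_data_sources": ["Process: Process Creation", "Command: Command Execution"]},
    {"type": "attack-pattern", "id": "attack-pattern--s1", "name": "Sub A1",
     "x_mitre_is_subtechnique": True,
     "x_mitre_data_sources": ["Process: Process Creation"]},
    {"type": "attack-pattern", "id": "attack-pattern--s2", "name": "Sub A2",
     "x_mitre_is_subtechnique": True, "x_mitre_deprecated": True},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--s1", "target_ref": "attack-pattern--p1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--s2", "target_ref": "attack-pattern--p1"},
]


def is_retired(obj):
    # x_mitre_deprecated is the ATT&CK flag; revoked is the standard STIX property.
    return bool(obj.get("x_mitre_deprecated") or obj.get("revoked"))


def live_techniques(objects):
    return {o["id"]: o for o in objects
            if o.get("type") == "attack-pattern" and not is_retired(o)}


def subtechnique_tree(objects):
    """Map each live technique name to the sorted names of its live sub-techniques."""
    live = live_techniques(objects)
    tree = {o["name"]: [] for o in live.values() if not o.get("x_mitre_is_subtechnique")}
    for rel in objects:
        if rel.get("relationship_type") != "subtechnique-of" or is_retired(rel):
            continue
        child, parent = live.get(rel.get("source_ref")), live.get(rel.get("target_ref"))
        # Trust the edge only if the source is flagged as a sub-technique of a live parent.
        if child and parent and child.get("x_mitre_is_subtechnique") and parent["name"] in tree:
            tree[parent["name"]].append(child["name"])
    return {name: sorted(kids) for name, kids in tree.items()}


def data_components(objects):
    """Split "data source: data component" strings into {source: {components}}."""
    out = {}
    for tech in live_techniques(objects).values():
        for entry in tech.get("x_mitre_data_sources", []):
            source, sep, component = entry.partition(":")
            # An entry without a colon names no component; record it as None.
            out.setdefault(source.strip(), set()).add(component.strip() if sep else None)
    return out
```
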
- Added cloud platforms under the enterprise domain: `AWS`, `GCP`, `Azure`, `Office 365`, `Azure AD`, and `SaaS`.
- Descriptions added to relationships of type `mitigates` under the enterprise domain
- `x_mitre_impact_type` added for enterprise techniques within the `Impact` tactic
- Descriptions added to relationships between software/groups
- `x_mitre_platforms` added for enterprise malware/tools
- `x_mitre_detection` added to attack-patterns
- Custom MITRE attributes removed from descriptions in attack-patterns
- Alias descriptions added for malware/tools/intrusion-sets as external references
- Descriptions added to relationships between groups/attack-patterns in PRE-ATT&CK
- Names of ATT&CK objects replaced in descriptions and x_mitre_detection fields with markdown links
- `CAPEC ids` added to external references for attack-patterns
- Citations in alias descriptions added as external references in the object containing the alias description
- Added `x-mitre-tactic` and `x-mitre-matrix` objects
- Changed ===Windows=== subheadings to ### Windows subheadings (Windows is just one example)
- Added space between asterisks (ex. *Content to * Content) to populate markdown correctly
- Changed "true" to True in `x_mitre_deprecated`
- Added old ATT&CK IDs to Mobile/PRE-ATT&CK objects whose IDs have changed as `x-mitre-old-attack-id`