ATT&CK v17
We are excited to announce that the Tidal Cyber Enterprise and Community Editions are now on the new v17 version of MITRE ATT&CK. Like we do with every ATT&CK update, we’ve done the heavy lifting to analyze the new content additions, and where relevant, merge them with existing content added by our team so users have a seamless experience in the platform. Read on for a summary of some of the key highlights and commentary on some of the new ATT&CK additions.
NARC Update
New for this iteration of our ATT&CK update blogs, we are excited to announce that our AI-powered NARC capability, recently brought in-house to Tidal Cyber, was updated to support extraction of all new v17 Techniques within mere hours of the release! This means that all NARC users can immediately begin processing public threat reporting and be sure that they are identifying all of the latest Techniques and Sub-Techniques that might be referenced within the source content. Used heavily by Tidal's Adversary Intelligence team, NARC has been essential in enabling many of the threat content "extensions" highlighted in the next sections.
Threat Objects
v17 saw the addition of 65 Group, Campaign, and Software objects. More than ever before, new objects overlapped with existing objects authored by Tidal Cyber’s Adversary Intelligence team, underscoring how Tidal users gain timely visibility into the threat landscape and the behaviors used by new and trending adversaries.
Twenty-two of ATT&CK's new threat objects (34%) were already in the Tidal Cyber Knowledge Base, meaning users have already been able to take advantage of this CTI in their threat assessments. This is an increase in both number and percentage from the 15 overlaps we saw in v16.
As always, we’ve now merged existing Tidal content with the gold-standard ATT&CK objects, and we’ve enriched both these overlapping objects and net-new additions with victim- & attribution-focused metadata and many Tags around themes like capability types, targeted technologies, and exploited vulnerabilities. A few highlights include:
- Salt Typhoon: One of the most high-profile actors identified over the past year. We’ve added several discrete campaigns attributed to threat clusters linked to this highly capable Chinese espionage group.
- APT42: We’ve extended this prominent Iranian APT with significant amounts of metadata, Tags, and Technique relationships.
- LockBit ecosystem: LockBit has been among the dominant ransomware operations of the past several years, and v17 adds the 2.0 and 3.0 versions of the LockBit malware (for a more timely look, you can find the 4.0 version recently added by Tidal here).
Techniques
New v17 Techniques reflect evolutions in the threat landscape, while some revised Techniques reflect updated or reconsidered scopes for previously defined attacker activity. In all cases, Tidal Cyber users can rest assured that everything they view in Tidal is through the lens of the latest version of the ATT&CK knowledge base:
The addition of User Execution: Malicious Copy and Paste comes in response to a trend of adversaries tricking users into copying and executing code, often PowerShell commands, directly on their own systems.
- Tidal Cyber has been warning its users about such activity for months (previously mapping it to the broader User Execution Technique) and has added four Campaign objects related to "ClickFix" and similar activity since last July (in fact, these are the only threat objects currently related to this new Sub-Technique!).
ESXi-related techniques
- This release introduced a new platform, "ESXi", for describing adversary behaviors against VMware ESXi hypervisors. Four new Techniques specifically target this new platform:
  - ESXi Administration Control
  - Command and Scripting Interpreter: Hypervisor CLI (wider in scope than just ESXi)
  - Server Software Component: vSphere Installation Bundles
  - Virtual Machine Discovery (wider in scope than just ESXi)
- Similarly, Tidal Cyber has been warning its users about the uptick in targeting of ESXi and broader virtualization environments for a considerable amount of time. We first released virtualization-focused Tags to spotlight threats targeting these platforms in November 2023 and continue to update and maintain them (including labeling the relevant v17 additions).
Email-related Techniques: Email Bombing and Email Spoofing. Stay tuned for updates related to Email Security products.
- Email Bombing is focused on burying legitimate emails to disrupt business operations and/or serve as a precursor to a social engineering attack.
- Email Spoofing is a more direct email-filter defense evasion technique, such as bypassing DMARC protections.
Some further commentary on notable Technique updates from the Adversary Intelligence team:
- Hijack Execution Flow: DLL, one sub-technique to rule them all. In this release, Hijack Execution Flow: DLL Side-Loading was merged into Hijack Execution Flow: DLL, and Hijack Execution Flow: DLL Search Order Hijacking was revoked and mapped into the same DLL sub-technique. The updated sub-technique now documents several ways DLLs can be abused to hijack execution flow in order to maintain persistence, escalate privileges, and/or evade defenses, so it effectively behaves as a parent technique for the various ways adversaries abuse DLLs.
- Masquerading: Match Legitimate Resource Name or Location was updated to include an increased focus on matching valid Registry keys to bypass defenses.
- Another sub-technique under Masquerading received a major update with a name change: Rename System Utilities is now Rename Legitimate Utilities, broadening its scope to legitimate utilities such as PsExec.
- Modify Registry now places more emphasis on modifying the Registry to hide configuration information or malicious payloads (see Obfuscated Files or Information).
- Remote Access Software was renamed to Remote Access Tools, reflecting the abuse of legitimate remote access tools and the addition of three new Sub-Techniques: IDE Tunneling, Remote Access Hardware, and Remote Desktop Software.
- We’ve reviewed and updated (where relevant) numerous threat objects that previously mapped to the Remote Access Software Technique but are now more appropriately aligned with the new Remote Desktop Software Sub-Technique (and view our Remote Administration Tools Tag for a roundup of many of these items).
- Browser Extension was downgraded to a sub-technique under a new parent technique named Software Extensions. Software Extensions kept the technique ID T1176, so existing mappings to T1176 remain valid, but we recommend re-mapping previous Browser Extensions mappings to the new Sub-Technique, T1176.001.
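As an added example of the re-mapping recommended above (this is not Tidal's or MITRE's code), here is a small Python migration for an ATT&CK Navigator-style layer: it rewrites changed IDs, merges entries that collapse onto one Technique, and bumps the layer's ATT&CK version. Only T1176 -> T1176.001 comes from the post; the T1574.002 -> T1574.001 entry for the DLL Side-Loading merge is an assumption from the ATT&CK ID scheme, and the sample layer is constructed.

```python
import re

# IDs that changed in ATT&CK v17. T1176 -> T1176.001 is stated in the post;
# T1574.002 -> T1574.001 (DLL Side-Loading merged into Hijack Execution Flow:
# DLL) is assumed from the ATT&CK ID scheme: confirm against v17 STIX data.
V17_REMAP = {"T1176": "T1176.001", "T1574.002": "T1574.001"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def migrate_layer(layer):
    """Return (migrated copy of a Navigator-style layer, change log)."""
    # Entries that land on the same (techniqueID, tactic) after remapping are
    # merged: highest score wins, comments are joined, enabled is OR'd.
    merged, log = {}, []
    for entry in layer.get("techniques", []):
        old_id = entry["techniqueID"]
        if not TECHNIQUE_ID.match(old_id):
            raise ValueError(f"malformed technique ID: {old_id!r}")
        new_id = V17_REMAP.get(old_id, old_id)
        if new_id != old_id:
            log.append(f"{old_id} -> {new_id}")
        item = dict(entry, techniqueID=new_id)  # copy; the input stays untouched
        key = (new_id, entry.get("tactic"))
        if key not in merged:
            merged[key] = item
            continue
        kept = merged[key]
        kept["score"] = max(kept.get("score", 0), item.get("score", 0))
        kept["enabled"] = kept.get("enabled", True) or item.get("enabled", True)
        comments = [c for c in (kept.get("comment"), item.get("comment")) if c]
        if comments:
            kept["comment"] = "; ".join(dict.fromkeys(comments))
        log.append(f"merged duplicate {new_id} ({key[1]})")
    out = dict(layer, techniques=list(merged.values()))
    out["versions"] = dict(layer.get("versions", {}), attack="17")
    return out, log


# Constructed sample layer in Navigator layer shape (not real Tidal data).
SAMPLE_LAYER = {
    "name": "pre-v17 coverage", "versions": {"attack": "16", "layer": "4.5"},
    "techniques": [
        {"techniqueID": "T1176", "tactic": "persistence", "score": 50, "comment": "ext rule"},
        {"techniqueID": "T1574.001", "tactic": "persistence", "score": 30, "comment": "search-order rule"},
        {"techniqueID": "T1574.002", "tactic": "persistence", "score": 80, "comment": "side-load rule"},
        {"techniqueID": "T1219", "tactic": "command-and-control", "score": 20},
    ],
}
```

Running `migrate_layer(SAMPLE_LAYER)` returns the migrated layer and a log of each ID change and merge, so the diff can be reviewed before the layer is loaded back into the Navigator.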