ATT&CK v18: Detection Strategies, More Adversary Insights,


ATT&CK v18: The Detection Overhaul You’ve Been Waiting For

We’ve spent the last six months focused on making ATT&CK more usable and actionable for defenders, and with the help of the community the results are here!

First, we’re excited for you to finally experience the detection overhaul with two new ATT&CK objects, Detection Strategies and Analytics, that shift guidance from single-sentence notes to structured, behavior-focused strategies. Workbench now supports Detection Strategies, so upgrade your instance to take full advantage of the defensive updates.

Across domains, we’ve deepened coverage of threats organizations are facing today. Enterprise adds techniques for modern infrastructure, Kubernetes, CI/CD pipelines, and cloud databases, along with ransomware preparation behaviors and adversaries monitoring their own threat intel. CTI features new groups, campaigns, and software tied to cascading supply chain compromises, cloud identity abuse, and attacks on edge and virtualization systems, and includes expanded content on Democratic People’s Republic of Korea (DPRK) and People’s Republic of China (PRC) operations. On the Mobile front, there’s coverage of state-sponsored abuse of Signal/WhatsApp linked devices and enhanced account collection techniques.
And in ICS, new and updated Asset objects expand the range of industrial equipment and attack scenarios ATT&CK can represent, including improved connections across sector-specific terminology through Related Assets.

Looking into the future, we’re launching the ATT&CK Advisory Council to formalize community input on the framework’s direction, and yes, we’re already working on v19.

For all the details on our updates and additions across Techniques, Software, Groups and Campaigns, take a look at our release notes, our detailed changelog, or our changelog.json.

Defensive

As Lex Crumpton discussed in depth in her recent blog post on Medium, and presented a couple of weeks ago at ATT&CKcon 6.0, we’re upgrading how ATT&CK handles detection. If you’re building detections, integrations, or automation on top of ATT&CK data, hopefully you’re tracking the updates. The new ATT&CK guidance renovates detections from single-sentence notes into structured, behavior-driven strategies that reflect how adversaries move through environments. It’s a work in progress, and we know there’s always room to improve, but we think it’s a major step toward making ATT&CK more usable and detection-engineering-aligned.

TLDR: We’re introducing two new ATT&CK objects, Detection Strategies and Analytics, that replace the old detection fields and relationships you might be used to. Techniques now connect to Detection Strategy objects that point to platform-specific Analytics, which then link to Log Sources and Data Components. Log Sources aren’t separate objects anymore; they now live directly on Data Components.

(Figures in the original post: Analytics: AN0351; Detection Strategy: DET0119.)

Our goal with this approach is to better support defenders in detecting how attacks actually happen. Adversaries don’t trip a single alert and call it a day; they move through your environment in stages, and our detection guidance needs to reflect that reality.
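If you maintain tooling on top of the ATT&CK STIX data, the practical question behind the TLDR above is: given a technique, which Detection Strategies detect it, which Analytics do they carry, and which log sources (now declared on Data Components) does each Analytic need? The script below walks that graph over a small constructed bundle. It is an added example, not MITRE’s code: the object types and property names it uses (x-mitre-detection-strategy, x-mitre-analytic, x_mitre_analytic_refs, x_mitre_log_source_references, x_mitre_log_sources on data components, and a “detects” relationship from strategy to technique) are assumed from the v18 STIX format and should be checked against the schemas and sample STIX files on GitHub before you depend on them. The DET0000/AN0000/AN0001 identifiers in the bundle are placeholders, not real ATT&CK objects.

```python
"""Walk the v18 detection object graph: technique -> Detection Strategy -> Analytic -> Log Source.

Added example, not MITRE's code. Object types and property names
(x-mitre-detection-strategy, x-mitre-analytic, x_mitre_analytic_refs,
x_mitre_log_source_references, x_mitre_log_sources, 'detects' relationships) are
ASSUMED from the v18 STIX format; verify against the published schemas.
SAMPLE_BUNDLE is constructed for the demo; its DET/AN ids are placeholders.
"""
from collections import defaultdict


def _ref(obj_type, key):
    """STIX-style id for the constructed bundle (real ids carry a UUID)."""
    return f"{obj_type}--{key}"


SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": _ref("attack-pattern", "t1"),
         "name": "Event Triggered Execution: Python Startup Hooks",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1546.018"}]},
        {"type": "x-mitre-detection-strategy", "id": _ref("x-mitre-detection-strategy", "ds1"),
         "name": "Python startup hook file creation",  # constructed
         "external_references": [{"source_name": "mitre-attack", "external_id": "DET0000"}],  # placeholder
         "x_mitre_analytic_refs": [_ref("x-mitre-analytic", "an1"), _ref("x-mitre-analytic", "an2")]},
        {"type": "x-mitre-analytic", "id": _ref("x-mitre-analytic", "an1"),
         "external_references": [{"source_name": "mitre-attack", "external_id": "AN0000"}],  # placeholder
         "x_mitre_platforms": ["Linux"],
         "x_mitre_log_source_references": [
             {"x_mitre_data_component_ref": _ref("x-mitre-data-component", "dc1"),
              "name": "auditd", "channel": "SYSCALL"}],
         "x_mitre_mutable_elements": [  # the "tunable settings" of an analytic
             {"field": "SitePackagesPaths", "description": "site-packages directories to watch"}]},
        {"type": "x-mitre-analytic", "id": _ref("x-mitre-analytic", "an2"),
         "external_references": [{"source_name": "mitre-attack", "external_id": "AN0001"}],  # placeholder
         "x_mitre_platforms": ["Windows"],
         "x_mitre_log_source_references": [
             {"x_mitre_data_component_ref": _ref("x-mitre-data-component", "dc1"),
              "name": "wineventlog", "channel": "security"}],
         "x_mitre_mutable_elements": []},
        {"type": "x-mitre-data-component", "id": _ref("x-mitre-data-component", "dc1"),
         "name": "File Modification",
         # v18: log sources live on the data component rather than as separate objects
         "x_mitre_log_sources": [{"name": "auditd", "channel": "SYSCALL"},
                                 {"name": "wineventlog", "channel": "security"}]},
        {"type": "relationship", "id": _ref("relationship", "r1"), "relationship_type": "detects",
         "source_ref": _ref("x-mitre-detection-strategy", "ds1"),
         "target_ref": _ref("attack-pattern", "t1")},
    ],
}


def attack_id(obj):
    """ATT&CK external id (T..., DET..., AN...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def strategies_for_technique(bundle, technique_id):
    """Detection Strategy objects linked to `technique_id` by a 'detects' relationship."""
    objs = {o["id"]: o for o in bundle["objects"]}
    technique = next((o for o in objs.values()
                      if o["type"] == "attack-pattern" and attack_id(o) == technique_id), None)
    if technique is None:
        raise KeyError(f"technique {technique_id} not in bundle")
    return [objs[r["source_ref"]] for r in objs.values()
            if r["type"] == "relationship" and r.get("relationship_type") == "detects"
            and r["target_ref"] == technique["id"]
            and objs.get(r["source_ref"], {}).get("type") == "x-mitre-detection-strategy"]


def telemetry_for_technique(bundle, technique_id):
    """Map platform -> sorted 'name:channel' log sources needed by every analytic of every
    strategy detecting the technique. Raises ValueError when an analytic references a log
    source that its data component does not declare (a broken bundle, worth failing on)."""
    objs = {o["id"]: o for o in bundle["objects"]}
    coverage = defaultdict(set)
    for strategy in strategies_for_technique(bundle, technique_id):
        for an_ref in strategy.get("x_mitre_analytic_refs", []):
            analytic = objs[an_ref]
            for ls in analytic.get("x_mitre_log_source_references", []):
                component = objs[ls["x_mitre_data_component_ref"]]
                declared = {(s["name"], s["channel"]) for s in component.get("x_mitre_log_sources", [])}
                if (ls["name"], ls["channel"]) not in declared:
                    raise ValueError(f"{attack_id(analytic)} references undeclared log source "
                                     f"{ls['name']}:{ls['channel']} on {component['name']}")
                for platform in analytic.get("x_mitre_platforms", []):
                    coverage[platform].add(f"{ls['name']}:{ls['channel']}")
    return {platform: sorted(sources) for platform, sources in coverage.items()}


if __name__ == "__main__":
    for strategy in strategies_for_technique(SAMPLE_BUNDLE, "T1546.018"):
        print(attack_id(strategy), "analytics:", strategy["x_mitre_analytic_refs"])
    print(telemetry_for_technique(SAMPLE_BUNDLE, "T1546.018"))
```

Point `telemetry_for_technique` at a real enterprise-attack bundle (after confirming the property names) and you get, per platform, the exact `name:channel` telemetry a technique’s detection guidance expects, which is the list to compare against what your SIEM actually ingests. The cross-check against the data component is deliberate: with log sources living on components, an analytic that names a source its component never declared is a data error you want surfaced, not silently skipped.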
The new model breaks down detection into modular pieces: Detection Strategies describe what behavior you’re looking for, Analytics give you platform-specific guidance with tunable settings, and Log Sources use clear naming (like wineventlog:security or auditd:SYSCALL) so you know exactly what telemetry you need. If you’ve built tools that rely on the old detection fields, you’ll need to update them, but Workbench supports the new Detection Strategies right away, and we have sample STIX files, schemas, and compatibility resources on GitHub to help.

Enterprise

For this release, we focused on enriching and upgrading what’s currently in ATT&CK, and were more deliberate about building out new behaviors that reflect some of the targets we’re seeing adversaries exploit, including Kubernetes clusters, DevOps workflows, and the automated infrastructure running your business.

T1059.013: Command and Scripting Interpreter: Container CLI/API captures adversaries using the Docker CLI, Kubernetes APIs, and container SDKs to execute commands, pull images, spin up pods, and steal cloud credentials. Before they strike, T1680: Local Storage Discovery shows them mapping drives, volumes, and storage across systems, hypervisors, and cloud platforms to set up maximum disruption. T1213.006: Data from Information Repositories: Databases covers adversaries raiding MySQL, PostgreSQL, RDS, Azure SQL, and other databases for credentials, PII, and financial data. T1677: Poisoned Pipeline Execution documents how they poison CI/CD pipelines by modifying configuration files, corrupting build scripts, or crafting malicious pull requests that leak secrets and inject compromised components. T1546.018: Event Triggered Execution: Python Startup Hooks shows adversaries abusing Python’s startup mechanisms, .pth files and sitecustomize.py, to maintain persistence in DevOps and automation workflows (a .pth line that begins with “import” is executed every time the interpreter starts, so a single line in site-packages is enough).
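The Python startup hook persistence described above is cheap to audit once you know what the interpreter actually does at startup. The script below is an added example, not code from the ATT&CK page or project; it relies only on the documented behavior of the standard `site` module (every .pth file in a site directory is read, lines beginning with “import ” or “import<TAB>” are exec’d while all other non-comment lines are treated as paths, and sitecustomize/usercustomize are imported if present). The site directory built inside `demo()` and its file contents are constructed for the demonstration; the hooked line is only written as text, never executed.

```python
"""Audit Python startup hooks (T1546.018): 'import' lines in .pth files plus
sitecustomize/usercustomize modules in the interpreter's site directories.

Added example, not from the ATT&CK page or project. Relies only on documented
site-module behaviour: .pth lines starting with 'import ' or 'import\\t' are
exec'd at startup; other lines are paths; sitecustomize/usercustomize are imported
if found on sys.path. The demo() directory and its contents are constructed.
"""
import os
import site
import sys
import tempfile

PTH_EXEC_PREFIXES = ("import ", "import\t")   # exactly what site.py execs
STARTUP_MODULES = ("sitecustomize.py", "usercustomize.py")


def executable_pth_lines(path):
    """Return [(lineno, line)] for the lines of a .pth file the interpreter will exec."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if line.startswith(PTH_EXEC_PREFIXES):
                hits.append((lineno, line))
    return hits


def audit_site_dirs(site_dirs):
    """Scan directories for .pth exec lines and startup modules.
    Returns findings as (kind, path, detail); path-only .pth files yield nothing."""
    findings = []
    for directory in site_dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            full = os.path.join(directory, name)
            if not os.path.isfile(full):
                continue
            if name.endswith(".pth"):
                for lineno, line in executable_pth_lines(full):
                    findings.append(("pth-exec", full, f"line {lineno}: {line}"))
            elif name in STARTUP_MODULES:
                findings.append(("startup-module", full, f"{os.path.getsize(full)} bytes"))
    return findings


def interpreter_site_dirs():
    """Directories this interpreter actually consults: global site-packages and user site."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    user_site = site.getusersitepackages()
    if user_site:
        dirs.append(user_site)
    return dirs


def demo():
    """Constructed site directory: a path-only .pth, a hooked .pth, an empty
    sitecustomize.py. Returns findings with paths reduced to basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.pth"), "w") as fh:
            fh.write("/opt/vendor/lib\n# comment line\n\n")
        with open(os.path.join(tmp, "hook.pth"), "w") as fh:
            # constructed hook text; written as data, never executed by this script
            fh.write("/opt/vendor/lib\nimport subprocess; subprocess.Popen(['/tmp/.updater'])\n")
        open(os.path.join(tmp, "sitecustomize.py"), "w").close()
        return [(kind, os.path.basename(path), detail)
                for kind, path, detail in audit_site_dirs([tmp])]


if __name__ == "__main__":
    dirs = sys.argv[1:] or interpreter_site_dirs()   # pass explicit dirs to audit a venv
    for kind, path, detail in audit_site_dirs(dirs):
        print(f"{kind}\t{path}\t{detail}")
    if not sys.argv[1:]:
        print("demo:", demo())
```

Run it with no arguments to audit the interpreter it runs under, or pass site-packages directories explicitly to audit a virtualenv or a CI runner image from outside. Expect some legitimate “import” lines (editable installs and a few packaging tools use them); the point is to baseline them, because a new one appearing on a build host is exactly the behavior the technique describes.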
T1562.013: Impair Defenses: Disable or Modify Network Device Firewall captures them breaking into firewall consoles to disable protections or create openings for C2 and exfiltration. T1036.012: Masquerading: Browser Fingerprint documents them spoofing User-Agent strings and browser attributes to make malicious traffic look legitimate and evade behavioral analytics. T1518.002: Software Discovery: Backup Software Discovery formalizes how ransomware operators hunt down Veeam, Acronis, Paragon, and other backup tools before launching attacks. T1679: Selective Exclusion captures them carefully avoiding .dll, .exe, and critical system files during encryption to keep systems functional enough to display ransom notes. T1681: Search Threat Vendor Data documents how adversaries monitor threat intel about their own campaigns, replacing infrastructure within days of exposure and treating public reporting as real-time feedback on their detection footprint.

Looking Forward

We’re wrestling with some interesting challenges as we plan future updates, and we’d love the community’s input on where to draw some lines:

· Adversary use of AI, beyond just “obtaining” it

Right now, T1588.007: Obtain Capabilities: Artificial Intelligence captures adversaries acquiring AI tools and models, but we’re seeing reporting that suggests they’re using AI and LLMs for far more than resource development. The question is: what other tactics are they leveraging AI for in meaningful ways? We need the data to highlight where AI use is crossing the threshold into more

· Where to draw the line on Social Engineering

Social engineering has always been tricky territory for ATT&CK because it spans so many behaviors.
We’ve got some coverage already (Phishing, Phishing for Information, User Execution, Impersonation, and the Malicious Copy and Paste (ClickFix) technique), but the challenge is deciding which social engineering behaviors deserve their own techniques versus which ones are just variations of existing coverage. Social engineering is fundamentally about manipulating people, so many initial access or credential theft behaviors have some social engineering component. How do we determine what’s distinct enough to warrant inclusion?

Defense Evasion Split, Beta Version

Over time, Defense Evasion has become a catch-all for too many distinct behaviors, so we’ve been talking about how to rescope it for over a year now (at the last two ATT&CKcons and on ATT&CKing Mondays). We took a first stab at splitting the Defense Evasion tactic into two new tactics that better reflect what adversaries are doing, and how to better detect it.

Two Tactics Instead of One

We’re proposing to split Defense Evasion into Stealth and Impair Defenses.

· Stealth would capture techniques where adversaries change what defenders see in their tools, like email hiding rules, hidden users and files, building images on host to avoid registries, impersonation, breaking process trees, and using unsupported or unused cloud regions. These are behaviors about blending in and manipulating the data that shows up in your monitoring tools.

· Impair Defenses would cover techniques where adversaries actively sabotage your security controls, which would include all the current “Impair Defenses” sub-techniques, as well as behaviors like conditional access policy modifications, code signing policy changes, most of “Indicator Removal,” domain or tenant policy manipulation, and subverting trust controls. These are direct attacks on your defensive infrastructure.

Shuffling Techniques to Better Homes

This will also provide an opportunity to move the techniques that never quite fit Defense Evasion in the first place.
Two sub-techniques under T1548: Abuse Elevation Control Mechanism, T1548.006: TCC Manipulation and T1548.005: Temporary Elevated Cloud Access, are heading to Privilege Escalation, and T1197: BITS Jobs and T1578.005: Modify Cloud Compute Infrastructure: Modify Cloud Configurations are moving to Persistence, since that’s their primary purpose. We’re also rethinking how to make Process Injection more effective, potentially by breaking it into Process Redirection and Process Injection under Execution, because that’s fundamentally what’s happening. DLL Sideloading, Reflective Code Loading, and Hijack Execution Flow would also move to Execution. And everyone’s favorite technique, Valid Accounts, would get pulled from Defense Evasion entirely. Last but not least, we’re proposing to delete Modify Registry and Rootkit as standalone techniques, since they’re better captured elsewhere or are too broad.

We Want to Hear From You!

This is a significant restructuring of how ATT&CK organizes adversary behavior, and we’re not doing it in a vacuum. Does this split make sense for how you’re seeing attacks unfold? Are there techniques we’re moving that should stay put, or ones we’re keeping that should move? Does the Stealth versus Impair Defenses distinction map to how you think about detection and response?

Cyber Threat Intelligence

This release focuses on the threats coming at us from all directions: geopolitical operations, fast-moving cybercrime, and the tools that keep both moving. We added six new threat groups and expanded several existing ones to reflect how these adversaries are adapting, as well as 29 new Software tools and five new Campaigns.

We’re seeing supply chain compromises cascade across ecosystems, with C0057: 3CX Supply Chain Attack being a prime example, where G1049: AppleJeus turned one trusted dependency into another foothold.
To capture how cybercriminals and ransomware groups continue to adopt more flexible Ransomware-as-a-Service models and shared tooling, new groups and software include G1051: Medusa Group (S1244: Medusa Ransomware), G1053: Storm-0501 (S1247: Embargo Ransomware), and G1050: Water Galura (S1242: Qilin Ransomware). We also added S1240: RedLine Stealer, a Malware-as-a-Service infostealer sold to Initial Access Brokers, whose stolen credentials fuel further intrusions.

Identity remains a high-pressure battleground, and the updated G1015: Scattered Spider entry highlights how the group keeps proving that social engineering beats perimeter defenses, by impersonating IT staff, bypassing MFA, and reaching into Okta, AWS, and Office 365. The new C0059: Salesforce Data Exfiltration campaign shows how UNC6040 used vishing to get into corporate Salesforce environments, followed by UNC6240 extortion under the “ShinyHunters” name.

With adversaries pushing into the parts of the network hardest to see, the edges, we added G1048: UNC3886 leveraging zero-days and custom malware against routers and virtualization platforms, documented in the C0056: RedPenguin campaign. And C0058: SharePoint ToolShell Exploitation shows how actors like Storm-2603, G0027: Threat Group-3390, and G0128: ZIRCONIUM moved quickly against newly disclosed server-side vulnerabilities across multiple sectors and regions.

We’ve also expanded coverage of Democratic People’s Republic of Korea (DPRK) and People’s Republic of China (PRC) operations, from AppleJeus and G1052: Contagious Interview driving cryptocurrency theft, to G0129: Mustang Panda refining espionage tooling with six new malware families.
And in the Quad7 Activity campaign, China-linked operators use compromised SOHO routers for password spraying against government, NGO, and defense organizations.

For all of the updates across CTI, check out the release notes.

Looking Forward

We’ll continue tracking the professionalization of cybercriminal operations, the growing convergence of cybercrime with state-backed activity, and the shift toward cloud identity, SaaS services, and edge infrastructure. We’re also expanding our geographic and sector coverage to address gaps in underreported regions. To better reflect how adversaries operate and connect, we’ll be assessing how to refine our approach to describing group relationships, shared infrastructure, and attribution complexity, to help inform defense strategies. In line with the Workbench updates, we’re prioritizing faster intelligence cycles for more rapid CTI releases.

We’d like to thank all of the contributors who provided research, data, and time to help us capture these Groups, Campaigns and Software. We truly appreciate the time and expertise the community brings to ATT&CK, and look forward to collaborating with you on the next release!

Mobile

We’ve made some focused updates to Mobile ATT&CK in this release based on what the community has been asking for and what we’re seeing across the domain.

Similar to how we brought back T1451: SIM Card Swap in v17, we’ve reintroduced T1453: Abuse Accessibility Features after hearing from the community and tracking multiple reports showing how adversaries are leveraging accessibility features across different attack scenarios. We’ve also added T1676: Linked Devices, which captures something we’re seeing more of: adversaries conducting cross-domain operations that span Enterprise and Mobile environments. Threat actors are abusing the “linked devices” feature in apps like Signal and WhatsApp to register a victim’s account on attacker-controlled devices.
They phish users into scanning malicious QR codes, often disguised as group invites or security alerts, which links the account to their infrastructure. Once connected, adversaries can persist through the victim’s account, access messages and contacts, and send messages from the linked device. We’ve observed this in the wild with groups like G0034: Sandworm Team targeting Signal accounts on devices captured on the battlefield and G1033: Star Blizzard connecting WhatsApp accounts to adversary infrastructure for message exfiltration.

Finally, we’ve added T1636.005: Protected User Data: Accounts to capture how adversaries collect account data from compromised devices. On Android, this means abusing the AccountManager API to list accounts; on iOS, it’s leveraging Keychain services. If devices are jailbroken or rooted, adversaries can access this information without users ever knowing. We’re seeing this in malware like S1243: DCHSpy and S1241: RatMilad, which gather account names and types as part of their collection routines. These updates, along with new software entries for threats like S1225: CherryBlos (an Android credential stealer targeting cryptocurrency) and S1231: GodFather (banking malware using virtualization to mimic legitimate apps), aim to provide better coverage of what we’re seeing in the threat landscape and what we’re hearing from the community.

Looking Forward

Our goal is to continue working closely with vendors and the security community to add critical new techniques and refine existing ones so they’re more actionable and reflect real-world threats. We’ll also be upgrading mitigations with more detailed, practical guidance and expanding mobile-specific CTI, from mobile malware to OS vulnerabilities to adversarial abuse of platform-level services.
And we’ll be partnering with the Defense team to bring the new Detection Strategies model to Mobile, and provide the same structured, behavior-driven detection guidance for mobile threats.

ICS

For this release, we created new Asset objects and updated existing ones to expand the set of ICS equipment that ATT&CK can represent. Assets, the operational devices and infrastructure in ICS networks, have been part of ATT&CK for a while, but naming varies across sectors. This can make it difficult to reference the same device consistently, so we’ve been building out the Related Assets field, which links sector-specific terminology based on similar functions, architectural placement, and exposure to adversary techniques. These updates also provide examples of other equipment you may encounter, even if it isn’t designated as a core Asset object, helping you identify devices in your own environment. Each related asset includes a name, an optional sector identifier, and a short description for added context.

We also clarified descriptions for existing assets like A0009: Data Gateways and A0006: Data Historians to better reflect their capabilities. And we updated platform fields to mirror real-world configurations more accurately. For example, a router has an embedded operating system and serves as network equipment, so it maps to both the Embedded and Network platforms.

Our three new Assets include:

A0017: Distributed Control System (DCS) Controller
Represents microprocessor units managing large-scale, continuous industrial processes (e.g., chemicals, manufacturing, oil and gas). DCS Controllers operate within coordinated networks of controllers, software, and operator stations and are typically programmed using IEC 61131-3 languages. Related assets include Field Device/Controller (general function) and Programmable Logic Controller (PLC), which offers similar functionality but usually with less advanced control capability.

A0016: Firewall
Represents gateways enforcing network access policies.
In ICS environments, firewalls are critical for segmenting ICS from business networks, restricting ingress and egress, and defining security zones to limit adversary movement. Related assets include Boundary Firewalls (between Purdue levels) and Device Firewalls (device-level protections).

A0015: Switch
Represents network devices that connect endpoints, including workstations, servers, Human-Machine Interfaces (HMIs), and PLCs, and forward traffic at OSI Layer 2 or 3 using MAC or IP addresses. Switches typically define network segments within Purdue levels. Related assets include Core Switches, Access Switches, Layer 2/3 Switches, and Distribution Switches.

Looking Forward

Moving into 2026, we’ll be working to update detections to match the new Detection Strategies model, refreshing CTI content (including new software, groups, and cross-domain campaigns), and expanding Asset coverage into more sectors and system types. We’ll also keep refining techniques, adding sub-techniques where it makes sense, and incorporating community contributions.

Software

We’ve been working to support the major STIX updates to Data Sources and Data Components introduced in this release, particularly the new Detection Strategies model. If you’re running your own ATT&CK Workbench instance, you should upgrade to the latest version to take advantage of the new Detection Strategies support and other improvements in this release. Visit the ATT&CK Workbench repository on GitHub for upgrade instructions and release details.

Looking Forward

The team will continue to restructure our development approach to maintain a higher tempo for Groups and Software updates, independent of ATT&CK’s biannual release cycle, so we can get threat intelligence updates out to you faster while managing more complex changes at their own pace.

What’s Next for ATT&CK

Advisory Council

ATT&CK has always been community-driven, shaped by your research and data, real-world experience, and your needs as defenders.
We take our role as stewards seriously, and we’ve long thought about a more formal channel that reflects how the community’s input directly informs ATT&CK’s direction. That’s why we’re excited to launch the ATT&CK Advisory Council.

The Council will provide a structured channel for the strategic input our community has always given, from advising on emerging threats and industry needs, and sharing perspectives on roadmap priorities, to helping us keep the framework grounded in real-world defense. Members will represent a diverse set of stakeholders: end users from major industries, vendors integrating ATT&CK into their products, government organizations, and academia. Advisors will be technical leaders committed to benefiting the global cybersecurity community and will serve staggered terms to ensure continuity. The Council will complement, not replace, the existing CTID Advisory Council and Evals Vendor Forum.

This is the first step, and we want you to be involved. We’ll be refining the structure and engagement approach with the community, and we welcome your ideas on how ATT&CK governance and communication can best support you. Our commitment is to ensure that ATT&CK continues to be a public resource that serves defenders first, and this Council is one of the ways we’re formalizing that commitment.

V19 Release

We’re already working on v19, incorporating feedback from this release, tracking threats, and refining the Detection Strategies model for Mobile and ICS. The work doesn’t stop between releases, and we’re constantly evaluating new intelligence, assessing technique proposals, and collaborating with vendors, researchers, and practitioners to make sure the next update reflects what you need. If you’ve submitted contributions or have ideas for what should be prioritized, we’d like to keep those conversations going.

As always, we’d love to connect with you on Email, Bluesky, LinkedIn, or Slack.

©2025 The MITRE Corporation. ALL RIGHTS RESERVED.
Approved for public release. Distribution unlimited. 25–01291–1.

ATT&CK v18: Detection Strategies, More Adversary Insights, was originally published in MITRE ATT&CK® on Medium.