
ATT&CKv19: Changes in MITRE ATT&CK® Framework

Shailendra Singh Sachan

Security Researcher


Overview: MITRE & its ATT&CK® Framework

MITRE is a not-for-profit organization that operates federally funded research and development centers (FFRDCs) for the U.S. government. MITRE works across cybersecurity, defense, healthcare, aviation, and other critical sectors.

In cybersecurity, MITRE is best known for developing and maintaining the ATT&CK® Framework, a globally recognized knowledge base that documents real-world adversary behavior drawn from observed intrusions. ATT&CK® stands for "Adversarial Tactics, Techniques, and Common Knowledge". Organizations use it as a shared vocabulary for attacker behavior: to map observed threats and malware activity to known techniques, to assess where their telemetry and detections have gaps, and to build detection and monitoring rules against specific techniques.

The ATT&CK® website organizes this information under five major tabs:

  • Matrices
  • Tactics
  • Techniques
  • Defenses
  • CTI

Matrices present the following for each of the three domains (Enterprise, Mobile, and ICS):

  1. Tactics (the first "T" in TTP): Tactics represent the "why" of an ATT&CK® technique or sub-technique. A tactic is the adversary's tactical goal, the reason for performing an action. For example, an adversary may want to achieve credential access.
  2. Techniques (the second "T"): Techniques represent "how" an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
  3. Sub-techniques: Sub-techniques are more specific descriptions of how a technique is carried out (for example, T1003.001 LSASS Memory is a sub-technique of T1003 OS Credential Dumping). Procedures (the "P" in TTP) are different: a procedure is the specific implementation a particular adversary or tool has been observed using. ATT&CK® records procedures as "procedure examples" inside the Group, Software, and Campaign entries rather than as cells in the matrix.

Defenses present the following for each of the three domains (Enterprise, Mobile, and ICS):

  1. Mitigations: Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
  2. Assets (ICS only): Assets represent the devices and systems commonly found within Industrial Control System environments.
  3. Detection Strategies, Analytics, and Data Components: A detection strategy groups the analytics that can detect a given technique; each analytic describes the observable behavior to look for; and data components (for example, process creation or command execution) name the telemetry an analytic depends on. Together they replaced the free-text detection notes that technique pages carried before v18.

CTI (Cyber Threat Intelligence) contains information regarding

  1. Groups: Known threat actors, APTs (Advanced Persistent Threats), or adversary organizations that conduct cyber operations (e.g., APT29, Lazarus Group).
  2. Software: Malware, tools, frameworks, or utilities used by threat actors during attacks (e.g., Mimikatz, Cobalt Strike).
  3. Campaigns: Specific cyber operations or attack activities conducted by a threat actor over a defined period against particular targets or sectors. A Campaign entry ties together the Group behind it, the Software it used, the techniques observed, and the victims.

ATT&CK® v18.1 vs. v19.1: Update Overview and Where the Changes Reside

ATT&CK® v19.1 is a significant step on from v18.1, with changes across all three domains (Enterprise, Mobile, and ICS) intended to better reflect current adversary tradecraft. On the TTP (Tactics, Techniques, and Procedures) side, Enterprise ATT&CK® grew from 14 to 15 tactics: a new Defense Impairment tactic was introduced, and Defense Evasion was renamed Stealth. Enterprise techniques increased from 216 to 222. Mobile is unchanged at 12 tactics and 77 techniques. In ICS the tactic count stays at 12, while techniques went from 83 to 79: several techniques were consolidated into new parent-child relationships and 18 sub-techniques were introduced, giving finer granularity and closer alignment with the Enterprise ATT&CK® structure. Overall, v19.1 concentrates on modelling modern adversary behavior more precisely through better categorization, refined technique structures, and greater cross-domain consistency.


From a Cyber Threat Intelligence (CTI) perspective, v19.1 expands ATT&CK®'s coverage of real-world threat actors, malware, and campaigns across all domains. The knowledge base grew from 176 to 178 Groups, 910 to 949 Software entries, and 55 to 59 Campaigns, reflecting emerging nation-state activity, AI-enabled operations, supply chain compromises, and cross-domain attacks. New additions include Iranian-linked actors such as Void Manticore; PRC-linked actors such as MirrorFace; AI-related campaign and malware entries, including the Anthropic AI-orchestrated Campaign and LAMEHUG; and new malware families associated with MuddyWater, Volt Typhoon, and other groups. ATT&CK® also added coverage for destructive campaigns against critical infrastructure, software supply chain attacks affecting the npm ecosystem, and malware spanning Enterprise, Mobile, and ICS environments.
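The tactic, technique, group, software and campaign counts above (and the tactic rename) can be checked and tracked in your own tooling rather than read off the release notes. MITRE publishes every ATT&CK® release as STIX 2.1 JSON at https://github.com/mitre-attack/attack-stix-data, one bundle per domain and version. The script below is an added example written for this post, not MITRE's own tooling and not code from the original article: it indexes a bundle by ATT&CK ID, skips revoked and deprecated objects the way the official counts do, summarizes the categories discussed in the two paragraphs above, lists techniques by tactic, and diffs two versions to surface added, removed and renamed entries. The per-version file name it mentions (enterprise-attack/enterprise-attack-18.1.json) is an assumption about the repository layout; the two bundles embedded in the script are constructed, heavily trimmed samples, and every ID marked "placeholder" (TA9999, T9998, T9999, S9999, C9999) is made up and does not exist in ATT&CK.

```python
"""Summarize and diff ATT&CK STIX 2.1 bundles (added example, not MITRE code).

Real input: one bundle per domain/version from
https://github.com/mitre-attack/attack-stix-data, e.g. (assumed path)
enterprise-attack/enterprise-attack-18.1.json.  The bundles embedded below
are constructed samples; IDs marked "placeholder" are not real ATT&CK entries.
"""
import json

ATTACK_SOURCE = "mitre-attack"  # source_name used in ATT&CK external_references


def attack_id(obj):
    """ATT&CK external ID (T1003, TA0005, G0016, S0002, C0001 ...) or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == ATTACK_SOURCE and "external_id" in ref:
            return ref["external_id"]
    return None


def is_active(obj):
    """Official counts exclude revoked and deprecated objects (they stay in the file)."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def load_bundle(text):
    """Index the active, ATT&CK-identified objects of a bundle by ID.

    Relationship objects carry no ATT&CK ID and are dropped by the filter."""
    objects = json.loads(text)["objects"]
    return {attack_id(o): o for o in objects if is_active(o) and attack_id(o)}


def summarize(index):
    """Counts in the categories the release notes report."""
    counts = dict(tactics=0, techniques=0, sub_techniques=0,
                  groups=0, software=0, campaigns=0)
    for obj in index.values():
        kind = obj["type"]
        if kind == "x-mitre-tactic":
            counts["tactics"] += 1
        elif kind == "attack-pattern":
            key = "sub_techniques" if obj.get("x_mitre_is_subtechnique") else "techniques"
            counts[key] += 1
        elif kind == "intrusion-set":
            counts["groups"] += 1
        elif kind in ("malware", "tool"):  # both STIX types count as Software
            counts["software"] += 1
        elif kind == "campaign":
            counts["campaigns"] += 1
    return counts


def techniques_for_tactic(index, shortname):
    """Techniques and sub-techniques whose kill-chain phase is the given tactic."""
    return sorted(tid for tid, obj in index.items()
                  if obj["type"] == "attack-pattern"
                  and any(p.get("phase_name") == shortname
                          for p in obj.get("kill_chain_phases", [])))


def diff_bundles(old, new):
    """IDs added, removed (or deprecated), or renamed between two versions."""
    shared = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "renamed": {i: (old[i]["name"], new[i]["name"])
                        for i in sorted(shared) if old[i]["name"] != new[i]["name"]}}


# ---- constructed sample data (not real release content) --------------------
def _obj(kind, ext_id, name, **extra):
    """Minimal STIX object carrying an ATT&CK external reference."""
    return {"type": kind, "name": name, **extra,
            "external_references": [{"source_name": ATTACK_SOURCE, "external_id": ext_id}]}


def _phase(shortname):
    return {"kill_chain_phases": [{"kill_chain_name": ATTACK_SOURCE, "phase_name": shortname}]}


def _bundle(tag, objects):
    return json.dumps({"type": "bundle", "id": f"bundle--constructed-{tag}", "objects": objects})


_SHARED = [  # real IDs, present unchanged in both constructed versions
    _obj("x-mitre-tactic", "TA0006", "Credential Access", x_mitre_shortname="credential-access"),
    _obj("attack-pattern", "T1003", "OS Credential Dumping", **_phase("credential-access")),
    _obj("attack-pattern", "T1003.001", "LSASS Memory", x_mitre_is_subtechnique=True,
         **_phase("credential-access")),
    _obj("intrusion-set", "G0016", "APT29"),
    _obj("campaign", "C9999", "Placeholder Campaign"),  # placeholder ID
    {"type": "relationship", "relationship_type": "uses",  # no ATT&CK ID: ignored
     "source_ref": "intrusion-set--x", "target_ref": "attack-pattern--y"},
]
OLD_BUNDLE_JSON = _bundle("old", _SHARED + [
    _obj("x-mitre-tactic", "TA0005", "Defense Evasion", x_mitre_shortname="defense-evasion"),
    _obj("attack-pattern", "T9999", "Placeholder Old Technique", **_phase("defense-evasion")),
])
NEW_BUNDLE_JSON = _bundle("new", _SHARED + [
    _obj("x-mitre-tactic", "TA0005", "Stealth", x_mitre_shortname="stealth"),  # rename per post
    _obj("x-mitre-tactic", "TA9999", "Defense Impairment",  # new tactic; placeholder ID
         x_mitre_shortname="defense-impairment"),
    _obj("attack-pattern", "T9999", "Placeholder Old Technique", x_mitre_deprecated=True,
         **_phase("stealth")),  # deprecated, so it drops out of the counts
    _obj("attack-pattern", "T9998", "Placeholder New Technique", **_phase("defense-impairment")),
    _obj("malware", "S9999", "Placeholder Malware"),  # placeholder ID
])

if __name__ == "__main__":
    old, new = load_bundle(OLD_BUNDLE_JSON), load_bundle(NEW_BUNDLE_JSON)
    print(json.dumps({"old": summarize(old), "new": summarize(new),
                      "diff": diff_bundles(old, new)}, indent=2))
```

Point `load_bundle` at the real v18.1 and v19.1 enterprise bundles and `diff_bundles` will print exactly the list a detection engineer needs after an upgrade: the renamed tactic, every new technique that has no detection mapped yet, and every technique your rules still reference that is now deprecated. Note that deprecated objects are kept in the file with `x_mitre_deprecated: true`, which is why the example treats "removed" as "no longer active" rather than "absent from the JSON".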


ATT&CK® v19.1: Understanding the Updates in Detail

Updates in Enterprise Edition

