diff --git a/CHANGELOG.md b/CHANGELOG.md
index f36e5cfaf44..6cc5c83ec51 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# v4.2.1 (2024-11-12)
+
+## Features
+
+* Release ATT&CK content version 16.1.
+ See detailed changes [here](https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1).
+
# v4.2.0 (2024-10-31)
## Features
diff --git a/data/versions.json b/data/versions.json
index 31ae02bf010..355645fb318 100644
--- a/data/versions.json
+++ b/data/versions.json
@@ -1,9 +1,9 @@
{
"current": {
- "name": "v16.0",
+ "name": "v16.1",
"date_start": "October 31, 2024",
"changelog": "updates-october-2024",
- "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.0"
+ "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1"
},
"previous": [
{
diff --git a/modules/resources/docs/changelogs/v16.0-v16.1/changelog-detailed.html b/modules/resources/docs/changelogs/v16.0-v16.1/changelog-detailed.html
new file mode 100644
index 00000000000..548c80d9ddd
--- /dev/null
+++ b/modules/resources/docs/changelogs/v16.0-v16.1/changelog-detailed.html
@@ -0,0 +1,50 @@
+
+
+
+ ATT&CK Changes
+
+
+
+
+ATT&CK Changes Between v16.0 and v16.1
Key
+
+- New objects: ATT&CK objects which are only present in the new release.
+- Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
+- Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
+- Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
+- Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
+- Object revocations: ATT&CK objects which are revoked by a different object.
+- Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
+- Object deletions: ATT&CK objects which are no longer found in the STIX data.
+
+
+
+
+ Colors for description field |
+ Added |
+ Changed |
+ Deleted |
+
+ |
+
+
+Additional formats
+These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
+
+This JSON file contains the machine readble output used to create this page: changelog.json
+Techniques
enterprise-attack
Patches
[T1590.002] Gather Victim Network Information: DNS
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-09-12 19:36:20.374000+00:00 | 2024-11-11 16:13:02.196000+00:00 |
external_references[5]['description'] | Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. September 12, 2024. | Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved September 12, 2024. |
[T1557.004] Adversary-in-the-Middle: Evil Twin
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-10-13 15:40:18.743000+00:00 | 2024-11-11 18:52:53.686000+00:00 |
iterable_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_contributors | | DeFord L. Smith |
[T1546.017] Event Triggered Execution: Udev Rules
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-10-17 20:17:53.469000+00:00 | 2024-11-11 19:05:38.708000+00:00 |
iterable_item_addedSTIX Field | Old value | New Value |
---|
kill_chain_phases | | {'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'} |
[T1204] User Execution
Current version: 1.7
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-10-13 15:43:49.208000+00:00 | 2024-11-11 18:52:12.103000+00:00 |
iterable_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_contributors | | Ale Houspanossian |
x_mitre_contributors | | Fernando Bacchin |
Groups
enterprise-attack
Patches
[G1034] Daggerfly
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-10-10 14:33:17.448000+00:00 | 2024-10-31 18:33:10.434000+00:00 |
x_mitre_contributors[0] | Furkan Celiik | Furkan Celik, PURE7 |
Campaigns
enterprise-attack
Patches
[C0038] HomeLand Justice
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-08-21 18:21:02.205000+00:00 | 2024-10-31 16:06:50.414000+00:00 |
last_seen | 2002-09-01 04:00:00+00:00 | 2022-09-01 04:00:00+00:00 |
+
+
+
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v16.0-v16.1/changelog.json b/modules/resources/docs/changelogs/v16.0-v16.1/changelog.json
new file mode 100644
index 00000000000..55b32ce2812
--- /dev/null
+++ b/modules/resources/docs/changelogs/v16.0-v16.1/changelog.json
@@ -0,0 +1,751 @@
+{
+ "enterprise-attack": {
+ "techniques": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-09-17 14:27:40.947000+00:00",
+ "modified": "2024-11-11 18:52:53.686000+00:00",
+ "name": "Evil Twin",
+ "description": "Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia \u2018Evil Twin\u2019)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi network, fraudulent Wi-Fi access points may trick devices or users into connecting to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium evil twin) Adversaries may provide a stronger signal strength or block access to Wi-Fi access points to coerce or entice victim devices into connecting to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple \u2013 a network security auditing and penetration testing tool \u2013 may be deployed in Evil Twin attacks for ease of use and broader range. Custom certificates may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries may also listen for client devices sending probe requests for known or previously connected networks (Preferred Network Lists or PNLs). When a malicious access point receives a probe request, adversaries can respond with the same SSID to imitate the trusted, known network.(Citation: specter ops evil twin) Victim devices are led to believe the responding access point is from their PNL and initiate a connection to the fraudulent network.\n\nUpon logging into the malicious Wi-Fi access point, a user may be directed to a fake login page or captive portal webpage to capture the victim\u2019s credentials. Once a user is logged into the fraudulent Wi-Fi network, the adversary may able to monitor network activity, manipulate data, or steal additional credentials. 
Locations with high concentrations of public Wi-Fi access, such as airports, coffee shops, or libraries, may be targets for adversaries to set up illegitimate Wi-Fi access points. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1557/004",
+ "external_id": "T1557.004"
+ },
+ {
+ "source_name": "Kaspersky evil twin",
+ "description": "AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent them. Retrieved September 17, 2024.",
+ "url": "https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks"
+ },
+ {
+ "source_name": "medium evil twin",
+ "description": "Gihan, Kavishka. (2021, August 8). Wireless Security\u2014 Evil Twin Attack. Retrieved September 17, 2024.",
+ "url": "https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59"
+ },
+ {
+ "source_name": "specter ops evil twin",
+ "description": "Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft Pt I \u2014 Basic Rogue AP Theory \u2014 Evil Twin and Karma Attacks. Retrieved September 17, 2024.",
+ "url": "https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee"
+ },
+ {
+ "source_name": "Australia \u2018Evil Twin\u2019",
+ "description": "Toulas, Bill. (2024, July 1). Australian charged for \u2018Evil Twin\u2019 WiFi attack on plane. Retrieved September 17, 2024.",
+ "url": "https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Menachem Goldstein",
+ "DeFord L. Smith"
+ ],
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network"
+ ],
+ "x_mitre_version": "1.0",
+ "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-11-11 18:52:53.686000+00:00\", \"old_value\": \"2024-10-13 15:40:18.743000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][1]\": \"DeFord L. Smith\"}}",
+ "previous_version": "1.0",
+ "changelog_mitigations": {
+ "shared": [
+ "M1017: User Training",
+ "M1031: Network Intrusion Prevention"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detections": {
+ "shared": [
+ "DS0029: Network Traffic (Network Traffic Content)",
+ "DS0029: Network Traffic (Network Traffic Flow)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-09-26 17:02:09.888000+00:00",
+ "modified": "2024-11-11 19:05:38.708000+00:00",
+ "name": "Udev Rules",
+ "description": "Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)\n\nAdversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content\u2019s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1546/017",
+ "external_id": "T1546.017"
+ },
+ {
+ "source_name": "Ignacio Udev research 2024",
+ "description": "Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for persistence. Retrieved September 26, 2024.",
+ "url": "https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/"
+ },
+ {
+ "source_name": "Elastic Linux Persistence 2024",
+ "description": "Ruben Groenewoud. (2024, August 29). Linux Detection Engineering - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.",
+ "url": "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"
+ },
+ {
+ "source_name": "Reichert aon sedexp 2024",
+ "description": "Zachary Reichert. (2024, August 19). Unveiling \"sedexp\": A Stealthy Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.",
+ "url": "https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Eduardo Gonz\u00e1lez Hern\u00e1ndez (@codexlynx)",
+ "Eder P\u00e9rez Ignacio, @ch4ik0",
+ "Wirapong Petshagun",
+ "@grahamhelton3",
+ "Ruben Groenewoud, Elastic"
+ ],
+ "x_mitre_data_sources": [
+ "Process: Process Creation",
+ "File: File Modification"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Monitor file creation and modification of Udev rule files in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/, specifically the `RUN` action key commands.(Citation: Ignacio Udev research 2024) ",
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux"
+ ],
+ "x_mitre_version": "1.0",
+ "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-11-11 19:05:38.708000+00:00\", \"old_value\": \"2024-10-17 20:17:53.469000+00:00\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}}}",
+ "previous_version": "1.0",
+ "changelog_mitigations": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detections": {
+ "shared": [
+ "DS0009: Process (Process Creation)",
+ "DS0022: File (File Modification)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-10-02 15:47:10.102000+00:00",
+ "modified": "2024-11-11 16:13:02.196000+00:00",
+ "name": "DNS",
+ "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).\n\nAdversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "reconnaissance"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1590/002",
+ "external_id": "T1590.002"
+ },
+ {
+ "source_name": "Circl Passive DNS",
+ "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.",
+ "url": "https://www.circl.lu/services/passive-dns/"
+ },
+ {
+ "source_name": "DNS-CISA",
+ "description": "CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May Leak Domain Information. Retrieved June 5, 2024.",
+ "url": "https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information"
+ },
+ {
+ "source_name": "DNS Dumpster",
+ "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
+ "url": "https://dnsdumpster.com/"
+ },
+ {
+ "source_name": "Alexa-dns",
+ "description": "Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved June 5, 2024.",
+ "url": "https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/"
+ },
+ {
+ "source_name": "Sean Metcalf Twitter DNS Records",
+ "description": "Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved September 12, 2024.",
+ "url": "https://x.com/PyroTek3/status/1126487227712921600"
+ },
+ {
+ "source_name": "Trails-DNS",
+ "description": "SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.",
+ "url": "https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "PRE"
+ ],
+ "x_mitre_version": "1.2",
+ "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-11-11 16:13:02.196000+00:00\", \"old_value\": \"2024-09-12 19:36:20.374000+00:00\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved September 12, 2024.\", \"old_value\": \"Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. September 12, 2024.\"}}}",
+ "previous_version": "1.2",
+ "changelog_mitigations": {
+ "shared": [
+ "M1054: Software Configuration"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detections": {
+ "shared": [],
+ "new": [],
+ "dropped": []
+ }
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2018-04-18 17:59:24.739000+00:00",
+ "modified": "2024-11-11 18:52:12.103000+00:00",
+ "name": "User Execution",
+ "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as:\n\n* Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary\n* Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)\n* Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)\n* Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)\n\nFor example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1204",
+ "external_id": "T1204"
+ },
+ {
+ "source_name": "Krebs Discord Bookmarks 2023",
+ "description": "Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.",
+ "url": "https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/"
+ },
+ {
+ "source_name": "Reliaquest-execution",
+ "description": "Reliaquest. (2024, May 31). New Execution Technique in ClearFake Campaign. Retrieved August 2, 2024.",
+ "url": "https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/"
+ },
+ {
+ "source_name": "Telephone Attack Delivery",
+ "description": "Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November 4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery. Retrieved January 5, 2022.",
+ "url": "https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery"
+ },
+ {
+ "source_name": "Talos Roblox Scam 2023",
+ "description": "Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game \u201cRoblox\u201d. Retrieved January 2, 2024.",
+ "url": "https://blog.talosintelligence.com/roblox-scam-overview/"
+ },
+ {
+ "source_name": "proofpoint-selfpwn",
+ "description": "Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17). From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2, 2024.",
+ "url": "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Oleg Skulkin, Group-IB",
+ "Menachem Goldstein",
+ "Harikrishnan Muthu, Cyble",
+ "ReliaQuest",
+ "Ale Houspanossian",
+ "Fernando Bacchin"
+ ],
+ "x_mitre_data_sources": [
+ "Instance: Instance Start",
+ "File: File Creation",
+ "Network Traffic: Network Connection Creation",
+ "Container: Container Creation",
+ "Instance: Instance Creation",
+ "Network Traffic: Network Traffic Content",
+ "Process: Process Creation",
+ "Command: Command Execution",
+ "Image: Image Creation",
+ "Application Log: Application Log Content",
+ "Container: Container Start"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS",
+ "IaaS",
+ "Containers"
+ ],
+ "x_mitre_remote_support": false,
+ "x_mitre_version": "1.7",
+ "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-11-11 18:52:12.103000+00:00\", \"old_value\": \"2024-10-13 15:43:49.208000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][4]\": \"Ale Houspanossian\", \"root['x_mitre_contributors'][5]\": \"Fernando Bacchin\"}}",
+ "previous_version": "1.7",
+ "changelog_mitigations": {
+ "shared": [
+ "M1017: User Training",
+ "M1021: Restrict Web-Based Content",
+ "M1031: Network Intrusion Prevention",
+ "M1038: Execution Prevention",
+ "M1040: Behavior Prevention on Endpoint"
+ ],
+ "new": [],
+ "dropped": []
+ },
+ "changelog_detections": {
+ "shared": [
+ "DS0007: Image (Image Creation)",
+ "DS0009: Process (Process Creation)",
+ "DS0015: Application Log (Application Log Content)",
+ "DS0017: Command (Command Execution)",
+ "DS0022: File (File Creation)",
+ "DS0029: Network Traffic (Network Connection Creation)",
+ "DS0029: Network Traffic (Network Traffic Content)",
+ "DS0030: Instance (Instance Creation)",
+ "DS0030: Instance (Instance Start)",
+ "DS0032: Container (Container Creation)",
+ "DS0032: Container (Container Start)"
+ ],
+ "new": [],
+ "dropped": []
+ }
+ }
+ ],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "software": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "groups": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [
+ {
+ "type": "intrusion-set",
+ "id": "intrusion-set--f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-07-25 17:13:06.098000+00:00",
+ "modified": "2024-10-31 18:33:10.434000+00:00",
+ "name": "Daggerfly",
+ "description": "[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. [Daggerfly](https://attack.mitre.org/groups/G1034) is associated with exclusive use of [MgBot](https://attack.mitre.org/software/S1146) malware and is noted for several potential supply chain infection campaigns.(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2024)(Citation: ESET EvasivePanda 2024)",
+ "aliases": [
+ "Daggerfly",
+ "Evasive Panda",
+ "BRONZE HIGHLAND"
+ ],
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G1034",
+ "external_id": "G1034"
+ },
+ {
+ "source_name": "Evasive Panda",
+ "description": "(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2024)"
+ },
+ {
+ "source_name": "BRONZE HIGHLAND",
+ "description": "(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2024)"
+ },
+ {
+ "source_name": "ESET EvasivePanda 2024",
+ "description": "Ahn Ho, Facundo Mu\u00f1oz, & Marc-Etienne M.L\u00e9veill\u00e9. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.",
+ "url": "https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/"
+ },
+ {
+ "source_name": "ESET EvasivePanda 2023",
+ "description": "Facundo Mu\u00f1oz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.",
+ "url": "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/"
+ },
+ {
+ "source_name": "Symantec Daggerfly 2023",
+ "description": "Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.",
+ "url": "https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot"
+ },
+ {
+ "source_name": "Symantec Daggerfly 2024",
+ "description": "Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.",
+ "url": "https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Furkan Celik, PURE7"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-10-31 18:33:10.434000+00:00\", \"old_value\": \"2024-10-10 14:33:17.448000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Furkan Celik, PURE7\", \"old_value\": \"Furkan Celiik\"}}}",
+ "previous_version": "1.0"
+ }
+ ],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "campaigns": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [
+ {
+ "type": "campaign",
+ "id": "campaign--7e21077d-2589-43a7-a5f9-490061289526",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2024-08-06 20:52:19.002000+00:00",
+ "modified": "2024-10-31 16:06:50.414000+00:00",
+ "name": "HomeLand Justice",
+ "description": "[HomeLand Justice](https://attack.mitre.org/campaigns/C0038) was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) was established in May 2021 as threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the \"HomeLand Justice\" front whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group who maintain a refugee camp in Albania, and were formerly designated a terrorist organization by the US State Department.(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022)(Citation: CISA Iran Albanian Attacks September 2022) A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.(Citation: CISA Iran Albanian Attacks September 2022)\n\n",
+ "aliases": [
+ "HomeLand Justice"
+ ],
+ "first_seen": "2021-05-01 04:00:00+00:00",
+ "last_seen": "2022-09-01 04:00:00+00:00",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/campaigns/C0038",
+ "external_id": "C0038"
+ },
+ {
+ "source_name": "CISA Iran Albanian Attacks September 2022",
+ "description": "CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.",
+ "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a"
+ },
+ {
+ "source_name": "Mandiant ROADSWEEP August 2022",
+ "description": "Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.",
+ "url": "https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/"
+ },
+ {
+ "source_name": "Microsoft Albanian Government Attacks September 2022",
+ "description": "MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.",
+ "url": "https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Aung Kyaw Min Naing, @Nolan"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_first_seen_citation": "(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022)(Citation: CISA Iran Albanian Attacks September 2022)",
+ "x_mitre_last_seen_citation": "(Citation: CISA Iran Albanian Attacks September 2022)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-10-31 16:06:50.414000+00:00\", \"old_value\": \"2024-08-21 18:21:02.205000+00:00\"}, \"root['last_seen']\": {\"new_value\": \"2022-09-01 04:00:00+00:00\", \"old_value\": \"2002-09-01 04:00:00+00:00\"}}}",
+ "previous_version": "1.0"
+ }
+ ],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "assets": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "mitigations": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "datasources": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "datacomponents": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ }
+ },
+ "mobile-attack": {
+ "techniques": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "software": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "groups": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "campaigns": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "assets": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "mitigations": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "datasources": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "datacomponents": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ }
+ },
+ "ics-attack": {
+ "techniques": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "software": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "groups": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "campaigns": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "assets": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "mitigations": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "datasources": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ },
+ "datacomponents": {
+ "additions": [],
+ "major_version_changes": [],
+ "minor_version_changes": [],
+ "other_version_changes": [],
+ "patches": [],
+ "revocations": [],
+ "deprecations": [],
+ "deletions": []
+ }
+ },
+ "new-contributors": [
+ "Ale Houspanossian",
+ "DeFord L. Smith",
+ "Fernando Bacchin",
+ "Furkan Celik, PURE7"
+ ]
+}
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v16.0-v16.1/layer-enterprise.json b/modules/resources/docs/changelogs/v16.0-v16.1/layer-enterprise.json
new file mode 100644
index 00000000000..b6a349b0c9f
--- /dev/null
+++ b/modules/resources/docs/changelogs/v16.0-v16.1/layer-enterprise.json
@@ -0,0 +1,97 @@
+{
+ "versions": {
+ "layer": "4.5",
+ "navigator": "5.0.0",
+ "attack": "16.1"
+ },
+ "name": "November 2024 Enterprise Updates",
+ "description": "Enterprise updates for the November 2024 release of ATT&CK",
+ "domain": "enterprise-attack",
+ "techniques": [
+ {
+ "techniqueID": "T1590.002",
+ "tactic": "reconnaissance",
+ "enabled": true,
+ "color": "#B99095",
+ "comment": "patche"
+ },
+ {
+ "techniqueID": "T1557.004",
+ "tactic": "credential-access",
+ "enabled": true,
+ "color": "#B99095",
+ "comment": "patche"
+ },
+ {
+ "techniqueID": "T1557.004",
+ "tactic": "collection",
+ "enabled": true,
+ "color": "#B99095",
+ "comment": "patche"
+ },
+ {
+ "techniqueID": "T1546.017",
+ "tactic": "persistence",
+ "enabled": true,
+ "color": "#B99095",
+ "comment": "patche"
+ },
+ {
+ "techniqueID": "T1546.017",
+ "tactic": "privilege-escalation",
+ "enabled": true,
+ "color": "#B99095",
+ "comment": "patche"
+ },
+ {
+ "techniqueID": "T1204",
+ "tactic": "execution",
+ "enabled": true,
+ "color": "#B99095",
+ "comment": "patche"
+ }
+ ],
+ "sorting": 0,
+ "hideDisabled": false,
+ "legendItems": [
+ {
+ "color": "#a1d99b",
+ "label": "additions: ATT&CK objects which are only present in the new release."
+ },
+ {
+ "color": "#fcf3a2",
+ "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)"
+ },
+ {
+ "color": "#c7c4e0",
+ "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)"
+ },
+ {
+ "color": "#B5E5CF",
+ "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)"
+ },
+ {
+ "color": "#B99095",
+ "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)"
+ },
+ {
+ "color": "#ff9000",
+ "label": "revocations: ATT&CK objects which are revoked by a different object."
+ },
+ {
+ "color": "#ff6363",
+ "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced."
+ },
+ {
+ "color": "#ff00e1",
+ "label": "deletions: ATT&CK objects which are no longer found in the STIX data."
+ },
+ {
+ "color": "#ffffff",
+ "label": "unchanged: ATT&CK objects which did not change between the two versions."
+ }
+ ],
+ "showTacticRowBackground": true,
+ "tacticRowBackground": "#205b8f",
+ "selectTechniquesAcrossTactics": true
+}
\ No newline at end of file
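Review bot: Every technique entry in this layer carries `"comment": "patche"` (lines for T1590.002, T1557.004, T1546.017 and T1204), which does not match the `patches:` legend label on the same file and will be shown verbatim in Navigator's technique tooltips. The color `#B99095` is the legend's patches color, so the comment looks like the category name with its trailing "s" stripped to singularize it, producing "patche" instead of "patch". This file appears to be produced by the changelog tooling (the same commit bumps mitreattack-python), so the fix presumably belongs in the generator rather than in a hand edit here; if it is edited by hand, each entry should read `"comment": "patch"` or simply reuse the category name `"patches"`. The ICS and mobile layers in this commit have empty `techniques` arrays and are unaffected.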
diff --git a/modules/resources/docs/changelogs/v16.0-v16.1/layer-ics.json b/modules/resources/docs/changelogs/v16.0-v16.1/layer-ics.json
new file mode 100644
index 00000000000..5289f3b87f6
--- /dev/null
+++ b/modules/resources/docs/changelogs/v16.0-v16.1/layer-ics.json
@@ -0,0 +1,54 @@
+{
+ "versions": {
+ "layer": "4.5",
+ "navigator": "5.0.0",
+ "attack": "16.1"
+ },
+ "name": "November 2024 ICS Updates",
+ "description": "ICS updates for the November 2024 release of ATT&CK",
+ "domain": "ics-attack",
+ "techniques": [],
+ "sorting": 0,
+ "hideDisabled": false,
+ "legendItems": [
+ {
+ "color": "#a1d99b",
+ "label": "additions: ATT&CK objects which are only present in the new release."
+ },
+ {
+ "color": "#fcf3a2",
+ "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)"
+ },
+ {
+ "color": "#c7c4e0",
+ "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)"
+ },
+ {
+ "color": "#B5E5CF",
+ "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)"
+ },
+ {
+ "color": "#B99095",
+ "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)"
+ },
+ {
+ "color": "#ff9000",
+ "label": "revocations: ATT&CK objects which are revoked by a different object."
+ },
+ {
+ "color": "#ff6363",
+ "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced."
+ },
+ {
+ "color": "#ff00e1",
+ "label": "deletions: ATT&CK objects which are no longer found in the STIX data."
+ },
+ {
+ "color": "#ffffff",
+ "label": "unchanged: ATT&CK objects which did not change between the two versions."
+ }
+ ],
+ "showTacticRowBackground": true,
+ "tacticRowBackground": "#205b8f",
+ "selectTechniquesAcrossTactics": true
+}
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v16.0-v16.1/layer-mobile.json b/modules/resources/docs/changelogs/v16.0-v16.1/layer-mobile.json
new file mode 100644
index 00000000000..a0cfa75a04b
--- /dev/null
+++ b/modules/resources/docs/changelogs/v16.0-v16.1/layer-mobile.json
@@ -0,0 +1,54 @@
+{
+ "versions": {
+ "layer": "4.5",
+ "navigator": "5.0.0",
+ "attack": "16.1"
+ },
+ "name": "November 2024 Mobile Updates",
+ "description": "Mobile updates for the November 2024 release of ATT&CK",
+ "domain": "mobile-attack",
+ "techniques": [],
+ "sorting": 0,
+ "hideDisabled": false,
+ "legendItems": [
+ {
+ "color": "#a1d99b",
+ "label": "additions: ATT&CK objects which are only present in the new release."
+ },
+ {
+ "color": "#fcf3a2",
+ "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)"
+ },
+ {
+ "color": "#c7c4e0",
+ "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)"
+ },
+ {
+ "color": "#B5E5CF",
+ "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)"
+ },
+ {
+ "color": "#B99095",
+ "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)"
+ },
+ {
+ "color": "#ff9000",
+ "label": "revocations: ATT&CK objects which are revoked by a different object."
+ },
+ {
+ "color": "#ff6363",
+ "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced."
+ },
+ {
+ "color": "#ff00e1",
+ "label": "deletions: ATT&CK objects which are no longer found in the STIX data."
+ },
+ {
+ "color": "#ffffff",
+ "label": "unchanged: ATT&CK objects which did not change between the two versions."
+ }
+ ],
+ "showTacticRowBackground": true,
+ "tacticRowBackground": "#205b8f",
+ "selectTechniquesAcrossTactics": true
+}
\ No newline at end of file
diff --git a/modules/resources/static_pages/updates-october-2024.md b/modules/resources/static_pages/updates-october-2024.md
index 42f8e1f3548..b6cd4a797d1 100644
--- a/modules/resources/static_pages/updates-october-2024.md
+++ b/modules/resources/static_pages/updates-october-2024.md
@@ -8,7 +8,7 @@ save_as: resources/updates/updates-october-2024/index.html
| Version | Start Date | End Date | Data | Changelogs |
|:--------|:-----------|:---------|:-----|:-----------|
-| [ATT&CK v16](/versions/v16) | October 31, 2024 | Current version of ATT&CK | [v16.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.0) | 15.1 - 16.0 [Details](/docs/changelogs/v15.1-v16.0/changelog-detailed.html) ([JSON](/docs/changelogs/v15.1-v16.0/changelog.json)) |
+| [ATT&CK v16](/versions/v16) | October 31, 2024 | Current version of ATT&CK | [v16.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.0)
[v16.1 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1) | 15.1 - 16.0 [Details](/docs/changelogs/v15.1-v16.0/changelog-detailed.html) ([JSON](/docs/changelogs/v15.1-v16.0/changelog.json))
16.0 - 16.1 [Details](/docs/changelogs/v16.0-v16.1/changelog-detailed.html) ([JSON](/docs/changelogs/v16.0-v16.1/changelog.json)) |
The October 2024 (v16) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise.
@@ -635,6 +635,7 @@ Broken out by domain:
## Contributors to this release
* @grahamhelton3
+* Ale Houspanossian
* Arun Seelagan, CISA
* Asritha Narina
* Aung Kyaw Min Naing, @Nolan
@@ -644,13 +645,15 @@ Broken out by domain:
* Cris Tomboc, Truswave SpiderLabs
* Csaba Fitzl @theevilbit of Kandji
* Daniel Acevedo, Blackbot
+* DeFord L. Smith
* Denise Tan
* Diego Sappa, Securonix
* Domenico Mazzaferro Palmeri
* Dray Agha, Huntress Labs
* Eder Pérez Ignacio, @ch4ik0
* Eduardo González Hernández (@codexlynx)
-* Furkan Celiik
+* Fernando Bacchin
+* Furkan Celik, PURE7
* Hakan KARABACAK
* Harikrishnan Muthu, Cyble
* Harry Hill, BT Security
diff --git a/pyproject.toml b/pyproject.toml
index 7e417aaa7e0..fd752cf6cce 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -6,7 +6,7 @@ profile = "black"
[tool.towncrier]
name = "ATT&CK website"
- version = "4.2.0"
+ version = "4.2.1"
filename = "CHANGELOG.md"
issue_format = "[#{issue}](https://github.com/mitre-attack/attack-website/issues/{issue})"
template = ".towncrier.template.md"
diff --git a/requirements.txt b/requirements.txt
index a16331926ab..594d4df6733 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,7 +4,7 @@ bleach==6.1.0
colorama==0.4.6
future==1.0.0
loguru==0.7.2
-mitreattack-python==3.0.7
+mitreattack-python==3.0.8
pelican==4.8.0
pyScss==1.4.0
python-dotenv==1.0.1